On Thu, 19 Oct 2000, Nate Williams wrote:
> I had blocked incoming TCP connections coming into my network using
> IPFW, and I noticed that my brother was able to establish a Napster
> connection, even though I had blocked it earlier.
>
> I thought, no worries, I'll just block it at the port level.
>
> I read a couple of articles, and noted that connections from 8888 to the
> server should be blocked.
>
> Easy enough, I'll just block my clients from establishing connections to
> port 8888.
>
> Unfortunately, that doesn't work. Looking at tcpdump output, the
> 'server' appears to initiates a TCP connection from 8888 -> some random
> port. My firewall rules do *NOT* allow incoming TCP connections to be
> made to internal machines, since they only allow 'setup' packets to go
> out.
>
> So, how can Napster work? What happened to the 3-way handshake? I
> could see an issue if the OS's were hacked to get around this and not
> require a 3-way handshake, but the client in this case in a Win98 box.
The remote napster client sends a message through the central Napster
server, which relays the message to your Napster client to tell your
machine to make a connection to the remote machine. This is so that, as
long as one of the two Napster clients are not behind a firewall, the two
clients can communicate directly. The client behind the firewall makes the
connection to the client that isn't behind a firewall, since most
firewalls are configured to allow internal machines to make connections to
any outside machine.
The regular 3-way handshake is occurring. It's just not initiated by the
machine you would expect. You'd have to block outgoing SYNs to any
outside host at port 8888 (but anyone who knows anything about ports could
change their port number and get around your block).
Guy
Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Dept. of Computer Science --- [EMAIL PROTECTED]
http://www.cs.iastate.edu/~ghelmer
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
