----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 17, 2001 2:58 PM
Subject: [freenet-support] Operating behind MY OWN Firewall

> I am sorry to ask this question again, but I still didn't get why
> Freenet should not be able to work behind a firewall that is under my
> control??
> I can open the required ports.
> And I can't believe that (as someone on this list said some time
> ago) Freenet needs EVERY port for incoming connections ... then the
> server should listen on ALL ports, which is definitely not the case, as an
> nmap scan showed.

If I understood correctly, Freenet uses random ports for data transfer, opening them as needed. However, I think it's not necessary to set your firewall wide open to allow Freenet to function. I think that when a Freenet node is connected, the initial connection uses the hostname and port set in the Freenet config, but subsequent connections (usually data transfer) will use random ports. If this is the case, it shouldn't be too hard to set up a fully working Freenet node, even behind a masquerading firewall (like I have). However, I think that it requires a firewall with connection tracking (like iptables).

For example, we have three computers. A hosts the Freenet node and is inside the firewall, B is the firewall itself, and C is another Freenet node trying to connect to A. A has the Freenet node running on port 9322 and B is set to allow traffic to and from A:9322. C connects to A:9322 and requests a piece of data, telling that its source address is C:20292. A opens port 12909 for the data transfer and connects to C:20292. B is set to generally allow outbound traffic from A and can track incoming connections, denying everything that isn't part of an existing connection. A transfers the requested data to C successfully. The connection is closed, and everyone is happy.

However, if A is on an internal network and is required to access the Internet via a masquerading firewall B, things can get tricky. A doesn't have a public IP address, so the source address it sends in Freenet message headers is all wrong, because no one can reach it by using its private IP. If it's set to transient mode, it can request data, but we want a fully working Freenet node, not a transient one. However, B does have both public and private IP addresses, so we set the nodeAddress in A's Freenet config to B's IP address (or hostname). Then we set a DNAT rule, redirecting all packets going to B:9322 to go to A:9322. If node C tries to connect to A, it will connect to B:9322, because that's the address A advertised to the Freenet network. The packets are redirected, and A opens a data connection from A:12909 to C:20292. The packets are masqueraded, so C sees that the data it requested is arriving from B:<some-random-port>. C successfully retrieves the information.

In theory, this is how it should work. I haven't tried it yet.

-- 
Mika Hirvonen <[EMAIL PROTECTED]>
http://www.saunalahti.fi/hirvox/
PGP key @ http://www.saunalahti.fi/hirvox/stormshadow.asc
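The DNAT-plus-masquerade setup described in the reply above, written out as iptables rules for firewall B (an added example, not code from the original post or from the Freenet project). The port 9322 comes from the message; the private address of A, the interface names and the dry-run default (commands are echoed unless IPT=iptables) are assumptions.

```shell
#!/bin/sh
# Firewall B: forward Freenet node port to A, masquerade A's outbound data
# connections, and rely on connection tracking for the random data ports.
# Assumed addresses/interfaces (constructed for this example):
A_IP=${A_IP:-192.168.1.10}   # Freenet node A on the private LAN
LAN_IF=${LAN_IF:-eth1}       # B's interface towards A
WAN_IF=${WAN_IF:-eth0}       # B's interface with the public address
FREENET_PORT=${FREENET_PORT:-9322}
# Dry run by default: prints the rules instead of applying them.
# Run with IPT=iptables (as root, with net.ipv4.ip_forward=1) to apply.
IPT=${IPT:-"echo iptables"}

freenet_fw_rules() {
  # NAT table: B:9322 (advertised as nodeAddress) is rewritten to A:9322,
  # and everything A sends out (e.g. A:12909 -> C:20292) leaves as B:<port>.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FREENET_PORT" \
       -j DNAT --to-destination "$A_IP:$FREENET_PORT"
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$A_IP" -j MASQUERADE

  # Filter table: default-deny forwarding; replies to tracked connections
  # (including C's answers on A's random data ports) are accepted by state,
  # so no other inbound port ever needs to be opened.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New inbound: only the node port, only after DNAT has pointed it at A.
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$A_IP" -p tcp \
       --dport "$FREENET_PORT" -m state --state NEW -j ACCEPT
  # New outbound: A may open data connections to any peer.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$A_IP" \
       -m state --state NEW -j ACCEPT
  # Everything else that is not part of a tracked connection is dropped.
}

# Number of rules that accept brand-new inbound connections; should be 1.
count_new_inbound_rules() {
  freenet_fw_rules | grep -c -- "-i $WAN_IF -o $LAN_IF .*--state NEW"
}

freenet_fw_rules
```

With the default dry run the script only prints the rule set, so it can be reviewed before being applied on B.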
