I just read your message again and I overlooked something before.
My node has a private IP for itself, but it is SNATed/DNATed to its OWN
official IP (not the one of the firewall).
I even tried to open every port (for testing) now and it didn't work either.
So my problem is at the beginning.
:-((
Maybe the DNAT/SNAT is the problem (actually it shouldn't be, but what else is
left?)
Or maybe I misconfigured something ...
I will reconsider everything in the next days (1am here now and I am
tired :-))

But your explanations helped me a lot to understand Freenet.

So thank you anyway.

I will keep trying ...

Marcus

----- Original Message -----
From: "Mika Hirvonen" <[EMAIL PROTECTED]>
To: "Freenet support" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, April 17, 2001 9:48 PM
Subject: Re: [freenet-support] Operating behind MY OWN Firewall


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 17, 2001 2:58 PM
> Subject: [freenet-support] Operating behind MY OWN Firewall
>
>
> > I am sorry to ask this question again, but I still didn't get why
> > Freenet should not be able to work behind a firewall that is under my
> > control??
> > I can open the required ports.
> > And I can't believe that (as someone on this list said some time
> > ago) Freenet needs EVERY port for incoming connections ... then the
> > server should listen on ALL ports, which is definitely not the case, as an
> > nmap scan showed.
>
> If I understood correctly, Freenet uses random ports for data transfer,
> opening them as needed. However, I think it's not necessary to set your
> firewall wide open to allow Freenet to function. I think that when a
> Freenet node is connected, the initial connection uses the hostname and
> port set in the Freenet config, but subsequent connections (usually data
> transfer) will use random ports. If this is the case, it shouldn't be too
> hard to set up a fully working Freenet node, even behind a masquerading
> firewall (like I have). However, I think that it requires a firewall with
> connection tracking (like iptables).
>
> For example, we have three computers. A hosts the Freenet node and is
> inside the firewall, B is the firewall itself, and C is another Freenet
> node trying to connect to A.
>
> A has the Freenet node running on port 9322 and B is set to allow traffic
> to and from A:9322. C connects to A:9322 and requests a piece of data,
> telling that its source address is C:20292. A opens port 12909 for the
> data transfer and connects to C:20292. B is set to generally allow outbound
> traffic from A and can track incoming connections, denying everything that
> isn't part of an existing connection. A transfers the requested data to C
> successfully. The connection is closed, and everyone is happy.
>
> However, if A is on an internal network and is required to access the
> Internet via a masquerading firewall B, things can get tricky. A doesn't
> have a public IP address, so the source address it sends in Freenet message
> headers is all wrong, because no-one can reach it by using its private IP.
> If it's set to transient mode, it can request data, but we want a full
> working Freenet node, not a transient one. However, B does have both public
> and private IP addresses, so we set the nodeAddress in A's Freenet config
> to B's IP address (or hostname). Then we set a DNAT rule, redirecting all
> packets going to B:9322 to go to A:9322.
>
> If node C tries to connect to A, it will connect to B:9322, because that's the
> address A advertised to the Freenet network. The packets are redirected,
> and A opens a data connection from A:12909 to C:20292. The packets are
> masqueraded, so C sees that the data it requested is arriving from
> B:<some-random-port>. C successfully retrieves the information.
>
> In theory, this is how it should work. I haven't tried it yet.
>
> - --
>   Mika Hirvonen <[EMAIL PROTECTED]>
>   http://www.saunalahti.fi/hirvox/
>   PGP key @ http://www.saunalahti.fi/hirvox/stormshadow.asc
>
>
> _______________________________________________
> Support mailing list
> [EMAIL PROTECTED]
> http://lists.freenetproject.org/mailman/listinfo/support
>
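The B-side rule set Mika describes (DNAT of B:9322 to A:9322, masquerading of A's outbound flows, connection tracking that admits only packets belonging to an existing connection), written out as iptables commands. This is an added example, not code from either message or from the Freenet project; the addresses, interface names and the helper name are constructed placeholders, and the script only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example for the A/B/C layout described in the thread: B is the
# masquerading firewall, A (private IP) runs the Freenet node on port 9322.
# All addresses and interface names below are constructed placeholders.
NODE_IP=${NODE_IP:-192.168.1.10}     # A, the Freenet node on the internal LAN
FW_PUB_IP=${FW_PUB_IP:-203.0.113.5}  # B's public address, set as nodeAddress in A's config
NODE_PORT=${NODE_PORT:-9322}         # listening port from A's Freenet config
EXT_IF=${EXT_IF:-eth0}               # B's Internet-facing interface
INT_IF=${INT_IF:-eth1}               # B's LAN-facing interface
# Dry run by default: rules are printed. Run as root with IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

freenet_nat_rules() {
    # Default policy: forwarded traffic that no rule below admits is dropped.
    $IPT -P FORWARD DROP
    # Connection tracking: replies and later packets of an existing flow pass in
    # both directions. This is what lets A's random data ports (e.g. A:12909 ->
    # C:20292) work without opening any inbound port for them.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A may open new outbound connections (the data transfers to C).
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$NODE_IP" -m state --state NEW -j ACCEPT
    # The only new inbound flow admitted is to the advertised Freenet port on A.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$NODE_IP" -p tcp --dport "$NODE_PORT" \
        -m state --state NEW -j ACCEPT
    # DNAT: C connects to B:9322; the packets are rewritten to A:9322.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$FW_PUB_IP" -p tcp --dport "$NODE_PORT" \
        -j DNAT --to-destination "$NODE_IP:$NODE_PORT"
    # Masquerade: A's outbound flows leave as B:<random-port>, which is what C sees.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$NODE_IP" -j MASQUERADE
}

freenet_nat_rules
```

For the layout Marcus describes, where the node has a public address of its own, the DNAT rule matches that address and the MASQUERADE rule becomes `-j SNAT --to-source <node public address>`; the FORWARD and connection-tracking rules stay the same.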
