I'm sorry, I'm still to receive a single message from support mailing list... To continue discussion:
-----------------------
>> Of course, all outgoing ports are open for an IP address that Freenet is
>> bound to. The problem is that Freenet seems to listen for _incoming_
>> connections on absolutely random ports. I recall reading somewhere that
>
> The port is selected randomly when you configure freenet for the first time
> and can be found in freenet.conf or freenet.ini. IIRC, it's 'listenPort', but
> I'm not sure.
-----------------------
[VD] That wasn't what I was trying to convey. Of course, the FNP port, as defined by listenPort in freenet.ini, is open for incoming connections, and I see it as LISTENING as well. I also periodically see connections established at this port, so things are working as expected. In my case, Freenet creates a bunch of listening ports _in addition_ to FNP, Fproxy and other "listed" ports.
------------------------
Yes, there's a line in the config file:

# The port to listen for incoming FNP (Freenet Node Protocol) connections on.
listenPort=XYZ

It's a randomly chosen port by the setup or by the generation of the config file. This port is usually between 1024 and 65535; the node announces itself ONLY with the current IP address and the chosen FNP port. (That's a node reference, look in the seednodes.ref file.)
-----------------------
[VD] Yes, of course, this port is open for incoming connections. That's what the Freenet docs (however sparse) imply.
------------------------
Other nodes only try to connect on the FNP port. I also see a lot of listening ports between 1025 and 4500, but I don't know the reason. (See the attached text file.)
-------------------------
[VD] I reckon these are ports opened by your node to wait until the nodes it contacted "call it back" with the response to the query it sent into the network.
-------------------------
Client programs use only 8481 for the Freenet Client Protocol (FCP), 8888 for the browser (->mainport) and 8891 for the distribution node (if not deactivated).
-------------------------
[VD] Absolutely correct.
-------------------------
>> this is a feature - Fred contacts another Freenet node with a request for data,
>> then drops the TCP connection and waits for an incoming one from that node, so as
>> to conserve TCP connections during long data searches and limit the amount of
>> traffic and resources required for maintenance of "idle" connections.
>>
>> This seems wise, but only if a single port (or a known range of
>> ports) is used to handle such incoming connections. Basic security dictates
>> that _all_ ports which aren't in definite use should be closed, and if this
>> rule can't be followed with current Freenet operation, I'm afraid it could
>> be a real security problem for all more or less secure environments.

This situation IS a security problem. But read Freenet's port usage in my answer above. You only need to forward the FNP port to the Freenet node.
-----------------------------
[VD] Hmm, my experimental evidence seems to contradict your point. First, the "strange" ports you've listed (as well as those on my machine) are owned by javaw.exe, and Freenet happens to be the only Java app on this machine. And second, when I block all ports except the defined ones, my Freenet performance degrades rapidly, with the node coming to a halt with RNFs 95% of the time. This is an indication that there's a problem with request propagation in such a configuration. Things get back to normal as soon as I allow all incoming connections again. So, allowing (or forwarding) only the FNP port isn't enough :-(.

I know how "real" developers despise support lists, but I hope that someone with code knowledge will be able to prove or disprove my point, or at least point to the correct place to look in the source. I don't want to barge into devl, since I don't think this belongs there.

If, indeed, Freenet opens one listening socket for each node it contacts (or, God forbid, for each request it makes - but this isn't likely, judging by the number of open sockets I see when loading TFE), I'd like to hear if this is under consideration for modification in future versions.

Regards,
Victor Denisov.

_______________________________________________
support mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support
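Added example, not from the list or the Freenet project: a small Python check that reads listenPort from freenet.ini, parses Windows-style `netstat -ano` output, and lists the TCP ports the node's javaw.exe process is listening on beyond the FNP port and the FCP/fproxy/distribution ports named in the thread. The ini text, netstat lines, PID and port numbers below are constructed samples; on a real machine you would feed in the actual file and command output.

```python
# Constructed sample of a freenet.ini; the thread says the FNP port is 'listenPort'.
SAMPLE_INI = """\
# The port to listen for incoming FNP (Freenet Node Protocol) connections on.
listenPort=31337
mainport=8888
"""

# Constructed sample of `netstat -ano` output on Windows (the PID is the last column).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:8481           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:2049           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3311           0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:31337         10.0.0.9:4021          ESTABLISHED     1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
"""

# Service ports the thread lists besides FNP: FCP, fproxy mainport, distribution node.
DOCUMENTED_PORTS = {8481, 8888, 8891}


def listen_port(ini_text):
    """Return the FNP listenPort from freenet.ini text, or None if the key is absent."""
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("listenPort="):
            return int(line.split("=", 1)[1])
    return None


def listening_ports_for_pid(netstat_text, pid):
    """Return the set of local TCP ports in LISTENING state owned by the given PID."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" and f[4] == str(pid):
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports


def undocumented_listeners(ini_text, netstat_text, pid):
    """Listening ports of the node process that are neither the FNP port nor a documented service port."""
    expected = DOCUMENTED_PORTS | {listen_port(ini_text)}
    return sorted(listening_ports_for_pid(netstat_text, pid) - expected)


if __name__ == "__main__":
    # With the constructed samples this reports the two unexplained listeners.
    print(undocumented_listeners(SAMPLE_INI, SAMPLE_NETSTAT, 1234))  # [2049, 3311]
```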
