On Tue, Feb 04, 2003 at 12:34:29AM +0300, Victor Denisov wrote:
> I'm sorry, I'm still to receive a single message from support mailing
> list... To continue discussion:
>
> -----------------------
> >> Of course, all outgoing ports are open for an IP address that Freenet is
> >> bound to. The problem is that Freenet seems to listen for _incoming_
> >> connections on absolutely random ports. I recall reading somewhere that
> >
> >The port is selected randomly when you configure freenet for the first time
> >and can be found in freenet.conf or freenet.ini. IIRC, it's 'listenPort', but
> >I'm not sure.
> -----------------------
>
> [VD] That wasn't what I was trying to convey. Of course, FNP port, as
> defined by listenPort in freenet.ini, is open for incoming connections, and
> I see it as LISTENING as well. I also periodically see connections
> established at this port, so things are working as expected.
>
> In my case, Freenet creates a bunch of listening ports _in addition_ to FNP,
> Fproxy and other "listed" ports.

That is very strange. Are you absolutely sure? Maybe it's missing the config
for some reason? Which ports?

>
> ------------------------
> Yes, there's a line in the config file:
> # The port to listen for incoming FNP (Freenet Node Protocol) connections on.
> listenPort=XYZ
>
> It's a randomly chosen port by the setup or by the generation of the config
> file.
> This port is usually between 1024 and 65535; the node announces itself ONLY
> with the current IP address and the chosen FNP port. (That's a node reference,
> look in the seednodes.ref file.)
> -----------------------
>
> [VD] Yes, of course, this port is open for incoming connections. That's what
> the Freenet docs (however sparse) imply.
>
> ------------------------
> Other nodes only try to connect on the FNP port.
> I also see a lot of listening ports between 1025 and 4500, but I don't know
> the reason. (See the attached text file.)
> -------------------------
>
> [VD] I reckon these are ports opened by your node to wait when nodes it
> contacted will "call it back" with response to the query it sent into the
> network.

No. Nodes will connect to the FNP port.

>
> -------------------------
> Client programs use only 8481 for the Freenet Client Protocol (FCP),
> 8888 for the browser (->mainport) and 8891 for the distribution node (if
> not deactivated).
> -------------------------
>
> [VD] Absolutely correct.
>
> -------------------------
> >> this is a feature - Fred contacts another Freenet node with request for data
> >> then drops TCP connection and waits for incoming one from that node, so as
> >> to conserve TCP connections during long data searches and limit amount of
> >> traffic and resources required for maintenance of "idle" connections.
> >>
> >> This seems wise, but only in case if a single port (or a known range of
> >> ports) is used to handle such incoming connections. Basic security dictates
> >> that _all_ ports which aren't in definite use should be closed, and if this
> >> rule can't be followed with current Freenet operation, I'm afraid it could
> >> be a real security problem for all more or less secure environments.
>
> This situation IS a security problem. But read Freenet's port usage in my
> answer above. You only need to forward the FNP port to the Freenet node.
> -----------------------------
>
> [VD] Hmm, my experimental evidence seems to contradict your point. First,
> "strange" ports you've listed (as well as those on my machine) are owned by
> javaw.exe, and Freenet happens to be the only java app on this machine. And
> second, when I block all ports, except defined ones, my Freenet performance
> degrades rapidly, with node coming to a halt with RNFs 95% of the time -
> this is an indication that there's a problem with request propagation in
> such configuration. Things get back to normal as soon as I allow all
> incoming connections again. So, allowing (or forwarding) only FNP port isn't
> enough :-(.
>
> I know how "real" developers despise support lists, but I hope that someone
> with code knowledge will be able to prove or disprove my point, or at least
> will point to a correct place to look in the source. I don't want to barge
> into devl, since I don't think this belongs there.

Heh.

>
> If, indeed, Freenet opens one listening socket for each node it contacts
> (or, God forbid, for each request it makes - but this isn't likely, judging
> by the number of open sockets I see when loading TFE), I'd like to hear if
> this is under consideration for modification in future versions.

No, it doesn't. It opens the FNP port, and the various client ports. Anything
else is a trojan, a bug or a mirage.

>
> Regards,
> Victor Denisov.
>

-- 
Matthew Toseland
[EMAIL PROTECTED]
Full time freenet hacker.
http://freenetproject.org/
Freenet Distribution Node (temporary) at http://amphibian.dyndns.org:8889/A8dz8aYheps/
ICTHUS.
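A defender-side check of the claim above (a node should expose only the FNP port plus the client ports), added here as an example that is not from the thread or the Freenet project: it reads listenPort from a constructed freenet.ini fragment, treats that port plus the FCP, fproxy and distribution ports named in the thread as expected, and reports every other TCP port on which a javaw.exe process is LISTENING in constructed `netstat -ano` output. The netstat layout, the tasklist-style PID-to-image map and all port values are assumed sample data.

```python
import re

# Constructed freenet.ini fragment (sample data, not a real node's config).
FREENET_INI = """\
# The port to listen for incoming FNP (Freenet Node Protocol) connections on.
listenPort=23456
"""
# Constructed 'netstat -ano' style listing (Windows layout, as in the thread).
NETSTAT = """\
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING     4
  TCP    0.0.0.0:8481     0.0.0.0:0        LISTENING     1234
  TCP    0.0.0.0:8888     0.0.0.0:0        LISTENING     1234
  TCP    0.0.0.0:23456    0.0.0.0:0        LISTENING     1234
  TCP    0.0.0.0:2049     0.0.0.0:0        LISTENING     1234
  TCP    0.0.0.0:3311     0.0.0.0:0        LISTENING     1234
  TCP    10.0.0.5:1061    10.0.0.9:23456   ESTABLISHED   1234
"""
# Constructed PID-to-image map (what 'tasklist' would report).
PID_NAMES = {4: "System", 1234: "javaw.exe"}
# Client ports the thread lists besides the FNP port: FCP, fproxy, distribution.
CLIENT_PORTS = {8481, 8888, 8891}
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def read_listen_port(ini_text: str) -> int:
    """Return the FNP listenPort value from a freenet.ini fragment."""
    for line in ini_text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "listenPort":
            return int(value)
    raise ValueError("listenPort not found")


def unexpected_listeners(netstat: str, pid_names: dict, expected: set,
                         image: str = "javaw.exe") -> list:
    """LISTENING ports owned by `image` not in `expected`; ESTABLISHED rows
    are ordinary outbound connections and are ignored, not extra listeners."""
    found = set()
    for line in netstat.splitlines():
        m = LISTEN_RE.match(line)
        if m and pid_names.get(int(m.group(2))) == image:
            port = int(m.group(1))
            if port not in expected:
                found.add(port)
    return sorted(found)


def audit(ini_text: str = FREENET_INI, netstat: str = NETSTAT) -> list:
    """Ports javaw.exe listens on that neither the config nor the thread explains."""
    return unexpected_listeners(netstat, PID_NAMES, CLIENT_PORTS | {read_listen_port(ini_text)})
```

Any port the audit reports is exactly the kind of listener the reply above says should not exist, and is worth tying back to a process and a code path before the firewall is opened for it.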