From owner-freebsd-hackers Thu Oct 19 14:14:23 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from css-1.cs.iastate.edu (css-1.cs.iastate.edu [129.186.3.24]) by hub.freebsd.org (Postfix) with ESMTP id 98D0C37B4D7 for ; Thu, 19 Oct 2000 14:14:19 -0700 (PDT)
Received: from popeye.cs.iastate.edu (ghelmer@popeye.cs.iastate.edu [129.186.3.4]) by css-1.cs.iastate.edu (8.9.0/8.9.0) with ESMTP id QAA02265; Thu, 19 Oct 2000 16:14:19 -0500 (CDT)
Received: from localhost (ghelmer@localhost) by popeye.cs.iastate.edu (8.9.0/8.9.0) with ESMTP id QAA27221; Thu, 19 Oct 2000 16:14:15 -0500 (CDT)
X-Authentication-Warning: popeye.cs.iastate.edu: ghelmer owned process doing -bs
Date: Thu, 19 Oct 2000 16:14:14 -0500 (CDT)
From: Guy Helmer
To: Nate Williams
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW bug/incoming TCP connections being let in.
In-Reply-To: <200010192029.OAA25357@nomad.yogotech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 19 Oct 2000, Nate Williams wrote:

> I had blocked incoming TCP connections coming into my network using
> IPFW, and I noticed that my brother was able to establish a Napster
> connection, even though I had blocked it earlier.
>
> I thought, no worries, I'll just block it at the port level.
>
> I read a couple of articles, and noted that connections from 8888 to the
> server should be blocked.
>
> Easy enough, I'll just block my clients from establishing connections to
> port 8888.
>
> Unfortunately, that doesn't work. Looking at tcpdump output, the
> 'server' appears to initiate a TCP connection from 8888 -> some random
> port. My firewall rules do *NOT* allow incoming TCP connections to be
> made to internal machines, since they only allow 'setup' packets to go
> out.
>
> So, how can Napster work? What happened to the 3-way handshake? I
> could see an issue if the OSes were hacked to get around this and not
> require a 3-way handshake, but the client in this case is a Win98 box.

The remote Napster client sends a message through the central Napster server, which relays the message to your Napster client to tell your machine to make a connection to the remote machine. This is so that, as long as one of the two Napster clients is not behind a firewall, the two clients can communicate directly. The client behind the firewall makes the connection to the client that isn't behind a firewall, since most firewalls are configured to allow internal machines to make connections to any outside machine.

The regular 3-way handshake is occurring. It's just not initiated by the machine you would expect.

You'd have to block outgoing SYNs to any outside host at port 8888 (but anyone who knows anything about ports could change their port number and get around your block).

Guy

Guy Helmer, Ph.D. Candidate, Iowa State University Dept. of Computer Science
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
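The reversed connection described in this thread, as an added illustration that is not part of the original mail: a small model of an ipfw-style rule list with "setup" (SYN without ACK) and "established" matching, run over a constructed handshake trace in which the internal client, not the remote peer, sends the SYN. Rule tuples, port 1025 and the rule lists are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str   # "out" = leaving the LAN, "in" = arriving from outside
    sport: int
    dport: int
    syn: bool
    ack: bool

    @property
    def setup(self) -> bool:
        # ipfw "setup": SYN set and ACK clear, i.e. the first handshake packet
        return self.syn and not self.ack

# rule = (action, direction or None, destination port or None, flags)
# flags: "setup", "established" (any non-setup packet) or None (any packet)
def matches(rule, p: Pkt) -> bool:
    _, direction, dport, flags = rule
    if direction is not None and direction != p.direction:
        return False
    if dport is not None and dport != p.dport:
        return False
    if flags == "setup" and not p.setup:
        return False
    if flags == "established" and p.setup:
        return False
    return True

def verdict(rules, p: Pkt) -> str:
    """First matching rule wins; nothing matching means deny (default policy)."""
    for rule in rules:
        if matches(rule, p):
            return rule[0]
    return "deny"

def connection_allowed(rules, trace) -> bool:
    """A TCP connection only completes if every handshake packet is allowed."""
    return all(verdict(rules, p) == "allow" for p in trace)

# Constructed trace modelled on the tcpdump in the thread: the *internal*
# Napster client opens the connection to the remote peer's port 8888.
def handshake(peer_port: int):
    return [Pkt("out", 1025, peer_port, syn=True, ack=False),   # SYN
            Pkt("in", peer_port, 1025, syn=True, ack=True),     # SYN/ACK
            Pkt("out", 1025, peer_port, syn=False, ack=True)]   # ACK

# Nate's original policy: setup packets may only leave the network.
SETUP_OUT_ONLY = [("allow", "out", None, "setup"),
                  ("deny", "in", None, "setup"),
                  ("allow", None, None, "established")]

# Guy's suggestion: additionally drop outgoing SYNs to port 8888.
BLOCK_8888 = [("deny", "out", 8888, "setup")] + SETUP_OUT_ONLY
```

Under SETUP_OUT_ONLY the whole handshake passes because the SYN is outbound; only the extra deny on destination port 8888 stops it, and, as the reply notes, a peer listening on another port is not covered by that rule.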