From owner-freebsd-hackers Thu Oct 19 14:24:13 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 6963437B4E5 for ; Thu, 19 Oct 2000 14:24:10 -0700 (PDT)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id PAA26756; Thu, 19 Oct 2000 15:24:03 -0600 (MDT) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id PAA25574; Thu, 19 Oct 2000 15:24:03 -0600 (MDT) (envelope-from nate)
Date: Thu, 19 Oct 2000 15:24:03 -0600 (MDT)
Message-Id: <200010192124.PAA25574@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Guy Helmer
Cc: Nate Williams , freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW bug/incoming TCP connections being let in.
In-Reply-To:
References: <200010192029.OAA25357@nomad.yogotech.com>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > I had blocked incoming TCP connections coming into my network using
> > IPFW, and I noticed that my brother was able to establish a Napster
> > connection, even though I had blocked it earlier.
> >
> > I thought, no worries, I'll just block it at the port level.
> >
> > I read a couple of articles, and noted that connections from 8888 to the
> > server should be blocked.
> >
> > Easy enough, I'll just block my clients from establishing connections to
> > port 8888.
> >
> > Unfortunately, that doesn't work. Looking at tcpdump output, the
> > 'server' appears to initiate a TCP connection from 8888 -> some random
> > port. My firewall rules do *NOT* allow incoming TCP connections to be
> > made to internal machines, since they only allow 'setup' packets to go
> > out.
> >
> > So, how can Napster work? What happened to the 3-way handshake? I
> > could see an issue if the OS's were hacked to get around this and not
> > require a 3-way handshake, but the client in this case is a Win98 box.
>
> The remote napster client sends a message through the central Napster
> server, which relays the message to your Napster client to tell your
> machine to make a connection to the remote machine.

This much I understand. However, I'm not making any downloads, so my
client isn't (yet) connecting to another client. I'm trying to block
connections to the server. How is the client connecting to the server?

I don't see *any* TCP setup packets being sent out by my client, so how
is the client communicating with the server via TCP? (I *AM* seeing TCP
packets being sent out, but they are being sent as 'established'
connections, before a setup packet is being sent.)

> The regular 3-way handshake is occurring. It's just not initiated by the
> machine you would expect.

The only way my client can work is if it initiates the connection, but I
don't see it initiating a connection to port 8888. So, how then is the
Napster server at port 8888 communicating with my client?

> You'd have to block outgoing SYNs to any
> outside host at port 8888 (but anyone who knows anything about ports could
> change their port number and get around your block).

That was what I did, but the rule is never being hit. However, there
appears to be a connection from my client to port 8888 on the server.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
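Added example, not from the mail or from FreeBSD: a small Python checker that applies the rule model Nate describes (ipfw `setup` allowed outbound only, `established` allowed both ways, everything else denied) to tcpdump-style lines and flags packets the ruleset would pass as established although no setup packet was ever seen on that flow, which is the symptom the mail reports. The sample lines, addresses and ports are constructed, and 10.0.0.0/8 is assumed to be the inside network.

```python
import re

# Constructed tcpdump-style sample (not from the original mail).
# 10.0.0.5 is an inside client; 192.0.2.10 stands in for the server at 8888.
SAMPLE = """\
10.0.0.5.1049 > 192.0.2.10.8888: Flags [S]
192.0.2.10.8888 > 10.0.0.5.1049: Flags [S.]
10.0.0.5.1049 > 192.0.2.10.8888: Flags [.]
10.0.0.5.1050 > 192.0.2.10.8888: Flags [P.]
192.0.2.10.8888 > 10.0.0.5.1050: Flags [P.]
192.0.2.10.8888 > 10.0.0.5.1051: Flags [S]
"""

LINE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Parse 'src.port > dst.port: Flags [..]'; '.' in the flags means ACK."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": flags}

def ipfw_class(flags):
    """ipfw(8): 'established' = ACK or RST set; 'setup' = SYN set, ACK clear."""
    if "R" in flags or "." in flags:
        return "established"
    if "S" in flags:
        return "setup"
    return "other"

def verdict(pkt, inside):
    """Ruleset from the mail: setup only from inside, established always, rest denied."""
    cls = ipfw_class(pkt["flags"])
    if cls == "established" or (cls == "setup" and pkt["src"].startswith(inside)):
        return "allow"
    return "deny"

def audit(text, inside="10.0.0."):
    """Return packets passed as 'established' on flows that never had an allowed setup."""
    syn_seen, findings = set(), []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        cls, pkt["verdict"] = ipfw_class(pkt["flags"]), verdict(pkt, inside)
        if cls == "setup" and pkt["verdict"] == "allow":
            syn_seen.add(key)  # a denied inbound SYN does not open the flow
        elif cls == "established" and key not in syn_seen:
            findings.append(pkt)
    return findings
```

Run against a real tcpdump capture of the inside interface, every hit is a packet the "established" rule lets through without a handshake the firewall ever saw, which narrows the question to where that flow was actually set up.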