Benjamin Coates wrote:
> 
> >From Mr.Bad <[EMAIL PROTECTED]>
> 
> >So, is the following statement true?
> >
> >        "You can run a Freenet node behind a firewall iff
> >
> >         a) The firewall allows the node to make outbound connections
> >            on arbitrary ports.
> 
> Are there a significant number of firewalls that allow you to make outbound
> connections, but not on arbitrary (1024-5000) ports?  Would it be worthwhile
> to have the node take a range of ports to make outbound connections on?

Most firewalls nowadays, or at least the ones being managed by competent
admins, take a "Deny by default" approach.  In other words, not only on
inbound but also on outbound connections, *all* connections are denied
unless explicitly approved.

I agree with what seems to be the general consensus that trying to make
Freenet overly firewall-friendly is going to be a waste of most of the
effort as it's probably about as friendly as it's going to get in all
honesty.  (with one exception, covered below.)

FWIW and only tangentially related - I *am* running a Freenet node
behind my firewall at home, but it required some trickery.  Note that at
home, I only have the "deny by default" on inbound connections. 
Outbound connections all simply get masqueraded.  (So does that make me
an "incompetent admin", too trusting or just lazy?  :)  If I were using
"deny by default" on outbound connections as well, I would have just
given up on getting Freenet to run as a node behind the firewall.

Nonetheless, I still ran into one thing that kept me stumped for a
while.  Here's the issue I ran into and a small change that would help
the situation:

My external address is dynamically assigned (cablemodem) but stays
relatively persistent for several weeks at a time.  I have a Linux box
acting as a firewall directly connected to the cablemodem, running
iptables with the 2.4 kernel.  I set up a DNAT rule that forwarded
connections to "19114" to the cablemodem address to the machine on my
internal home network running as a Freenet node.

The problem is that if I set "nodeAddress" to the machine's "real"
internal address, that's the address that gets advertised to the rest of
the Freenet.  Since it's a non-routable address, nobody can ever talk to
me.

If I set "nodeAddress" to the address of the cablemodem's "real"
external address, it gets advertised to the rest of the Freenet
properly, but when the Node starts up and attempts to service any
requests, it tries to connect to that address, which it can't reach
since a) it's not the machine's real address and b) it can't connect to
it through the firewall because firewalls have a real hard time (i.e.
don't) rewriting packet addresses for packets coming from the address to
which they are supposed to be rewritten, and routing packets that are
coming from the machine/interface to which they're then supposed to be
re-routed.

The solution involved some DNS trickery and only works because I also
have a "real" server that's "really" internet routable with a "real" IP
address and runs BIND and is authoritative for a domain I own.  So on
the Freenet Node machine, I edit /etc/hosts so that the name
"freenet.my.domain.com" is the machine's real local address and make sure
it looks at /etc/hosts before it checks DNS, then set up my DNS so that
"freenet.my.domain.com" points to the external address of my cablemodem. 

Now other machines on Freenet get "freenet.my.domain.com" as the address
of my Node, but my box knows "freenet.my.domain.com" as its own internal
address and everyone's happy.

Short version: if the config file had "bindAddress" and
"advertiseAddress" as separate entries, this would not require *any*
trickery - just different values for each of those settings and then
people with cablemodems, DSL or other semi-permanent addresses could run
Freenet Nodes without having to do weird split-DNS stuff.

Other than that, I think doing anything more than Freenet already does
to make it play happier with Firewalls is going to be wasted effort
since it's only going to work in a very few firewalled environments as a
whole.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 

usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \
    | extract_mpeg2 | mpeg2dec - 

http://www.eff.org/                    http://www.opendvd.org/ 
         http://www.cs.cmu.edu/~dst/DeCSS/Gallery/

_______________________________________________
Devl mailing list
[EMAIL PROTECTED]
http://lists.freenetproject.org/mailman/listinfo/devl
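Added example, not code from the post or from Freenet: a small checker that models the three configurations the message above walks through (nodeAddress set to the internal address, to the cablemodem's address, and to a split-horizon name) plus the proposed bindAddress / advertiseAddress split, and reports which one leaves the node unreachable or trying to reach itself through the firewall. The addresses (192.168.1.10 for the node host, 203.0.113.7 for the cablemodem), the hosts-file and DNS contents, and the iptables rule in the comment are constructed assumptions; only the name freenet.my.domain.com and port 19114 come from the post.

```python
import ipaddress
from typing import Dict, List

# Constructed sample environment: stands in for the post's home network,
# not the author's real addresses.  203.0.113.7 (TEST-NET-3) plays the
# cablemodem's external address; the node host is 192.168.1.10.
NODE_LOCAL_ADDRS = {"192.168.1.10", "127.0.0.1"}
FIREWALL_EXTERNAL = "203.0.113.7"
FREENET_PORT = 19114
# Assumed form of the firewall's DNAT rule from the post (the post does not
# show it):
#   iptables -t nat -A PREROUTING -d 203.0.113.7 -p tcp --dport 19114 \
#            -j DNAT --to-destination 192.168.1.10

# Split-horizon name: /etc/hosts on the node host says one thing, the
# authoritative zone that everyone else queries says another.
HOSTS_FILE: Dict[str, str] = {"freenet.my.domain.com": "192.168.1.10"}
PUBLIC_DNS: Dict[str, str] = {"freenet.my.domain.com": FIREWALL_EXTERNAL}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def routable(addr: str) -> bool:
    """True if peers on the Internet could plausibly reach this address.
    Checked explicitly rather than via ipaddress.is_private, which also
    flags the documentation range used for this sample."""
    a = ipaddress.ip_address(addr)
    return not (a.is_loopback or a.is_link_local or a.is_multicast
                or any(a in net for net in RFC1918))


def resolve(name: str, inside: bool) -> str:
    """Resolve a literal or a name the way the post describes: the node
    host consults /etc/hosts before DNS, remote peers only see the zone."""
    try:
        return str(ipaddress.ip_address(name))  # already an IP literal
    except ValueError:
        pass
    if inside and name in HOSTS_FILE:
        return HOSTS_FILE[name]
    return PUBLIC_DNS[name]


def check(bind: str, advertise: str) -> List[str]:
    """Problems a node would hit with these settings.  A node that has
    only a single nodeAddress uses the same value for both."""
    problems = []
    local = resolve(bind, inside=True)
    remote = resolve(advertise, inside=False)
    if local not in NODE_LOCAL_ADDRS:
        problems.append(
            f"bind {bind} -> {local}: not one of this host's addresses, so "
            f"the node would try to reach itself through the firewall and fail")
    if not routable(remote):
        problems.append(
            f"advertise {advertise} -> {remote}: not routable from the "
            f"Internet, peers can never connect to port {FREENET_PORT}")
    return problems


if __name__ == "__main__":
    scenarios = {
        "nodeAddress = internal address": ("192.168.1.10", "192.168.1.10"),
        "nodeAddress = cablemodem address": (FIREWALL_EXTERNAL, FIREWALL_EXTERNAL),
        "nodeAddress = split-horizon name": ("freenet.my.domain.com",) * 2,
        "bindAddress / advertiseAddress": ("192.168.1.10", FIREWALL_EXTERNAL),
    }
    for label, (bind, adv) in scenarios.items():
        found = check(bind, adv)
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print("  -", p)
```

The split-horizon case passes only because `resolve` consults the hosts file first for the local view; drop that entry (or let the resolver query DNS first) and it degrades to the "cablemodem address" case, which is exactly the ordering the post says it had to force.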
