Firewalls



kim jong il
5th August 2004, 10:51 AM
I'm a little lost with this one. My computers are protected from the outside world by my modem/router's NAT as well as the OS X firewall. My modem/router only allows me to forward 20 ports (i.e. access to my machine) and the OS X firewall should only allow connections to the outside world on the ports I open there; is this right?

If yes, why do I, while using a bittorrent client, in the activity monitor/(process name here)/inspect process/open files view, find that there are remote connections on ports that should by all rights be blocked? Virtually all connections are on port 6881, while the odd one comes up with 16881 or 4562 or something similar. You get the idea? How does this work? It makes me wonder about security and what is enough and what ...........blah

Any input on this would be appreciated.

cheers, kim

EDIT: admins feel free to relocate this to the bittorrent thread if you have to, although my enquiry is firewall related

Jimbo
5th August 2004, 12:36 PM
well, if you're communicating OUT on those ports using BT then of course they're gonna be open

kim jong il
6th August 2004, 03:36 AM
Originally posted by Jimbo@Aug 5 2004, 12:36 PM
well, if you're communicating OUT on those ports using BT then of course they're gonna be open
I realise that there can be no block on outgoing traffic. These are connected peers and I am talking two-way traffic. I figured that the uploads only were the connections where no port is listed in the activity monitor, and two-way traffic where the ports are listed.

I can see I will have to resort to using a traffic monitor to find out what is going on. The out of range connections are rare and I still believe they should not be there. Hopefully I will find out.

One more thing: Tomato torrent claims only to use 6881-6889 while Azureus claims only 6881. Surely they should be negotiating connections on these ports exclusively.

kim
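One way to do the traffic check kim mentions, as an added example that is not from any poster on this thread: the script below parses a constructed `lsof -i -nP` listing (Azureus, PID and addresses are made up) and labels each connection as started by us or by a peer. A peer's port such as 16881 only ever shows up as the remote end of an outbound connection, which needs no firewall or forwarding rule; an inbound connection on a local port that is not forwarded is the case worth flagging.

```python
import re

# Constructed sample of `lsof -i -nP` output for a torrent client; not captured from
# the poster's machine. One listener on 6881 (forwarded) and one on 4562 (not).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Azureus  1234  kim   45u  IPv4 0x1a2b      0t0  TCP *:6881 (LISTEN)
Azureus  1234  kim   46u  IPv4 0x1a2c      0t0  TCP *:4562 (LISTEN)
Azureus  1234  kim   47u  IPv4 0x1a2d      0t0  TCP 192.168.0.1:6881->203.0.113.5:51234 (ESTABLISHED)
Azureus  1234  kim   48u  IPv4 0x1a2e      0t0  TCP 192.168.0.1:49231->198.51.100.7:6881 (ESTABLISHED)
Azureus  1234  kim   49u  IPv4 0x1a2f      0t0  TCP 192.168.0.1:49232->198.51.100.9:16881 (ESTABLISHED)
Azureus  1234  kim   50u  IPv4 0x1a30      0t0  TCP 192.168.0.1:4562->203.0.113.8:40112 (ESTABLISHED)
"""

LISTEN_RE = re.compile(r"TCP \S+:(\d+) \(LISTEN\)")
CONN_RE = re.compile(r"TCP \S+:(\d+)->(\S+):(\d+) \(ESTABLISHED\)")


def classify_connections(lsof_text, forwarded_ports):
    """Label each established TCP connection as inbound or outbound.

    A connection whose local port is one the client is listening on was started
    by the peer, so it had to come through a forwarded port. Anything else was
    started by us: the remote port is simply whatever the peer listens on, and
    no firewall or router rule is needed for it.
    Returns a list of (direction, remote_ip, remote_port, note).
    """
    listening = {int(m.group(1)) for m in LISTEN_RE.finditer(lsof_text)}
    results = []
    for line in lsof_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        local_port, remote_ip, remote_port = int(m.group(1)), m.group(2), int(m.group(3))
        if local_port in listening:
            # Behind NAT this can only happen on a forwarded port; anything else
            # means the router is letting in more than you configured.
            note = "ok" if local_port in forwarded_ports else \
                "UNEXPECTED: inbound on port %d, which is not forwarded" % local_port
            results.append(("inbound", remote_ip, remote_port, note))
        else:
            results.append(("outbound", remote_ip, remote_port, "ok"))
    return results


if __name__ == "__main__":
    for row in classify_connections(SAMPLE_LSOF, set(range(6881, 6890))):
        print("%-8s %s:%d  %s" % row)
```

Run it against real output with `lsof -i -nP` piped into the function to see the same split on a live client.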

elvis
6th August 2004, 12:41 PM
Torrent Networking 101 with professor elvis:

Torrent networking requires a direct connection between peers seeding files for transfer to occur. This can cause problems for folks sitting behind NATs and Firewalls who don't know how to open their ports, and forward information.

Torrent technology uses a port per connection. The default port configuration is ports 6881 through 6889 inclusive. Azureus seems to be able to "share" a port by constantly swapping connections on the port. However, if told, it can use the full port range for better performance.

Two types of situations exist that can block ports. You can be connected directly to the internet, and protected by a firewall. In this case, you'll only need to "poke holes" in your firewall to allow specific ports through.

Alternatively, you may be behind a NAT. NAT stands for "Network Address Translation". Routing devices often use NATs to allow multiple machines to connect to the internet from a single public IP.

Say for instance I have three machines and one internet connection. My internal IPs are 192.168.0.1 through .3 for the machines, and .254 for the router. The router acts as the communication centre for all messages to the internet to go through. If machine .1 wants to access a website, it asks the .254 router to do so. The .254 router then "masquerades" the request from the .1 machine, and when information returns sends it back to the correct machine.

Now, if you want masqueraded/NATed machines behind a router to receive information (like you would if you were using Torrent), the machine has no direct inbound connection from the internet (it only has outbound request capability by default), and won't work. So if your public IP was 200.200.200.200, that translates to the public side of your router. How does the torrent information know which machine to connect to after the router? It doesn't.

Enter "port forwarding". Say information comes in to port 6881 on my router. The router can be told that all TCP information coming in on port 6881 must be forwarded from my external public IP to my internal private IP of 192.168.0.1. This way, internal machine .1 has its TCP port 6881 open to the internet, thanks to the router forwarding all information on.

Imagine the whole setup like a large building of staff. If I am the IT manager, how do people know how to send me a letter? They don't. They write a letter to the "IT manager" (ie: port number) at the "street address" (ie: the public IP), and the letter is then forwarded on by the secretary (ie: the router) to the correct location internally.

So, long story short: if you want to enable Torrent technology to work and you have both a firewall and a NAT, you first need to tell the firewall to allow ports 6881 to 6889 through. Secondly you need to also tell the router component to manually forward those same ports through to the machine that will be using the Torrent client.

Here endeth the lesson.

Disko
6th August 2004, 12:50 PM
*standing ovation to professor elvis*

kim jong il
6th August 2004, 04:58 PM
Absolute poetry......but I feel it answered a different question. I have mastered bittorrent. Maybe I was not clear? Who knows? However, this is the situation.

I am using dynamic NAPT, each IP linked to the open ppp session. Only certain ports have been forwarded on the modem router, mapped to appropriate IPs, coupled with the OSX firewall. How solid is it? How does it work?
Answer this and you have my eternal gratitude (non-core gratitude that is)........ even as i write the answer is coming to me.

............The firewall is only one way. I have (metaphorically) 65356 doors exposed to the outside world. A number of these can be opened from the outside with the right permissions while the rest can only be opened from the inside, and then they will allow two-way communication within certain parameters (I get to hold the door handle). Is that about right? I can edit easily enough to clarify the metaphor.

kim

elvis
7th August 2004, 06:09 PM
If a particular port is opened and forwarded, all information coming in on that port number will be sent through to the machine inside the network.

This isn't as bad as it sounds. If Azureus (or any other torrent client) is not running on that machine, and information is forwarded on, the information simply times out due to no service responding to information on that port. Information coming in with no responding service can do no evil to your Mac.

Forwarding only the ports you want, and also turning on your MacOSX firewall (and only opening the ports you want to use) is a safe way to use the internet. Generally speaking services like torrent are safe. Most attacks on servers tend to hit the more popular ports for unpatched software. Ports 80 (http), 21 (ftp), 53 (DNS), 113 (auth), 25 (SMTP), 139 and 445 (Microsoft SMB/CIFS) and others are generally the targets for attacks due to software often being out of date and unpatched.

Your door metaphor above is a bit weird. Generally from behind a firewall all outbound information is allowed. Anything inbound that is an ACK (Synchronise Acknowledgement) to a SYN (Synchronise Start) request is allowed (ie: I ask for a webpage to be displayed (SYN) and the webpage is sent to me (ACK), etc). Anything inbound that is a SYN should be denied unless you explicitly say it is allowed via your firewall allow list.

The MacOSX firewall is based on the BSD IPFilters, which are an SPI (stateful packet inspection) firewall, and industry proven in their strength and resistance to attack. This is the same code used in commercial hardware firewall devices all over the world. These same devices protect banks, governments and military organisations everywhere.

I'd happily put a Mac live on the web with the default firewall enabled. On the flipside there's no way in hell I'd stick a WindowsXP box with the default firewall enabled live on the web. I just don't trust that software!

The best plan of attack always is to firewall everything from the router backwards. Open only the ports you want for the programs you want. Generally speaking, most programs do not need firewall ports opened. Torrent stuff is different due to its design (ie: forced file sharing for bandwidth alleviation of hosts).

If you ever take your Mac to an untrusted network (ie: to a LAN, or take a laptop to a friend's house), ALWAYS turn your firewall on. While Macs are far more resistant to virus and other attacks than Windows, it never hurts to play safe.
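The two hops elvis describes in his Networking 101 post and in the SYN/ACK explanation above, as an added simulation that is not code from any poster: a NAT router with a forwarding table and connection state, followed by a stateful host firewall with its own allow list. Addresses follow elvis's example (public IP 200.200.200.200, Mac at 192.168.0.1); peer addresses, ports and the masquerade port range are made up. It shows why a forwarded-but-not-opened port still gets denied on the Mac, and why an unsolicited packet to a non-forwarded port never reaches it at all.

```python
# Hypothetical model of the router + host firewall chain; not any vendor's implementation.

class NatRouter:
    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = forwards   # external port -> (internal ip, internal port)
        self.state = {}            # (remote ip, remote port, public port) -> (int ip, int port)
        self.next_port = 40000     # masquerade ports handed out for outbound flows

    def outbound(self, src, sport, dst, dport):
        """Masquerade an internal host's outgoing packet and remember the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.state[(dst, dport, pub_port)] = (src, sport)
        return (self.public_ip, pub_port, dst, dport)

    def inbound(self, src, sport, dport):
        """Return (verdict, internal target) for a packet arriving from the internet."""
        if (src, sport, dport) in self.state:   # reply to a flow we started
            return "reply", self.state[(src, sport, dport)]
        if dport in self.forwards:              # explicitly forwarded port
            return "forwarded", self.forwards[dport]
        return "dropped", None                  # unsolicited, nowhere to send it


def host_firewall(dport, syn, open_ports, known_flows):
    """Stateful host firewall: replies to our flows pass, a new SYN only on an open port."""
    if dport in known_flows:
        return "allow"
    if syn and dport in open_ports:
        return "allow"
    return "deny"


def scenario():
    router = NatRouter("200.200.200.200", {p: ("192.168.0.1", p) for p in range(6881, 6890)})
    mac_open = {6881}   # Mac's allow list: only 6881, narrower than the router's forwards
    # 1. The Mac fetches a web page: outbound SYN, then the server's reply comes back.
    _, pub_port, _, _ = router.outbound("192.168.0.1", 49231, "203.0.113.80", 80)
    web_reply, _ = router.inbound("203.0.113.80", 80, pub_port)
    # 2. A peer connects to our forwarded torrent port 6881.
    peer, target = router.inbound("198.51.100.7", 51234, 6881)
    peer_host = host_firewall(target[1], True, mac_open, set())
    # 3. A peer hits 6885: forwarded by the router but not opened on the Mac.
    other, target2 = router.inbound("198.51.100.9", 51235, 6885)
    other_host = host_firewall(target2[1], True, mac_open, set())
    # 4. Unsolicited SYN to SMTP: never forwarded, so it never reaches the Mac.
    smtp, _ = router.inbound("203.0.113.9", 4444, 25)
    return {"web_reply": web_reply, "peer_6881": (peer, peer_host),
            "peer_6885": (other, other_host), "smtp_probe": smtp}
```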