I have read socks5's RFC, but I still don't understand why TCP and UDP packets can be passed through the firewall.
It is not possible to simply bypass a (properly configured) firewall by using the SOCKS protocol and this is also not the intention of the protocol.
In the context of firewalls a SOCKS server is a proxy server which is explicitly installed at the firewall in order to provide internal clients with restricted access to the outside. This usually means that most outgoing traffic except SOCKS is blocked by the firewall and that the SOCKS server is configured to only allow authenticated connections (based on IP, user or similar) and maybe even restrict where specific users can connect to. Insofar it is similar to a HTTP proxy.
Related
I am trying to setup a loadbalancing lab for HAproxy in single-arm mode (when actual frontend IP and backend servers reside in same subnet, while actual clients are always remote). Another request is to make client source IPs visible to backend nodes. As we load-balance custom tcp-based app, it seems that option 'source 0.0.0.0 usesrc clientip' is a right choice here. Also, I have configured backends to have default-gateways pointing to HAproxy's IP address.
Although strange things happen once I enable this backend option: I see connection to frontend VIP was properly done and 3-way handshake formed. But when HAproxy server is trying to build a 2nd session to reach out to backend servers with spoofed IP of a client, I see exactly this happening:
Proxy is sending SYN with spoofed Client's IP address to one of the backends;
Backend is normally repsonds with SYN-ACK packet;
Proxy is NOT sending last ACK, just blindly sends SYN packets after timeout with same outcome;
On a proxy I see this connection is marked as SYN_SENT in netstat output, so it looks like proxy server doesn't accept actualy SYN-ACK packet for some reason.
Any comment would be appreciated.
The source option makes HAProxy bind to a specific IP address before it relays the request to the server. If you just need to load balance servers over TCP/IP (not HTTP), then you do not need this.
Set mode tcp in your frontend and backend, which enables load balancing of TCP-enabled applications.
To forward the client's IP address to the server, can you modify your custom application to support the Proxy Protocol? https://www.haproxy.com/blog/using-haproxy-with-the-proxy-protocol-to-better-secure-your-database/
I want to make a really secure environment for a Linux computer. Essentially I will direct connect to the hardware with keyboard and screen only, there is no need to have any SSH etc. so all servers will be stopped, UFW will block all inbound ports.
Re outbound ports, there is one client service for arguments sake 'foo-serviced' that will need to connect to some other servers on my LAN, its a client that gets a system allocated outbound port. If possible I would like to block all outgoing traffic too, except for that foo-serviced connection. Is there a way to manage system allocated ports so I can allow that port, or is there a way to allow specific clients access?
After further research I realised that I can block all outbound and then use the port of the destination server to allow the outbound access.
I am reading the SOCKS5 RFC, it has:
CONNECT
In the reply to a CONNECT, BND.PORT contains the port number that the
server assigned to connect to the target host, while BND.ADDR
contains the associated IP address. The supplied BND.ADDR is often
different from the IP address that the client uses to reach the SOCKS
server, since such servers are often multi-homed. It is expected
that the SOCKS server will use DST.ADDR and DST.PORT, and the
client-side source address and port in evaluating the CONNECT
request.
For the last part of this paragraph, I have two questions:
The doc states that SOCKS servers are often multi-homed, and will reply to the client different bound address and port than the ones the client originally connects to. Does this mean the SOCKS server the client connects to redirects the connection to another SOCKS server? If so, what is point of letting the client sense the presence of the redirected SOCKS server? What will a client normally do with the bound address and port the SOCKS server replies?
The doc states It is expected that the SOCKS server will use DST.ADDR and DST.PORT, and the client-side source address and port in evaluating the CONNECT request, what exactly does it mean by evaluating the CONNECT request? What am I supposed to do in this evaluating process if I am implementing a SOCKS server?
SOCKS proxies are multi-homed because they are often installed at network boundaries like firewalls. The client connects to the internal interface of the firewall but the outgoing address is the external face. Since some protocols like FTP need to include the external visible IP address and port in-band (see FTP data transfer, i.e. PORT and PASV) they need to know this externally visible IP and port.
A normal socks proxy will connect where the clients wants to, i.e. DST. But when an upstream proxy is configured or when firewall ACL say different the proxy might behave differently.
No. It means the server has 2 (or more) network cards/connections -- you communicate with the server on cardA, but when that server connects to the device downstream, it uses cardB.
That's up to you really...perhaps you want to blacklist/whitelist certain clients/servers/ports (ex. only allow clients from your country, or only allow connections to a specific country). Good example is not letting a client connect back to itself (?). Just a guess. Usually RFCs are good about saying "MUST, MIGHT, MUST NOT, etc" ..if it says "expected", to me that sounds like 'might' which basically means 'can, but doesn't have to.'
Suppose I have a VPS with private networking setup such that the only ports that are open are the port for SSHing into the server and the port that connects the server to other servers on the private network. Can this same server still send requests through the internet and receive back responses? If so, through what 'channel' are the requests/responses being sent/received?
It depends on what the outbound firewall settings are on the server. If the firewall allows all outbound connections then you can connect out to any server on any protocol.
However, depending on the hosting provider, they may limit the ports which you can use for outbound connections. Most likely (but not guaranteed) you'll be able to use HTTP (80) and HTTPS (443). It is quite possible that SSH (22) would be open as well. Those three should cover most, if not all, of the needs to would have.
I've been investigating networking for use in a two-player game I'm writing, and I'm still not clear on when a device must have a port forwarded in order to communicate with the outside world.
From what I've seen in other games, port forwarding is always required in order to host a server, but is not required on the client. In addition, there are other situations, such as skype (which, to my understanding is ultimately client to client), where neither end must forward a port.
So my question is, in over-the-Internet communication, when is and isn't port forwarding necessary, and what steps can i take as a developer to make it so my users don't have to worry about it? Thanks in advance!
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router. If the connection is initiated by the machine behind the firewall, the firewall/router automatically recognizes the reply traffic and sends it to the machine that opened the connection.
But if a packet arrives on the external interface, and it's not a part of such a connection, the router needs to know what to do with it. By default, it will reject it. But if forwarding is configured for the port, that tells it what internal machine to send it to.
Put another way: you need port forwarding if you want to run a server behind the NAT firewall/router, you don't need it if you're just running a client.
There is reason why Skype don't (not always) need manual setting of port forwarding:
When you install Skype, a port above 1024 is chosen at random as the
port for incoming connections. You can configure Skype to use a
different port for incoming connections if you wish, but if you do,
you must open the alternative port manually.
If the port chosen for incoming connections becomes unavailable, by
default ports 80 and 443 will be used as alternatives. If another
application (such as Apache HTTP server or IIS) uses these ports, you
can either configure the application to use other ports, or you can
configure Skype to not use these ports.
Port forwarding is must if you host a server.
You can use same technique as Skype...
I am not sure if there is any other option...
Port forwarding (occurs) when a NAT, firewall or some other device blocks communication on all or some ports.
To answer your question as an example, most commercial routers use NAT to allow multiple people to use the same IP(As view from the outside world) provided by ISPs. Most ISP's use NAT to allow multiple customers to use the same IP(As viewed from the outside world). To get this to work, the NAT changes the internal IP and the port number of a communication to THE(there is only one for the entire sub network) external IP and a new port number. By doing this, the router/isp/ect can tell which internal IP and port each external communication goes to.
Anytime one of the computers communicating over the internet are behind a NAT, port forwarding is required. I'm sure there are way more situations than this, and the solution to each can be quite complicated. But this covers the vast majority.