Implementing blocking a TCP port [closed] - networking

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
I've noticed that my employer blocks outgoing traffic on a few problematic ports, such as SSH. It looks like a timeout to every application being blocked. Why isn't this implemented by refusing the connection? Is this simply that the SYN doesn't make it to the destination? I'm trying to make a list of ports that I am sure are blocked and I'm thinking perhaps I can just port scan a known host outside of the network, such as my VPS.
Are these statements true for most implementations?
If the connection is refused or accepted, then the port is open through the firewall.
If the connection times out but the host certainly exists and doesn't have any kernel-level features turned on to make it look like it doesn't exist, then the firewall is blocking it.

Your firewall may block/allow depending on IP address as well, so the port alone doesn't say anything.
If the connection is accepted, it doesn't mean the firewall isn't blocking, it might just mean the firewall redirects it elsewhere. For example, redirect all traffic to port 80 outside your organization to some "you can't get there from here" webpage.
If the connection times out, it may have lots of reasons, one of them being the firewall, but it might also be your DSL line is down, or routing is misconfigured somewhere, or just about anything that can go wrong on the network.
Even if the connection is accepted AND connects to the correct target (your VPS), it might have been redirected to a transparent proxy.
Think twice about the port scan. If the network people of your company manage their network well, they will detect the port scan, and you'll have to answer some embarrassing questions from them.

It's a security consideration. Sending a reset (refusing the connection) indicates that the resource exists, which is itself an information leak. Sending nothing reveals nothing, leaks nothing: it is indistinguishable from the case where the entire host doesn't exist. There was one firewall product in the 1990s that sent resets, which was considered poor practice.
I'm away from my library at the moment but I'll provide more details on Monday.
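Putting the caveats from the two answers above into code, as an added example that is not from the question or any answer: a tiny reference listener to run on a host you control (the VPS in the question) and a client that classifies connect() as accepted, refused (a RST came back, so the path is open, whether from a REJECT rule or from nothing listening) or timed out (ambiguous: a DROP rule, a dead host or a broken route), and on success compares the banner so a redirect or transparent proxy is not mistaken for a clean path. The host, port and token values are constructed for the demo.

```python
import errno
import socket
import threading

def start_reference_listener(token: bytes, host: str = "127.0.0.1") -> int:
    """Listener that greets each client with `token`; run it on the host you control (the VPS)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: let the kernel pick a free port; returned below
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(token + b"\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port(host: str = "127.0.0.1") -> int:
    """Reserve and release a port so nothing listens on it (connecting yields a RST)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

def check_egress(host: str, port: int, token: bytes, timeout: float = 3.0) -> str:
    """Classify the connect() outcome; on success, verify the peer is really our listener,
    since a redirect or transparent proxy would answer with a different banner."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            # Nothing came back: a DROP rule, a dead host and a broken route all look like this
            return "timeout (ambiguous: filtered, host down or routing problem)"
        except ConnectionRefusedError:
            # A RST came back, so the path is open: nothing listens, or a REJECT rule answered
            return "refused (path open, RST received)"
        except OSError as e:
            if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable (ICMP error from the network, not a silent drop)"
            raise
        try:
            banner = s.recv(256)
        except socket.timeout:
            banner = b""
    if banner.strip() == token:
        return "accepted (banner matches: our listener answered)"
    return "accepted (banner mismatch: likely redirected or proxied)"
```

Only the "accepted, banner matches" verdict is evidence that the path is clean; "refused" still proves the path is open, while "timeout" proves nothing on its own.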

You can profile what outbound ports are blocked with Firebind.
Check out scanme.firebind.com
It uses a custom client/server solution to specifically enumerate firewall rules.
Dave

Related

IPv6 changes frequently for SIP signalling [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed yesterday.
We have been using Linphone for our calling services and it's working fine on Wi-Fi and almost every cellular network except the one with IPv6 infrastructure.
The problem we discovered with the IPv6 environment is that our signalling IP changes very frequently and as a result our call drops after a 30-second timeout.
Any guidance regarding this matter will be helpful.
That happens often on 5G networks.
You can do nothing here; it is not related to Asterisk, it is related to how 5G providers handle NAT. They do not care.
The only thing you can do is use the Android/Apple push mechanism to force your application to re-register with the new IP.
You can do nothing if the customer changes GSM cells while in a call, except maybe issue a re-INVITE, but that is really hard and I know no softphone which does that correctly.
Another option is to use a tunnel with a ping inside it and re-setup (or set the tunnel up to ignore the source IP) and put your SIP traffic inside the tunnel. But that WILL eat a lot of battery and customers will complain or uninstall your app.

Does a refresh on a URL clear the corresponding DNS cache entry? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Say I have a DNS Server configured for a URL with a TTL of 5 minutes. The browser will cache the URL to IP address mapping for 5 minutes.
But, if the user clicks on refresh for that URL, will its corresponding entry in the browser's cache be cleared? Is the browser going to fetch information from the DNS server again?
The case is the following: I need to set a proper TTL to avoid excessive DNS traffic (so it should not be too low), but in the case of VM failure, the traffic should be redirected to another IP address (so it should not be too high).
If a refresh clears the DNS mapping cache entry, then I might choose a higher value.
Clicking refresh in the browser doesn't query the DNS again if there is already a cached DNS entry in the browser which has not expired.
If your site relies on DNS failover then in general you shouldn't have anything more than 60 seconds as the TTL for your DNS. Please note this is just a suggestion, not a foolproof method; most of the top 100 websites use this TTL.
HTTP and DNS are on different layers. There is no reason to do a DNS query again if it is in the cache and not expired when the user requests some URL again.
DNS alone is not a good failover mechanism. You need to add some kind of load balancing or master/slave virtual IP handling to have an "immediate" switchover in case of some dead server. Or use IP anycasting. In short, there are many solutions, but even if they can use DNS to their advantage, DNS alone cannot solve it.
You need to define what amount of unavailability time is accepted in your setup, and based on that you get the amount of time/energy/money you can invest in a setup to achieve this failover.

How to make multiple requests from the same IP but different ports (each from different location) [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
I have this scenario: an IP (e.g. 192.168.0.109). Is it possible to make some requests from the same IP but through different ports? Moreover, each port would be from a different zone. Something like a proxy, but for ports.
So, I would like to achieve something like this:
192.168.0.109:20000 -> Paris
192.168.0.109:20457 -> Lyon
192.168.0.109:21341 -> Sydney
I read something about TCP Proxy but I am not sure if this is exactly what I am looking for.
Can anyone explain to me if this is achievable and, if so, describe the entire process and what the steps would be in order to have something like this running?
Each new TCP connection will automatically be assigned a local IP and random port number from the kernel's ephemeral ports pool by default. You can optionally bind(2) the socket to the desired local IP and/or port before connect-ing to the server. You can bind() to a desired IP and let the kernel choose the port for you.
Have the client create a socket and call connect with the details of the server IP:Port. In this case, the OS automatically provides the local IP:Port to which the client binds to. This is default behavior.
If you wish, you can have the client bind to a specific IP - call bind before connect. You can leave the bound Port set to 0 so the OS will still choose a random local Port for you.
Now, when you want to make another connection, simply do the same thing as above. Nothing more is required.
So, you keep creating as many sockets as you want and making connections for them. They will automatically be from the chosen "zones" that they are bound to.
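The bind-before-connect sequence the answer describes, as an added example (not code from the question or the answer): the "zone" is simply whichever local IP you hand to bind(), and port 0 leaves the port to the kernel's ephemeral pool. The demo is a constructed setup on loopback (127.0.0.1) because it is the one address guaranteed to exist on any host.

```python
import socket

def connect_from(local_ip: str, remote: tuple, local_port: int = 0) -> socket.socket:
    """Connect to `remote` with the source side pinned by bind() before connect();
    local_port 0 leaves the port to the kernel's ephemeral pool, as the answer says."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((local_ip, local_port))  # choose the local IP (and optionally port) first
    s.connect(remote)               # then the kernel completes the handshake from it
    return s

def demo(local_ip: str = "127.0.0.1") -> dict:
    """Open a local listener and three connections to it: two with kernel-chosen
    ports, one with an explicitly chosen port. Returns the source addresses used."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind((local_ip, 0))
    lst.listen(5)  # connect() completes through the backlog; no accept() needed here
    remote = lst.getsockname()
    a = connect_from(local_ip, remote)
    b = connect_from(local_ip, remote)
    # Reserve a free port, release it, then pin the third connection to it explicitly
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((local_ip, 0))
        chosen = tmp.getsockname()[1]
    c = connect_from(local_ip, remote, chosen)
    result = {
        "auto": [a.getsockname(), b.getsockname()],
        "pinned": c.getsockname(),
        "chosen_port": chosen,
    }
    for s in (a, b, c, lst):
        s.close()
    return result
```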

How does an ISP block IP Addresses? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
I live in the UK and my ISP BT has blocked The Pirate Bay. I know you can just use proxies. I thought I'd be smart and get The Pirate Bay's IP and connect to it that way, but it turns out BT has blocked The Pirate Bay's IP. So I was wondering: how does an ISP block you from accessing IP addresses?
Your ISP is by definition on path to anything you access. It can just keep a list of IPs that they will not let you access and can hijack connections to them.
So for example when you connect to 192.0.2.1 they can just reply directly instead of letting the packets go to the real IP, and their reply is just a page displaying something like "site blocked etc".
Alternatively they could just not pass the packets forward and you would get a timeout. The gist of the matter is that since they are always on path they can always just check the destination IP in your packets.
They know each route you go; logic compares the target IP with blacklists! That's it.
Considering all your traffic goes through your ISP, it's within their power to block anything or everything from their side.
Also take note, a website's "address" only exists in the pretty version (www.something.com) because it makes it easier to read for people than a bunch of numbers (an IP).
But in practice, when you visit a website, the first is always converted into the latter, so there's no difference whether you visit piratebay.com or whatever its IP number is.

internal LAN connectivity without internet [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
I have a small doubt regarding the LAN, as I have some PCs in my office I want to connect internally with a little cable connection, but I don't want to use any internet activity from them (the purpose is to share data internally with no use of the internet).
And I have some more selected people who want to use internet access, so I want to give special internet access to those selected laptops.
I am a kid in networks, as I don't have any idea how I can start and move with the project; suggestions are mostly accepted.
You can do the following :-
Establish a small LAN connection in your office which will consist of those selected PCs which are not intended to run the internet at all! You can simply establish the LAN connection using routers and switches! Then, develop a small web-server-like thing on one of the PCs which will work as the server and the rest will work as clients! You can simply set up a distributed server which will take care of synchronisation things too (but that is not advisable for a basic or newbie setup)!
But simply multiple clients and a server is what you need to establish using the LAN connection, and make network file-sharing access permissions for all the systems... There are several software packages to transfer files and internally communicate, like a small mail server, intended for OSes like Windows, Linux, etc.
Next, for those laptops which you wanna connect to the internet: please establish a source of internet like any ISP and so on! Next, again establish a small LAN connection among those PCs which you want to connect to the internet. That's it, VOILA!
Your next step would be simply to configure the DNS setting, IP address of the ISP, subnet mask and gateway, and that is damn easy. You simply need to add it to the settings of the router through which all of your systems which are intended to access the internet would be connected. If you want to achieve the first thing with these PCs, then simply establish a local web server or mail server for file transfer or mail, etc. locally within the office.
Another possibility :-
Establish the web server communication with all the PCs connected. Connect all the PCs and laptops to routers and switches as desired. Keep a note of the IP addresses of all the PCs and laptops. Now, install a web filter/firewall which will restrict users from accessing the internet based on their hostname & IP address. Remember, for this to take place, all the systems must have static IP address allocation, not DHCP configuration!
I guess these are some of the possible steps. But there can be several effective steps too...
Best wishes from my side!
