Making a TCP connection through a restrictive outbound firewall - networking

I'm using Java to create a client/server application that communicates using TCP. The network that the client is running on has an outbound firewall that prevents the client from connecting to the server. Is there any way/workaround to create a TCP connection through this firewall?
I have tried to use common ports that are open such as port 80, 443, and 113, however the firewall appears to drop the connection once it is made (possibly by detecting non-protocol packets).
An alternative would be to have the client software run as a Java applet hosted from an external website, however I'm not sure if the outbound firewall would still be able to block this connection.
Any help would be greatly appreciated.

Assuming that the users have internet access, and you can't telnet through port 80/443, it probably means that the users connect through an HTTP proxy configured in the browser.
You could try to research on various tunneling methods via an HTTP Proxy... Though, that will be a very unstable hack.
I recommend contacting the system administrator, explaining your needs, and see what he/she suggests.

You can try to communicate using HTTP or HTTPS. By tunneling your protocol over these, it might be possible that the firewall lets your traffic through.
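The original poster observed that connections on "open" ports such as 80 and 443 were dropped once data flowed, possibly because the firewall checks that the traffic actually looks like the protocol expected on that port. The following added example (not code from the thread) shows a minimal form of that check as an egress firewall might apply it to the first bytes a client sends; the sample streams are constructed.

```python
# Added example: a protocol-validation check for outbound traffic on ports 80/443.
# A custom TCP protocol on port 443 fails this check even though the port is open,
# which is one way an egress firewall can "drop the connection once it is made".

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Constructed sample streams (first bytes the client sends after the TCP handshake).
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # TLS record + ClientHello header
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
CUSTOM = b"HELLO v1\n"                                       # hypothetical custom client greeting


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'other' for the opening bytes of a stream."""
    # TLS: record type 0x16 (handshake), record version 0x03 0x01..0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "other"


def egress_verdict(dst_port: int, first_bytes: bytes) -> str:
    """Allow-list policy: only HTTP on 80 and TLS on 443; everything else is dropped."""
    kind = classify_first_bytes(first_bytes)
    if dst_port == 80 and kind == "http":
        return "allow"
    if dst_port == 443 and kind == "tls":
        return "allow"
    return "drop"


if __name__ == "__main__":
    for port, stream in ((443, TLS_HELLO), (80, HTTP_REQ), (443, CUSTOM), (113, CUSTOM)):
        print(port, classify_first_bytes(stream), egress_verdict(port, stream))
```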

Related

Possible to hide TCP ip for clients?

This is my first post so...
I'm quite new to networking, I just started transferring data over TCP and everything is working fine. I am hosting a small chat server (made in AutoIt v3) on my own network, but what bothers me is that all the clients could simply track the IP on which the server is hosted...
As I don't want to be 'hacked' I would like to know if there is a way to hide the IP on which the server is hosted. Maybe routing it through another network if that is possible.. As I said I have pretty much 0 experience with networking, I can port forward and set up a simple server but that is pretty much it :)
Thanks everyone!
When you are opening up any service to the world, you should secure it via IPsec or TLS/SSL-like services; furthermore you should open only those ports on the IP which are required by that service.
Example: a.b.c.d:8080 for HTTP, so instead have it on HTTPS (port 443), that means a.b.c.d:443. HTTPS requires a TLS/SSL certificate and you can get them from here.
For your service TLS/SSL should suffice for the needs because it works over the transport layer.

Can you send outbound request from a VPS if all ports are closed?

Suppose I have a VPS with private networking setup such that the only ports that are open are the port for SSHing into the server and the port that connects the server to other servers on the private network. Can this same server still send requests through the internet and receive back responses? If so, through what 'channel' are the requests/responses being sent/received?
It depends on what the outbound firewall settings are on the server. If the firewall allows all outbound connections then you can connect out to any server on any protocol.
However, depending on the hosting provider, they may limit the ports which you can use for outbound connections. Most likely (but not guaranteed) you'll be able to use HTTP (80) and HTTPS (443). It is quite possible that SSH (22) would be open as well. Those three should cover most, if not all, of the needs you would have.

When is port forwarding necessary?

I've been investigating networking for use in a two-player game I'm writing, and I'm still not clear on when a device must have a port forwarded in order to communicate with the outside world.
From what I've seen in other games, port forwarding is always required in order to host a server, but is not required on the client. In addition, there are other situations, such as Skype (which, to my understanding, is ultimately client to client), where neither end must forward a port.
So my question is, in over-the-Internet communication, when is and isn't port forwarding necessary, and what steps can I take as a developer to make it so my users don't have to worry about it? Thanks in advance!
Port forwarding is needed when a machine on the Internet needs to initiate a connection to a machine that's behind a firewall or NAT router. If the connection is initiated by the machine behind the firewall, the firewall/router automatically recognizes the reply traffic and sends it to the machine that opened the connection.
But if a packet arrives on the external interface, and it's not a part of such a connection, the router needs to know what to do with it. By default, it will reject it. But if forwarding is configured for the port, that tells it what internal machine to send it to.
Put another way: you need port forwarding if you want to run a server behind the NAT firewall/router, you don't need it if you're just running a client.
There is a reason why Skype doesn't (not always) need manual setting of port forwarding:
When you install Skype, a port above 1024 is chosen at random as the port for incoming connections. You can configure Skype to use a different port for incoming connections if you wish, but if you do, you must open the alternative port manually.
If the port chosen for incoming connections becomes unavailable, by default ports 80 and 443 will be used as alternatives. If another application (such as Apache HTTP server or IIS) uses these ports, you can either configure the application to use other ports, or you can configure Skype to not use these ports.
Port forwarding is a must if you host a server.
You can use the same technique as Skype...
I am not sure if there is any other option...
Port forwarding (occurs) when a NAT, firewall or some other device blocks communication on all or some ports.
To answer your question with an example, most commercial routers use NAT to allow multiple people to use the same IP (as viewed from the outside world) provided by ISPs. Most ISPs use NAT to allow multiple customers to use the same IP (as viewed from the outside world). To get this to work, the NAT changes the internal IP and the port number of a communication to THE (there is only one for the entire sub-network) external IP and a new port number. By doing this, the router/ISP/etc. can tell which internal IP and port each external communication goes to.
Anytime one of the computers communicating over the internet is behind a NAT, port forwarding is required. I'm sure there are way more situations than this, and the solution to each can be quite complicated. But this covers the vast majority.
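The answers above describe the rule in words: an outbound connection creates a translation entry that the NAT uses to route replies, while an unsolicited inbound packet is rejected unless a forwarding rule names an internal host. This added example (not from the thread) is a toy model of that behaviour; the addresses and ports are constructed, and it assumes an address-and-port-restricted NAT, where a reply is accepted only from the peer the internal host actually contacted.

```python
# Added example: a toy NAT with connection tracking and port-forwarding rules.
# It shows why a client behind NAT needs no forwarding (replies match a tracked
# flow) while a server does (unsolicited packets have no entry to match).


class Nat:
    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.forwards = {}   # public port -> (internal ip, internal port)
        self.table = {}      # public port -> (internal ip, internal port, remote ip, remote port)

    def add_forward(self, public_port, internal_ip, internal_port):
        """Static port-forwarding rule, as configured on the router for a hosted server."""
        self.forwards[public_port] = (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens a connection: allocate a public port and record the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the external interface: reply to a tracked flow,
        delivery via a forwarding rule, or rejected (the default)."""
        entry = self.table.get(dst_port)
        if entry is not None and entry[2:] == (src_ip, src_port):
            return ("reply", entry[0], entry[1])
        fwd = self.forwards.get(dst_port)
        if fwd is not None:
            return ("forwarded", fwd[0], fwd[1])
        return ("rejected", None, None)


if __name__ == "__main__":
    nat = Nat("203.0.113.1")                       # constructed public address
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 443))   # client connects out
    print(nat.inbound("198.51.100.7", 443, 40000))  # reply is routed back to the client
    print(nat.inbound("198.51.100.9", 6000, 25565)) # unsolicited: rejected
    nat.add_forward(25565, "192.168.1.20", 25565)   # host a game server
    print(nat.inbound("198.51.100.9", 6000, 25565)) # now forwarded
```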

Access to a site on localhost from remote

I usually develop my project on my localhost, on Apache on an Ubuntu machine.
Sometimes I need to show progress to my customer.
Is it possible to access localhost from a remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides a https address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the port like so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, easiness of the configuration and cost of the solution.
Below I list some methods with some analysis.
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your router's public port to the localhost port); however, this requires you to have a fixed IP address. In case your IP address is not fixed (in most cases) you need to use Dynamic DNS services to be able to use a domain name instead of an IP address (there are a lot of available free services). Here we still have the security question open. To solve the security question, i.e. set up an SSL certificate, we can use the Let's Encrypt service ( https://letsencrypt.org/ ) to get a free certificate; however, we should configure the local server to use the certificate, or we should set up a reverse proxy (in most cases nginx or Apache) and configure the proxy to use the certificate.
Conclusion – Hard to setup if we want to have secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to VPN then in other side we should connect our client's machine to VPN that will allow us to access to localhost by local IP address. We can set up our own VPN server however this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (i.e. https://tunnelin.com/). The process is very straightforward, i.e. register a user, connect your device to the service (by running a one-line command on the device), use the web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static IPs during a session (i.e. until you disconnect and connect again).

If I read/write to a TCP socket that is on localhost, will that avoid firewalls?

If I want to open a TCP socket between 2 processes on the same computer, will having the server run on localhost and the client connect on localhost be safe from any firewall intervention?
Some firewalls are overzealous in this matter -- which is why IDLE (the Python-bundled IDE which talks to child programs on a localhost socket) warns about it and offers a command line option to avoid this bother (unfortunately, it mostly happens on Windows, so Unix-domain sockets are not a viable alternative to TCP sockets!-).
It depends on the implementation of the firewall, so, yes, there could be firewall intervention.
On systems I'm familiar with this request will never get "on the wire" so any external firewall you have is not going to enter the picture because the request never goes to the NIC at all. I can't say how a host-based firewall would interact with it as that's way too dependent on how the firewall is implemented.