Trying to get a grip on port forwarding
November 21, 2006 1:37 PM

Computer question: How is it possible for my computer and various p2p/network game apps to communicate with the Internet when it's obvious that all my ports are closed?

Basically I spent this morning trying to get a p2p client working. It said I was firewalled. I ran port tests for the client and the general port tests on whatsmyip.org, and they said that no ports were open and they were refusing packets. It was only when I went into my router that I discovered that no port forwarding was enabled... I set this up and now everything works.

Therefore why is it that some p2p and network games DO run, even with a fouled up port setup? I've been able to run Shareaza, a few network games, and other stuff, and even service outgoing files with inoperative ports. I considered that as evidence that maybe the ports were working, though obviously I was wrong. So how is it these programs were able to run?

Heck, how does http and smtp traffic get out when the modem and router are blocking all the ports? And if web & email use a tiny subset of "open ports", why don't trojans use these ports to do their dirty work? Or are those ports invincible?
posted by zek to Computers & Internet (7 answers total)
 
Response by poster: Also when I said that some p2p and network games DO run, even with a fouled up port setup, these apps weren't running very well, sometimes not at all, but they weren't completely inoperative either. My hypothesis is they should have flat out not worked.
posted by zek at 1:39 PM on November 21, 2006


Many p2p applications are designed to deal with blocked ports, often at a degraded level. Because your client can't receive an unsolicited request, it has to poll a known list of servers, often overloaded, for requests to open a connection, and then opens the connection from your side.
posted by nomisxid at 1:43 PM on November 21, 2006


Home routers are typically configured to block incoming traffic, but not outgoing. And once a connection has been initiated, the response is allowed in.

So if you request a web page, for example, the request is allowed out and the response is allowed back in (because the router remembers that you just made a request to that site). If that site had attempted to make a connection to your computer without your initial request, the router would have blocked it.

Many p2p applications would like it if other computers were able to directly connect to your computer, but can work (perhaps more slowly) with connections initiated by your computer only.
posted by jellicle at 1:47 PM on November 21, 2006


When your router says 'no ports open', it doesn't mean it's not allowing traffic on any port, it's just not allowing unsolicited incoming traffic. Now if you were at work, there might be a firewall that would prevent outgoing connections on unauthorized ports, but really that's nothing to do with port forwarding, it just uses similar terminology.
posted by nomisxid at 1:48 PM on November 21, 2006


"Established" connections are allowed. So joe opens a browser, which goes out port 80, and the router says, aw, let this go back to joe on port 80, because he established the connection.

Shareaza, kazaa, utorrent, etc, won't work well because no one can establish inbound connections to you. But the router will allow you to connect to others, which makes for cruddy seeding potential.

The trick is to remember there is inbound (highly restricted, generally, by default), and outbound, and different rules apply. You'll find that if you did forward port 5555 or whatever for your file sharing, portscan apps now show it as open.
posted by routergirl at 2:14 PM on November 21, 2006
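As an added illustration that is not part of the thread, the following Python model shows the behaviour nomisxid, jellicle and routergirl describe: the router lets any outbound connection through and remembers it, lets the reply back in, drops unsolicited inbound packets, and only shows a port as "open" to an outside scanner once a forwarding rule exists for it. The class and function names, addresses and ports are all constructed for the example, and NAT address translation is left out for simplicity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN

class HomeRouter:
    """Toy stateful filter: default-deny inbound, allow-all outbound."""

    def __init__(self, lan_ip="192.168.1.10", forwards=None):
        self.lan_ip = lan_ip
        # Port-forward rules: external port -> (internal ip, internal port).
        self.forwards = dict(forwards or {})
        # Connection table: (lan_ip, lan_port, remote_ip, remote_port).
        self.established = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound is allowed and creates state so the reply can return.
            self.established.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        # Inbound: a reply to a connection the LAN host opened is allowed...
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.established:
            return "ALLOW (established)"
        # ...as is traffic to an explicitly forwarded port (NAT omitted here).
        if pkt.dst_port in self.forwards:
            return "FORWARD to %s:%d" % self.forwards[pkt.dst_port]
        return "DROP (unsolicited)"

def external_scan(router, ports, scanner_ip="198.51.100.7"):
    """What a port-test site sees: unsolicited inbound, so only forwarded ports are open."""
    result = {}
    for p in ports:
        verdict = router.filter(Packet(scanner_ip, 44444, router.lan_ip, p, "in"))
        result[p] = "open" if verdict.startswith("FORWARD") else "closed"
    return result

def demo():
    # Constructed sample traffic: a web request and its reply, a stray inbound
    # packet to a p2p port, and an inbound packet to a forwarded port 5555.
    router = HomeRouter(forwards={5555: ("192.168.1.10", 5555)})
    web_out = Packet("192.168.1.10", 40000, "203.0.113.5", 80, "out")
    web_reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, "in")
    unsolicited = Packet("198.51.100.7", 6881, "192.168.1.10", 6881, "in")
    forwarded = Packet("198.51.100.7", 51234, "192.168.1.10", 5555, "in")
    verdicts = [router.filter(p) for p in (web_out, web_reply, unsolicited, forwarded)]
    return verdicts, external_scan(router, [80, 6881, 5555])
```

Running demo() shows the web reply accepted only because the request went out first, the stray packet dropped, and the scanner reporting just port 5555 as open.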


As others have noted, most home routers are set up so that incoming ports are blocked, but outgoing ports are open. That means that no one from outside can connect to ports 1 - 65535 inside your network, but you can connect to ports 1 - 65535 on machines outside your network (assuming they have their incoming ports open to allow you to do so).

The reason that some p2p networks and networked games work, in spite of the incoming port lock down, is that there is an intermediary server that is essentially routing traffic between communicating hosts. For instance, you initiate an "always on" connection between you and P2PServer1, and your neighbor down the street does the same. When your neighbor sends information to P2PServer1 which it determines is relevant to you, it relays it on to you over the connection you initiated. Your neighbor knows nothing about the details of your connection to P2PServer1, nor do you about his; P2PServer1 manages all of these details.

This of course has potential for significantly degraded communications, because P2PServer1 is a bottleneck, having to manage all intermediate network traffic between all of these nodes. That's why P2P networks like eDonkey prefer for you to open the relevant incoming ports on your machine. That way, the server in the middle only has to keep a minimal amount of discovery information about you as a client, and other interested parties will connect directly to your machine to initiate file/data transfers, taking a significant network load off of the intermediate server.
posted by Brak at 2:19 PM on November 21, 2006


I think other people probably have it right, but I thought I'd also bring up UPnP, specifically Internet Gateway Device (IGD) protocol. It's a 'feature' (and I put that in quotes, because depending on who you ask, it's more of a vulnerability) that allows applications running on computers inside a NATed LAN to communicate with the router, and ask for an incoming port to be opened and forwarded to them.

Essentially it does something like DHCP does for IP addresses, but for forwarded ports.

I'm not sure what routers support it, and whether any have it enabled by default (I think my WRT54GL required me to turn it on manually), but I could imagine that it might cause strange behavior, if it was on and you didn't realize it.
posted by Kadin2048 at 3:29 PM on November 21, 2006

