Gnutella News
Gnutella & Firewalls
 

Maintained By manuka
Last Update: May 21, 2000



Many people on the internet are behind a firewall of some sort. This can cause some difficulties using Gnutella. This document explains how to get the most out of Gnutella if you're behind a firewall.

About Firewalls

The idea of a firewall is to only allow certain network connections of a desirable nature through, while keeping dangerous ones out, protecting the systems behind it from attacks. There are several different types of firewalls in use; I'll cover each one separately, along with how to deal with it in the context of Gnutella.

How Gnutella handles firewalls

As with any firewall, some special procedures must be initiated by Gnutella to establish connections across firewalls. With a firewall, connections not explicitly allowed in must be initiated by the system inside the wall. This is problematic for Gnutella when making a request for a file. To compensate for this, Gnutella's designers came up with the "push request".

When Gnutella tries to download something from a system within a firewall, it initially assumes that there's nothing impeding its ability to connect to that system, and tries a standard "pull" request to that system. If that fails, it will then route a packet called a "push request" through the GnutellaNet to the system in question. Upon receiving this request, the system inside the firewall will initiate a connection with the requestor and send the file to it. This, naturally, is not going to work if the requesting system is also behind a firewall, since the external system can't initiate the connection. This is usually why you're unable to download something. One indicator of a firewalled system is an IP address that falls into one of the ranges defined as private network space by RFC 1918. Those ranges are as follows:

  • 10.0.0.0 through 10.255.255.255 (Class A)
  • 172.16.0.0 through 172.31.255.255 (Class B)
  • 192.168.0.0 through 192.168.255.255 (Class C)
An IP within those ranges indicates the system is behind either a NAT or IP Masquerading gateway and will therefore be unreachable via that address.
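The pull-then-push decision described above, written out as an added example (not code from the original page or from any Gnutella client). It uses the RFC 1918 check as the stand-in for "the pull attempt would fail", and the function and variable names are my own:

```python
import ipaddress

# The three RFC 1918 private ranges listed above, in CIDR form.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]


def is_rfc1918(ip: str) -> bool:
    """True if a dotted-quad address lies in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_RANGES)


def download_strategy(requester_ip: str, target_ip: str) -> str:
    """Decide how a download between two servants can proceed.

    'pull'        - the target advertises a routable address, so a direct
                    connection to it can be attempted
    'push'        - the target looks firewalled, but the requester is
                    routable, so a push request can make the target
                    connect back to the requester
    'unreachable' - both sides advertise private addresses, so neither
                    one can initiate the connection
    """
    if not is_rfc1918(target_ip):
        return "pull"
    if not is_rfc1918(requester_ip):
        return "push"
    return "unreachable"


if __name__ == "__main__":
    # Constructed sample servant addresses.
    for me, them in [("1.2.3.4", "5.6.7.8"), ("1.2.3.4", "192.168.0.6"),
                     ("10.0.0.2", "172.16.9.9")]:
        print(me, "->", them, ":", download_strategy(me, them))
```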

Packet Filters

Packet filtering firewalls are the kind you typically find in an office environment. They're configured to only allow certain services (such as http) to come in (to protect against attacks) or to go out (generally to restrict employee access to non-productive sites). This can be slightly problematic for Gnutella, since many administrators have by now blocked Gnutella's default port (6346) going in either direction.

If you're not sharing files out, this is not as much of a problem as one might think, since your only concern is what port other Gnutella users are listening on. Many still use the default port, but more and more are beginning to randomize what port they use in an effort to help out people like you.

If you are sharing files out and want people to be able to access them, you'll need to find an incoming port on the firewall that is open. Typical port numbers for this are the ones used by mail servers (25, 110, 143), web servers (80, 443, 8000, 8080), telnet servers (23) and ssh servers (22). It should be noted, however, that any firewall administrator with half a brain will limit these ports to only go to the systems on which said services are running for official business. Who knows, you may get lucky.

NAT Gateways

NAT stands for "Network Address Translation". NAT is a form of firewall that lets you have a set number of routable IP addresses at the firewall (or gateway/router) and share them among many more machines. An example of this would be an office with a circuit that was assigned only 5 usable IPs but has 15 machines that need to be connected. The same principle applies if you only have one IP address available.

NAT and Windows

Windows 98 and Windows 2000 include a feature Microsoft calls "Internet Connection Sharing". This is quite simply a NAT system that allows you to share the IP that system is using with the rest of the network. This is what you'd use if you and your 2 roommates wanted to share a dialup connection. Windows will typically use the internal class C reserved address space (defined in RFC 1918), which is 192.168.*.*.

This is actually quite easy for Gnutella to work with. Under the advanced properties (when you tell Windows to "Share this connection"), you will see something called "Exported Services". If you go in here, you can tell the NAT system to forward all connections on a given port on the NAT machine to one of the internal addresses.

Assume for a second that you're running Windows NAT on a DSL line, and the IP given to you by your ISP is 1.2.3.4. Windows will assign 192.168.0.1 to the internal side of the network and set up a rudimentary DHCP server. Your machine is 192.168.0.6, and you're running Gnutella on port 6350. You would tell your NAT configuration to export port 6350 to 192.168.0.6. In Gnutella, you go into your configuration and tell it to Force Local IP to the address of the NAT system (1.2.3.4). This way, you're telling the GnutellaNet that you're running a servant on 1.2.3.4:6350, and that's where everyone will connect. Since the service on port 6350 is being exported to 192.168.0.6, the connection will simply be passed on to the Gnutella servant running on your workstation.
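A consistency check for the setup just described, added here as an example (not part of the original page or of Windows ICS). It models the NAT machine's external address, its "Exported Services" table and the servant's Force Local IP setting, and reports the mistakes that leave the servant unreachable; the function name and the exports dictionary layout are my own assumptions:

```python
import ipaddress


def check_servant_reachability(external_ip, exports, servant_ip,
                               servant_port, forced_ip=None):
    """Return the problems that would stop outsiders reaching the servant.

    external_ip  - the routable address on the NAT machine (1.2.3.4 above)
    exports      - {external_port: internal_ip} as configured in
                   "Exported Services"
    servant_ip   - the workstation's internal address (192.168.0.6 above)
    servant_port - the port the servant listens on (6350 above)
    forced_ip    - the Force Local IP value, or None if it was left unset
    An empty list means the configuration is consistent.
    """
    problems = []

    # Without Force Local IP the servant advertises its own (private) address.
    advertised = forced_ip if forced_ip is not None else servant_ip
    if forced_ip is None:
        problems.append("Force Local IP is unset; the servant advertises %s"
                        % servant_ip)
    if ipaddress.ip_address(advertised).is_private:
        problems.append("advertised address %s is not routable from outside"
                        % advertised)
    elif advertised != external_ip:
        problems.append("advertised address %s is not the NAT machine's %s"
                        % (advertised, external_ip))

    # The advertised port must be exported, and to the right internal host.
    target = exports.get(servant_port)
    if target is None:
        problems.append("port %d is not exported on the NAT machine"
                        % servant_port)
    elif target != servant_ip:
        problems.append("port %d is exported to %s, but the servant is on %s"
                        % (servant_port, target, servant_ip))
    return problems


if __name__ == "__main__":
    # The scenario from the text: consistent, so no problems are reported.
    print(check_servant_reachability("1.2.3.4", {6350: "192.168.0.6"},
                                     "192.168.0.6", 6350, "1.2.3.4"))
```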

NAT and Linux

Linux does not currently support NAT at the kernel level (it's in development for the 2.4 kernel release; current production kernels use IP Masquerading with ipchains).

NAT and Routers

Many home and small-business routers also have NAT built-in to their feature set. They also have a configuration option commonly referred to as "Exported Services". How to configure it varies widely from one router to the next, and you should consult the documentation provided with it. Here's a short list of links to vendor documentation on some common routers:

  • Netopia R7100 (SDSL)
  • D-Link DI-701 (DSL)

IP Masquerading

IP Masquerading works similarly to NAT, but at a different layer: it functions at the packet level and is commonly referred to as PAT (Packet Address Translation). Examples of IP Masquerading applications are ipchains in Linux, ipfw under most other Unix systems, and WinGate under Windows.

Some applications have difficulty with packets that have been mangled by IP Masquerading and usually require special handling. Linux does this in the form of kernel modules. Gnutella doesn't currently appear to require any special treatment. Setup on a masqueraded system is very similar to that of NAT, except that you will need a port forwarding utility on your masquerading application. Please refer to the accompanying documentation for details.

SOCKS

Neither Gnutella nor its clients appear to have any kind of native support for SOCKS proxies at this time. However, you may socksify the application with a utility such as SocksCAP, or the entire system with an application like Hummingbird SOCKS Client. Please refer to the documentation for your individual client. Gnutella runs quite well in an environment like this, but cannot accept incoming connections from outside the firewall unless you're using a secure inbound SOCKS client.


 

Have more questions? Post them in our forum, and we'll try our best to answer them.

 

Mirrored from http://gnutella.wego.com/ (with permission).

 

 

All trademarks used are properties of their respective owners.
Copyright © 2000 Gnutella News. All Rights Reserved.
