Maintained By manuka
Last Update: May 21, 2000

Many people on the internet are behind a firewall of some sort. This can cause some difficulties using Gnutella. This document explains how to get the most out of Gnutella if you're behind a firewall.

About Firewalls

The idea of a firewall is to only allow certain network connections of a desirable nature through, while keeping dangerous ones out, protecting the systems behind it from attacks. There are several different types of firewalls in use, and I'll cover each one separately, along with how to deal with it in the context of Gnutella.

How Gnutella handles firewalls

As with any firewall, some special procedures must be initiated by Gnutella to establish connections across firewalls. With a firewall, connections not explicitly allowed in must be initiated by the system inside the wall. This is problematic for Gnutella when making a request for a file. To compensate for this, Gnutella's designers came up with the "push request". When Gnutella tries to download something from a system within a firewall, it initially assumes that there's nothing impeding its ability to connect to that system, and tries a standard "pull" request to that system. If that fails, it will then route a packet called a "push request" through the GnutellaNet to the system in question. Upon receiving this request, the system inside the firewall will initiate a connection with the requestor, and send the file to it. This, naturally, is not going to work if the requesting system is also behind a firewall, since the external system can't initiate the connection. This is usually the reason you're unable to download something. One indicator of a firewalled system is if its IP address falls into one of the ranges defined as private network space by RFC 1918. Those ranges are as follows:
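As an added illustration (not part of the original page), the following Python models the decision described above: whether a transfer can go ahead by a plain pull, needs a push request, or cannot work because both sides are firewalled, using the RFC 1918 private ranges as the indicator of a firewalled host. The `is_private` and `download_strategy` names are mine, and the model treats a private advertised address as firewalled outright rather than first attempting the pull as a real servant does.

```python
import ipaddress

# The three private ranges defined by RFC 1918 (the indicator that a host
# is probably behind a firewall or NAT).
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def download_strategy(requester_ip: str, host_ip: str) -> str:
    """Decide how a file transfer between two servants can proceed.

    Both arguments are the addresses the servants advertise on the
    GnutellaNet (for a NAT'd servant with Force Local IP set, that is the
    NAT's public address, not the 192.168.x.x workstation address).

    'pull' - the host looks reachable, so the requester connects directly.
    'push' - the host looks firewalled, so a push request is routed to it
             and the host opens the connection back to the requester.
    'none' - both sides look firewalled; neither can initiate, which is
             the usual reason a download never starts.
    """
    if not is_private(host_ip):
        return "pull"
    if not is_private(requester_ip):
        return "push"
    return "none"


if __name__ == "__main__":
    # Constructed sample pairs: (requester, host).
    for req, host in [("1.2.3.4", "5.6.7.8"),
                      ("1.2.3.4", "192.168.0.6"),
                      ("10.0.0.9", "172.16.4.2")]:
        print(f"{req} -> {host}: {download_strategy(req, host)}")
```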
Packet Filters

Packet filtering firewalls are the kind you typically find in an office environment. They're configured to only allow certain services (such as http) to come in (to protect against attacks) or to go out (generally to restrict employee access to non-productive sites). This can be slightly problematic for Gnutella, since many administrators have by now blocked Gnutella's default port (6346) in both directions. If you're not sharing files out, this is not as much of a problem as one might think, since your only concern is what port other Gnutella users are listening on. Many still use the default port, but more and more are beginning to randomize the port they use in an effort to help out people like you.

If you are sharing files out and want people to be able to access them, you'll need to find an incoming port on the firewall that is open. Typical port numbers for this are the ones used by mail servers (25, 110, 143), web servers (80, 443, 8000, 8080), telnet servers (23) and ssh servers (22). It should be noted, however, that any firewall administrator with half a brain will limit these ports to only the systems on which said services are running for official business. Who knows, you may get lucky.

With Windows 98 and Windows 2000, Microsoft Windows has a feature they call "Internet Connection Sharing". This is quite simply a NAT system that allows you to share the IP that system is using with the rest of the network. This is what you'd use if you and your 2 roommates wanted to share a dialup connection. Windows will typically use the internal class C reserved address space (defined in RFC 1918), which is 192.168.*.*. This is actually quite easy for Gnutella to work with. Under the advanced properties (when you tell Windows to "Share this connection"), you will see something called "Exported Services". If you go in here, you can tell the NAT system to forward all connections on a given port on the NAT machine to one of the internal addresses.

Assume for a second that you're running Windows NAT on a DSL, and the IP given to you by your ISP is 1.2.3.4. Windows will assign 192.168.0.1 to the internal side of the network and set up a rudimentary DHCP server. Your machine is 192.168.0.6, and you're running Gnutella on port 6350. You would tell your NAT configuration to export port 6350 to 192.168.0.6. In Gnutella, you go into your configuration and tell it to Force Local IP to the address of the NAT system (1.2.3.4). This way, you're telling the GnutellaNet that you're running a servant on 1.2.3.4:6350, and that's where everyone will connect. Since the service on port 6350 is being exported to 192.168.0.6, those connections will simply be passed on to the Gnutella servant running on your workstation.

NAT and Linux

Linux does not currently support NAT at the kernel level (it's in development for the 2.4 kernel release; current production kernels use IP Masquerading with ipchains).

NAT and Routers

Many home and small-business routers also have NAT built into their feature set. They also have a configuration option commonly referred to as "Exported Services". How to configure it varies widely from one router to the next, and you should consult the documentation provided with it. Here's a short list of links to vendor documentation on some common routers:

IP Masquerading

IP Masquerading works similarly to NAT, except that it works at a different layer than NAT does. IP Masquerading functions at the packet level and is commonly referred to as PAT (Packet Address Translation). Examples of IP Masquerading applications are ipchains in Linux, ipfw under most other Unix systems, and WinGate under Windows. Some applications have difficulty with packets that have been mangled by IP Masquerading and usually require special handling; Linux does this in the form of kernel modules. Gnutella doesn't currently appear to require any special treatment. Setup on a masqueraded system is very similar to that of NAT, except that you will need a port forwarding utility for your masquerading application. Please refer to the accompanying documentation for details.

Neither Gnutella nor its clients appear to have any kind of native support for SOCKS proxies at this time. However, you may socksify the application with a utility such as SocksCap, or the entire system with an application like Hummingbird SOCKS Client. Please refer to the documentation for your individual client. Gnutella runs quite well in an environment like this, but cannot accept incoming connections from outside the firewall unless you're using a secure inbound SOCKS client.
Have more questions? Post them in our forum, and we'll try our best to answer them.
Mirrored from http://gnutella.wego.com/ (with permission).