Have you ever wondered how P2P software like Skype exchanges data directly when both client desktops are sitting behind a firewall that only permits outgoing traffic?
This article explains how Skype & Co. get round firewalls using the hole trick. From the article:
Peer-to-peer software applications are a network administrator’s nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn’t actually be letting in packets from the outside world.
This is a good article and a good idea carried out by Skype. This is not exactly a new concept (just search for NAT2NAT using Google and you will get more information about this hack). The author has done a good job of explaining the whole concept in clear language.
How do I bypass a Linux firewall restriction?
This article also covers DIY hole punching using the standard hping2 and nc (netcat) tools under Linux. From the article:

Firstly start a UDP listener on UDP port 14141 on the local/1 console behind the firewall:
local/1# nc -u -l -p 14141
An external computer “remote” then attempts to contact it.
remote# echo "hello" | nc -p 53 -u local-fw 14141
However, as expected nothing is received on local/1 and, thanks to the firewall, nothing is returned to remote. Now on a second console, local/2, hping2, our universal tool for generating IP packets, punches a hole in the firewall:
local/2# hping2 -c 1 -2 -s 14141 -p 53 remote
As long as remote is behaving itself, it will send back a “port unreachable” response via ICMP – however this is of no consequence. On the second attempt
remote# echo "hello" | nc -p 53 -u local-fw 14141
The netcat listener on console local/1 then coughs up a “hello” – the UDP packet from outside has passed through the firewall and arrived at the computer behind it.
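To see why the second "hello" gets through, here is an added example (not from the article or the Skype software) that models the connection-tracking table of an outbound-only stateful firewall and replays the exact nc/hping2 sequence above. The addresses 10.0.0.5 and 203.0.113.7, and the 30-second UDP entry lifetime, are assumptions; the ICMP "port unreachable" reply is not modelled because, as the article says, it has no effect on the result.

```python
# Model of a stateful "outgoing only" firewall: outbound packets are allowed
# and recorded; inbound packets pass only if they match a recorded flow.
# This is an educational model, not netfilter code.


class StatefulFirewall:
    def __init__(self, inside_prefix="10.0.0.", udp_timeout=30):
        self.inside_prefix = inside_prefix
        # Assumed 30 s, in the same ballpark as netfilter's default for
        # unreplied UDP entries; refreshed whenever a packet matches.
        self.udp_timeout = udp_timeout
        self.table = {}  # (src, dst) -> expiry time; src/dst are (ip, port)

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if t > now}

    def handle_udp(self, src, dst, now):
        """Return 'ACCEPT' or 'DROP' for one UDP datagram src -> dst."""
        self._expire(now)
        if src[0].startswith(self.inside_prefix):
            # Outbound: always allowed, and it is what "punches the hole".
            self.table[(src, dst)] = now + self.udp_timeout
            return "ACCEPT"
        reverse = (dst, src)
        if reverse in self.table:
            # Inbound reply to a flow we have seen leave: let it in.
            self.table[reverse] = now + self.udp_timeout
            return "ACCEPT"
        return "DROP"


def hole_punch_sequence():
    """Replay the article's steps; returns the firewall verdict for each."""
    fw = StatefulFirewall()
    local = ("10.0.0.5", 14141)     # constructed: nc -u -l -p 14141 host
    remote = ("203.0.113.7", 53)    # constructed: remote, sending from port 53
    return [
        fw.handle_udp(remote, local, now=0),    # first nc from remote: dropped
        fw.handle_udp(local, remote, now=1),    # hping2 -2 -s 14141 -p 53 remote
        fw.handle_udp(remote, local, now=2),    # second nc: matches, passes
        fw.handle_udp(remote, local, now=100),  # entry timed out: dropped again
    ]


if __name__ == "__main__":
    for step, verdict in zip(("nc #1", "hping2", "nc #2", "late nc"),
                             hole_punch_sequence()):
        print(f"{step:8s} -> {verdict}")
```

The only thing that lets the second "hello" in is the table entry created by the outbound hping2 packet, and it disappears when the entry times out; on a real netfilter host that state is visible with `conntrack -L`, which is where such outbound-created UDP entries can be watched for.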
Right now no perfect solution exists for preventing this kind of abuse if you are using a Linux-based firewall.