Thread: Firewalls
September 8th, 2001
lurker701
Apprentice
 
Join Date: September 6th, 2001
Posts: 9

This is a bit of a pet peeve of mine, so please bear with me ... however, the *best* solution to connecting through a firewall is **knowing how to use your firewall software**. This, of course, assumes that you are the one in control of your firewall, but in the case of home systems, that is indeed usually the case.

First off, if you *don't* control your firewall, which means you're probably logging in from work, or from a university, try changing the port gnutella is using in your settings. If you're using a windoze non-server machine that has a real internet address (rather than 10.0.x.x or 192.168.x.x), try ports 80, 21, 22, 23, 407, and 113 (in that order of priority). These ports are rarely blocked by this type of firewall, and are rarely used for any purpose on non-server machines.

Second, if you're running only a single machine with a firewall on it, just allow connections to the ports gnutella is listening on.

But, I'm still seeing a *lot* of 192.168.xxx.xxx addies out there. Now, in some cases, these may be office clusters, but my guess is that in most cases, these people are either behind a linux box gateway using IP masquerading or using a hardware router. In this case, you need to do two things:

1) Change the real ip address of your machine in your gnutella settings. Most (if not all) servents allow you to specify your real ip address. If you're on a cable modem or a dsl line and are connected most of the time, chances are that your ip address doesn't change, or if you are using DHCP to get an addy, it doesn't change very often. For instance, my @home addy hasn't changed in almost a year.

2) After doing this, you need to *forward* the ports gnutella listens on from your gateway (either your linux box or your hardware router) to the machine you're running gnutella on. In linux, you do this by using ipmasqadm, or if you're running a newer kernel, ipchains. SEE THE DOCUMENTATION FOR THIS SOFTWARE FOR DETAILS (specifically the HOW-TO documents at www.linux.org). If you're using a hardware router, see the documentation for your specific router for instructions on how to do this.

Q: WHY SHOULD I BOTHER TO DO THIS?
A: Because "push" only marginally improves the connectivity of the gnutella network. If the push route is lost before the file transfer begins, or if the transfer is interrupted after the push route is lost, then connectivity to your files is lost. Push routes can be lost very easily and very quickly. The best way to improve the connectivity of gnutella, or any p2p application, is to allow it to interact directly with the internet, with real ip addresses.

Q: THE HOW-TO FOR IPMASQADM AND/OR IPCHAINS IS TOO COMPLICATED.
A: I won't tell you that if you don't know how to run your operating system that you have no business running it. I, too, was once a Linux newbie. I will, however, say that if you don't want to *learn* how to use Linux, you have no business running it. Knowing a little Linux is kind of like knowing a little Karate -- It may impress your friends, but it's a very dangerous thing to only know half-assed.

Q: ISN'T IT DANGEROUS TO CREATE THIS HOLE IN MY FIREWALL?
A: No. It's perfectly safe. I haven't heard of one instance of a cracker being able to exploit gnutella to gain access to people's computers. And if you're not running gnutella 24/7, there's still no danger, as any packets sent will just be rejected.
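Step 2) above, as an added shell example that is not part of the original post: it assumes a Linux 2.2 gateway with ipchains and ipmasqadm, and the addresses and port number (6346, the usual Gnutella default) are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: open exactly one TCP port on a
# Linux 2.2-era masquerading gateway and forward it to the one LAN machine
# running the servent, via ipmasqadm portfw. Nothing else is let through.

# Assumptions (edit to match your network):
EXT_IP="${EXT_IP:-203.0.113.10}"        # gateway's real internet address (constructed example value)
LAN_HOST="${LAN_HOST:-192.168.1.20}"    # machine running gnutella behind the gateway
GNUTELLA_PORT="${GNUTELLA_PORT:-6346}"  # assumed: the common Gnutella default; use your servent's setting

# Emit the commands, one per line, so the whole rule set can be reviewed
# before anything is applied to the running kernel.
build_rules() {
    cat <<EOF
modprobe ip_masq_portfw
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A input -p tcp -d $EXT_IP $GNUTELLA_PORT -j ACCEPT
ipmasqadm portfw -a -P tcp -L $EXT_IP $GNUTELLA_PORT -R $LAN_HOST $GNUTELLA_PORT
EOF
}

# Refuse obviously wrong input: a non-numeric or out-of-range port, or an
# inside host that is not a private (RFC 1918) address.
validate() {
    case "$GNUTELLA_PORT" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$GNUTELLA_PORT" -ge 1 ] && [ "$GNUTELLA_PORT" -le 65535 ] || return 1
    case "$LAN_HOST" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# How many forwarding rules the set contains; it should be exactly one.
count_portfw_rules() {
    build_rules | grep -c '^ipmasqadm portfw'
}

# Dry run by default; set DRY_RUN=0 to execute (as root, on the gateway).
apply_rules() {
    validate || { echo "refusing: bad port or non-private LAN host" >&2; return 1; }
    build_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" != 0 ]; then echo "DRY RUN: $cmd"; else eval "$cmd"; fi
    done
}

apply_rules
```

Run it as-is on the gateway to see the rules it would add; set DRY_RUN=0 and run it as root to apply them.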