Re: Understanding NAT, Firewalls, TCP/IP



Roedy Green wrote:
> But if I go that route, I thought I might get in trouble with
> firewalls.  My clients won't have a clue what to do.

Firewalls are usually there for a reason. If your client doesn't know about their own firewalls, well ...


As someone else has mentioned, the other thing is NAT. This is not related to firewalls. Even if you run an HTTP server on port 80 behind a NAT device, that device will typically need configuration, if of course the server should be reachable from the outside.

However, if the software behind the NAT initiates the TCP connection, the NAT device needs no special configuration. It is not clear from your description who initiates the connection. If you have some client behind a NAT which initiates a connection it shouldn't be a problem. If you have a server behind a NAT device, waiting for incoming requests, it is a problem.

Again, in both cases firewalls are a separate issue. Just because typical devices do both (and many other things) doesn't mean you should mix the problems, because the fixes are different.

Regarding SOHO NAT devices ("routers"): many of them are remote/application configurable via UPnP these days. From a security point of view this is a nightmare. But if your client runs such a device, you could use UPnP to discover the device, and then configure it. However, UPnP is not fun. And, it uses SOAP. And once you start using SOAP, you could think about using that for your application, too, instead of raw data.

> Which brings up another question... Does HTTP have a way of SENDING
> unarmoured binary to the server, or only the other way?

A POST with an application/octet-stream MIME type should do. But there is no guarantee that a particular firewall won't find this format objectionable.


/Thomas
--
The comp.lang.java.gui FAQ:
ftp://ftp.cs.uu.nl/pub/NEWS.ANSWERS/computer-lang/java/gui/faq
http://www.uni-giessen.de/faq/archiv/computer-lang.java.gui.faq/
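
The client-initiated POST of raw binary described in the reply above, as an added example that is not part of the original post. The class name, the `/upload` path, the `MAX_BODY` cap and the loopback stand-in server are assumptions made for the sketch; it needs Java 11 or later.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Arrays;

public class OctetStreamPost {
    static final int MAX_BODY = 64 * 1024; // assumed upload cap for this sketch

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the real server; binds to loopback on an ephemeral port.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/upload", ex -> {
            String type = ex.getRequestHeaders().getFirst("Content-Type");
            int status;
            if (!"POST".equals(ex.getRequestMethod())) {
                status = 405;
            } else if (!"application/octet-stream".equalsIgnoreCase(type)) {
                status = 415; // accept only the declared binary type
            } else {
                // Read at most MAX_BODY + 1 bytes so an oversized body is detected, not buffered.
                byte[] body = ex.getRequestBody().readNBytes(MAX_BODY + 1);
                status = body.length > MAX_BODY ? 413 : 200;
                if (status == 200) System.out.println("server got " + Arrays.toString(body));
            }
            ex.sendResponseHeaders(status, -1); // -1: no response body
            ex.close();
        });
        server.start();
        try {
            // Constructed payload containing bytes that would not survive a text encoding.
            byte[] payload = {0x00, (byte) 0xFF, 0x0D, 0x0A, 0x7F, (byte) 0x80};
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/upload");
            // The client opens the TCP connection, so a NAT device on its side needs no setup.
            HttpRequest req = HttpRequest.newBuilder(uri)
                    .header("Content-Type", "application/octet-stream")
                    .POST(HttpRequest.BodyPublishers.ofByteArray(payload))
                    .build();
            HttpResponse<Void> resp = HttpClient.newHttpClient()
                    .send(req, HttpResponse.BodyHandlers.discarding());
            System.out.println("status " + resp.statusCode());
        } finally {
            server.stop(0);
        }
    }
}
```

The server side rejects anything that is not a POST of the declared type and stops reading once the cap is exceeded, which is the minimum a receiver of arbitrary binary uploads should enforce.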