[p2p-hackers] How firewall to firewall works

Stephen Samuel (leave the email alone) samnospam at bcgreen.com
Wed Dec 1 01:15:46 UTC 2004

TCP is a connection-based protocol: when you start up a connection, one
machine initiates the connection and the other responds to it. The normal
sequence is three packets used just to open the connection:

Me:Port 3000 SYN ->     You:Port 80
Me:Port 3000 <- SYN/ACK You:Port 80
Me:Port 3000 ACK ->     You:Port 80

At that point the connection is open, and people send messages in both
directions until a sequence is transmitted which closes the connection.

Stateful firewalls take advantage of this sequence. They can recognize
when a machine from inside the firewall is initiating a connection
and allow more freedom for outbound connections than inbound connections.

The other thing to note about a connection is that it is identified by
a combination of the local IP address/port combination and the remote
address/port combination, so if the address of 'me' was   and the address
of 'you' was   then the connection above would be described by
TCP: <->

UDP communications, on the other hand, are connectionless. Technically,
you just send a packet and the other side either receives it or doesn't.
There is no protocol inherent in UDP that signals the beginning or end
of a connection. Congestion control and replacement of lost or damaged
packets would have to be done at the user level, rather than at the OS level
as TCP does.

For this reason most firewalls that allow UDP simply presume that any
packet sent outbound is initiating a connection (if one doesn't already
exist). Any inbound packet would be ignored unless it was associated
with a previously outbound packet (using the same port/IP-address pair
used for TCP).

The way to 'fool' such stateful firewalls with UDP is to have both machines
talk to an intermediary and agree on a set of IP addresses and port numbers
to use to talk to each other. You end up with the following conversation:

Me:Port 3000 Hello ->   You:Port 8000    (blocked by You's firewall)
Me:Port 3000 <- Hello   You:Port 8000    Gets through (matching ports)
Me:Port 3000 Welcome -> You:Port 8000    Gets through (matching ports)

The second and third packets get through because the receiving machine
has already sent a packet using that address/port set, and
the associated firewall pretty much has to either presume that the
connection is legitimate, or just not allow outbound UDP connections
at all (or only allow connections to specific ports).

If the first option is chosen by both machines' firewalls, then the
'firewall to firewall' connections should work.

This only works for a portion of firewalled users, but a big enough portion
to make the process worth trying.

David Barrett wrote:
> How does the Firewall-to-Firewall portion of Limewire work?  Does it use 
> un-firewalled clients as relay servers?  It doesn’t sound like it, but I 
> thought that’s the only solution that truly works in all situations.
> The “features history” page mentions this on the entry for 8.12.2004:
> “Firewall to Firewall transfers allows two people behind firewalls to 
> connect directly to each other and transfer data. *This makes use of 
> UDP, and a third party to coordinate the initial messaging.* … Normally, 
> firewalled users would only be able to download from other hosts who are 
> not firewalled, which is of course severely limited. With firewall to 
> firewall transfers, firewalled users can now access the full 100% of hosts.”

Stephen Samuel +1(604)876-0426             samnospam at bcgreen.com
    Powerful committed communication. Transformation touching
      the jewel within each person and bringing it to light.
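The three-packet UDP exchange above, modelled as an added example (not code from the original post or from LimeWire): each host sits behind a stateful firewall that records outbound UDP 4-tuples and admits an inbound packet only if it matches one of them. The IP addresses are constructed documentation addresses; the second run shows what happens when the intermediary hands out the wrong port.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str

@dataclass
class StatefulFirewall:
    """Firewall in front of one host. Any outbound UDP packet is presumed to
    open a 'connection'; inbound passes only if it matches a recorded one."""
    inside_ip: str
    table: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        # Record the local/remote address:port pair of the outbound packet.
        if pkt.src_ip == self.inside_ip:
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> bool:
        # Reverse the tuple: the inside host must already have sent to this peer.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table

def send(pkt: Packet, sender_fw: StatefulFirewall, receiver_fw: StatefulFirewall) -> bool:
    """Returns True if the packet gets through the receiver's firewall.
    The sender's firewall records the outbound packet even when it is dropped."""
    sender_fw.outbound(pkt)
    return receiver_fw.inbound(pkt)

ME, YOU = "192.0.2.10", "198.51.100.20"   # constructed sample addresses

def run_exchange() -> list:
    """Hello (blocked), Hello back (passes), Welcome (passes)."""
    me_fw, you_fw = StatefulFirewall(ME), StatefulFirewall(YOU)
    return [
        send(Packet(ME, 3000, YOU, 8000, "Hello"), me_fw, you_fw),
        send(Packet(YOU, 8000, ME, 3000, "Hello"), you_fw, me_fw),
        send(Packet(ME, 3000, YOU, 8000, "Welcome"), me_fw, you_fw),
    ]

def run_mismatched_port() -> list:
    """If 'you' replies from a port other than the one agreed, nothing gets through."""
    me_fw, you_fw = StatefulFirewall(ME), StatefulFirewall(YOU)
    return [
        send(Packet(ME, 3000, YOU, 8000, "Hello"), me_fw, you_fw),
        send(Packet(YOU, 8001, ME, 3000, "Hello"), you_fw, me_fw),
    ]
```

The model only covers the firewall behaviour the post describes; a NAT that rewrites source ports would break the "matching ports" assumption.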
