I'm wondering whether or not it's possible to configure a TCP socket such that it cannot accept connections from 'off-machine'.
I want to spin up an HTTP server that should only be accessible from clients running on the same machine, and although I can always filter out 'unauthorized' requests from off-machine, I would prefer it if this local-only behaviour were baked-in.
Also, opening a socket on windows triggers a firewall warning and request for the user to block/unblock the port being opened. I'm hoping that a means exists to avoid this message, if the socket can be configured to only accept local connections.
Bind to loopback interface, ip 127.0.0.1.
Related
Why does Apache-Commons-Net's FTPClient sometimes make the wrong computation for the port number in the PORT command? This is in active mode. For example FTPClient it could send out
PORT <some>,<ip>,<address>,<here>,235,181 when in fact the port number used is 60340. What's the cause for this wrong computation?
This could happen on version 3.3.
I know ftpClient.enterLocalPassiveMode(); could solve this, but I want to know the part where the active mode doesn't work as expected.
From your comments, I assume you mistake an FTP control connection with a data connection.
I assume that the 60340 is local port of the FTP control connection. When opening data connection, 60341 is assigned (hence the PORT ...,235,181).
Reasoning: In an FTP active mode, the client opens listening port for the expected data connection, which it then reports to the server via PORT command over an existing control connection. If the server cannot connect to the port, no TCP/IP packet can ever come to that port. As you claim that the "two machines still communicate at port 60340", it must be the control connection. There cannot be any communication on port, if the connection failed ("Can't open data connection").
The actual cause of the "Can't open data connection" error is likely that you are behind a firewall, so the server cannot connect back to the client. What is a common nowadays. That's what passive mode is good for.
I am splitting an application into a tray application and a Windows Service and I want to use TCP to communicate between the two*. They will both be running on the same machine.
My question is do firewalls block TCP communication between applications running on the same machine? I want to know whether firewalls are something I need to worry about when testing.
(*note that I want to use TCP instead of named pipes for communication because the apps might one day run on separate computers but that will be far in the future)
The primary objective of the firewall is to control the incoming and the outgoing network traffic! Firewall's are designed to work on IP or PORT basis.
So yes, it is 100% capable of blocking connection on same machine.(I guess you are using Class A IP [127.x.y.x] address used mainly for loopback testing and interprocess communication on the local computer).
Some firewall are preconfigured not to block local machine connection while other are configured to block them. But either way a firewall can be configured to allow/deny such connection.
I am using Boost asio in Visual C++. I am trying to connect to a static IP which listens TCP on port 1222. unfortunately i can only connect with Lan and cannot connect from another Lan to the TCP listening PC(203.143..).
It connects perfectly with the EC2 server. Is it something to do with firewall. but when i run the app it ask for the user to allow firewall for the specific port. I can post my code but i guess it's not something to with the code.
Usually a firewall on the server side (the PC you are trying to connect to) have to be configured to allow incoming connections.
Firewall on your side should be OK, it usually allows any type of outgoing connections.
I don't know what you meant by "the app ask for the user to allow firewall for the specific port" (clarify).
I just re-installed Ubuntu server 10.04 and decided to change all of my default ports to get a little extra security. Everything works fine, except when I decided to change the FTP (ProFTPd) port from the standard 21 to 3521. No problems with firewalls or port forwarding. ProFTPd was restarted but when I am trying to connect to it,even though it does respond, it throws the client (FileZilla) into a "passive mode" and then never goes into listing a directory.
I don't really want to use the "passive mode" and I have it disabled in proftpd.conf, but nevertheless I can't seem to change the default port otherwise and make it working. It does seem to work fine on port 21. FYI, the proftpd was installed as a standalone daemon, if that matters somehow?
Ok, I think I figured this out after reading this page: link . It appears that most FTP connections are indeed "passive" and the problem with "active" connections comes from the use of firewalls on the client side since FTP server is initiating an outgoing "data" connection to the client on some random port. In passive mode the client initiates both "command" and "data" connections to the server and hence the firewall isn't a problem, but you should specify which "passive" ports to use on the server. I enabled 3520 and 3521 PassivePorts and it's now working
FTP Active Mode by definition requires the server to initiate its outgoing connections from port L-1. Does your firewall allow outgoing connections from port 3520 as well?
From the FTP RFC:
3.2. ESTABLISHING DATA CONNECTIONS
The mechanics of transferring data consists of setting up the data
connection to the appropriate ports and choosing the parameters
for transfer. Both the user and the server-DTPs have a default
data port. The user-process default data port is the same as the
control connection port (i.e., U). The server-process default
data port is the port adjacent to the control connection port
(i.e., L-1).
...
3.3. DATA CONNECTION MANAGEMENT
Default Data Connection Ports: All FTP implementations must
support use of the default data connection ports, and only the
User-PI may initiate the use of non-default ports.
Negotiating Non-Default Data Ports: The User-PI may specify a
non-default user side data port with the PORT command. The
User-PI may request the server side to identify a non-default
server side data port with the PASV command. Since a connection
is defined by the pair of addresses, either of these actions is
enough to get a different data connection, still it is permitted
to do both commands to use new ports on both ends of the data
connection.
You might wish to take the opportunity to change your users to SFTP, a much nicer protocol.
I have a local server written in C++ listening to inbound TCP connects using plain socket ::accept() and UDP recvfrom(). I have two problems with this that I wish to solve:
Can I programatically make Windows let me open the accept socket without it automatically being blocked by the Windows (software) firewall?
Are there any ports I can use that will allow my packets to pass through both Windows firewall and external firewall? Port 80 is often taken by things like Skype, but are there others? Will most external firewalls typically by default allow incoming UDP and TCP connects on port 80?
Thanks!
In general, network routers need Port Forwardng enabled for the listening port, and firewalls need the listening port opened. If you are using a uPNP-enabled firewall/router, then you can dynamically set up those settings programmmably via the uPNP API. But more times than not, uPNP is either disabled or unavailable, requiring manual settings by the firewll/router admin.