Internet Connection sharing via smoothwall

Soup_Nazi

What is this storage?
Joined
May 25, 2002
Messages
15
I regretfully came here, knowing I'd sound like a 'noob' at networking, but I really can't work this one out...

I'm using broadband internet from behind smoothwall, and when I want to do direct file transfer from the likes of icq, msn or mirc, I cannot get a direct connection. It's quite a pain, cos it means that if I want to send any files it has to be done by email, which is quite restricting.

I'm hoping this is a pretty common problem and there is a pretty common fix. Any ideas?
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
As I recall, ICQ and its various insecure brethren in chat use oddball ports to do their file transfers. You can free up certain (normally blocked) ports from the Smoothwall console, but you may not have to. ICQ has a moderately obscure setting where you tell it to function from behind a firewall. I can't remember if you can just do one or the other or if you have to do a little of both. There is a page that might be helpful at http://www.icq.com/icqtour/firewall - or you can just wait for Sol to log on. Sol is an expert at this stuff.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
Lots of people have problems with ICQ/MSN/AOL behind firewalls..
I have a hardware firewall and cannot get incoming file transfers to work well... outgoing seem to work fine.

I assume this might just be a matter of forwarding but it seems that icq may not be consistent in the ports it uses for file transfers.
 

Sol

Storage is cool
Joined
Feb 10, 2002
Messages
960
Location
Cardiff (Wales)
ICQ ports can apparently be set to be whatever you like; instructions are here (some of this info refers to older versions)

That page also lists the ports for some other programs like MSN... The port ranges tend to be pretty large and would take a long time to open on a smoothie and leave it looking somewhat like Swiss cheese...

I recommend you set up an ftp server as it would likely be easier and more flexible, allowing resuming and such, and would leave your firewall in much better condition...
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
I recommend you set up an ftp server as it would likely be easier and more flexible, allowing resuming and such, and would leave your firewall in much better condition...

ahh ahh ahh.... you didn't say the magic word....


but seriously, FTP can be just as frustrating.... I believe that FTP does not work when both the client AND the server have non-routable IPs (10.x.x.x / 192.168.x.x ...behind firewall or some such situation)

I know it can work if only one or the other is behind a firewall, but I haven't gotten it to work if both are... I believe this is unavoidable because of the way FTP was designed to work.

If anybody can prove me wrong, I'd be happy to hear about it... I've tried several FTP programs with no luck (IIS 2, 3, 5, and 5.1 .... bullet proof FTP server ... Serv-U FTP server... etc)

I went through the available instructions for setting these up behind a firewall and none of them seemed to work in every situation.
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
of course, if you're using smoothwall... your firewall is probably perfectly capable of running an FTP server given that it has a routable IP address...
 

James

Storage is cool
Joined
Jan 24, 2002
Messages
844
Location
Sydney, Australia
blakerwry said:
but seriously, FTP can be just as frustrating.... I believe that FTP does not work when both the client AND the server have non-routable IPs (10.x.x.x / 192.168.x.x ...behind firewall or some such situation)
You're correct. That's also why you can't retrieve files on P2P programs if both clients are behind firewalls - there's no way to initiate a connection (unless you open all the relevant ports from both sides of both firewalls, and put in a permanent port/IP mapping into your NAT box).
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
heh, that's too bad that most browsers use randomly assigned port numbers for outbound connections... I believe they always use above 3000... or was it 2000? maybe I'll have to refresh myself.
 

James

Storage is cool
Joined
Jan 24, 2002
Messages
844
Location
Sydney, Australia
Above port 1024.

Outgoing connections to non-firewalled boxes are fine because the connections are initiated by one of the client machines behind your firewall, so the NAT box knows that 10.0.0.x is connecting via port 2000-and-whatever to www.whatever.com at port 80, and to expect a series of traffic packets to follow in both directions.

The problem occurs when you try to connect to a server behind another NAT/firewall device. The box at the far end will never see the connection because the firewall will reject the incoming, unsolicited connection. Until you move your server into some form of DMZ (and basically it is connected directly to the Internet) incoming connections will be rejected.

Slightly more complicated is the situation with P2P networks and firewalls. In short, your P2P box can make connections to other peers when it is initiating the connection, but you can't initiate the connection with a peer that is behind a firewall because by default the far end firewall will reject all incoming requests which have not been initiated by a machine on the green (secure) side of the firewall.

The reason why you can serve P2P files out to people (as long as they aren't behind a firewall) is because in that situation your P2P client actually initiates the connection with the closest supernodes and then with the P2P clients as they connect. Because you as the file server are initiating the connections, they go through your firewall okay.
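
The connection-tracking behaviour described in the post above, as an added example that is not part of the thread or written by any poster: a toy Python model of a stateful NAT box showing why replies to outbound connections pass, why unsolicited inbound connections are rejected, and why a permanent port mapping changes the both-behind-NAT case. Class names, ports and addresses are constructed for illustration.

```python
# Toy model of a stateful NAT/firewall (illustrative; not Smoothwall code).
# Addresses are constructed: documentation ranges plus RFC 1918 LAN ranges.

class NatBox:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.flows = {}     # (public_port, remote_ip, remote_port) -> LAN endpoint
        self.forwards = {}  # public_port -> LAN endpoint (permanent mapping)
        self.next_port = 2000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host initiates: remember the flow so replies are expected."""
        public_port = self.next_port
        self.next_port += 1
        self.flows[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return self.public_ip, public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """Packet from the Internet: LAN endpoint it reaches, or None if rejected."""
        flow = self.flows.get((public_port, remote_ip, remote_port))
        return flow or self.forwards.get(public_port)


def try_connect(client_nat, client_lan_ip, server_nat, server_port):
    """A client behind client_nat connects to server_nat's public address."""
    src_ip, src_port = client_nat.outbound(
        client_lan_ip, 40000, server_nat.public_ip, server_port)
    return server_nat.inbound(src_ip, src_port, server_port) is not None


def scenarios():
    a = NatBox("203.0.113.10")   # your firewall
    b = NatBox("198.51.100.20")  # the far-end firewall
    results = {}
    # 1. LAN client -> public web server: the reply matches a tracked flow.
    _, port = a.outbound("10.0.0.5", 40000, "192.0.2.80", 80)
    results["reply_to_outbound"] = a.inbound("192.0.2.80", 80, port)
    # 2. Unsolicited connection from the Internet to port 21: rejected.
    results["unsolicited"] = a.inbound("192.0.2.99", 5555, 21)
    # 3. Both ends behind NAT: B's firewall never expected A's connection.
    results["both_behind_nat"] = try_connect(a, "10.0.0.5", b, 21)
    # 4. Same attempt after B adds a permanent port mapping for 21.
    b.forwards[21] = ("192.168.0.7", 21)
    results["with_port_forward"] = try_connect(a, "10.0.0.5", b, 21)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Each permanent mapping in `forwards` is reachable by anyone on the Internet, which is why opening large port ranges leaves the firewall looking like Swiss cheese.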
 