My program uses a component which makes http connections over the internet, but when I install and run my program on a clean installation of XP, it runs fine without an exception in the Windows Firewall having to be made. Why doesn't it need an exception in the firewall?
If it makes only http connections, those are allowed to enable browsers accessing the Internet.
In general firewall rules can be based on various conditions, one of which is the port (http is port 80), other could be the protocol (http is TCP) and the program itself. In order to enhance user experience and allow any browsers to work correctly without extra configuration, TCP connections to port 80 are configured to be allowed.
The Windows Firewall only protects you against incoming connections; all outgoing and local connection are automatically permitted. This means that it is not as secure as a full software firewall, but it avoids nagging you every time Firefox auto-updates itself.
Related
I have an application with a server written in F# and serve web files using suave. I remote login using powershell into another machine in the network to run the application (The application is also in one of the network drives). I do that because that machine have access to third party APIs needed for the server. Now when I do [IPAddress_Of_Remote_Machine]/[html_file] or [name_of_pc]/[html_file] then chrome is waiting forever and doesn't ever return the webpage. This wasn't happening before and I ran into this problem recently. I opened a different port and used it instead of the default one 80. This made things work but the problem keeps showing up after a couple of days. I don't think it's a firewall issue but I'm clueless to why this is happening.
When running netstat -an, this is what I get (I hid the IP address):
As you can see all of the connections are either in CLOSE_WAIT or ESTABLISHED but not LISTENING. All of these TCP connections is probably because I have PhantomJS and two other APIs running in the application as well. However the loop back address is also open on the same port 5959:
I'm not sure what is difference between these two but when using PortQryUI to query the remote server it returns a success!
I have already made an inbound rule for port 5959 on the server so it should be allowed. The web page is stuck at Waiting for [name_of_pc]. Also, sometimes this problem disappears and everything works fine.
What is the potential problem behind this? Why would this happen all of a sudden?
UPDATE:
I re-ran the application today and it's working correctly. It could be that something is dynamically set within the firewall? Not really sure what is going on. The machine I'm running the server on has a bunch of applications running on it as well so maybe there is an external process that is affecting it?
I made a hello world app with Suave and deployed it on the network drive to test if it's going to work. I opened inbound rule for port 6001
Then I ran the app:
However, it's still not working and this time it says the site cannot be reached when I do: http://[name_of_pc]:6001.
Moving this to an answer so that it can be closed:
Could you post the bindings section of your suave cfg? I'm guessing you know where that is since you are using a non-standard port but if you need don't, search for HttpBinding. I suspect you will find it pointing to 127.0.0.1 which is not good enough for remote access. You could try changing it to 0.0.0.0 or to the server's actual IP address. I would try 0.0.0.0 first for the flexibility it provides
I never figured this one out and I've been programming for years. How do P2P programs like chat programs or torrent programs manage to create connections between two peers without peers opening any ports? I know I haven't opened up a port for Skype yet I can send and receive large files to and from my friends, and I'm pretty sure all those gigabytes don't go through Skype servers. Or do they?
What about torrenting? I can upload data to peers and I haven't opened any ports either.
I'm pretty sure the answer will be language-nonspecific, but in case I'm wrong, I code mostly in C++. Thanks in advance.
You only need to "open a port" for inbound connections. One peer will open a listening port, then instruct the other peer to connect to it. If the connection fails, the peers will usually swap roles and try again. If the connection still fails, then either the transfer is aborted, or a server relay is used if feisable.
For each listening peer, if the port is behind a router/firewall, the peer can either programmably instruct the router/firewall to open a port for forwarding inbound connections to the peer (some routers support uPNP for that, and some firewalls have their own API), or the peer can try using various "hole punching" techniques to trick the router/firewall into opening a forwarding port (some routers/firewalls are not susceptible to this).
Read this for more details: How Skype & Co. get round firewalls
I want to develop an iPhone app with a simple IM feature. I am thinking about setting up an HTTP server on an iPhone. If the iPhone is using wifi and is behind a firewall, how can I make sure that other iPhone clients can connect to it?
It's not the firewall that will disturb the connection as much it is the NAT.
When you are connected through wireless router to connect the internet you are surfing via NAT. it means you dont really have an extenral IP but once you initiate connection the router will map your intenral IP to one of his externatl ports and for certain time window he will pass connections to you if he will get it to the right port.
That being said, there is no actual way of setting a server behind a NAT unless you can configure port forwarding in the router and internal static IP.
Hope i was clear enough, good luck
I do not really think that you need to get an HTPP server up and running on iPhone to make an application that can send and receive messages (IM). The idea of making one iPhone user to directly connect to one another does not seem right to me since the users will need to know IP addresses of one another to do that.
Interconnectivity between different users of the chat can be solved by making your application communicate via a dedicated TCP port. It is generally advisable to choose ports with a number higher than 1024 since those below are generally found on the list of so-called well-known ports and are used for Web (like port 80), FTP (port 21), SSH (22), DNS (53), etc., it will be the responsibility of the user to make sure the port used by your application is open on the firewall. In order to solve this problem you can actually use port 80 for communication if you find that the port you have selected is blocked. You can do this because you know that this port will not be blocked in most cases. Indeed Yahoo Messenger is reported to use this technique when the firewall blocks the port it uses for communication.
The port should be used by your application to connect to the Web-server that will actually store user credentials, perform authentication, message transmission, etc., and the server should reside on capable hardware to be able to support large number of simultaneous connections. I can suggest using either a VPS (like the one provided by Linode) or a cloud (like Amazon EC2, Google Application Engine, Rackspace).
I have an iPhone app which relies on connecting via the local network to a server running on a user's mac/pc.
The server is running an http service on port 8080
I already add exceptions to the default windows firewall, or the default mac firewall to ensure traffic is allowed to reach my app.
However the most common customer issue is that the iPhone can't communicate with the server.
Normally this is the network router blocking traffic - though sometimes the user is running their own firewall which blocks the traffic.
Is there a protocol which will let me say something to the effect of
'will all the firewalls on this network, please allow communication to <an ip> on <a port> if the traffic originates within this network?'
I have looked into upnp - but that seems to concentrate on opening a port to the outside world which I don't want to do.
suggestions?
thanks in advance.
No, there is no such way or protocol aside from UPnP. And I wouldn't recommend it anyway because in company networks it would cause all sorts of problems and security issues if this were possible.
I'd suggest that you set up a FAQ entry or installation section for your software where you describe this common issue and give details to the customers how they can detect and solve this problem.
In general, higher ports (above 8000 or 16000) are not blocked or firewalled. I would seriously consider allocating a random port in that range.
Also, consider to advertise your service with Bonjour. Using Bonjour has the nice side-effect that your iPhone app does not have to know the port number. It can simply browse the network for available servers. If there is just one then connect to that, otherwise present the user with a list to choose.
Is there any way to run the server on port 80? You're likely to encounter fewer issues on a standard port.
Here's what I've done:
I wrote a minimal web server (using Qt, but I don't think it's relevant here).
I'm running it on a legal Windows 7 32-bit.
The problem:
If I make a request with Firefox, IE, Chrome or Safari it takes takes about one second before my server sees that there is a new connection to be accepted.
Clues:
Using other clients (wget, own test client that just opens a socket) than Firefox, IE, Chrome, Safari seeing the new connection is matter of milliseconds.
I installed Apache and tried the clients mentioned above. Serving the request takes ~50ms as expected.
The problem isn't reproducible when running Windows XP (or compiling and running the same code under Linux)
The problem seems to present itself only when connecting to localhost. A friend connected over the Internet and serving the connection was a matter of milliseconds.
Running the server in different ports has no effect on the 1 second latency
Here's what I've tried without luck:
Stopped the Windows Defender service
Stopped the Windows Firewall service
Any ideas? Is this some clever 'security feature' in Windows 7? Why isn't Apache affected? Why are only the browsers affected?
If you're saying "localhost" instead of "127.0.0.1", you're forcing a name lookup before the actual connection attempt, adding delay.
In addition, some browsers, like Firefox 3.5+, don't use the operating system's DNS lookup mechanism, which is why it can have different performance than, say, wget.
You may be running into some automatic proxy discovery problem. In Firefox, you can disable this in Options | Advanced | Network | Settings; select either "No proxy" or give it explicit values. There's also the Internet Properties control panel, which is IE's network settings, but other browsers on Windows may obey settings here, too. Again, disable auto-proxy discovery. This can speed connections outside localhost, too.
For some reason Windows 7 takes 1 second to resolve address localhost regardless of it being in hosts file.
Adding localhost1 to hosts file and using that works around the problem.
When connecting to localhost on a IPv4/IPv6 dual stack host:
A DNS lookup is performed for localhost.
The DNS server (whether IPv6 enabled or not - this doesn't matter) returns both the AAAA record ::1, and the A record 127.0.0.1.
The client first attempts to connect to ::1.
We assume your server program is not IPv6-capable, which is a common case - due to historical reasons, many servers bind their socket to 0.0.0.0 by default rather than [::].
Here an ECONNREFUSED error would be raised for the client. This happens immediately on most platforms; on Windows however, a single call to connect() would try 3 times in 500ms intervals before giving up, hence taking a bit more than one second (See http://stackoverflow.com/q/19440364 for more details).
The client then creates a connection to 127.0.0.1 instead.
This would explain all your clues above:
If you make a request with Firefox, IE, Chrome, Safari or any other IPv6-capable clients, it takes takes about one second trying for ::1 before connecting to 127.0.0.1.
Your own test client just opens a INET socket, so it won't try ::1 at all.
Using a dual-stack server such as Apache, the clients will connect to ::1 happily.
The problem isn't reproducible on Windows XP, of which IPv6 support is not enabled by default.
The problem seems to present itself only when connecting to localhost, as your friend connected with an IPv4-only network.
Running the server in different ports has no effect on the 1 second latency.