I've just started using Overnet (a p2p app) on my SuSE 8.2 box. The box is protected with shorewall and has been for some time with no problems. However, I was surprised to see that I am actually uploading files to other Overnet users without explicitly opening any ports. I've checked with grc.com's ShieldsUp and there don't seem to be any open ports, including port 4662, which is what overnet is using - certainly, Shorewall is configured to DROP all packets from the net to the fw. Indeed, in my firewall log, I do see packets from outside to port 4662 being DROPped by shorewall.

Is anyone familiar with the overnet program? How is it getting past the firewall on my linux box? The linux version doesn't seem to have the feature some similar apps do in Windows, of telling you whether it thinks you're firewalled, so there's no help from it.

All I can think is that it is sending files only to clients from which I have started receiving files, so the connection is already established. It would ease my mind greatly if this was all that was happening! Perhaps overnet opens connections with all other clients when it searches them for files, and these stay open, allowing the remote clients to upload from me?

TiA

John
--
John Pettigrew          XL Cambridge - contract and freelance editing
Biology specialist      Molecular biology, genetics, biotechnology
john@xl-cambridge.com   http://www.xl-cambridge.com/
PGP public key available
On Fri, 24 Oct 2003 14:04:57 +0100, John Pettigrew <john@xl-cambridge.com> wrote:

> I've just started using Overnet (a p2p app) on my SuSE 8.2 box. The box is
> protected with shorewall and has been for some time with no problems. However,
> I was surprised to see that I am actually uploading files to other Overnet
> users without explicitly opening any ports. I've checked with grc.com's
> ShieldsUp and there don't seem to be any open ports, including port 4662,
> which is what overnet is using - certainly, Shorewall is configured to DROP
> all packets from the net to the fw. Indeed, in my firewall log, I do see
> packets from outside to port 4662 being DROPped by shorewall.
>
> Is anyone familiar with the overnet program? How is it getting past the
> firewall on my linux box? The linux version doesn't seem to have the feature
> some similar apps do in Windows, of telling you whether it thinks you're
> firewalled, so there's no help from it.

I'm not familiar with overnet, but I know that with gnutella (and presumably other p2p systems), if your system is behind a firewall, it will make a connection to an "ultrapeer" out on the network when you first start the program. This ultrapeer then takes care of setting up the connections between your system and the downloaders - it tells your system when to connect, and to where, so in terms of TCP/IP your system is still initiating all these p2p connections and the traffic will pass the firewall.

I don't feel like I've explained that terribly well. Do you get the idea?

regards

Julian
--
jc@ljchurch.co.uk
www.ljchurch.co.uk
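The connect-back ("push") pattern Julian describes, as an added toy model in Python. This is not code from the thread, from gnutella or from Overnet; the names (Firewall, Node, Ultrapeer, deliver_push, the peers "john" and "alice") are hypothetical. The point it makes visible is the one that matters for the firewall question: the firewalled node never accepts an inbound connection, yet it still ends up uploading, because every TCP connection it uses was opened from the inside, and the firewall's connection tracking then lets the reply traffic through. A second scenario shows the failure mode: two firewalled nodes cannot reach each other at all.

```python
"""Toy model of a connect-back ("push") relay for a firewalled p2p node.
Added example, not from the thread or from any real p2p client; all names
are hypothetical. It models only who opens which TCP connection."""

from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Stateful firewall in front of one node: DROP every inbound connection
    attempt, allow anything the node itself initiated (modelled by the fact
    that only accept_from() consults the firewall)."""
    owner: str
    dropped: list = field(default_factory=list)  # log of dropped inbound sources

    def allow_inbound(self, src: str) -> bool:
        self.dropped.append(src)
        return False


class Node:
    def __init__(self, name: str, firewalled: bool):
        self.name = name
        self.fw = Firewall(name) if firewalled else None
        self.connections = []  # (peer name, direction) from this node's view
        self.files = set()
        self.received = set()

    def accept_from(self, peer: "Node") -> bool:
        """`peer` tries to open a TCP connection to us."""
        if self.fw and not self.fw.allow_inbound(peer.name):
            return False
        self.connections.append((peer.name, "inbound"))
        peer.connections.append((self.name, "outbound"))
        return True

    def connect_to(self, peer: "Node") -> bool:
        """We initiate a TCP connection to `peer`."""
        return peer.accept_from(self)


class Ultrapeer(Node):
    """An open node that firewalled nodes keep an outbound connection to. It
    relays 'connect back to X' requests over that already-open connection."""
    def __init__(self, name: str):
        super().__init__(name, firewalled=False)
        self.sessions = {}  # node name -> Node, over a connection *they* opened

    def register(self, node: Node) -> None:
        if node.connect_to(self):
            self.sessions[node.name] = node

    def deliver_push(self, target_name: str, requester: Node) -> bool:
        """Tell the (firewalled) target to open a connection to requester."""
        target = self.sessions[target_name]
        return target.connect_to(requester)


def download(requester: Node, source: Node, filename: str, up: Ultrapeer):
    """Try a direct connection first; if the source's firewall drops it, fall
    back to a push via the ultrapeer. Returns "direct", "push" or None."""
    if requester.connect_to(source):
        how = "direct"
    elif up.deliver_push(source.name, requester):
        how = "push"
    else:
        return None
    if filename in source.files:
        requester.received.add(filename)
        return how
    return None


def scenario():
    """A firewalled node ("john") serving a file to an open downloader."""
    up = Ultrapeer("ultrapeer")
    john = Node("john", firewalled=True)
    john.files.add("paper.pdf")
    alice = Node("alice", firewalled=False)
    up.register(john)  # john's only connection so far is outbound
    how = download(alice, john, "paper.pdf", up)
    return how, john.fw.dropped, john.connections


def scenario_both_firewalled():
    """Two firewalled nodes: neither side can accept, so the push fails too."""
    up = Ultrapeer("ultrapeer")
    john = Node("john", firewalled=True)
    john.files.add("paper.pdf")
    bob = Node("bob", firewalled=True)
    up.register(john)
    up.register(bob)
    return download(bob, john, "paper.pdf", up)


if __name__ == "__main__":
    how, dropped, conns = scenario()
    print("transfer completed via:", how)            # push
    print("inbound attempts dropped at john:", dropped)
    print("john's connections:", conns)              # every one is outbound
    print("two firewalled nodes:", scenario_both_firewalled())  # None
```

Read against John's firewall log: the dropped SYN to port 4662 is the direct attempt, and the upload that still happens afterwards rides on a connection his own client opened.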
In a previous message, Julian Church <jc@ljchurch.co.uk> wrote:

> I'm not familiar with overnet, but I know that with gnutella (and presumably
> other p2p systems), if your system is behind a firewall, it will make a
> connection to an "ultrapeer" out on the network when you first start the
> program.

I don't think overnet uses ultrapeers, though; the eDonkey2000 system on which it is based used servers, but overnet is completely distributed (at least, according to what they say on the website). There are servers, which are used initially to get a list of clients, but that's all AFAIK. The app's site is http://www.overnet.com/ but it's pretty slow.

Thanks,

John
--
John Pettigrew          XL Cambridge - contract and freelance editing
Biology specialist      Molecular biology, genetics, biotechnology
john@xl-cambridge.com   http://www.xl-cambridge.com/
PGP public key available
On Fri, 2003-10-24 at 06:04, John Pettigrew wrote:

> All I can think is that it is sending files only to clients from which I have
> started receiving files, so the connection is already established. It would
> ease my mind greatly if this was all that was happening! Perhaps overnet opens
> connections with all other clients when it searches them for files, and these
> stay open, allowing the remote clients to upload from me?

Since *you* have this software already installed, why don't *you* use the 'netstat' command on the system where it is running to find out what connections it has open?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
In a previous message, Tom Eastep <teastep@shorewall.net> wrote:

> Since *you* have this software already installed, why don't *you* use the
> 'netstat' command on the system where it is running to find out what
> connections it has open?

Because my question isn't whether it has connections - it plainly does. I was wondering how it manages to get connections *from* other clients when shorewall is blocking all incoming connections.

I appreciate that, without knowing the app, it's guesswork but was hoping that someone might have come across it. Given that all other indications are that the firewall is working as it should, I'll assume that overnet opens the connections itself and uploads and downloads through them.

John
--
John Pettigrew          XL Cambridge - contract and freelance editing
Biology specialist      Molecular biology, genetics, biotechnology
john@xl-cambridge.com   http://www.xl-cambridge.com/
PGP public key available
On Fri, 2003-10-24 at 08:14, John Pettigrew wrote:

> I appreciate that, without knowing the app, it's guesswork but was hoping that
> someone might have come across it. Given that all other indications are that
> the firewall is working as it should, I'll assume that overnet opens the
> connections itself and uploads and downloads through them.

I was just addressing your conjecture that this app leaves connections open to those sites that it has visited. That conjecture would be easily verified using 'netstat'.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
In a previous message, Tom Eastep <teastep@shorewall.net> wrote:

> I was just addressing your conjecture that this app leaves connections open
> to those sites that it has visited. That conjecture would be easily verified
> using 'netstat'.

It's not quite that easy - there is no indication from overnet about what sites it has connected to so I would have to issue a whole series of netstats for a long period of time and capture all the output, then try and analyse it. With my fairly low level of knowledge about this stuff, this is probably (a) outside my sensible limits and (b) unnecessary - I assume that shorewall is doing what it's supposed to, but was surprised by the apparent ability of this program to start acting as a server despite being behind a firewall.

John
--
John Pettigrew          XL Cambridge - contract and freelance editing
Biology specialist      Molecular biology, genetics, biotechnology
john@xl-cambridge.com   http://www.xl-cambridge.com/
PGP public key available
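The repeated-netstat bookkeeping John says would be too much work, as an added Python example (not from the thread, Shorewall or Overnet). It parses `netstat -tn` output, sorts every ESTABLISHED TCP connection into "inbound" (a remote peer reached our listening port) or "outbound" (our host opened the connection), and merges several snapshots into a per-direction list of unique peers. The sample output is constructed; the column layout assumed is that of Linux net-tools netstat, and port 4662 is the one the thread names. If the script runs on a box where netstat exists it takes live snapshots instead; otherwise it works on the sample.

```python
"""Classify and aggregate `netstat -tn` snapshots by connection direction.
Added example, not from the thread. Assumes the net-tools netstat layout:
Proto Recv-Q Send-Q Local-Address Foreign-Address State."""

import shutil
import subprocess
import time

APP_PORT = 4662  # the app's TCP listening port, as stated in the thread

# Constructed sample of `netstat -tn` on a host 192.168.1.10 running the app.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:4662       203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.168.1.10:40211      198.51.100.7:4662       ESTABLISHED
tcp        0      0 192.168.1.10:40212      198.51.100.9:4662       TIME_WAIT
tcp        0      0 ::ffff:192.168.1.10:40213 ::ffff:198.51.100.11:4662 ESTABLISHED
"""


def split_addr(addr: str):
    """'host:port' -> (host, port). Splitting on the last colon also copes
    with the ::ffff: forms netstat prints for IPv4-mapped sockets."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def classify(netstat_text: str, app_port: int = APP_PORT):
    """Yield (direction, remote_host, remote_port) for each ESTABLISHED TCP
    row. A connection is 'inbound' when our local end is the listening port;
    anything else was opened from our side."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines and non-TCP rows
        local, remote, state = parts[3], parts[4], parts[5]
        if state != "ESTABLISHED":
            continue
        _, lport = split_addr(local)
        rhost, rport = split_addr(remote)
        direction = "inbound" if lport == app_port else "outbound"
        yield direction, rhost, rport


def summarize(samples, app_port: int = APP_PORT):
    """Merge several snapshots into sorted unique peers per direction."""
    peers = {"inbound": set(), "outbound": set()}
    for text in samples:
        for direction, host, _ in classify(text, app_port):
            peers[direction].add(host)
    return {k: sorted(v) for k, v in peers.items()}


def live_samples(count: int, interval_s: float):
    """Take `count` real snapshots `interval_s` apart; [] if netstat is absent."""
    if shutil.which("netstat") is None:
        return []
    out = []
    for _ in range(count):
        res = subprocess.run(["netstat", "-tn"], capture_output=True, text=True)
        out.append(res.stdout)
        time.sleep(interval_s)
    return out


if __name__ == "__main__":
    samples = live_samples(3, 5) or [SAMPLE]
    report = summarize(samples)
    print("inbound peers (they connected to us):", report["inbound"])
    print("outbound peers (we connected to them):", report["outbound"])
```

What to look for: if the firewall is doing its job, the inbound list stays empty while uploads still happen, and every transfer partner shows up under outbound, i.e. on connections the local client opened. Run it with a longer `live_samples(...)` loop to cover the period John describes.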
On Fri, 2003-10-24 at 08:51, John Pettigrew wrote:

> In a previous message, Tom Eastep <teastep@shorewall.net> wrote:
>
> > I was just addressing your conjecture that this app leaves connections open
> > to those sites that it has visited. That conjecture would be easily verified
> > using 'netstat'.
>
> It's not quite that easy - there is no indication from overnet about what
> sites it has connected to so I would have to issue a whole series of netstats
> for a long period of time and capture all the output, then try and analyse it.
> With my fairly low level of knowledge about this stuff, this is probably (a)
> outside my sensible limits and (b) unnecessary - I assume that shorewall is
> doing what it's supposed to, but was surprised by the apparent ability of this
> program to start acting as a server despite being behind a firewall.

This page describes how people can download something you've published without being able to connect to you. The key is that published files are copied to the node whose 128-bit id most closely matches the 128-bit ID of the published file.

http://www.overnet.com/documentation/how_on.html

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-10-24 at 09:37, Tom Eastep wrote:

> This page describes how people can download something you've published
> without being able to connect to you. The key is that published files
> are copied to the node whose 128-bit id most closely matches the 128-bit
> ID of the published file.
>
> http://www.overnet.com/documentation/how_on.html

Here's more info: http://www.overnet.com/documentation/lowid.html

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-10-24 at 15:04, John Pettigrew wrote:

> I've just started using Overnet (a p2p app) on my SuSE 8.2 box. The box is
> protected with shorewall and has been for some time with no problems. However,
> I was surprised to see that I am actually uploading files to other Overnet
> users without explicitly opening any ports. I've checked with grc.com's
> ShieldsUp and there don't seem to be any open ports, including port 4662,
> which is what overnet is using - certainly, Shorewall is configured to DROP
> all packets from the net to the fw. Indeed, in my firewall log, I do see
> packets from outside to port 4662 being DROPped by shorewall.

If I got that right, you are trying to "participate" on a P2P network but don't wanna allow uploads. So you want to benefit from others, but don't want them to benefit from you. This parasitic attitude kills P2P networks -- and the Internet in general, which grew by the idea of sharing. I am even surprised you got help at all...

> Is anyone familiar with the overnet program? How is it getting past the
> firewall on my linux box? The linux version doesn't seem to have the feature
> some similar apps do in Windows, of telling you whether it thinks you're
> firewalled, so there's no help from it.

Well, however... The overnet client (CLI) actually tells you every couple of seconds its own status (firewalled/open). Just watch and you likely will see "firewalled"...

Karsten
--
Davision - studio for design / Internet / multimedia
UNIX / Linux networks and training
Telephone 06151/17865   Fax 06151/178659
In a previous message, Karsten Bräckelmann <k.braeckelmann@davision.com> wrote:

> If I got that right, you are trying to "participate" on a P2P network but
> don't wanna allow uploads.

Not at all - I'm quite happy to allow uploads and would happily open the relevant ports to allow this while I'm running overnet. However, I seem to be sharing successfully *without* having opened the relevant ports, which was what prompted my original question - not "How can I stop this?" but "Why is this happening?"

> The overnet client (CLI) actually tells you every couple of
> seconds its own status (firewalled/open). Just watch and you likely will
> see "firewalled"...

Ah, OK - I'll try running it from the command line. I'm currently using the GUI, and this doesn't seem to report this information anywhere that I can see.

Thanks,

John
--
John Pettigrew          XL Cambridge - contract and freelance editing
Biology specialist      Molecular biology, genetics, biotechnology
john@xl-cambridge.com   http://www.xl-cambridge.com/
PGP public key available
On Fri, 2003-10-24 at 12:15, John Pettigrew wrote:

> In a previous message, Karsten Bräckelmann <k.braeckelmann@davision.com>
> wrote:
>
> > If I got that right, you are trying to "participate" on a P2P network but
> > don't wanna allow uploads.
>
> Not at all - I'm quite happy to allow uploads and would happily open the
> relevant ports to allow this while I'm running overnet. However, I seem to be
> sharing successfully *without* having opened the relevant ports, which was
> what prompted my original question - not "How can I stop this?" but "Why is
> this happening?"
>
> > The overnet client (CLI) actually tells you every couple of
> > seconds its own status (firewalled/open). Just watch and you likely will
> > see "firewalled"...
>
> Ah, OK - I'll try running it from the command line. I'm currently using the
> GUI, and this doesn't seem to report this information anywhere that I can see.

After frustrating myself trying to use the Linux version (GUI and 'core'), I downloaded and installed the free Windoze version. It reports "firewalled" or "open" as Karsten has mentioned.

To get it to report "open", I had to forward tcp 4662 and UDP 12112 to the Windoze box.

And while testing, I generated a ton of "Shorewall...DROP" messages :-)

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-10-24 at 09:37, Tom Eastep wrote:

> This page describes how people can download something you've published
> without being able to connect to you. The key is that published files
> are copied to the node whose 128-bit id most closely matches the 128-bit
> ID of the published file.
>
> http://www.overnet.com/documentation/how_on.html

Another possibility is hinted at by the firewalling page on the overnet site (URL posted previously):

    With Overnet other clients need to be able to connect to you. If you are
    Firewalled you will be able to connect to Open clients, but two Firewalled
    clients will not be able to connect to each other. This means that many
    possible file sources are not available to those who are Firewalled.

This suggests to me that you can still publish if you are firewalled but another firewalled user won't be able to download from you and you won't be able to download from another firewalled user.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-10-24 at 22:00, Tom Eastep wrote:

> On Fri, 2003-10-24 at 12:15, John Pettigrew wrote:
> > In a previous message, Karsten Bräckelmann <k.braeckelmann@davision.com>
> > wrote:
> >
> > > If I got that right, you are trying to "participate" on a P2P network but
> > > don't wanna allow uploads.
> >
> > Not at all - I'm quite happy to allow uploads and would happily open the
> > relevant ports to allow this while I'm running overnet. However, I seem to be
> > sharing successfully *without* having opened the relevant ports, which was
> > what prompted my original question - not "How can I stop this?" but "Why is
> > this happening?"

John, then please accept my apology. I misunderstood your intention...

> > > The overnet client (CLI) actually tells you every couple of
> > > seconds its own status (firewalled/open). Just watch and you likely will
> > > see "firewalled"...
> >
> > Ah, OK - I'll try running it from the command line. I'm currently using the
> > GUI, and this doesn't seem to report this information anywhere that I can see.
>
> After frustrating myself trying to use the Linux version (GUI and
> 'core'), I downloaded and installed the free Windoze version. It reports
> "firewalled" or "open" as Karsten has mentioned.
>
> To get it to report "open", I had to forward tcp 4662 and UDP 12112 to
> the Windoze box.

Strange. As I mentioned some weeks ago, tcp 4662 should be all you need.

> And while testing, I generated a ton of "Shorewall...DROP" messages :-)

heh :)

Karsten
--
Davision - studio for design / Internet / multimedia
UNIX / Linux networks and training
Telephone 06151/17865   Fax 06151/178659
Hi, is it now possible to put these rules, which are currently in the start file, in the rules file?

    run_iptables -t nat -I lan_dnat -s 1.1.1.145 -d w.x.y.z -p tcp --dport pop3 -j RETURN
    run_iptables -t nat -I lan_dnat -s 1.1.1.145 -d w.x.y.z -p tcp --dport smtp -j RETURN

The relevant portion of the rules file is:

    DNAT    lan    wan:a.b.c.d    tcp    smtp    -
    DNAT    lan    wan:a.b.c.d    tcp    pop3    -

Old Shorewall didn't work if I put all the rules in the rules file. Now I tried again, but it doesn't work. Any idea?
On Fri, 2003-10-24 at 14:33, Rodrigo Cortes Cano wrote:

> Hi, is it now possible to put these rules, which are currently in the start
> file, in the rules file?
>
> run_iptables -t nat -I lan_dnat -s 1.1.1.145 -d w.x.y.z -p tcp --dport pop3 -j
> RETURN
> run_iptables -t nat -I lan_dnat -s 1.1.1.145 -d w.x.y.z -p tcp --dport smtp -j
> RETURN

No.

> The relevant portion of the rules file is:
>
> DNAT    lan    wan:a.b.c.d    tcp    smtp    -
> DNAT    lan    wan:a.b.c.d    tcp    pop3    -
>
> Old Shorewall didn't work if I put all the rules in the rules file.
>
> Now I tried again, but it doesn't work.
>
> Any idea?

Leave the commands in your start file.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net