Problem Communicating behind NAT/firewall

Hi j-trobec,
     I think you have misunderstood the problem

>The problem is that any time you want to send a message, you have to know what port you're sending it to...and that port    >needs to be open.  So, at the least, the server will need an open well known port.
  There is a well known open port at the server where the server listens for connection requests and the client connects to the
  server at that port. But if the server is behind firewall/NAT(i.e in a private LAN) and the client is in an outside n/w, the client  
  cannot make direct connection to the server because the firewall/NAT intercepts the packets sent from the server as also that  
  received from the client. The below diagram will explain it properly

----------------------------------------------------\           /
                                                                   \       /
       -----------                   -------------             \   /                      ----------------
      | Client1   |                |   Server  |              | |                       |    Client2    |
       -----------                   -------------             /    \                       ---------------
             LAN                                                 /       \
-----------------------------------------------------/          \                 Internet
                                                                      |
                                                                      |
                                                                firewall/NAT

   1. Consider the Server as the Chat Server
   2. Client1 and Server are in the same private network.
   3. The network is connected to the internet through firewall.
   4. Client2 is not in the same network as Client1 and Server but is connected to the internet
   5. In the above case Client1 can communicate with the Server without any hassle.
   6. Client2 cannot connect to server unless the port forwarding is done for the Server at the firewall/NAT.
   
    Now is there a way for communication to take place between Server and Client2 without manual port forwarding.
   A related problem : Is there a way to determine if a client or server is behind NAT/firewall.

I'm sorry for the miscommunication, Vinod.  When I said that the server needed an open well known port, what I was intending to say was that the server needed to have that port accessible to the client, meaning that the firewall would have to forward those packets to the server.  If this wasn't the case, then a NAT firewall really wouldn't do anyone any good; if it was possible to open connections to a server behind the firewall without configuring the firewall, of what use would that firewall be in the first place?

So, I believe that the answer to your first question is: no.  The firewall MUST be configured to allow communication from the client to pass through to the server.

In regards to determining if a client or server is behind a firewall, I am not aware of any certain tests available.  However, you could try programmatically testing available connections.  For example, say you have a program running on a machine, and you'd like to determine whether or not that machine is behind a firewall.  This machine can first test for internet access by pinging some well known internet sites.  Once that's done, the machine could then contact a server that you've put on the internet.  This server will then attempt to open a client connection to several ports on the original machine.  If none of the requests are successful, the server will have a good guess that the original machine is behind a firewall.  The original machine can then check back in with the server to find out the results of the test.

Hopefully that helps.

Hi TheLearnedOne,
  As i have not received any useful responses i am closing this question as requested.

While you may not deem my responses useful, they are accurate answers to your question.  If you happen to find a way to connect to a server that is behind a firewall without configuring that firewall, please notify the manufacturers of that firewall so they can issue a recall.

Well j-trobec,

 This was your response to my post
>> So, I believe that the answer to your first question is: no.  The firewall MUST be configured to >>allow communication from the client to pass through to the server.

       In my original post i had mentioned  "Yahoo Messenger".  I checked up with my System  
 administrator to find that there was no rule set up for the messenger. It uses some "Socks Firewall Library" to make communication possible even if client is behind firewall. So your observation is wrong.

Ok, you checked with your systems administrator, and found out that there was no configuration of your internal firewall to account for yahoo messenger.  Do me a favor and also ask your administrator this: do you run an internal Yahoo! Messenger server?  Of course not...

The point is that the machines on your internal network act as SOCKS clients.  Let me emphasize this, because it's important: the machines inside your network are CLIENTS.  The situation you described was that the server was behind a NAT firewall...in your words:

> 1. Consider the Server as the Chat Server
> 2. Client1 and Server are in the same private network.
> 3. The network is connected to the internet through firewall.

see, the server there is behind a firewall.

You may not realize it, but this makes a huge difference.  Look at this information about SOCKS:

"Applications use SOCKS in a very similar way to Winsock. Unlike HTTP application-layer proxies, which can connect to a server given only the DNS address, a SOCKS connection requires a legitimate IP address. Therefore, clients on the internal network must have the capability to resolve DNS addresses on the external network. Fortunately, most proxy servers that support SOCKS also provide DNS services.

Once the application knows the IP address of the destination server, it makes a request to SOCKS to communicate with the application server. This request will include the IP address of the server, information about the type of connection, and the user’s identity."

-- taken from http://www.windowsitlibrary.com/Content/386/18/4.html

Hopefully you took note of the reoccurrence of the phrase "IP address" in reference to the destination server...in your case, as we've established, you have your destination server behind a Firewall.  Now, ask your network administrator this question: if you want to setup a server on your internal network with an IP address that is reachable from the outside, would they have to do any configuration of the Firewall?

They should tell you that yes, some configuration will be necessary.

I urge you to use just a little bit of common sense on this.  Honestly ask yourself this question: if people can connect to servers on your internal network with out any configuration of the firewall, then of what possible use is the firewall in the first place?

Thank you and goodnight.

Hi j-trobec,
      Thanks for enlightening me. You were right and the link was very useful. Please post more links of  SOCKS.  But i am a little confused here. If the scernario is like i have mentioned before


----------------------------------\          /                    \        / ----------------------------------            
                                            \       /                       \     /    
    -----------     ------------        \   /     ----------         \  /                    --------------
   | Client1  |   |  Server |          ||      |Client2 |         ||                    |  Client3   |
    -----------     ------------        /   \     ----------         /  \                    --------------
             LAN 1                       /      \                        /     \                    LAN 2
----------------------------------/         \   Internet       /        \-----------------------------------
                                                  |                            |
                                                  |                            |
                                              firewall/NAT1         firewall/NAT2

 Now lets consider i have port forwarded the well known port of the pc that hosts the chat server
and gave it a domain name and IP address to be accessible from outside. Now any clients from
outside can have direct communication through normal socket connections without worrying about
the  NAT/firewall. So SOCKS doesn't come into picture for this type of clients. In the above
scenario Client2 can connect to Chat Server without worrying about SOCKS.
            Now Client3 cannot directly communicate with Chat Server as it is in a different n/w. So
 as you said it should implement a SOCK client. In this scenario i have two conflicating thoughts
 so please help me on this

     1. If i am not wrong the Chat Server should act as  the socks server. That means i have to implement both SOCKS client and SOCKS server. The SOCKS Server will be implemeted at each and every Chat Server and the SOCKS client will be implemented for every Chat Client.

     2. Or is it that i have to only implement SOCKS Client and the SOCKS Server is already
implemented by most of the proxy server(or NAT or firewalls). So in the above scenario
firewall/NAT2 will be the SOCKS server and Client3 will be the SOCKS client for communication
to be made possible between the Chat Server and the Client3. I think this is more right option.
 But i want a clarification bcoz in this case i am assumming that each and every proxy server avaliable in market or currently deployed have support for SOCKS included.

Hi j-trobec and TheLearnedOne,
    The SOCKS solution works only when the port 1080 which is the default port for SOCKS is open. In most cases
 the port is closed by administrator due to security issues. The only protocol that is allowed by most firewalls is HTTP as Web
 Browsing is the common activity that takes place in a priavate LAN. So most firewall bypassing techniques are based on  taking
 advantage of HTTP by using HTTP tunneling. An example in this regard is Quicktime as given by the link

   http://developer.apple.com/documentation/QuickTime/QTSS/Concepts/chapter_2_section_14.html

 While the HTTP commands post and get can be used for uploading and downloading files how can HTTP be used for building
 a chat application. Is there any example application or source code on how to make use of HTTP tunneling for building
 firewall bypassing Chat applications. Any link or idea in this regard will be appreciated.