

To: Gottfried who wrote (12115) 9/26/2000 11:07:07 AM
From: shadowman
 
Dolinar Newsday article...I don't think it's been posted? I apologize for the jumbled format.

newsday.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
CONTINUING ED

Preparing to Poke Holes in a Firewall

Lou Dolinar. Dolinar can be reached by e-mail at dolinar@newsday.com

HAS THIS ever happened to you at your office? You've just installed a new piece of Internet software like Napster. You're eager to get up and running, collecting files. But for some reason the program does not work: it can't see the Internet, and can't seem to get out of the building. You call up the IT staff and someone tells you, sorry, you can't use that program because the firewall blocks it.
Welcome to the wonderful world of firewalls and ports. It is bad enough you have to deal with them in the office. Now, thanks to the miracle of modern computing, the whole mess has been downsized to fit your own home.

I have to apologize for this week's column for being both impenetrable and superficial. This is the kind of stuff that no one in their right mind should be expected to learn unless they do it for a living. Were I to try to do justice to the subject, we'd be stuck here, once a week, until Thanksgiving.

Unfortunately, the computer industry has imposed networking on us, and until they figure out a better way, you're going to put up with it. Take a look at www.scan-technologies.com/tutorials/TCPIP%20Tutorial.htm if you need some basic concepts, and check out the various links for networking and broadband at www.dolinar.com.
Now ports and firewalls are an issue because, like most broadband users, you've probably networked one or two additional computers to your high-speed connection. Even modest security precautions can interfere with your ability to run networked games and file-sharing software.
Now that we've shown you how to set up and secure your network, this week we're going to give you some clues as to how to go about poking some essential holes in it.
We'll start with a little painful but grossly oversimplified technical explanation. Any type of information that travels over the Internet is broken up into bite-size pieces called packets, each of which travels independent of associated packets. A Web page, an MP3 file, an e-mail, they all combine in a packet soup.
Now these packets in effect are enclosed in envelopes, with the address of the sender and of the recipient, those IP (Internet Protocol) addresses we've been talking about. That's how a packet knows it's supposed to go to your computer, as opposed to your spouse's.

The packet needs additional information to tell it which program on your computer it is supposed to use. Obviously, you don't want packets from Quake showing up in your Web browser, nor do you want to try to read a RealAudio file with your FTP program.

Port numbers are the part of the information that associates a particular packet with a particular service, sort of like the way file extensions tell your Windows PC which programs are associated with which file type. In effect, the IP address delivers the message to the apartment building; the port number gets it to the right apartment. To extend a lame analogy a little further, some apartment buildings have doormen, some don't, and some don't even lock the front door.

Here's a rule of thumb: Any time you share a connection to the Internet, whether you're using software and a designated PC, or a hardware router, some ports are going to be blocked or unavailable to some computers. That's OK if you originate the request for information, as you do when you click on a link that requests a Web page. Your sharing software or hardware knows which computer on the network originated the request and thus it can direct the response to the appropriate computer. The only reason originating requests won't work is that the particular service is blocked deliberately by the firewall administrator.

Problems arise, however, when requests for information come from outside your network. Say you're running an FTP server on one of the computers on your home network. From the outside, the only thing visible, if at all, is the IP address of the router or computer that's running the file-sharing software. The internal address of the FTP server, as we noted a couple of weeks ago, is invisible. At that point, if the FTP server is to work, the firewall has to be specifically told to direct all inquiries for that specific port to a predetermined computer on the internal network. In general, that means only one computer on your internal network can run a specific service where requests originate outside the network.

Getting around the one-port-per-computer limitation tends to cost money. For example, you'll pay more for software or hardware that supports something called "triggered maps," which in effect lets a couple of computers share a port. A more standard approach, which raises a lot of security issues, allows you to put one computer outside the firewall, totally exposed to the Internet.

Another useful feature, which many products lack, is the ability to map ranges of ports. Some videoconferencing software, for example, needs to use a range of ports, say, everything between 1500 and 1550.

That's the general overview of why you might find that software won't work from behind your firewall. Beyond that, everything gets down to the specifics of the particular firewall and the particular program. Behavior is all over the map, and to get an application to run, you may have to pore over the site of the manufacturer, and consult your firewall provider as well. Networked games can be particularly troublesome. You'll get a good overview of the gory details of how to configure individual programs at www.timhiggins.com/sharing/special apps.htm.

Astute readers will note at this point that mapping ports opens a can of worms that we thought we had put the lid on a while back, since it requires you to assign specific ports to specific IP addresses. Like a lot of people, I'm much enamored of DHCP (Dynamic Host Configuration Protocol), which automatically assigns IP addresses and can, when Windows is having a good day, automatically configure your network for you. Unfortunately, when you use DHCP, the IP address of a computer can vary from one day to the next, depending on the order in which the computers are turned on. So if you want to map ports, you have to configure each computer manually.

Fun, huh? Having said all that, there are a couple of ways to get around the issue of blocked ports altogether. Assuming your Internet service provider allows you to have multiple assigned IP addresses, a scenario we explored three weeks ago, you simply plug your cable/DSL modem into a hub, and plug the rest of your computers into the same hub. (You can't do this with Cablevision's Optimum Online, but it does work with Bell Atlantic/Verizon.) Every computer has to log in independently and run the ISP's software. You'd be advised to run ZoneAlarm, which we've also written about in recent weeks, on each PC. Alternately, you could simply pay for another cable/DSL connection.

Next week we'll look at tools you can use to troubleshoot your network and broadband connection.

To buy printed copies of his earlier columns, call 800-2FINDOUT.
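As an added example that is not part of the column or the forum post, the following Python model (all IP addresses, ports and hosts are constructed; it imitates no particular product) shows the three behaviors the column describes: replies to requests a LAN PC originated are routed back to that PC, unsolicited inbound packets are dropped unless a port map names one internal host, and a port or port range can be mapped to only one computer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SharingRouter:
    """Toy model of a connection-sharing firewall/router (constructed, not any product).
    Outbound requests are remembered so the reply reaches the PC that asked;
    unsolicited inbound packets are dropped unless a port map names an internal host."""

    def __init__(self, public_ip, blocked_ports=()):
        self.public_ip = public_ip
        self.blocked = set(blocked_ports)   # services the administrator blocks outright
        self.forwards = {}                  # external port -> one internal host
        self.sessions = {}                  # (remote ip, remote port, our port) -> (lan ip, lan port)
        self.next_port = 40000              # pool of public-side ports for outbound sessions

    def forward_port(self, port, host):
        """Map one port to one internal host; a second host for the same port is refused."""
        if self.forwards.get(port, host) != host:
            return False
        self.forwards[port] = host          # keyed on a fixed LAN address: if DHCP hands the
        return True                         # host a new address, this mapping silently breaks

    def forward_range(self, first, last, host):
        """Map a whole range (e.g. 1500-1550 for videoconferencing) to one host."""
        return all(self.forward_port(p, host) for p in range(first, last + 1))

    def outbound(self, pkt):
        """A LAN PC originates a request. Returns the rewritten packet, or None if blocked."""
        if pkt.dst_port in self.blocked:
            return None
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """A packet arrives from the Internet. Returns the delivered packet, or None if dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:            # reply to something a LAN PC asked for
            lan_ip, lan_port = self.sessions[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        host = self.forwards.get(pkt.dst_port)
        if host is None:                    # nobody asked and no map: the LAN stays invisible
            return None
        return Packet(pkt.src_ip, pkt.src_port, host, pkt.dst_port)
```

The blocked-port set stands in for the column's "blocked deliberately by the firewall administrator" case, and the refused second mapping is the one-computer-per-port limitation.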