Benjamin Coates wrote:
> > > From Mr.Bad <mr.bad at pigdog.org>
> >
> > So, is the following statement true?
> >
> > "You can run a Freenet node behind a firewall iff
> >
> > a) The firewall allows the node to make outbound connections
> > on arbitrary ports.
>
> Are there a significant number of firewalls that allow you to make outbound
> connections, but not on arbitrary (1024-5000) ports? Would it be worthwhile
> to have the node take a range of ports to make outbound connections on?
Most firewalls nowadays, or at least the ones being managed by competent admins, take a "Deny by default" approach. In other words, not only on inbound but also on outbound connections, *all* connections are denied unless explicitly approved. I agree with what seems to be the general consensus that trying to make Freenet overly firewall-friendly is going to be a waste of most of the effort, as it's probably about as friendly as it's going to get in all honesty. (With one exception, covered below.)

FWIW, and only tangentially related: I *am* running a Freenet node behind my firewall at home, but it required some trickery. Note that at home, I only have the "deny by default" on inbound connections. Outbound connections all simply get masqueraded. (So does that make me an "incompetent admin", too trusting or just lazy? :) If I were using "deny by default" on outbound connections as well, I would have just given up on getting Freenet to run as a node behind the firewall.

Nonetheless, I still ran into one thing that kept me stumped for a while. Here's the issue I ran into and a small change that would help the situation:

My external address is dynamically assigned (cablemodem) but stays relatively persistent for several weeks at a time. I have a Linux box acting as a firewall directly connected to the cablemodem, running iptables with the 2.4 kernel. I set up a DNAT rule that forwarded connections to "19114" on the cablemodem address to the machine on my internal home network running as a Freenet node. The problem is that if I set "nodeAddress" to the machine's "real" internal address, that's the address that gets advertised to the rest of
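The forwarding setup described in the post above (a masquerading Linux firewall with a DNAT rule that sends the Freenet port to an internal node), written out as an added example. This is not the poster's own script: the interface name eth0, the internal address 192.168.1.10 and the assumption that the node port is TCP are all hypothetical. By default the script only prints the iptables commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the iptables rules for
# forwarding a Freenet node's port through a masquerading Linux firewall.
# Assumptions (hypothetical): external interface eth0, node at 192.168.1.10,
# node port carried over TCP.

# Dry run by default: the rules are echoed rather than applied.
# Run with IPT=iptables (as root) to install them for real.
IPT="${IPT:-echo iptables}"

# freenet_forward <external-iface> <internal-node-ip> <port>
# Emits (or applies) the three rules the setup needs:
#  1. DNAT inbound TCP on <port> arriving on the external interface to the node.
#     Matching on the interface rather than on the external IP keeps the rule
#     valid when the dynamically assigned cablemodem address changes.
#  2. Let those forwarded packets through a deny-by-default FORWARD chain.
#  3. Masquerade everything leaving via the external interface, which covers
#     the node's own outbound connections.
freenet_forward() {
    ext_if=$1; node_ip=$2; port=$3
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$node_ip:$port"
    $IPT -A FORWARD -i "$ext_if" -p tcp -d "$node_ip" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE
}

# rules_forward_to <external-iface> <internal-node-ip> <port>
# Succeeds (exit 0) if the emitted rule set contains a DNAT to that node and port.
rules_forward_to() {
    freenet_forward "$1" "$2" "$3" | grep -q -- "--to-destination $2:$3"
}

# Example run: prints the three rules for a node on 192.168.1.10, port 19114.
freenet_forward eth0 192.168.1.10 19114
```

Matching the DNAT rule on the inbound interface rather than on the current external address is what makes this survive a change of the dynamically assigned cablemodem IP without editing the rule. Note that this only handles traffic arriving from the outside; hosts on the internal LAN that connect to the external address would additionally need a hairpin (loopback NAT) rule, which is outside what the post describes.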
