Hi, All, This is a 'general' question on LnS and UDP hole punching. Info about UDP hole punching can be found here: http://en.wikipedia.org/wiki/UDP_hole_punching General speaking, It allows an effective P2P connection for 2 clients both behind NAT. An example is Skype. So, to make it work, client A (behind Nat A) should connects to a port of Nat B (say, 50000) and vice verse for client B. The question is: the port on Nat B (50000) is actually a random number and by default LnS blocks all other UDP connections except the allowed ones. So, to let these kinds of cnnections (Skype, etc ) fully work, seems LnS has to allow ALL UDP connections. Any comments, corrections would be greatly appreciated.
Hi nuser No Sir, no Sir, no Sir! Allowing all UDP connections ? Why ? The UDP connections specific to ANY programs must be controlled by YOU (with the help of your FW).... Some programs like Skype and eMule makes attempts to start connections (in TCP or UDP) from a random local port to a random remote port. This is unaccceptable, easy to forbid and this have no effect on the performances of these programs... The implementation is quite simple: 1- Your rules set must used specific rules for applications 2- The local and remote ports are controlled via these specific rules (TCP and UDP) 3- A "garbage collector" rule is placed after the list of the specific rule to block all other connection for this specific application... Remember this ? {R.80443,02}; [TCP] { Http/Https Skype } followed by this garbage collector: {R..9999999}; [TCP] < Skype: forbidden ports ! >> and this {T. 4672,11}; [UDP] { eDONKEY - KAD } {T. 4672,10}; [UDP] { eDONKEY - list srvr } followed by this garbage collector: {T..9999999}; [UDP] < eMule Random Connections ! >> and both programs fully works... Have a nice day !
Are you guys aware of this article: http://www.heise-security.co.uk/articles/82481 I never use skype Thomas
Hi Thomas M May be... I read (fast ) the article you give in your post... looks good... On my side I guess I founded a way to have a better control over Skype: In UDP and TCP... (no more connections from random ports...) For the IP addresses this is an other story: Skype is a P2P program... I read the article in depth later... Take care.
Thanks, Climenole, Thomas, There would be a nightmare for LnS's UDP rule if: (1) Alice and Bob both behind NATs; (2) They want a P2P connection (Not thought relay of skype server) Anyway, if LnS block ALL other UDP connections (by default), Alice and Bob can still speak to each other (in this case, the audio data are relayed by skype server).
