shapj@us.ibm.com wrote:
>
> Thank you.
>
> I believe it is possible for the recipient to learn the sender's IP address
> during the accept() system call.
>
> Unfortunately, the port number learned thereby is generally not the port on
> which the VAT accepts connections. Since firewalls can also remap port
> numbers, this might be a problem.
>
> A user-run VAT will accept connections on a user-space port number, which
> is allocated pretty well randomly. Firewalls generally suppress
> connections to all non-privileged port numbers unless associated with a
> protocol they understand.
>
> In short, you can't rely at all on being able to build an inbound TCP
> connection across a firewall unless to a well-known protocol. A rendezvous
> proxy sitting in public space might help...
Aha! Something we agree on - a rendezvous proxy is one solution (but would it have to support ridiculous numbers of simultaneous connections?) - the other is to assign a port number and build a proxy (though I'd guess for many sites you could just use plug-gw and use a locally assigned port - but that comes back to my earlier point - someone has to configure what to say when asked "how do I talk to you"). Frankly, I'd much rather have 10 minutes of pain figuring out how to configure that than hours trying to fix broken software trying to guess how my firewall works.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
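The rendezvous proxy that shapj and Ben discuss above, as an added illustration that is not part of this thread: both peers make only outbound connections to a relay on a public host and present a shared token, the relay pairs the two connections and copies bytes each way, so neither peer needs an inbound port through its firewall. The relay address (127.0.0.1 with an OS-assigned port), the 8-byte token format and the peer names are constructed for the example.

```python
import socket
import threading

TOKEN_LEN = 8  # constructed: each peer presents an 8-byte rendezvous token first

def _pump(src, dst):
    # Copy bytes one way until src reaches EOF, then pass that EOF on to dst.
    while data := src.recv(4096):
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)

def relay(listener, pairs):
    # Runs in "public space": pairs connections presenting the same token.
    waiting, pumps, conns = {}, [], []
    for _ in range(2 * pairs):
        conn, (ip, port) = listener.accept()  # port is the peer's ephemeral port
        conns.append(conn)
        token = conn.recv(TOKEN_LEN, socket.MSG_WAITALL)
        other = waiting.pop(token, None)
        if other is None:
            waiting[token] = conn
            continue
        for a, b in ((conn, other), (other, conn)):
            pumps.append(threading.Thread(target=_pump, args=(a, b), daemon=True))
            pumps[-1].start()
    for t in pumps:
        t.join()
    for c in conns + [listener]:
        c.close()

def peer(relay_addr, token, message):
    # Outbound only: nothing here needs an inbound port opened on the firewall.
    with socket.create_connection(relay_addr) as s:
        s.sendall(token + message)
        s.shutdown(socket.SHUT_WR)
        received = b"".join(iter(lambda: s.recv(4096), b""))
    return received

def demo():
    # Relay on 127.0.0.1 with an OS-assigned port stands in for a public host.
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=relay, args=(listener, 1), daemon=True).start()
    addr, results = listener.getsockname(), {}
    def run(name, msg):
        results[name] = peer(addr, b"tok-0001", msg)
    workers = [threading.Thread(target=run, args=("alice", b"hello from alice")),
               threading.Thread(target=run, args=("bob", b"hello from bob"))]
    for w in workers: w.start()
    for w in workers: w.join()
    return results
```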