Bidirectional Networking

Bryan Olson fakeaddress at nowhere.org
Sat Dec 13 18:13:39 EST 2008


Emanuele D'Arrigo wrote:
> Hey Bryan, thank you for your reply!
> 
> Bryan Olson wrote:
>>> Is it possible then to establish both a server and a client in the
>>> same application?
>> Possible, and not all that hard to program, but there's a gotcha.
>> Firewalls, including home routers and software firewalls, typically
>> default to disallowing connections in the 'wrong' direction. If the
>> client initiates all connections, you avoid a world of hassles.
> 
> Ah yes, I can see that. Uhm. I have absolutely no idea right now how a
> firewall works from a programming point of view and what happens in
> normal "residential" circumstances. I.e. it's clear that firewalls are
> configured to allow http traffic because I can browse the internet. Is
> that done leaving a specific port open? Or does the browser request
> the firewall to open a specific port for it and the firewall trust the
> browser to handle safely anything that comes through?

Software firewalls will often simply refuse incoming connections. The 
basic protection of the garden-variety home router comes from "network 
address translation" (NAT), in which case TCP connections initiated from 
the inside will generally work, regardless of port, and incoming 
connections will fail.

Internet server farms often enforce the other side of the client-side 
policy, with firewalls configured to disallow outgoing initiation of 
connections.

If the application needs to work in restrictive environments where 
firewalls only pass known protocols, a popular approach is to build the 
application protocol on top of HTTP, with all the required standard 
headers and a new content-type.

> I.e. in the case of the code in this thread, would it be the
> responsibility of the application to tunnel through the firewall and
> listen for connections 

I'm not clear on what that means.

> or would it be the responsibility of the user
> to configure the firewall so that the application can receive a
> connection?

That can be a huge hassle. The first choice is for the application to 
conform to popular firewall policies, so no special configuration is 
required.


-- 
--Bryan
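To make the point about client-initiated connections concrete, here is an added example in Python (not code from this thread; the newline-framed PUSH/ECHO/QUIT protocol is a constructed one): both ends talk in both directions over the single TCP connection the client opened, so the client side never has to accept an incoming connection and a NAT router or software firewall sees only outbound traffic.

```python
"""Bidirectional messaging over one client-initiated TCP connection.
Added example: the server never connects toward the client; it answers on
the socket the client opened and can push unsolicited messages back over
that same socket, so the client side needs no open inbound port."""
import socket
import threading

def send_line(sock, text):
    """Constructed framing: one UTF-8 message per newline-terminated line."""
    sock.sendall(text.encode("utf-8") + b"\n")

def recv_lines(sock):
    """Yield complete lines from the socket until the peer closes it."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:          # peer closed: any partial line is discarded
            return
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            yield line.decode("utf-8")

def serve_one(listener, pushes):
    """Accept one client, push server-originated messages, then echo requests."""
    conn, _ = listener.accept()
    with conn:
        for msg in pushes:     # server -> client, no second connection needed
            send_line(conn, "PUSH " + msg)
        for line in recv_lines(conn):
            if line == "QUIT":
                send_line(conn, "BYE")
                break
            send_line(conn, "ECHO " + line)

def run_exchange(requests, pushes):
    """Run server and client in one process over loopback; return the client's inbox."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(listener, pushes))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        for req in requests:
            send_line(client, req)
        send_line(client, "QUIT")
        received = list(recv_lines(client))
    worker.join()
    listener.close()
    return received
```

Running `run_exchange(["hello", "world"], ["server-started"])` shows the server's push arriving on the client's own outbound socket ahead of the echoed replies.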


