
Tommi Virtanen wrote:
On Wed, 2005-04-06 at 11:18 +0200, Antoine Pitrou wrote:
But the real difference here between UDP and TCP, is that when you open an outbound TCP connection, incoming TCP traffic will only be allowed *for that connection*. Whereas if you send an outbound UDP message, *all incoming UDP traffic* towards the originating address/port will be enabled (at least on some NAT boxes).
This makes it easy for P2P systems to exchange messages between two NATted clients without any proxying/tunnelling mechanism: you just have to "punch a hole" by sending sporadic outgoing UDP traffic from your UDP socket and then you can receive all UDP traffic coming to that socket. You can't do that with TCP.
You can't do that with NATted UDP, either. Quite many firewalls require all of (srcIP, srcPort, dstIP, dstPort) to match.
Exactly. It depends entirely on what you do with NAT. Some NAT boxes are stricter than others - but in principle I block anything weird or undesirable - most notably protocol hacks of this nature designed to circumvent firewalling.

Eugene
--
Reedflute Software Solutions
Telephone -> +27 18 293 3236
General information -> info@reedflute.com
Project information -> projects@reedflute.com
Web -> www.reedflute.com
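The disagreement above comes down to the NAT's inbound filtering policy. The following model, an added example rather than code from anyone in this thread, shows what each policy lets through after a single outbound UDP packet; the addresses are constructed, and the `Filtering`, `UdpNat` and `probe` names are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Filtering(Enum):
    # The behaviour Antoine describes: one outbound packet opens the socket to anyone.
    ENDPOINT_INDEPENDENT = "endpoint-independent"
    # Remote IP must have been contacted before; the port may differ.
    ADDRESS_DEPENDENT = "address-dependent"
    # The behaviour Tommi describes: the full 4-tuple must match a prior outbound packet.
    ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class UdpNat:
    """Toy NAT state: for each internal socket, the remote endpoints it has sent to."""
    filtering: Filtering
    mappings: dict = field(default_factory=dict)

    def outbound(self, internal, remote):
        self.mappings.setdefault(internal, set()).add(remote)

    def inbound_allowed(self, internal, remote):
        if internal not in self.mappings:
            return False  # no outbound packet ever created a mapping for this socket
        seen = self.mappings[internal]
        if self.filtering is Filtering.ENDPOINT_INDEPENDENT:
            return True
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            return any(ip == remote[0] for ip, _ in seen)
        return remote in seen  # address-and-port-dependent: exact 4-tuple only


INTERNAL = ("10.0.0.5", 5000)          # constructed: client socket behind the NAT
RENDEZVOUS = ("198.51.100.1", 3478)    # constructed: the one host the client sent to
PEER_SAME_IP = ("198.51.100.1", 9999)  # constructed: same host, different port
PEER = ("203.0.113.7", 40000)          # constructed: unrelated host and port


def probe(filtering):
    """Send one packet to the rendezvous host, then test who may reach the socket."""
    nat = UdpNat(filtering)
    nat.outbound(INTERNAL, RENDEZVOUS)
    return {
        "reply_from_rendezvous": nat.inbound_allowed(INTERNAL, RENDEZVOUS),
        "same_host_other_port": nat.inbound_allowed(INTERNAL, PEER_SAME_IP),
        "unrelated_peer": nat.inbound_allowed(INTERNAL, PEER),
        "socket_that_never_sent": nat.inbound_allowed(("10.0.0.6", 5000), PEER),
    }


if __name__ == "__main__":
    for policy in Filtering:
        print(policy.value, probe(policy))
```

Only the endpoint-independent policy lets an unrelated peer in; under the 4-tuple policy the socket must already have sent to that exact peer, which is the restriction Tommi and Eugene point out.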