Learning Python Network Programming

Chapter 1

Firewalls can also block outbound traffic. This may be done to stop malicious
software that finds its way onto internal network devices from calling home or
sending spam e-mail.


Because firewalls block network traffic, they can cause obvious problems for network
applications. When testing our applications over a network, we need to be sure that
the firewalls that exist between our devices are configured such that they let our
application's traffic through. Usually, this means that we need to make sure that the
ports which we need are open on the firewall for the traffic between the source and
the destination IP addresses to flow freely. This may take some negotiating with
an IT support team or two, and maybe looking at our operating system's and local
network router's documentation. Also, we need to make sure that our application
users are aware of any firewall configuration that they need to perform in their own
environments in order to make use of our program.
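When checking whether a firewall between two hosts lets our application's traffic through, the useful distinction is between a port that answers (open), a port the host actively rejects (refused: the host is reachable but nothing is listening), and a port that simply never answers (filtered: the usual symptom of a firewall silently dropping the packets). The following probe, added here as an example and not code from the book, makes that distinction with the standard library only. The host and port values and the helper names are illustrative; `local_demo()` exercises the probe against a listener on the loopback interface so that it runs offline.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify reachability of host:port from this machine.

    Returns one of 'open', 'refused', 'filtered', 'unreachable' or
    'error:<errno>'.  A 'filtered' result (no answer within the timeout)
    is what a firewall that drops packets typically produces, whereas
    'refused' means the packets got through and nothing was listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:          # no SYN/ACK and no RST: dropped somewhere
        return "filtered"
    except ConnectionRefusedError:  # RST came back: reachable, port closed
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % exc.errno
    finally:
        sock.close()


def check_required_ports(host, ports, timeout=3.0):
    """Probe every port the application needs and report the ones that
    are not 'open', so the firewall request can list exactly those."""
    results = {port: probe_tcp(host, port, timeout) for port in ports}
    blocked = sorted(p for p, state in results.items() if state != "open")
    return results, blocked


def local_demo():
    """Offline demonstration: bind a listener on the loopback interface
    (port chosen by the OS), probe it, close it, probe again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(local_demo())
    # Against a real target you would call e.g.
    # check_required_ports("192.0.2.10", [22, 443, 8080])
```

A refused result tells us the path is clear and the problem is on the server; a filtered result is the one to take to the IT support team, along with the source and destination addresses and the port numbers in `blocked`.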


Network Address Translation

Earlier, we discussed private IP address ranges. While they are potentially very
useful, they come with a small catch. Packets with source or destination addresses
in the private ranges are forbidden from being routed over the public Internet! So,
without some help, devices using private range addresses can't talk to devices using
addresses on the public Internet. However, with Network Address Translation
(NAT), we can solve this. Since most home networks use private range addresses,
NAT is likely to be something that you'll encounter.


Although NAT can be used in other circumstances, it is most commonly performed
by a gateway at the boundary between the public Internet and a network that uses
private range IP addresses. As the gateway receives packets from the internal
network that are destined for the Internet, it rewrites their headers, replacing
the private range source IP address with its own public range IP address, so that
the packets can be routed on the public Internet. If the packets carry TCP segments
or UDP datagrams, which contain a source port, then it may also allocate a new
source port on its external interface and rewrite the source port number in the
packets to match this new number.


As it does these rewrites, it records the mapping between the newly allocated
source port and the address and port of the source device on the internal network.
If it receives a reply addressed to the new source port, then it reverses the
translation and forwards the received packets to the original device on the
internal network. An inbound packet that matches no recorded mapping has no
internal destination, so the gateway drops it. The originating device need not
be aware that its traffic is undergoing NAT.
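The translation table described above, as an added example that is not code from the book: a minimal port-translating NAT in Python that rewrites outbound packets, records the mapping, and reverses it for replies. The `Packet` class, the `SimpleNAT` class and the addresses are all constructed for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses, and only the three private ranges are treated as private (assumption: the private ranges discussed earlier are these three).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count

# Assumption: the private ranges meant here are the three from RFC 1918.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    """Just the header fields NAT cares about (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SimpleNAT:
    """Gateway-style NAT: private source (ip, port) -> public ip + new port.

    One external port is allocated per internal socket (proto, ip, port), and
    inbound packets are only accepted on a port that has a mapping and only
    from a remote endpoint that socket has already sent to.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self._outbound = {}   # (proto, priv_ip, priv_port) -> public_port
        self._inbound = {}    # (proto, public_port) -> (priv_ip, priv_port, set of remotes)

    def needs_nat(self, pkt):
        """True for packets that would be forbidden on the public Internet as-is."""
        return is_private(pkt.src_ip) and not is_private(pkt.dst_ip)

    def translate_outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._outbound:
            public_port = next(self._ports)           # new port on the external interface
            self._outbound[key] = public_port
            self._inbound[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port, set())
        public_port = self._outbound[key]
        self._inbound[(pkt.proto, public_port)][2].add((pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def translate_inbound(self, pkt):
        """Reverse the translation for a reply; return None for packets the
        gateway drops (no mapping, or an endpoint the host never contacted)."""
        entry = self._inbound.get((pkt.proto, pkt.dst_port))
        if entry is None or pkt.dst_ip != self.public_ip:
            return None
        priv_ip, priv_port, remotes = entry
        if (pkt.src_ip, pkt.src_port) not in remotes:
            return None
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    nat = SimpleNAT("203.0.113.5")
    request = Packet("192.168.1.10", 5000, "198.51.100.20", 443)
    assert nat.needs_nat(request)
    out = nat.translate_outbound(request)
    # The reply arrives at the gateway's public address and the allocated port.
    reply = nat.translate_inbound(Packet("198.51.100.20", 443, out.src_ip, out.src_port))
    # Same port from a host the internal device never spoke to: dropped.
    stray = nat.translate_inbound(Packet("198.51.100.99", 443, out.src_ip, out.src_port))
    return out, reply, stray


if __name__ == "__main__":
    print(demo())
```

Two internal hosts that both happen to use local port 5000 get distinct external ports, which is why the gateway must key its table on the internal address and port together. The drop rule in `translate_inbound` is also the reason NAT is often mistaken for a firewall: it blocks unsolicited inbound packets as a side effect of having nowhere to send them, not as a deliberate policy.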
