How do firewalls react to UDP port scans?

I am trying to write a freeware client/server program that needs to scan the
server's ports for the server's open UDP port.

Before I get too deep into this, are there any problems that I need to know
of if I send a probe UDP packet that looks for the server to all ports on at
the server's target IP?

The reason I am asking is that some users of this freeware server will be
behind NATs and I may have to probe for the external port assigned to the
internal server by the NAT device. The client would send an encrypted
string that the server would know how to respond to. If this encrypted
value is not what the server expected, no communication would take place.

Any help you can give would be greatly appreciated.

Re: How do firewalls react to UDP port scans?

"smerf" wrote in message
news:xrFTg.16014$vi3.4025@bignews3.bellsouth.net...
>I am trying to write a freeware client/server program that needs to scan
>the server's ports for the server's open UDP port.
>
> Before I get too deep into this, are there any problems that I need to
> know of if I send a probe UDP packet that looks for the server to all
> ports on at the server's target IP?

Send one UDP packet to scan all ports? I'm not sure this is possible the
way you have described it.

> The reason I am asking is that some users of this freeware server will be
> behind NATs and I may have to probe for the external port assigned to the
> internal server by the NAT device. The client would send an encrypted
> string that the server would know how to respond to. If this encrypted
> value is not what the server expected, no communication would take place.

Most client/server apps more typically will require you to either manually
configure the NAT firewall so that it will work, or know how the NAT is
configured and manually configure the client and server so it will work.
Most client/server apps also more typically have a standard port number for
the server that is recommended to be configured as a static port number in
NAT.

How is the NAT set up? Are you sure the server's port will change to an
unknown value during the NAT? How is it that the NAT port being used is not
already known? I would expect the client's source port to change
dynamically, but the server's destination port to be known by whoever
configured the NAT.

Re: How do firewalls react to UDP port scans?

"karl levinson, mvp" wrote in message
news:uL08SJQ5GHA.1248@TK2MSFTNGP03.phx.gbl...
>
> "smerf" wrote in message
> news:xrFTg.16014$vi3.4025@bignews3.bellsouth.net...
>>I am trying to write a freeware client/server program that needs to scan
>>the server's ports for the server's open UDP port.
>>
>> Before I get too deep into this, are there any problems that I need to
>> know of if I send a probe UDP packet that looks for the server to all
>> ports on at the server's target IP?
>
> Send one UDP packet to scan all ports? I'm not sure this is possible the
> way you have described it.

What I meant was that the server (behind NAT1) will be expecting an
encrypted value from the client (behind NAT2).

I would send this same encrypted info to all UDP ports on the server's known
external IP to get a valid connection to the server. Of couse this would
mean sending a packet for each possible port, but the packet contents would
all be the same.

Sorry for the confusion.

>> The reason I am asking is that some users of this freeware server will be
>> behind NATs and I may have to probe for the external port assigned to the
>> internal server by the NAT device. The client would send an encrypted
>> string that the server would know how to respond to. If this encrypted
>> value is not what the server expected, no communication would take place.
>
> Most client/server apps more typically will require you to either manually
> configure the NAT firewall so that it will work, or know how the NAT is
> configured and manually configure the client and server so it will work.
> Most client/server apps also more typically have a standard port number
> for the server that is recommended to be configured as a static port
> number in NAT.
>
> How is the NAT set up?

I will not know. Neither may the server operator. Think of it as a P2P app
using UDP behind NATs.

>Are you sure the server's port will change to an unknown value during the
>NAT?

I don't want the end user to have to configure firewalls or NATs. I want
this to be as simple as possible for them.

Being behind a NAT (and not setting up any manual port forwarding) means
that the NAT will choose an unused port at random for outbound UDP
connections (just like it does for HTTP connections when you surf the web).

So, the external port for the server will be unknown.

>How is it that the NAT port being used is not already known?

See above.

>I would expect the client's source port to change dynamically, but the
>server's destination port to be known by whoever configured the NAT.

I am really trying to make this as simple as possible by not requiring the
end users to set ports in their NAT or Firewall. Also, some people may want
to use the software but not have access to the NAT or Firewall to make
manual changes.

do not read, just a test.

testing

Re: How do firewalls react to UDP port scans?

"smerf" writes:

>What I meant was that the server (behind NAT1) will be expecting an
>encrypted value from the client (behind NAT2).

Do you want to tr5y to 're-invent' a wheel?

http://linide.sourceforge.net/nat-traverse/

just asking, Holger

Re: How do firewalls react to UDP port scans?

smerf wrote:

> I am trying to write a freeware client/server program that needs to scan
> the server's ports for the server's open UDP port.
>
> Before I get too deep into this, are there any problems that I need to
> know of if I send a probe UDP packet that looks for the server to all
> ports on at the server's target IP?
>
> The reason I am asking is that some users of this freeware server will be
> behind NATs and I may have to probe for the external port assigned to the
> internal server by the NAT device. The client would send an encrypted
> string that the server would know how to respond to. If this encrypted
> value is not what the server expected, no communication would take place.
>
> Any help you can give would be greatly appreciated.


Your answer is determined by the question of, is this static or dynamic NAT
you are talking about?

If it is dynamic, like the majority, but not all, NAT implementations, you
won't be able to scan as the ports are added to firewalls nat table in a
dynamic "client port" -> "firewall's external port" mapping. In other words
in Dynamic NAT configurations there is no incoming access allowed (Internet
to internal pc), generally speaking (there are special proxy ports to allow
some protocols to function correctly).

That is, if I fully understand your question. No guarantee there...

Imhotep

Re: How do firewalls react to UDP port scans?

smerf wrote:

>
> "karl levinson, mvp" wrote in message
> news:uL08SJQ5GHA.1248@TK2MSFTNGP03.phx.gbl...
>>
>> "smerf" wrote in message
>> news:xrFTg.16014$vi3.4025@bignews3.bellsouth.net...
>>>I am trying to write a freeware client/server program that needs to scan
>>>the server's ports for the server's open UDP port.
>>>
>>> Before I get too deep into this, are there any problems that I need to
>>> know of if I send a probe UDP packet that looks for the server to all
>>> ports on at the server's target IP?
>>
>> Send one UDP packet to scan all ports? I'm not sure this is possible the
>> way you have described it.
>
> What I meant was that the server (behind NAT1) will be expecting an
> encrypted value from the client (behind NAT2).
>
> I would send this same encrypted info to all UDP ports on the server's
> known
> external IP to get a valid connection to the server. Of couse this would
> mean sending a packet for each possible port, but the packet contents
> would all be the same.

Are you trying to do this to find the "secret" port???

> Sorry for the confusion.
>
>>> The reason I am asking is that some users of this freeware server will
>>> be behind NATs and I may have to probe for the external port assigned to
>>> the
>>> internal server by the NAT device. The client would send an encrypted
>>> string that the server would know how to respond to. If this encrypted
>>> value is not what the server expected, no communication would take
>>> place.
>>
>> Most client/server apps more typically will require you to either
>> manually configure the NAT firewall so that it will work, or know how the
>> NAT is configured and manually configure the client and server so it will
>> work. Most client/server apps also more typically have a standard port
>> number for the server that is recommended to be configured as a static
>> port number in NAT.
>>
>> How is the NAT set up?
>
> I will not know. Neither may the server operator. Think of it as a P2P
> app using UDP behind NATs.
>
>>Are you sure the server's port will change to an unknown value during the
>>NAT?
>
> I don't want the end user to have to configure firewalls or NATs. I want
> this to be as simple as possible for them.
>
> Being behind a NAT (and not setting up any manual port forwarding) means
> that the NAT will choose an unused port at random for outbound UDP
> connections (just like it does for HTTP connections when you surf the
> web).

Correct...

> So, the external port for the server will be unknown.

It will be dynamic...

>>How is it that the NAT port being used is not already known?
>
> See above.
>
>>I would expect the client's source port to change dynamically, but the
>>server's destination port to be known by whoever configured the NAT.
>
> I am really trying to make this as simple as possible by not requiring the
> end users to set ports in their NAT or Firewall. Also, some people may
> want to use the software but not have access to the NAT or Firewall to
> make manual changes.


Honestly, I think you will need a server in the middle. For example,
Client-A connects Internet-Server-A then Client-B connects to
Internet-Server-A, Next, they can use the Internet-Server-A as a kind of
packet proxy (for lack of a better techie word)...

This would allow you to not force any users to reconfigure their NAT
Routers, etc and would be seemless...


Just a thought...


Imhotep