
After finding out that nearly 3% out of 100k requests were from behind a firewall and thus unable to reach our Node instance on port 4000, we needed to come up with an alternative (fallback) port. However, there are personal firewalls, and some of them are known to block WebSockets.

Some networks also interrupt WebSocket traffic over port 80 -- we've found several schools (even ones that don't filter Facebook) having trouble with WebSockets. Moving WebSocket traffic to port 443 (with and without SSL) fixed the problem.

An excellent test/diagnostic page for WebSockets network compatibility exists at: http://websocketstest.com/

We also tested a number of firewall software:

Test environment

All tests were done in a Virtual Machine (Parallels 6) running Windows XP. Only one of the software packages was installed per test and the Virtual Machine was rolled back to a clean snapshot after each run. The software was tested with the default settings and the "zomg paranoid panix button" settings.

I've done two tests:

  • with no special firewall rules on the host machine
  • with port 4000 blocked on the host machine, to emulate the VM being behind some corporate firewall.

The client js will initially try to connect to port 4000 and fall back to ports 80 or 843, if that doesn't work. I also tested different orders for port 80 and 843, to make sure both work (or not).
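
The fallback order described above, written out as an added example (not the code used in these tests). `connectWithFallback`, `simulated` and `run` are hypothetical names, trying WebSocket on every port before XHR-polling is an assumption of this example, and the two simulated networks are constructed from behaviours reported in the results further down this page.

```javascript
// Added example: port/transport fallback with the network probe injected,
// so the selection logic can be exercised offline. All names are hypothetical.
const PORTS = [4000, 80, 843];                  // order described on this page
const TRANSPORTS = ['websocket', 'xhr-polling'];

// tryConnect(port, transport, cb) must call cb(true|false) exactly once.
// A browser version would open the connection and call cb(false) on
// error or timeout.
function connectWithFallback(ports, transports, tryConnect, done) {
  const attempts = [];
  const candidates = [];
  // Assumption: prefer WebSocket on every port before degrading to polling.
  for (const transport of transports)
    for (const port of ports) candidates.push({ port, transport });

  (function next(i) {
    if (i === candidates.length) return done(null, attempts); // nothing worked
    const c = candidates[i];
    tryConnect(c.port, c.transport, (ok) => {
      attempts.push({ port: c.port, transport: c.transport, ok });
      if (ok) return done(c, attempts);
      next(i + 1);
    });
  })(0);
}

// Constructed stand-ins for two behaviours reported in the results on this
// page. Port 4000 is blocked upstream in both, as in the second test setup.
const simulated = {
  // WebSocket dropped on port 80 but allowed on 843.
  blocksWsOn80: (port, transport, cb) =>
    cb(port !== 4000 && !(transport === 'websocket' && port === 80)),
  // WebSocket dropped on every port; polling passes.
  blocksWsEverywhere: (port, transport, cb) =>
    cb(port !== 4000 && transport !== 'websocket'),
};

function run(envName) {
  let result;
  connectWithFallback(PORTS, TRANSPORTS, simulated[envName], (chosen, attempts) => {
    result = { chosen, tried: attempts.length };
  });
  return result; // set synchronously because the simulated probes are synchronous
}

console.log(run('blocksWsOn80'));       // websocket on 843 after 3 attempts
console.log(run('blocksWsEverywhere')); // xhr-polling on 80 after 5 attempts
```

Recording every attempt, not just the winner, is what makes it possible to tell a blocked port apart from a blocked transport when reading client-side logs.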

These tests were performed using a non-https connection. Browser cache was disabled, cookies cleared between each testing run. I used Chrome and Firefox (3.6). Where possible, I checked in IE as well, but since IE doesn't kill cookies when you tell it to, I mostly tried in browsers that do. This exercise is painful enough as it is...

TL;DR

  • Non-WebSockets connections were never an issue
  • WebSockets are not blocked by most firewalls. (Only Avast, AVG and BitDefender block)
  • Most blocking firewalls do allow WebSockets on port 843

Test Results

In alphabetical order:


Windows Defender

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Microsoft Security Essentials

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Avast Internet Security

The only change I made was removing the local network from the friends list. Production sites tend to be outside that range as well.

  • With no firewall active, all browsers connect to port 4000
  • FF / IE, firewall blocks 4000: both 80 and 843 work
  • Chrome, FW: Oh dear, Avast eats our WebSocket at port 80. This is what got me to add port 843 to the list of options in the first place (well, @3rd-Eden told me, actually). Lo and behold: port 843 works.

Note: this research was done using Avast 6.0.1289 or older. Version 6.0.1367 seems to fix at least some of the issues.

McAfee Total Protection 2011

Interestingly enough, McAfee notified me of a Trojan that my VM appeared to have and that Windows Defender and Avast never mentioned. Interesting.

  • With no firewall active, all browsers connect to port 4000.
  • Firewall on: Both 80 and 843 work, for all browsers.

Norton Internet Security 2011

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

ESET Smart Security 5

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port
  • It does however block WebSocket connections from localhost

ZoneAlarm Extreme Security

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Panda Internet Security

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Comodo Internet Security Pro 2011

Interestingly enough, Comodo cried wolf about the entries in the hosts file that Parallels put there, classing them as a trojan. It also claimed to find a worm in Silverlight that no other package had found.

I assume Comodo's free firewall is the same as the one included in this package, so I didn't test it separately.

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Kaspersky Internet Security 2011

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

AVG Internet Security 2012

The first one to ask questions about the browser opening connections to Node on port 4000. After that it's smooth sailing.

  • No questions asked about port 80 or 843 under Firefox
  • WebSockets get blocked on all ports, despite AVG's logs showing the connection was allowed.
  • Non-websocket transports work fine, apart from the initial question whether the user wants to allow their browser to connect to the internet.

Avira Antivirus Premium

The trial version wouldn't let me enable the firewall... There is some web protection stuff in there, but it doesn't block any connectivity.

Bitdefender Total Security 2012

Bitdefender has a fair bit of options to make the firewall super paranoid. Wonderful, let's switch on ALL the options... =]

  • Allows Firefox to connect on any port
  • WebSockets are blocked, but Chrome falls back to XHR-polling (interestingly enough, this does not happen with other antivirus products; there, Chrome just fails to connect. Might be an issue with my test code). Bitdefender logs it as stealth traffic.

Trend Micro Titanium Maximum Security 2012

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Online Armor++

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port

Privoxy

I used Privoxy's default settings. Since the user can cook up any rule they want, it would be possible to block the handshake, I think, but I don't consider it very likely.

  • Chrome can do its WebSockets magic through any available port
  • Other browsers can connect through any available port