
Discussion on how to enable peers who are behind a restrictive firewall in their network #291

Closed
yipperr opened this issue Mar 24, 2015 · 8 comments

Comments

@yipperr yipperr commented Mar 24, 2015

Hey, I thought it would be useful to have a discussion about this.

So to start out, my university, like almost all enterprises and institutions, employs a gateway that acts as a firewall/filter to restrict, shape and otherwise drop traffic as it suits them (common firewalls I have seen: McAfee, Untangle, SonicWall, pfSense etc., sure there are more).

Now the most restrictive ones employ (in my case McAfee) a combination of:

  1. Layer 3 filtering to block selected blacklisted protocols (BitTorrent, OpenVPN, SSH, and many more)
    and allow only whitelisted ones, HTTP in my case
  2. Only allow the HTTP service on TCP ports 443 and 80
  3. Only allow TCP as a transport protocol; all UDP ports are blocked except port 53, which is filtered for the DNS protocol only, and only the gateway is allowed to be sent a UDP packet on port 53 (outbound port 53 is blocked to the internet, which means no using 3rd-party DNS like Google DNS and OpenDNS)

Now the obvious way, creating a tunnel with another server, is an easy way to go about it, but that is not the purpose of the discussion.

Now how this affects torrents:
1) All modern trackers have changed to the UDP protocol, so there is no way for torrents to track/announce.
2) Since only outbound and inbound over TCP 443 and 80 is possible, that means the client will not be able to connect to the other peers on the swarm on their listening port (mostly a very high port number),
but since the neutered client can accept incoming connection requests from peers on one of the ALLOWED listening ports, 443 and 80,
if, for example, the neutered client is able to notify the tracker that it possesses all the pieces of a torrent, then all the peers can connect to the said client and torrent with it.
Now something I have noticed playing around with how most of the gateways do their layer 3 filtering is that they look for some kind of signatures within the packets for the protocol, effectively dropping them if it matches. Some form of obfuscation of the protocol can result in this filter being circumvented.
Case in point: the OpenVPN protocol is filtered and dropped, but when another less common tunnel protocol was used I was able to make a successful tunnel.

So my point is it is definitely possible to get the neutered peers into the swarms. I would like to see a discussion on the practicability and complexity of achieving this without any huge changes to the protocol and using existing techniques:

1) Disabling uTP solves the whole UDP transport firewall rule.
2) A proxy would be the best way to communicate with the UDP tracker to track/announce the torrents;
the proxy has to be an HTTP or SOCKS one (with the port changed to 443 or 80).
3) Some new scheme to download torrents by not being able to make a connection with other peers but somehow letting them know that you are a neutered client and asking them (nicely lol) to connect the neutered client to the torrent happily. This would be a very interesting BEP proposal :)
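To make the three rules above concrete from the gateway's side, here is an added example (not code from the issue thread or from the project) that models them and runs constructed sample flows a torrent client would produce through the model, reporting which rule drops each one. The resolver address and the DPI labels are assumptions.

```python
# Added example (not from the issue thread): a model of the three gateway rules
# described above, applied to constructed sample flows a BitTorrent client
# would generate, to show which rule drops each one.
from dataclasses import dataclass

GATEWAY_RESOLVER = "10.0.0.1"  # assumed address of the campus DNS resolver
BLACKLISTED_APPS = {"bittorrent", "openvpn", "ssh"}  # rule 1 (layer 3 / DPI)
ALLOWED_TCP_PORTS = {80, 443}                         # rule 2

@dataclass(frozen=True)
class Flow:
    direction: str  # "out" (client -> internet) or "in" (internet -> client)
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    app: str        # application protocol as a DPI signature would classify it

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the three rules."""
    # Rule 3: UDP is blocked except DNS to the gateway's own resolver on 53.
    if flow.proto == "udp":
        if (flow.dst_port, flow.dst_ip, flow.app) == (53, GATEWAY_RESOLVER, "dns"):
            return True, "rule 3: DNS to gateway resolver"
        return False, "rule 3: UDP blocked"
    # Rule 2: TCP only on 80/443, for inbound and outbound connections alike.
    if flow.dst_port not in ALLOWED_TCP_PORTS:
        return False, f"rule 2: TCP port {flow.dst_port} not allowed"
    # Rule 1: even on an allowed port, a recognised protocol signature is dropped.
    if flow.app in BLACKLISTED_APPS:
        return False, f"rule 1: {flow.app} signature blacklisted"
    return True, "allowed: TCP on permitted port, no blacklisted signature"

# Constructed sample flows for the scenarios in the comment (not real captures).
SAMPLE_FLOWS = {
    "udp tracker announce":    Flow("out", "udp", "203.0.113.10", 6969, "bittorrent"),
    "utp peer connection":     Flow("out", "udp", "203.0.113.20", 51413, "bittorrent"),
    "tcp peer, high port":     Flow("out", "tcp", "203.0.113.30", 51413, "bittorrent"),
    "plain bittorrent on 443": Flow("out", "tcp", "203.0.113.30", 443, "bittorrent"),
    "obfuscated peer on 443":  Flow("out", "tcp", "203.0.113.30", 443, "unknown"),
    "inbound peer on 443":     Flow("in", "tcp", "10.1.2.3", 443, "unknown"),
    "dns via gateway":         Flow("out", "udp", GATEWAY_RESOLVER, 53, "dns"),
    "dns via 8.8.8.8":         Flow("out", "udp", "8.8.8.8", 53, "dns"),
}

def report() -> dict[str, tuple[bool, str]]:
    """Map each sample flow name to (allowed, reason) under the modelled gateway."""
    return {name: evaluate(flow) for name, flow in SAMPLE_FLOWS.items()}
```

Running `report()` shows that every unmodified torrent flow trips either rule 3 or rule 2 before the DPI rule is even reached, which is why the thread's discussion turns to tracker proxies and obfuscation on 443/80.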

@yipperr yipperr (Author) commented Mar 26, 2015

What, nobody cares for the people behind corporate gateways? :(

@feross feross (Member) commented Apr 24, 2015

If we implement Protocol Encryption (#69) that might prevent the ISP tampering with your traffic.

The other issues you brought up are more complex. If UDP is blocked, all modern trackers won't work and the DHT won't either. You're out of luck. You'll need to find an HTTP tracker.

@feross feross closed this Apr 24, 2015
@yipperr yipperr (Author) commented Apr 24, 2015

The Vuze torrent client allows a proxy-for-trackers-only mode where tracker requests go over a proxy but not the peer connections, so any SOCKS proxy over 443 or 80 will solve that issue.

Protocol Encryption can solve the layer 3 filtering of these firewalls but is useless, because these firewalls block all ports except 443 and 80, so there is no way for the torrent client to send an outgoing connection to the listening port of the other peers in the BitTorrent swarm, which is admittedly always in the 6000-65500 range (it can be random ports also with the random feature in new clients, but obviously never service ports like 443 and 80).

Since in these firewalls traffic is allowed as incoming and outgoing over 443 and 80 only,
there is no way for the client to actively connect to the other peers on their client listening port, even after getting the peer list from the UDP tracker over the SOCKS proxy.

Some way of letting the other clients know, when they get the peer list from the tracker (maybe with a flag), that this client is behind a firewall and hence can't connect directly, so all clients, when they come across such a peer, should connect to the peer even if he/she has no pieces to trade at the current time (just started the torrent). I don't know if such a change will affect the BitTorrent network efficiency.

@feross feross (Member) commented Apr 25, 2015

Supporting proxies is a can of worms that I don't want to support at the moment. There are too many other pressing issues that need to be fixed first. Sorry.

@yipperr yipperr (Author) commented Apr 25, 2015

I don't understand what you mean by supporting a proxy; I was referring to an option in the client for people to input their own. Implementing protocol encryption by itself is useless on some ISPs without implementing proxies, because some ISP gateway servers and DNS servers blacklist popular tracker domains and IPs.
I'm in no way requesting a feature or asking for anything, just wanted to start a discussion
(as the title states) to hear people's ideas to solve the problem, and since the WebRTC approach is as new as a P2P protocol can get right now, I thought people could have some valid input.

@Estevo-Aleixo Estevo-Aleixo commented May 5, 2015

Firewall punching. You open the outbound path of a firewall by doing a socket connect to a peer IP and port at a similar time to when the remote peer tries to connect to your IP and port (you negotiated the port, IP and time through an allowed/trusted third party); each firewall thinks the connection was initiated by the local entity. (I am not sure if the TCP SYN, SYN-ACK and ACK flags are available for modification with WebSockets, but just this implementation without modified flags could bypass some firewalls.)

@yipperr yipperr (Author) commented Feb 23, 2016

@Estevo-Aleixo
Wow, firewall punching actually solves this problem. It can be implemented as a separate HTTP tracker on one of the valid ports that trades information regarding the ports between the neutered clients, which allows them to establish a connection and start using the BitTorrent protocol on the valid ports allowed. As for the layer 3 filter, MSE, PE and PHE on the BitTorrent protocol will solve that.

@lock lock bot commented May 4, 2018

This thread has been automatically locked because it has not had recent activity. To discuss further, please open a new issue.

@lock lock bot locked as resolved and limited conversation to collaborators May 4, 2018