UDP hole punching


Question

I've got some questions regarding hole punching with UDP. Based on the wiki http://en.wikipedia.org/wiki/UDP_hole_punching

1) To set up a UDP session between two parties (the client which is behind NAT, server which is non-NAT) does the client simply have to send a packet to the server and then the session is allowed both ways (send & receive) through the firewall? Meaning the client can receive too from the server.

2) UDP Hole punching: Two clients first connect to the server, then the server gives a client port / ip on to other clients, so the clients send packets to each other on those ports. Is this correct?

3) If #2 is true, why would firewalls allow data to be received from another IP than the one used in making the connection on that very port? Sounds like a big security hole that should easily be filtered? I understand that source IP spoofing would trick it, but this?

Thanks in advance, Johan

Recommended answer

1) Yes, with most reasonable firewalls, unless you configure it in extremely paranoid mode.

2) Not exactly. This article explains it in more detail, but the idea is that one of the clients first sends a datagram to the other's public IP. Then this datagram is discarded, but the other client knows that it was sent because the first one told it through the server. Then the other client sends a datagram back to the first one to the same port from which the first datagram originated. Since NAT at the first client remembers that there was a packet from that port, it considers the incoming datagram to be a reply to the first one. The problem here is to figure out which public port NAT will choose to send the first datagram, but most NATs do it in a predictable way so it almost always works fine, sometimes just not from the first try.
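The exchange described in the answer, as an added example (not code from the original post): a toy Python model of two NATs with strict address-and-port-dependent filtering, run once with "cone" mapping (one public port per private socket) and once with "symmetric" mapping (a fresh public port per destination), to show that B's reply only gets through when the port A used toward B is the same one the server reported. All IPs and ports are constructed, documentation-range values.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Toy NAT. 'cone': one public port per private socket for every destination;
    'symmetric': a fresh public port for each (private socket, destination) pair."""
    public_ip: str
    mapping: str                                # "cone" or "symmetric"
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # mapping key -> public port
    peers: dict = field(default_factory=dict)   # public port -> {(ip, port) sent to}
    owner: dict = field(default_factory=dict)   # public port -> private (ip, port)

    def outbound(self, priv, dst):
        """Private socket `priv` sends to `dst`; returns the public endpoint used."""
        key = priv if self.mapping == "cone" else (priv, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.owner[self.next_port] = priv
            self.next_port += 1
        port = self.table[key]
        self.peers.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src, port):
        """Datagram from `src` arrives at public `port`. Address-and-port-dependent
        filtering: delivered only if this port has already sent to exactly `src`."""
        if src in self.peers.get(port, ()):
            return self.owner[port]
        return None                             # no prior outbound packet: dropped


def hole_punch(mapping_a, mapping_b):
    """Run the answer's exchange; returns (A's first datagram dropped at B,
    B's reply delivered to A)."""
    server = ("203.0.113.10", 3478)             # constructed rendezvous server
    nat_a, nat_b = Nat("198.51.100.1", mapping_a), Nat("198.51.100.2", mapping_b)
    a, b = ("10.0.0.2", 5000), ("10.0.1.2", 5000)
    # Step 1: both clients talk to the server, which learns their public endpoints.
    a_pub, b_pub = nat_a.outbound(a, server), nat_b.outbound(b, server)
    # Step 2: A sends to B's public endpoint; B's NAT drops it (B only sent to the server),
    # but this outbound packet is what opens A's NAT for B.
    a_used = nat_a.outbound(a, b_pub)
    dropped_at_b = nat_b.inbound(a_used, b_pub[1]) is None
    # Step 3: B sends to the endpoint the server reported for A. This only matches the
    # hole from step 2 if both NATs reused the ports the server saw (cone mapping).
    b_used = nat_b.outbound(b, a_pub)
    return dropped_at_b, nat_a.inbound(b_used, a_pub[1]) == a
```

Running `hole_punch` with a symmetric NAT on either side returns `(True, False)`: the reply targets a port that never sent to B, which is the port-prediction problem the answer mentions.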
