Question
If firewalls block all incoming connections by default how do p2p technologies work? Like torrents, how do you connect to everyone who shares a file and get the information from them? Does it go through a relay server or something?
Answer 1:
I'm not up on everything about BitTorrent, as I am about general P2P connectivity techniques. Typically clients in a P2P network rendezvous on a common signaling server (e.g. SIP, XMPP, tracking server, web site) to exchange IP addresses, other metadata, and messages to bootstrap direct connections. Then they use any of the following techniques to get a communications session going:
Both sides attempt to connect to each other simultaneously - in case one side can't accept incoming connections, but is allowed to make outbound connections. Such is the case for the firewall scenario.
Hole punching (used in conjunction with the above). Relays are not required per se, but do help ensure connectivity when both peers are behind network devices that are difficult to traverse. There are both UDP hole punching and TCP hole punching techniques. More info here.
Relays, including TURN servers, can be deployed into a P2P network when direct connectivity is not possible. All your favorite video call applications deploy relays for these scenarios, but do their best to get peers directly connected to avoid the cost of relaying.
Bing for the following topics: STUN, TURN, ICE (Interactive Connectivity Establishment), libjingle, pjnath, libnice.
Answer 2:
If a firewall (as opposed to a NAT) intends to block incoming connections (which I believe they normally do), there's nothing you can do about it. You can try all the hole punching you like. This is achieved by just implementing a symmetric NAT, i.e. each pin-hole is open specifically for an (ip, port) quadruple (source and destination IP and port).
BitTorrent is not likely to stop working just because you can't receive incoming connections; it will just perform slightly worse. Chances are that there are at least some people in the swarm who can receive connections, and you just connect to them.
This is an old explanation of how being firewalled mostly just means worse performance.
EDIT:
The short answer to the "why" is that the majority of peers are not behind firewalls (just NATs).
Answer 3:
For posterity:
Short answer is, it's done via https://en.wikipedia.org/wiki/Hole_punching_(networking)
When you connect to google.com from your machine (which most likely sits behind a router and NAT), your machine's IP address and NAT'ed port number get sent to Google's servers. Google uses this connection info to send search results to your machine.
You can think of Google's servers as similar to one node in the p2p network. Google was able to 'reach' you from its servers even though your router doesn't accept incoming connections. It's because they didn't initiate the connection (they don't know your ip:NATedport combination to initiate a connection). But your machine can make outbound connections and send/publish your ip:NATedport combo to the outside world.
So both nodes in the p2p network send their ip:NATedport combo to a third-party site, exchange this info, and start connecting (whoever got the info first) to one another.
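Putting answers 1 to 3 together: a rendezvous server records the NAT-mapped address each peer arrives from, the peers swap those addresses, and both send at once so that each NAT sees its own outbound packet before the other side's inbound packet arrives. Answer 2's point is that whether this works depends on how the NAT maps and filters. The following toy simulation is an added example, not code from any of the answers, from BitTorrent or from any STUN/TURN library; the NAT kinds, IP addresses and port numbers are all constructed, and datagrams are routed in memory rather than on a real network. It goes slightly beyond the question's single firewall case by modelling the four classic NAT behaviours against each other.

```python
# Added illustration (not from the Stack Overflow answers): a toy model of
# UDP hole punching across the four classic NAT behaviours. Everything here
# (NAT names, addresses, port numbers) is constructed for the simulation.

SERVER = ("203.0.113.10", 3478)  # rendezvous/STUN-style server, documentation address


class Nat:
    """One NAT box. 'kind' selects mapping and filtering behaviour:
    full_cone, addr_restricted, port_restricted or symmetric."""

    def __init__(self, public_ip, kind):
        self.public_ip = public_ip
        self.kind = kind
        self.next_port = 40000
        self.mappings = {}  # mapping key -> external port
        self.by_ext = {}    # external port -> (internal addr, set of destinations contacted)

    def _key(self, internal, dst):
        # A symmetric NAT allocates a fresh external port per destination;
        # cone NATs reuse one external port for the internal socket.
        return (internal, dst) if self.kind == "symmetric" else internal

    def outbound(self, internal, dst):
        """Translate an outgoing datagram; returns the public source address."""
        key = self._key(internal, dst)
        port = self.mappings.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[key] = port
            self.by_ext[port] = (internal, set())
        self.by_ext[port][1].add(dst)  # remember who we talked to (filter state)
        return (self.public_ip, port)

    def inbound(self, src, ext_port):
        """Apply the filtering rule; returns True if the datagram is let in."""
        entry = self.by_ext.get(ext_port)
        if entry is None:
            return False  # no mapping at all: unsolicited packet dropped
        dests = entry[1]
        if self.kind == "full_cone":
            return True
        if self.kind == "addr_restricted":
            return any(d[0] == src[0] for d in dests)
        # port_restricted and symmetric: the exact (ip, port) must have been contacted first
        return src in dests


class Peer:
    def __init__(self, nat, private_addr):
        self.nat = nat
        self.addr = private_addr
        self.observed = None      # public address as seen by the rendezvous server
        self.heard_from = set()   # public addresses of peers whose packets got through


def deliver(public_src, dst, dst_peer):
    """Datagram already on the public internet: does the receiver's NAT pass it?"""
    if dst[0] == dst_peer.nat.public_ip and dst_peer.nat.inbound(public_src, dst[1]):
        dst_peer.heard_from.add(public_src)


def hole_punch(kind_a, kind_b):
    """Returns True if both peers end up with a working direct path to each other."""
    a = Peer(Nat("198.51.100.1", kind_a), ("10.0.0.2", 5000))
    b = Peer(Nat("198.51.100.2", kind_b), ("192.168.1.7", 5000))
    # 1. Both peers register with the rendezvous server, which records the
    #    source address it observes (what a STUN binding request reports back).
    a.observed = a.nat.outbound(a.addr, SERVER)
    b.observed = b.nat.outbound(b.addr, SERVER)
    # 2. The server hands each peer the other's observed address and both send
    #    at once: the outbound packets create filter state before either
    #    inbound packet arrives (the simultaneous-open / hole-punch step).
    pub_a = a.nat.outbound(a.addr, b.observed)
    pub_b = b.nat.outbound(b.addr, a.observed)
    deliver(pub_a, b.observed, b)
    deliver(pub_b, a.observed, a)
    # 3. Anyone who received a packet replies to the real source address it saw,
    #    which rescues the symmetric-vs-cone case where only one direction opened.
    for peer, other in ((a, b), (b, a)):
        for src in list(peer.heard_from):
            deliver(peer.nat.outbound(peer.addr, src), src, other)
    return bool(a.heard_from) and bool(b.heard_from)


if __name__ == "__main__":
    kinds = ("full_cone", "addr_restricted", "port_restricted", "symmetric")
    for ka in kinds:
        for kb in kinds:
            print(f"{ka:16} <-> {kb:16} : {'direct' if hole_punch(ka, kb) else 'needs relay'}")
```

Running it prints a 4×4 matrix: every cone-to-cone pairing and symmetric-to-full/address-restricted-cone pairing comes out "direct", while symmetric against port-restricted or symmetric fails, which is exactly the case answer 2 describes and the case where answer 1's TURN relay is the fallback. The "needs relay" result is also the reason a port-restricted or symmetric peer in a swarm is limited to peers that accept incoming connections, as answer 4's counting argument quantifies.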
Answer 4:
Let
F = # firewalled nodes,
O = # nodes with open incoming port,
T = F + O = total # of nodes,
P = O / T = fraction of total nodes that have open ports,
Cf = max # connections each firewalled node can have, and
Co = max # connections each open node can have.
Then,
Cf = O, ∵ firewalled nodes can only connect to open nodes
Co = T - 1, ∵ open nodes can connect to all other nodes (and once all the firewalled nodes have first connected to them)
so
Co / Cf = (T - 1) / O = 1 / P - 1 / O.
If T is large,
Co / Cf ≈ 1 / P.
So, for example, say half the nodes have open incoming ports: P = ½. Then,
Co / Cf ≈ 2,
which means that open nodes have ~2× the number of connections as firewalled nodes (meaning they are overburdened, but also meaning they have more visibility).
Thus, it is better for particular nodes and for the entire network to have P = 1; all nodes will be equally visible and equally burdened.
If P = 0, the network won't work at all ∵ no one will be able to initiate connections to other peers.
Source: https://stackoverflow.com/questions/14926807/if-firewalls-dont-accept-incoming-connections-by-default-how-do-p2p-networks-wo