Comment by maffydub

12 years ago

I'm surprised this works... or at least works reliably. I understood many simple firewalls just blocked inbound SYNs (without performing any kind of IP address lookup). This would obviously prevent this mechanism from working. Is this not (or no longer) the case?

I am not an expert in this area, but from what I understand, firewalls keep a list of outbound connections. If an inbound connection comes from a known destination IP+port, it will be forwarded to the internal "source" IP+port.

This is how I understand it: if both A and B are behind firewalls, they use C to reach an agreement about the IPs and ports used. Then A sends a packet to B, which is silently dropped at B's firewall. Then B sends a packet to A - since it looks like an "answer" to the previous request, it is forwarded by A's firewall to A. Then A sends another packet to B, which is also forwarded by B's firewall to B. Voila, connection made. :)

Note that this is just my understanding, so I would appreciate if someone more knowledgeable in this area would chime in.
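As an added illustration, not part of either comment, here is a small Python model of the exchange described above: a firewall that only consults its table of flows opened from the inside lets the three-packet sequence through, while the simpler box the first comment worries about, one that discards every inbound SYN before looking at its table, breaks it. The A, B endpoint addresses are constructed sample values; the rendezvous via C is assumed to have already happened.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = "SYN"          # "SYN" (pure SYN) or "SYN-ACK"

class StatefulFirewall:
    """Forwards an inbound packet only if it mirrors a flow an inside host opened.
    drop_inbound_syn models the simpler firewall from the first comment, which
    discards every inbound pure SYN before consulting its state table."""
    def __init__(self, drop_inbound_syn: bool = False):
        self.drop_inbound_syn = drop_inbound_syn
        self.flows = set()      # (inside_ip, inside_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt: Packet) -> bool:
        if self.drop_inbound_syn and pkt.flags == "SYN":
            return False
        # Treated as an "answer" if its 4-tuple mirrors a recorded outbound flow.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

def hole_punch(fw_a: StatefulFirewall, fw_b: StatefulFirewall):
    """Replays the three-packet exchange from the comment (TCP simultaneous open).
    Returns (per-step delivery results, whether the connection came up).
    A=10.0.0.2:5000 and B=10.0.1.2:6000 are constructed sample endpoints."""
    a, b = ("10.0.0.2", 5000), ("10.0.1.2", 6000)
    steps = []
    # 1. A -> B (SYN): records state on A's firewall, dropped at B's (no flow yet)
    p1 = Packet(*a, *b, "SYN")
    fw_a.outbound(p1)
    steps.append(("A->B", fw_b.inbound(p1)))
    # 2. B -> A (SYN): records state on B's firewall; at A's it mirrors step 1's flow
    p2 = Packet(*b, *a, "SYN")
    fw_b.outbound(p2)
    steps.append(("B->A", fw_a.inbound(p2)))
    # 3. A -> B (SYN-ACK): now mirrors the flow B's firewall recorded in step 2
    p3 = Packet(*a, *b, "SYN-ACK")
    steps.append(("A->B", fw_b.inbound(p3)))
    connected = steps[1][1] and steps[2][1]
    return steps, connected

if __name__ == "__main__":
    print(hole_punch(StatefulFirewall(), StatefulFirewall()))
    print(hole_punch(StatefulFirewall(drop_inbound_syn=True), StatefulFirewall()))
```

With two purely stateful firewalls the first packet is dropped and the next two are delivered; if the firewall that receives the second packet drops all inbound SYNs regardless of state, that packet never arrives and the connection does not come up.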