problem with firewalls blocking all ports for bind() call

I have a suite of programs that work client-server, and that are often configured to work on a single machine. In that situation, I call bind to get an available socket from the server, note the information in the local registry (this is for Windows) and listen on the socket. The code is roughly as follows:

    sockaddr_in socketName;
    memset(&socketName, 0, sizeof(socketName));
    socketName.sin_family = AF_INET;
    socketName.sin_port = ::htons(0);
    socketName.sin_addr.s_addr = ::htonl(INADDR_ANY);
    if (::bind(fMainSocket, (sockaddr*) &socketName, sizeof(socketName)) == SOCKET_ERROR) {
        _Module.LogEvent(_T("Failed to bind to socket on port %d"), proxyPort);
        throw SilentException(); // throw to get into the catch block's clean-up
    }
    const int kBackLogLimit = SOMAXCONN;
    if (::listen(fMainSocket, kBackLogLimit) == SOCKET_ERROR) {
        _Module.LogEvent(_T("Failed to listen to socket on port %d"), proxyPort);
        throw SilentException(); // throw to get into the catch block's clean-up
    }

This works fine. However, when clients have some firewalls installed, such as Norton Internet Security, it seems to default to blocking all socket binds. Usually the client gets a scary dialog that says that the program is trying to listen for connections to other computers. I believe at other times it simply blocks the connection without any alert at all (perhaps because this code is part of a service that can be run at startup, which might be an awkward time to bring up the alert). So my question is whether there is a way to set up the request so that firewalls do not perceive it as a threat. Also, it might be a good idea to take the threat seriously, in which case my other question is how can I modify the code so that it only accepts connections from the local machine?

Sterling Wight
[snipped detailed explanations]

No. Most of these personal firewalls are crap, written by people who understand neither networking nor network security. There are exceptions of course, but the majority of the software I've seen does some fantastic stupid things.

Listen to localhost only,

socketName.sin_addr.s_addr = ::htonl (INADDR_LOOPBACK);

....but I wouldn't be too sure those pesky personal firewalls would understand the difference, it'll probably perceive it as a threat anyways. But testing won't hurt. Good luck.

Eirik Seim
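The loopback-only variant of the original post's bind/listen sequence, written here as an added example (not code from either poster) using POSIX sockets rather than Winsock; it also reads back the ephemeral port with getsockname() so the caller has the real port number to record, and a second helper checks that the listener really is bound to 127.0.0.1 instead of 0.0.0.0. The function names listen_loopback and is_loopback_only are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a listening TCP socket bound to the loopback address only, on an
 * ephemeral port chosen by the OS (port 0), and report that port back so the
 * caller can record it (the "note it in the local registry" step).
 * Returns the socket descriptor, or -1 on failure. */
int listen_loopback(unsigned short *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in name;
    memset(&name, 0, sizeof name);
    name.sin_family = AF_INET;
    name.sin_port = htons(0);                       /* let the OS pick a port */
    name.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* 127.0.0.1, not INADDR_ANY */

    if (bind(fd, (struct sockaddr *)&name, sizeof name) < 0 ||
        listen(fd, SOMAXCONN) < 0) {
        close(fd);
        return -1;
    }

    /* Ask the kernel which port it actually assigned to the socket. */
    socklen_t len = sizeof name;
    if (getsockname(fd, (struct sockaddr *)&name, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(name.sin_port);
    return fd;
}

/* Check that a listening socket is bound to loopback only. A socket bound
 * with INADDR_ANY reports 0.0.0.0 here, reachable from other hosts.
 * Returns 1 if the socket is loopback-only, 0 otherwise. */
int is_loopback_only(int fd)
{
    struct sockaddr_in name;
    socklen_t len = sizeof name;
    if (getsockname(fd, (struct sockaddr *)&name, &len) < 0)
        return 0;
    return name.sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}
```

Call listen_loopback(&port) where the original code called bind() and listen(), then store the returned port; is_loopback_only(fd) is a cheap self-check to run before the service announces the port.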

This was absolutely perfect, it fixed the problem with firewalls AND improved the security of the software. Thank you so much.

Sterling Wight
[snip]

You're welcome! :)

Now, if only they'll start teaching about this in undergrad programming classes as well... There is way too much software in the world that listens on every available address when it only needs loopback connectivity. Like the RpcSs service present in most all Windows systems that cannot be turned off (well, it can, and I did, but doing so wrecked the whole test system as most everything depends on it -- the ability to start and stop services amongst other things ...) or configured to listen only to the loopback address. AFAIK Microsoft didn't fix this until the XP Service Pack 2.

Could be I've missed out on how to hack the register to make the RpcSs service behave, but google just couldn't seem to help.

Eirik Seim
