What things need to be considered if I want to run my network application from behind a firewall?

Finlay McWalter

One of the biggest issues that you will face is that most firewall configurations prevent inbound connections (i.e. from the public internet into your network) to arbitrary machines (and on arbitrary ports).

In practice, this will often mean that no one from the "outside" will be able to connect to your application (in Java terms, your java.net.ServerSocket instance will never see any connections).

Possible fixes for this include:

  • run your application only outside the firewall, or in your network's DMZ
  • run a small relay proxy in the DMZ. Your main application connects to it, and it relays the contents of incoming streams over to your main application.
  • reconfigure your firewall to permit access to your application from outside the firewall - generally this will consist of telling it "allow connections to machine X on port Y"

You can also sometimes get some communications to work if you assume that at least one party is not behind a firewall - Napster and Gnutella both work if either party can accept connections - but if both parties are behind firewalls, then you won't get a connection. In Java terms, this means making your program simultaneously try to establish outgoing (Socket) connections while listening for incoming connections too (ServerSocket).
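The "try both directions at once" approach described in the answer above, written out as an added example; this is not code from the original answer. The class name DualConnect, the helper names, and the port numbers in main are assumptions chosen for illustration. Each direction gets a timeout so that the "both sides firewalled" case ends with a clear error rather than a hang, and whichever direction loses the race closes its socket so nothing leaks.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.concurrent.CompletionService;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorCompletionService;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Reaches a peer two ways at once: accept an inbound connection on our own
 * port (ServerSocket) while dialling the peer's port outbound (Socket).
 * Whichever path succeeds first wins. If both parties sit behind firewalls
 * that block inbound connections, both paths fail and an IOException says so.
 * (Illustrative class; not part of the original answer.)
 */
public class DualConnect {

    // Records the first socket to succeed; the loser closes its own socket.
    private static Socket claim(AtomicReference<Socket> winner, Socket s) throws IOException {
        if (winner.compareAndSet(null, s)) {
            return s;
        }
        s.close(); // the other direction already won; do not leak this socket
        throw new IOException("lost the race to the other direction");
    }

    public static Socket connectEitherWay(int listenPort, String peerHost, int peerPort,
                                          int timeoutMillis) throws IOException {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CompletionService<Socket> results = new ExecutorCompletionService<>(pool);
        AtomicReference<Socket> winner = new AtomicReference<>();
        ServerSocket server = new ServerSocket(listenPort);
        server.setSoTimeout(timeoutMillis); // accept() gives up after the timeout
        try {
            // Inbound path: only works if OUR firewall allows the peer to reach listenPort.
            results.submit(() -> claim(winner, server.accept()));
            // Outbound path: only works if the PEER's firewall allows us to reach peerPort.
            results.submit(() -> {
                Socket s = new Socket();
                s.connect(new InetSocketAddress(peerHost, peerPort), timeoutMillis);
                return claim(winner, s);
            });

            IOException lastFailure = null;
            for (int attempts = 0; attempts < 2; attempts++) {
                try {
                    Future<Socket> done = results.take(); // first path to finish, success or not
                    return done.get();
                } catch (ExecutionException e) {
                    Throwable cause = e.getCause();
                    lastFailure = (cause instanceof IOException)
                            ? (IOException) cause : new IOException(cause);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    throw new IOException("interrupted while connecting", e);
                }
            }
            throw new IOException("neither direction could connect; "
                    + "both parties are probably behind firewalls", lastFailure);
        } finally {
            pool.shutdownNow();
            server.close(); // also unblocks a still-pending accept(); accepted sockets stay open
        }
    }

    // Usage: java DualConnect <listenPort> <peerHost> <peerPort>
    // Run one copy on each side, each pointing at the other's port (ports are assumed values).
    public static void main(String[] args) throws Exception {
        int listenPort = args.length > 0 ? Integer.parseInt(args[0]) : 5000;
        String peerHost = args.length > 1 ? args[1] : "127.0.0.1";
        int peerPort = args.length > 2 ? Integer.parseInt(args[2]) : 5001;
        try (Socket peer = connectEitherWay(listenPort, peerHost, peerPort, 10_000)) {
            System.out.println("connected to " + peer.getRemoteSocketAddress());
        }
    }
}
```

Running two instances on one machine (for example listen 5000 / peer 5001 and listen 5001 / peer 5000) shows the race resolving in one direction; pointing peerHost at a host whose firewall drops inbound traffic shows the outbound attempt timing out while the inbound one still succeeds, which is exactly the "at least one party can accept connections" condition the answer describes.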