
Choose a TCP port on a Windows machine, add a firewall exception if necessary (programmatically)?

Thank you for reading my post.

Can you help me interpret what the following line from "netstat -anb" means:

  Proto  Local Address        Foreign Address      State
  TCP    192.168.2.241:52440  64.233.166.103:443   ESTABLISHED
   [firefox.exe]

In particular:

  • does this mean that the TCP port 52440 is opened on the machine whose IP is 192.168.2.241?
  • does this mean "firefox.exe" is bound to this port?

Can you guess how "firefox.exe" knew it could use this port (without interfering with another program already bound to that port)?

As a matter of fact, "firefox.exe" is using a lot of ports. For example, right now on 192.168.2.241, "firefox.exe" is using ports 52163, 57019, 57022, 57030, 57045, 57046, 57049, 57051.

I am asking all this because I would like to write a program which binds to a TCP port to enable communication between the machine where the program is installed and a remote machine on the Internet using sockets.

Contrary to "Firefox", I need only one TCP port on the machine where the program will be installed.

I only need this mechanism to work once, the first time the program is executed (this is not a permanent feature of the program).

  • How can this port be chosen?
  • How can this port be chosen programmatically (not manually)?
  • If there is a firewall preventing the use of any port/the chosen port, how is the program going to behave?
  • Can an exception be added programmatically to the firewall to open this port?

The machine running the program is a Windows machine.

I would program this in C/C++.

Best regards.

Below is a complement to my original question.

Well, my apologies, maybe you're right: maybe it's wrong to add an exception in the firewall of the user... What I mean by "adding an exception in the firewall of the user" is doing something like this:

  netsh advfirewall firewall add rule name="An exn" dir=in action=allow protocol=TCP localport=6667 program="where/the/program/is/stored/prog.exe" enable=yes

Until now, I thought that, if an application was already "using" a TCP port for its own usage, no other application could "use" this very same port. (I'm aware of the fact that the word "use" is very imprecise. I'd be glad to be able to formulate things more accurately...) I'm saying this because, as I need a TCP port, I was wondering if I could use an "already available" TCP port... (When I say "already available", I don't exactly know what I mean (maybe I would like to say "open" and "bindable" / or a port already "used" by another application): I'm thinking about TCP port 80 which is often "available"... Again, I wish I could be more specific about this.)

Please let me try to reformulate what I'm willing to do.

  1. A user runs a program "setup.exe" on his machine "M".
  2. "setup.exe" sends a message "m1" to an Internet remote server "RS".
  3. "RS" sends back some information "m2" to "setup.exe" running on machine "M" through a TCP port.

To be able to allow this bidirectional communication between "M" and "RS", I need to "have" a TCP port on machine "M" from which "setup.exe" can receive information sent by "RS". ("RS" is not a problem to me, I can do anything I want on it.)

Given the fact that I know nothing about "M" a priori apart from the fact that it is a Windows machine (in particular I do not know what kind of firewall protects it, etc.), I don't really know how to handle the problem correctly. What I would like to avoid is having "setup.exe" fail silently without telling why the TCP port on machine "M" can't be "used".

Given the fact that I need to "have a TCP port available" for the program "setup.exe" running on machine M, what steps should I follow to make it as smooth as possible for the user?

Suppose I'm trying to "use" TCP port 6667, and suppose I'm not "allowed" to. Apart from a firewall, or another application already "using" this port, what could be the reasons why this port is not available?

I simulated the two machines "M" and "RS" basically using this code: http://msdn.microsoft.com/en-us/library/windows/desktop/ms737889%28v=vs.85%29.aspx

  • I didn't add an exception to "M"'s firewall.
  • The two programs on machines "M" and "RS" could communicate smoothly and correctly.
  • But as you pointed out in your first answer, "there are no outbound port rules in the firewall at all" on these test machines...
  • So, I tried, as a simulation, to add an exception into M's firewall in the section "Outbound rules" to block completely the connection to port TCP 6667 on machine "M": the scenario described above (steps 1) 2) 3)) fails in that case.

I hope this literature is not too indigestible, and sorry for the approximations and misunderstandings.

Thank you for helping. Best regards.

does this mean that the TCP port 52440 is opened on the machine whose IP is 192.168.2.241?

Possibly, but more probably it means there are no outbound port rules in the firewall at all, as there shouldn't be, being pointless.

does this mean "firefox.exe" is bound to this port?

It means that a socket of firefox.exe is bound to that port. It can have many other sockets, and usually does.

I would like to write a program which binds to a TCP port to enable communication between the machine where the program is installed and a remote machine on the Internet using sockets.

You need to state whether your program is a client or a server. If it's a client, it's exactly like Firefox, and you don't have a problem. If it's a server, you have to bind to a port that is open for incoming in your firewall, and Firefox is completely and utterly irrelevant.

Contrary to "Firefox" I need only one TCP port on the machine where the program will be installed.

Sounds like a server, but you need to tell us. For simplicity I am assuming it's a server from here on.

I only need this mechanism to work once, the first time the program is executed (this is not a permanent feature of the program).

You don't need this mechanism to work at all. You need the user to open the port. The user won't appreciate software that breaks his firewall configuration, assuming you can do it at all, which you shouldn't.

How can this port be chosen?

By you. Choose it now. Use one that isn't reserved by IANA.

How can this port be chosen programmatically (not manually)?

You can specify port zero, but then you have to tell the user so he can open it at the firewall.

If there is a firewall preventing the use of any port/the chosen port, how is the program going to behave?

Incoming connections won't succeed, so the program will do nothing.

Can an exception be added programmatically to the firewall to open this port?

No idea, but it's a bad idea, see above.
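The "port zero" approach from the answer, and the asker's wish that setup.exe not fail silently, as one added example (not code from the original post or answer): the socket is bound to port 0 so the OS picks a free port, the assigned number is read back with getsockname() so it can be shown to the user who must open it at the firewall, and "port already in use" is reported separately from other bind failures. It assumes IPv4 and builds against either Winsock (link ws2_32) or POSIX sockets; the names CLOSESOCK, LAST_ERR, ERR_INUSE, NET_INIT and NET_FINI are this example's own portability shims.

```c
#ifdef _WIN32                                /* Winsock names */
#include <winsock2.h>
#include <ws2tcpip.h>
#define CLOSESOCK closesocket
#define LAST_ERR() WSAGetLastError()
#define ERR_INUSE WSAEADDRINUSE
#define NET_INIT() (WSAStartup(MAKEWORD(2, 2), &(WSADATA){0}) == 0)
#define NET_FINI() WSACleanup()
#else                                        /* POSIX equivalents */
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#define SOCKET int
#define CLOSESOCK close
#define LAST_ERR() errno
#define ERR_INUSE EADDRINUSE
#define NET_INIT() 1
#define NET_FINI() ((void)0)
#endif

/* Added example (not the original post's code). Listens on `want` (0 = let the OS
 * pick a free port); returns the port bound, -2 if the port is in use, -1 otherwise. */
int listen_on_port(unsigned short want, SOCKET *out)
{
    struct sockaddr_in a = {0};              /* zeroed address = INADDR_ANY */
    socklen_t len = sizeof a;
    SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == (SOCKET)-1) return -1;          /* INVALID_SOCKET on Windows, -1 on POSIX */
    a.sin_family = AF_INET;
    a.sin_port = htons(want);
    if (bind(s, (struct sockaddr *)&a, sizeof a) != 0 || listen(s, 8) != 0 ||
        getsockname(s, (struct sockaddr *)&a, &len) != 0) {
        int e = LAST_ERR();                  /* capture before close() overwrites it */
        CLOSESOCK(s);
        return e == ERR_INUSE ? -2 : -1;     /* -2: another socket already holds it */
    }
    *out = s;
    return ntohs(a.sin_port);                /* the port the OS actually assigned */
}

/* Takes an ephemeral port, then binds it again to show the "in use" case; returns the port or -1. */
int ephemeral_then_conflict(void)
{
    SOCKET s1, s2 = (SOCKET)-1; int port, again;
    if (!NET_INIT()) return -1;
    if ((port = listen_on_port(0, &s1)) < 0) { NET_FINI(); return -1; }
    again = listen_on_port((unsigned short)port, &s2);
    CLOSESOCK(s1); if (s2 != (SOCKET)-1) CLOSESOCK(s2);
    NET_FINI();
    return again == -2 ? port : -1;
}
```

A real server would keep the first socket open and call accept() on it; the number returned here is what the user has to allow inbound at the firewall, which is why a fixed, documented port is usually the friendlier choice.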
