[nikblack]

The article is about how it negotiates NAT using forged UDP packets. What is more interesting is how it actually gets past firewalls.

It exploits common default rules in firewalls. ie. to allow web surfing, a firewall will allow port 80, but most of the time it will allow both outbound and inbound 80, rather than just outbound. Skype will listen on a bunch of common ports (80, 25, 110, 443, etc.) and blast out connection requests, and then wait to see which port it actually receives a response on. It will also fall back on using UPnP to find a way through - a protocol that is often overlooked by network admins.

If you netstat while running skype, you will see it listening on a bunch of ports. It often prevents a local web server from starting up. The way it does this is a lot more interesting than the actual NAT punching - skype and kazaa will almost always find a way in and out of a network and they are a pain to block. Joost is also using the same tech stack.

[jdbeast00]

"ie. to allow web surfing, a firewall will allow port 80, but most of the time it will allow both outbound and inbound 80"? outbound http traffic uses ephemeral ports, not 80.

[evgen]

Outbound firewall rules almost never limit the source port, 99.99% of them only limit the destination port. If party A can accept packets on port 80 then almost any client out there can connect to the service on that port. The point being made is that a lot of default firewall rules allow traffic to any port 80 destination and accept traffic from any source to the local port 80.

[bcl]

The UDP packets are not forged. If they were egress and ingress filtering would block them.