Socket.IO and firewall software
After finding out that nearly 3% of 100k requests came from behind a firewall and thus could not reach our Node instance on port 4000, we needed to come up with an alternative (fallback) port. However, there are also personal firewalls, and some of them are known to block WebSockets.
Some networks also interrupt WebSocket traffic over port 80 -- we've found several schools (even ones that don't filter Facebook) having trouble with WebSockets. Moving WebSocket traffic to port 443 (with and without SSL) fixed the problem.
An excellent test/diagnostic page for WebSockets network compatibility exists at: http://websocketstest.com/
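The 3% figure above is the kind of number you get by counting, per client, which port and transport the first successful connection used. The following is an added example (not Socket.IO's own code) that computes that fallback rate from connection log lines; the log format, the client identifiers and the sample lines are all constructed for this example and are not the project's real logging format.

```javascript
// Added example: measure how many clients had to fall back from the primary
// port, from server-side connection logs. The line format below is an
// assumption made for this example; adapt LOG_LINE_RE to your own logs.
const LOG_LINE_RE = /^(\S+) client=(\S+) port=(\d+) transport=(\S+)$/;

// Parse one log line into a record, or return null for lines that do not
// match (malformed lines are counted and skipped rather than aborting).
function parseConnectLine(line) {
  const m = LOG_LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: m[1], client: m[2], port: Number(m[3]), transport: m[4] };
}

// Count each client once (its first logged connection) and report how many
// did not land on the primary port and how many did not get a WebSocket.
function fallbackStats(lines, primaryPort = 4000) {
  const firstByClient = new Map();
  let skipped = 0;
  for (const line of lines) {
    const rec = parseConnectLine(line);
    if (!rec) { skipped++; continue; }
    if (!firstByClient.has(rec.client)) firstByClient.set(rec.client, rec);
  }
  const byPort = {};
  let fallback = 0;
  let nonWebSocket = 0;
  for (const rec of firstByClient.values()) {
    byPort[rec.port] = (byPort[rec.port] || 0) + 1;
    if (rec.port !== primaryPort) fallback++;
    if (rec.transport !== 'websocket') nonWebSocket++;
  }
  const clients = firstByClient.size;
  return {
    clients,
    fallback,
    nonWebSocket,
    skipped,
    byPort,
    // percentage of clients that could not use the primary port, 1 decimal
    fallbackPct: clients ? Math.round((fallback / clients) * 1000) / 10 : 0,
  };
}

// Constructed sample log: five clients, one reconnect, one malformed line.
const SAMPLE_LOG = [
  '2011-10-01T12:00:01Z client=c1 port=4000 transport=websocket',
  '2011-10-01T12:00:02Z client=c2 port=80 transport=websocket',
  '2011-10-01T12:00:03Z client=c3 port=843 transport=websocket',
  '2011-10-01T12:00:04Z client=c4 port=80 transport=xhr-polling',
  '2011-10-01T12:00:05Z client=c5 port=4000 transport=websocket',
  '2011-10-01T12:00:06Z client=c1 port=4000 transport=websocket', // reconnect
  'this line is malformed and is skipped',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(fallbackStats(SAMPLE_LOG));
}
```

Counting only the first connection per client keeps reconnects from inflating the rate; a client that reaches port 4000 on its second attempt still counts as having needed the fallback path if its first success was elsewhere.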
We also tested a number of firewall software packages:
All tests were done in a virtual machine (Parallels 6) running Windows XP. Only one of the software packages was installed per test, and the virtual machine was rolled back to a clean snapshot after each run. Each package was tested with its default settings and with the "zomg paranoid panix button" settings.
I've done two tests:
- with no special firewall rules on the host machine
- with port 4000 blocked on the host machine, to emulate the VM being behind some corporate firewall.
The client JS will initially try to connect to port 4000 and, if that doesn't work, fall back to port 80 or 843. I also tested both orders for ports 80 and 843, to make sure both work (or not).
These tests were performed using a non-HTTPS connection. The browser cache was disabled and cookies were cleared between each testing run. I used Chrome and Firefox (3.6). Where possible, I checked in IE as well, but since IE doesn't delete cookies when you tell it to, I mostly tried in browsers that do. This exercise is painful enough as it is...
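The connection order just described (try 4000, then fall back to 80 or 843) is easy to get wrong when a firewall silently swallows the handshake instead of refusing it, because the attempt then never fails on its own. Below is an added example of that strategy with a per-attempt timeout; it is not the Socket.IO client's own code. The connect function is injected so the same logic can be driven by a real WebSocket in the browser or by a fake here; `wsConnect`, `DEFAULT_PORTS`, the hostname and the "Avast-like" fake behaviour are assumptions made for this example.

```javascript
// Added example: try candidate ports in order and return the first one that
// accepts a connection within a timeout. `tryConnect(host, port)` returns a
// Promise that resolves to a connection or rejects; this is injected so the
// logic is testable offline.
const DEFAULT_PORTS = [4000, 80, 843]; // order used in the tests on this page

// Race a connection attempt against a timer; without this, an attempt whose
// handshake is silently dropped would hang the whole fallback chain.
function withTimeout(promise, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label}: timed out after ${ms} ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Resolve with { port, conn, failures } for the first working port, or reject
// with an error whose `failures` lists why each port was skipped.
async function connectWithFallback(host, tryConnect, ports = DEFAULT_PORTS, timeoutMs = 2000) {
  const failures = [];
  for (const port of ports) {
    try {
      const conn = await withTimeout(tryConnect(host, port), timeoutMs, `port ${port}`);
      return { port, conn, failures };
    } catch (err) {
      failures.push({ port, reason: err.message });
    }
  }
  const e = new Error(`no port accepted a connection: ${failures.map(f => f.reason).join('; ')}`);
  e.failures = failures;
  throw e;
}

// Browser-side adapter (assumption: a plain WebSocket endpoint at ws://host:port/).
// Resolves on `open`; rejects if the socket errors or closes before opening.
function wsConnect(host, port) {
  return new Promise((resolve, reject) => {
    const ws = new WebSocket(`ws://${host}:${port}/`);
    ws.onopen = () => resolve(ws);
    ws.onerror = () => reject(new Error(`port ${port}: socket error`));
    ws.onclose = (ev) => reject(new Error(`port ${port}: closed before open (code ${ev.code})`));
  });
}

// Constructed fake that behaves like the Avast case described on this page:
// 4000 is filtered upstream, 80 is silently eaten (never settles), 843 works.
function fakeConnectAvastLike(host, port) {
  if (port === 4000) return Promise.reject(new Error('port 4000: ECONNREFUSED'));
  if (port === 80) return new Promise(() => {}); // handshake swallowed, no answer ever
  return Promise.resolve({ host, port, readyState: 'open' });
}

if (typeof require !== 'undefined' && require.main === module) {
  connectWithFallback('example.invalid', fakeConnectAvastLike, DEFAULT_PORTS, 50)
    .then(r => console.log(`connected on ${r.port} after ${r.failures.length} failed ports`, r.failures));
}
```

Keeping the per-port failure reasons on the result is what lets you distinguish "refused" from "timed out" later; the timed-out case is the one that points at a middlebox eating the handshake rather than a closed port.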
- Non-WebSockets connections were never an issue
- WebSockets are not blocked by most firewalls (only Avast, AVG and Bitdefender block them)
- Most blocking firewalls do allow WebSockets on port 443
The packages tested, in alphabetical order:
- AVG Internet Security 2012
- Avast Internet Security
- Avira Antivirus Premium
- Bitdefender Total Security 2012
- Comodo Internet Security Pro
- ESET Smart Security 5
- Kaspersky Internet Security
- McAfee Total Protection 2011
- Microsoft Security Essentials
- Norton Internet Security 2011
- Online Armor++
- Panda Internet Security
- Privoxy
- Trend Micro Titanium Maximum Security 2012
- Windows Defender
- ZoneAlarm Extreme Security
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
The only change I made was removing the local network from the friends list. Production sites tend to be outside that range as well.
- With no firewall active, all browsers connect to port 4000
- FF / IE, firewall blocks 4000: both 80 and 843 work
- Chrome, firewall blocks 4000: oh dear, Avast eats our WebSocket at port 80. This is what got me to add port 843 to the list of options in the first place (well, @3rd-Eden told me, actually). Lo and behold: port 843 works.
Note: this research was done using Avast 6.0.1289 or older. Version 6.0.1367 seems to fix at least some of the issues.
Interestingly enough, McAfee notified me of a Trojan my VM appeared to have, which Windows Defender and Avast never mentioned.
- With no firewall active, all browsers connect to port 4000.
- Firewall on: Both 80 and 843 work, for all browsers.
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
- It does, however, block WebSocket connections from localhost
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
Interestingly enough, Comodo cried wolf about the entries Parallels put in the hosts file, classing them as a trojan. It also claimed to find a worm in Silverlight that no other package had found.
I assume Comodo's free firewall is the same as the one included in this package, so I didn't test it separately.
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
The first one to ask questions about the browser opening connections to Node on port 4000. After that, it's smooth sailing.
- No questions asked about port 80 or 843 under Firefox
- WebSockets get blocked on all ports, despite AVG's logs showing the connection was allowed.
- Non-websocket transports work fine, apart from the initial question whether the user wants to allow their browser to connect to the internet.
The trial version wouldn't let me enable the firewall... There is some web protection stuff in there, but it doesn't block any connectivity.
Bitdefender has a fair number of options to make the firewall super paranoid. Wonderful, let's switch on ALL the options... =]
- Allows Firefox to connect on any port
- WebSockets are blocked, but Chrome falls back to XHR-polling (interestingly, this does not happen with other antivirus products; there, Chrome just fails to connect. Might be an issue with my test code). Bitdefender logs it as stealth traffic.
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port
I used Privoxy's default settings. Since the user can cook up any rule they want, it would be possible to block the handshake, I think, but I don't consider it very likely.
- Chrome can do its WebSockets magic through any available port
- Other browsers can connect through any available port