Win32 - Nat/firewall programming

Started by February 27, 2004 07:10 AM
4 comments, last by DarkSlayer 20 years, 11 months ago
..ok it's quite silly to create a firewall/NAT right out of the blue, but it is a subject of interest, and perhaps my choice of bachelor project. What should I look into for creating a NAT router on Windows? I can't find good info on this. I found some info in the MSDN - Platform SDK: RAS/Routing and RAS. Would you create a NAT with these APIs? Or would you use other drivers, like winpcap... I'm actually looking for how to build a firewall, how to build a NAT. I have the basic knowledge about this, but not any Windows-specific stuff.
Have been googling all day, and the firewall issue seems less vague now. There are several ways to program a firewall, since there is built-in support for it in several places. You can create an NDIS firewall, which operates at a lower level, or a TDI firewall, which operates at a higher level.

..But I still wonder how I should route the packets around when creating a NAT server. There seem to be a lot of APIs that can be used in Windows... but are they good enough? Or would I just create another buggy ICS?

Playing ping-intensive games through a NAT server, behind a firewall, should work flawlessly, but I'm not sure how to attack the problem. hmm

Any idea on how to go about NAT traversal? Where I'd like others to connect to me even if I'm behind NAT. I can't just connect to the IP address given by NAT, so I'm wonderin' if anyone here knows how.

thanks.
Port forwarding on the NAT router.
You forward the port that your server is listening on to a local machine and local port. All messages on that port will be routed to the local machine you entered.
You can't do this without the intervention of the user.

You could make some passive mode, though: when the server is behind NAT, you let the client listen and the server connect to the clients, but you'd first need to know the clients, so that's no good either.

Another thing I have read a bit about while studying P2P concepts is "rendezvous nodes". These nodes work as an inbetweenie to bridge network segments. The only thing I know it is applied in is discovery of nodes, but I think you can also use them to "connect" over UDP.
You have your rendezvous node that is not behind NAT, and all clients can retrieve a list of other clients and servers there... even the server. If a server sees a new client on the rendezvous node, it sends a UDP packet to this new client, and the client sends a packet to the new server.
In both instances the new "UDP connection" will be cached in the NAT routers.

RDZV - Rendezvous node
CL - Client
SRV - Server

CL -> RDZV -- Register with NAT address
SRV -> RDZV -- Register with NAT address
CL -> RDZV -- Get server
SRV -> RDZV -- Get Client
CL -> SRV -- CREATE UDP CACHE ENTRY Port y->x
SRV -> CL -- CREATE UDP CACHE ENTRY Port x->y
CL -> SRV -- Hello
SRV -> CL -- Hello

I'm pulling all of this right out of my arse, as I have no idea how NAT routers deal with UDP, but I guess that if you want NAT to support UDP you need to cache all new "connections". If NAT can support UDP by default, this has a chance of working if you can make both NATs make a correct cache entry using information stored on the rendezvous node.

[edited by - Structural on March 2, 2004 4:46:42 AM]
STOP THE PLANET!! I WANT TO GET OFF!!
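The rendezvous exchange sketched in the post above, worked through as an added simulation; this is not code from the thread or from any project discussed in it. It assumes NAT behaviour that the post only guesses at: each NAT keeps a UDP translation table, the first outbound packet from a private socket creates an entry (the post's "UDP cache entry"), the same public port is reused for every destination as long as the host keeps using the same socket (endpoint-independent mapping), and inbound packets on that entry are accepted only from remote IPs the host has already sent to (address-dependent filtering, in RFC 4787 terms). The `Nat`, `Internet` and `Host` classes, the RDZV/CL/SRV naming and all addresses are constructed for the example.

```python
"""Toy simulation of the rendezvous / UDP hole-punching exchange from the
thread (added example, not the thread's code).  Each NAT keeps a UDP
translation table with endpoint-independent mapping and address-dependent
filtering (RFC 4787 terms): the first outbound packet from a private socket
creates the entry, and inbound packets on it are accepted only from remote
IPs that socket has already sent to.  All addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: tuple   # (ip, port)
    dst: tuple
    payload: str


@dataclass
class Host:
    name: str
    addr: tuple              # the one UDP socket the host uses for everything
    inbox: list = field(default_factory=list)


class Nat:
    """One NAT router; the thread's "UDP cache entry" is a row in `table`."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.hosts = {}      # private addr -> Host
        self.table = {}      # private addr -> [public port, set(remote ips)]
        self.by_port = {}    # public port -> private addr
        self.dropped = []    # inbound packets rejected by the filter

    def outbound(self, pkt):
        if pkt.src not in self.table:                      # first packet: allocate
            self.table[pkt.src] = [self.next_port, set()]
            self.by_port[self.next_port] = pkt.src
            self.next_port += 1
        port, remotes = self.table[pkt.src]
        remotes.add(pkt.dst[0])                            # remember who we talked to
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        priv = self.by_port.get(pkt.dst[1])
        if priv is None or pkt.src[0] not in self.table[priv][1]:
            self.dropped.append(pkt)                       # no entry, or unknown peer
            return None
        return Packet(pkt.src, priv, pkt.payload)


class Internet:
    """Delivers packets between public hosts and NAT public addresses."""

    def __init__(self):
        self.public = {}     # ip -> Host
        self.nats = {}       # public ip -> Nat
        self.nat_of = {}     # host name -> Nat or None

    def add(self, host, nat=None):
        self.nat_of[host.name] = nat
        if nat is None:
            self.public[host.addr[0]] = host
        else:
            nat.hosts[host.addr] = host
            self.nats[nat.public_ip] = nat

    def send(self, host, dst, payload):
        """Return True if the packet reached a host, False if a NAT dropped it."""
        pkt = Packet(host.addr, dst, payload)
        if self.nat_of[host.name]:
            pkt = self.nat_of[host.name].outbound(pkt)
        ip = pkt.dst[0]
        if ip in self.public:
            self.public[ip].inbox.append(pkt)
            return True
        inner = self.nats[ip].inbound(pkt) if ip in self.nats else None
        if inner is None:
            return False
        self.nats[ip].hosts[inner.dst].inbox.append(inner)
        return True


def build_network():
    """CL and SRV each sit behind their own NAT; RDZV is directly reachable."""
    net, rdzv = Internet(), Host("RDZV", ("203.0.113.1", 5000))
    cl, srv = Host("CL", ("192.168.1.10", 6000)), Host("SRV", ("10.0.0.5", 7000))
    net.add(rdzv)
    net.add(cl, Nat("198.51.100.1"))
    net.add(srv, Nat("198.51.100.2"))
    # CL -> RDZV / SRV -> RDZV: RDZV learns each peer's NAT address from the packet source
    net.send(cl, rdzv.addr, "REGISTER CL")
    net.send(srv, rdzv.addr, "REGISTER SRV")
    registry = {p.payload.split()[1]: p.src for p in rdzv.inbox}
    return net, cl, srv, registry


def contact_without_punch():
    """SRV tries to reach CL straight away: CL's NAT has no entry for SRV's IP."""
    net, cl, srv, reg = build_network()
    return net.send(srv, reg["CL"], "Hello")


def run_exchange():
    """The full sequence from the thread: punch both ways, then exchange Hellos."""
    net, cl, srv, reg = build_network()
    r = {"cl_public": reg["CL"], "srv_public": reg["SRV"]}
    r["punch_cl_to_srv"] = net.send(cl, reg["SRV"], "PUNCH")   # opens CL's NAT, dropped at SRV's
    r["punch_srv_to_cl"] = net.send(srv, reg["CL"], "PUNCH")   # opens SRV's NAT, passes CL's
    r["hello_cl_to_srv"] = net.send(cl, reg["SRV"], "Hello")
    r["hello_srv_to_cl"] = net.send(srv, reg["CL"], "Hello")
    r["cl_inbox"] = [p.payload for p in cl.inbox]
    r["srv_inbox"] = [p.payload for p in srv.inbox]
    return r


if __name__ == "__main__":
    print("direct contact without punching:", contact_without_punch())
    for k, v in run_exchange().items():
        print(f"{k}: {v}")
```

Two things the simulation makes visible that the sketch leaves implicit: the first "CREATE UDP CACHE ENTRY" packet is dropped by the far NAT and only serves to open the sender's own NAT, so both sides have to send before either Hello gets through; and the whole scheme depends on the NAT handing out the same public port for the rendezvous node and for the peer, which is why each host uses one socket for both. A NAT that allocates a fresh port per destination breaks the `registry` lookup, which is the practical limit of this technique.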
When I started to look into this matter, I thought firewall/NAT programming was done using socket programming, or some other Windows API ... And there should be a lot of ppl here with knowledge about this stuff.

But it seems that it's harder than it looks. First I need the Windows DDK, then either create an "NDIS hook driver" or an "NDIS intermediate driver" to catch all the packets. Then I can drop/let them through ... or alter the info inside the packet and route them around ... messy stuff.
Then you might want to control the TDI layer so you know what software on your computer deals with what packet...

Anyway, I have found source code for a simple NDIS hook firewall and a TDI firewall ... and I'm sure there is some info on how to create NAT stuff out of this ... even port throttling etc etc

BUT I'm STUCK without the DDK! And I need to find a better forum (is there any better than gamedev?)

The big question! If you control the NDIS layer through hooking or an IM driver ... how secure are you against a hacker? And how secure are you if a trojan brings along its own drivers for controlling the NDIS layer ... or even the NIC miniport driver?

Anyway ... if ppl here want the info/links I found about this stuff I'll post it.
What if you don't have access to the router? How can you achieve NAT traversal?
