Firewalls, Hotlink Protection, and IP Addresses

By Old Tom, OT Scripts

I learned something today, and so I thought I'd pass along the information. But first, why should you care? You probably don't. But... the more you know how servers work, the better chance you have of understanding what's going wrong, when something *does* go wrong.

In this case, something went wrong when converting to name-based hosting, where many domains share a single IP address.

On our old dedicated server (mine and Jojasa's), each domain had its own unique IP address. On the new server, all domains have the same IP address, and it's up to the Apache server software to figure things out from there. If you look up 209.215.97.148, you'll find that twenty or more domains point to that IP address.

That's fine, and that's as it should be. So, what's the problem? To explain that, I need to explain how your browser works under the covers... which just might be interesting, because it also explains how sitesuckers can steal your bandwidth.

Suppose you want to go to http://www.otscripts.com/product/index.html?oldtom. You click on the link, but what actually happens? Let's look at that in detail.

To connect to a server across the Internet, you need an IP address. We know the domain we're looking for is otscripts.com, but that's not good enough. You've heard of DNS entries, or nameservers? That's where the nameserver comes into play. (DNS stands for Domain Name Server.) The nameserver looks up otscripts.com, and determines that it's at IP address 209.215.97.148.

In order to actually grab that web page from otscripts.com, we need to *connect* to the server. It's like talking to someone at a distance... in order to speak with them on the phone, you have to actually dial their number, and they have to answer the phone. On the Internet, that's called making a "socket" connection. In order to make the socket connection, you need to specify the IP address, and the port number.


Think of the port numbers as different phones in the same building. If you want to do some ftp file transfers, you call up port 21. Web pages are port 80. If you're doing a telnet login, that's port 23; secure shell (ssh) is port 22, and so on. Normally you don't care about that... your ftp program already knows to aim for port 21, and your browser knows to aim for port 80.

But... consider that from the server's point of view. The "ftp guy" is sitting there listening, waiting for the "port 21" phone to start ringing. The web server is listening to port 80; ssh is listening to port 22; and so on. The "ftp guy" is just sitting there waiting, hoping that you'll fire up your ftp program and transfer some files. The "web page guy" is likewise sitting right by port 80, listening, listening, listening.

Did you know that *your* computer at home has these same guys listening, listening, listening? Did you know that somebody can find *your* IP address, and can pop into your house to see if anybody is sitting by the "phone" waiting for a call? If you're on DSL or cable, with a static IP address and your computer always on, it's not hard to find you. Have you heard of a "port scan" or a "firewall" or "ZoneAlarm"? The firewall's entire purpose is to keep these intruders from connecting to the "guys" listening on your computer's ports.

Your computer *does* have a port 80, and a port 23, and so on... the key question is, does your computer answer the phone when an intruder calls? The firewall (e.g., ZoneAlarm) is aimed at keeping that intruder out. A "port scan" is when the intruder tries to get an answer on port 1, then port 2, then port 3, and so on.
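To make the two ideas in the last paragraphs concrete (a service only "answers the phone" if something is listening on the port and the firewall lets the caller through, and a port scan is one source trying port after port), here is a small added example in Python. It is not part of the original article and not ZoneAlarm's or anyone's real firewall; the listening ports, the rule table, the addresses, and the connection-attempt log are all constructed sample values, and the rule format (first match wins, default deny) is a simplification chosen for illustration.

```python
from collections import defaultdict

# Constructed host: the services "sitting by the phone" on this machine, by port.
LISTENING = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http"}

# Constructed firewall policy, first matching rule wins, anything unmatched is denied.
# Each rule is (action, source-address prefix or "any", port or "any").
RULES = [
    ("allow", "192.168.1.", 22),   # ssh only from the home LAN
    ("allow", "any", 80),          # anyone may reach the web server
    ("deny", "any", "any"),        # everything else: do not pick up the phone
]

def firewall_decision(src_ip, port, rules=RULES):
    """Walk the rule table top to bottom; the first rule that matches decides."""
    for action, src, p in rules:
        if (src == "any" or src_ip.startswith(src)) and (p == "any" or p == port):
            return action
    return "deny"  # default deny if no rule matched at all

def answers(src_ip, port, rules=RULES, listening=LISTENING):
    """Does this computer answer? Only if a service listens on the port AND
    the firewall allows that caller through to it."""
    return port in listening and firewall_decision(src_ip, port, rules) == "allow"

# Constructed connection-attempt log: (time in seconds, source address, destination port).
LOG = [
    (0.0, "203.0.113.9", 1), (0.1, "203.0.113.9", 2), (0.2, "203.0.113.9", 3),
    (0.3, "203.0.113.9", 21), (0.4, "203.0.113.9", 22), (0.5, "203.0.113.9", 23),
    (0.6, "203.0.113.9", 25), (0.7, "203.0.113.9", 80),
    (1.0, "198.51.100.4", 80), (30.0, "198.51.100.4", 80),
    (5.0, "192.168.1.20", 22),
]

def detect_scans(log, window=10.0, distinct_ports=5):
    """Flag any source that touches many distinct ports inside a short window:
    the 'port 1, then port 2, then port 3' pattern the article describes.
    Returns {source: number of distinct ports seen in the first qualifying window}."""
    by_src = defaultdict(list)
    for t, src, port in log:
        by_src[src].append((t, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= distinct_ports:
                flagged[src] = len(ports)
                break
    return flagged

def dropped_attempts(log, rules=RULES, listening=LISTENING):
    """Which attempts in the log got no answer (denied, or nothing listening)."""
    return [(src, port) for _, src, port in log if not answers(src, port, rules, listening)]

if __name__ == "__main__":
    print("scanners:", detect_scans(LOG))
    print("unanswered:", dropped_attempts(LOG))
```

Two things are worth noticing in the output: the scanner is flagged even though most of its probes were dropped, because the attempts themselves are the signal, and the web port still answers the scanner, since the policy deliberately exposes it. That is the trade-off a firewall rule table encodes: whatever you leave open for the public is also open to whoever is dialing every number.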

But, I digress. The server *does* listen to these connection requests. So, your browser requests a "socket connection" to IP address 209.215.97.148 port 80. If the otscripts.com server is listening (and it better be!), it picks up the phone, so to speak, and waits to hear what you have to say.

Continued on Page 8


©2001 VNWR. All rights reserved.