Firewalls and Proxies

Many users, particularly those with cable or DSL connections, are now using a router or proxy server to connect several machines to DareNET over one link. This can create some unique problems, especially for users who have only one IP address assigned to them by their ISP, forcing them to use Network Address Translation (NAT). Likewise, many users are now implementing desktop firewalls to help protect their systems; if not configured correctly, these can cause problems when connecting to IRC servers.

The aim of this FAQ is to provide an overview of the problems you may encounter and suggest some solutions. We cannot offer support for particular brands of hardware or software; please contact your vendor if you are unsure how to implement the suggestions given here on your particular system.

What is a Firewall?
A firewall is a piece of software or hardware which controls access to computers behind it on a network. Firewalls were previously found only on large, commercial networks, where they protected machines on the local network from the Internet. However, DSL, cable and other always-on technologies have led to the development of low-cost consumer firewalls designed for desktop machines or small home networks. Some internet access devices (for example the SMC Barricade series of Cable/DSL routers) act as a hardware firewall, but the majority of users are using software firewalls such as Zone Alarm or Conseal.

What ports do I need to open?
You will need to open the port you connect to DareNET's server with and also the port for the Ident service on your machine. Normally, you will use port 6667 to connect to the server and port 113 for Ident. Both ports must allow traffic in and out from at least the IP address of the server you are connecting to (it's probably easier to allow traffic from any IP address to these ports unless you have good reason not to). The Ident port must also allow incoming connections because the server you are connecting to will send an Ident request to port 113 on your machine. If you block this port you will either have a username beginning with a tilde (~) or be unable to connect at all. You will also need to open the ports for your ISP's DNS service and possibly their DHCP service, or you may find you are unable to use the internet at all (not just IRC!). Contact your service provider for details of these services and the ports they run on.
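The Ident exchange described above follows RFC 1413, and the sketch below is an added example, not DareNET's code or any particular Ident daemon. It shows the query the IRC server sends, the reply a working Ident service returns, and what the server sees when the port is closed. It assumes a loopback responder on an ephemeral port (binding port 113 needs elevated privileges), and the user name and port numbers are constructed.

```python
import socket
import socketserver
import threading

def parse_query(line):
    """Parse an RFC 1413 query '<local-port>, <remote-port>'; None if malformed."""
    try:
        local, remote = (int(p.strip()) for p in line.strip().split(","))
    except ValueError:
        return None
    ok = 1 <= local <= 65535 and 1 <= remote <= 65535
    return (local, remote) if ok else None

def build_reply(line, userid="example"):  # "example" is a constructed user name
    ports = parse_query(line)
    if ports is None:
        # This example answers malformed queries with a zeroed port pair.
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    return "%d, %d : USERID : UNIX : %s\r\n" % (ports[0], ports[1], userid)

class IdentHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline(64).decode("ascii", "replace")
        self.wfile.write(build_reply(line).encode("ascii"))

def ident_lookup(host, port, local_port, remote_port, timeout=3.0):
    """Ask an Ident service who owns a connection, as the IRC server would."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"%d, %d\r\n" % (local_port, remote_port))
            reply = s.makefile("r", encoding="ascii", errors="replace").readline()
    except OSError:
        return None  # port blocked, closed, or timed out
    fields = [f.strip() for f in reply.split(":", 3)]
    return fields[3] if len(fields) == 4 and fields[1] == "USERID" else None

def demo():
    """Query a loopback responder, then the same port after it has closed."""
    with socketserver.TCPServer(("127.0.0.1", 0), IdentHandler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port = srv.server_address[1]
        answered = ident_lookup("127.0.0.1", port, 50000, 6667)
        srv.shutdown()
    unanswered = ident_lookup("127.0.0.1", port, 50000, 6667)
    return answered, unanswered

if __name__ == "__main__":
    print(demo())
```

A `None` result from `ident_lookup` corresponds to the case where the server gets no Ident answer, which is when you see the tilde (~) prefix or a refused connection.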

Doesn't that compromise the security of my machine?
Every rule you add which allows a machine to connect to you or you to connect to another machine reduces your security. Advanced configuration of firewalls is beyond the scope of this FAQ; however, the risks posed by opening these ports are minimal and can in most cases be ignored. If you keep information on your machine which is so sensitive that even this minor risk worries you, you should consider whether the machine should even be connected to the internet in the first place, and if it is connected, whether you should use it for IRC.

What about 'application firewalls' such as Zone Alarm?
These are very easy to configure and usually very effective. Most come with comprehensive online help and some have printed manuals which detail step by step how to set them up. You should be aware that in order for Ident to function properly you will need to grant your IRC client (or stand-alone Ident daemon if you're running one) rights to act as a server.

How do I bypass my School/College/Work firewall to access DareNET?
You don't. Ask your firewall admin. or IT department to open the ports you need.

My firewall gets scanned by a DareNET IP address every time I connect, why?
When you connect to a DareNET server you are automatically scanned for any insecure proxy servers on your machine. If any are found, you are disconnected until you secure them. This is to prevent your system being used to launch attacks against our network and is as much for your own security as ours. If you do not wish to be scanned in this way, please do not connect to DareNET.

What is a proxy server?
A proxy server is a machine which allows you to connect to it and from there on to a second machine, acting as a relay point in-between. The most common use for proxies is to speed up web browsing by storing a copy of web pages on your local network for faster access, however proxy servers of one kind or another exist for almost all major internet protocols. Users of IRC usually use proxies to hide their true IP address either to help discourage network based attacks or to make them harder to trace while causing mischief.

I get G-LINED every time I connect using my proxy, why?
DareNET automatically g-lines any proxy server which permits anonymous access or which allows users to connect from anywhere on the internet without doing any kind of authentication. In addition, certain proxy servers have been banned because they have been a source of problems in the past (usually advertising or flooding) and their administrators have proved unresponsive to complaints.

Recently we have started using a number of proxy lists to assist us in keeping the network free of insecure proxy servers. If you're listed on these lists you will be g-lined with a message directing you to specific information regarding the problem. PLEASE FOLLOW THE LINK, you will not be able to connect to DareNET until you have resolved the problem and delisted your IP address. This process can take anywhere from a few minutes to several hours and DareNET staff CANNOT influence it in any way.

See our Fixing Insecure Proxies document for additional information.

Are proxy servers secure?
A proxy server is as secure as the machine it's running on and the configuration it's been set up with allow it to be. Proxies can be secure; however, if the server box is not secure or the proxy server software is incorrectly configured, the proxy is not secure. You should also bear in mind that by connecting through a proxy you are potentially allowing a third party to intercept and log all the data you send via that proxy, including any passwords or authentication data.

What do I need to do to connect to DareNET using a proxy server?
Your proxy server must only permit connections from your IP addresses OR it must use a username/password combination to secure access to it. Any server permitting public access without authentication will be banned from DareNET. Your proxy server's host must also run Ident to connect to certain DareNET servers or to connect from certain IP ranges.

I want to use a public proxy to hide my identity, why don't you allow them?
Public proxies are a continual source of abuse, often being used by people intent on causing havoc on our network. This and the difficulty of getting a response from the administrators of many such servers has forced us to ban all public proxies from DareNET.

My ISP forces me to use a proxy and it's banned, what can I do?
You should ask your ISP to contact DareNET's Abuse Team via abuse@darenet.org to discuss the issue. Please don't complain directly to us; you'll only be referred back to your ISP, who is probably already well aware of the problem.

What is a Router?
A router is a device which allows you to connect your home network directly to a high-speed connection such as DSL or a Cable Modem. Some routers have built-in hubs, allowing you to connect your PCs directly to the router, while others plug into a separate hub to provide access to all computers on your LAN.

What is NAT?
NAT stands for Network Address Translation, a process which allows several computers on a local network to share a single public IP address. It's often found on DSL and Cable routers to help overcome the fact that many suppliers only allow a single IP address for each subscriber to their service.

I have a 'real' IP address for every machine but I keep getting g-lined for not running Ident, what do I need to do to connect?
You will need to ensure that each machine which connects to DareNET is running an Ident server either as part of the IRC client or as a stand-alone program. You will also need to make sure that your router is allowing connections to and from your network on port 113.

I have only one IP address and use NAT to share it across several machines and get g-lined for not running Ident, what do I need to do to connect?
You will need to designate one machine as your Ident server and run a stand-alone Ident program on it. You will also need to set up a static route on your router which directs all traffic on port 113 to this machine. Each router handles this in a slightly different way; please contact your router vendor for details on how to implement static routes on your equipment.

I use Microsoft's ICS to share my connection and get g-lined for not running Ident, what do I need to do to connect?
ICS does not support Ident directly but can usually be persuaded to work. Please see our Microsoft ICS and Ident document for more information.

I use a server as a gateway and get g-lined for not running Ident, what do I need to do to connect?
You will need to run an Ident server on your gateway machine and ensure that requests to and from port 113 are not blocked.

I have one IP address and keep getting g-lined for running clones, how can I avoid this?
Contact our Abuse Team (abuse@darenet.org) and explain why you want to connect multiple machines in this way (e.g. granted a 'trust'). They will evaluate your application and advise you on how to proceed.