Subject RE: [firebird-support] Firebird Ver 1.5 + Events + Firewall/Router. Questions
Author Nigel Weeks
Setting up firewalling on a Firebird server is fairly easy

Rule 1: Allow all traffic from your LAN to your server port 3050, inwards
Rule 2: Allow all traffic out from your server (all ports) to your LAN,
outwards only, with pinholes to get packets back
Rule 3: Deny all other traffic.

This means:
clients can connect in on Rule 1, and get data back on Rule 2.
Events can be sent via Rule 2
Unauthorised connections are blocked by Rule 3

In FreeBSD's "ipfw" rules, this looks like (assuming the NIC is device tl0):

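# Rule 1: LAN clients in to the Firebird port
add 1000 allow tcp from any to me 3050 in via tl0
# Rule 2: all traffic out from the server; keep-state opens the return pinhole
add 2000 allow ip from me to any out via tl0 keep-state
# Rule 3: deny everything else
add 65535 deny ip from any to any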


-----Original Message-----
On Behalf Of jarrod_petz
Sent: Thursday, 6 July 2006 11:06 AM
Subject: [firebird-support] Firebird Ver 1.5 + Events + Firewall/Router.

I just wanted to make some enquiries as to how events work in Firebird
ver 1.5.

Our development team is currently using the events feature of Firebird
to do asynchronous message passing between a server and multiple
clients over a local area network. A rough outline of what we are
doing is described below.

1. A client is going to make a request to a server process that will
take a long time to return data. Rather than block the client until
the data is ready we allow them to continue working. The client will
register an event in the Firebird database and start listening to the
event before making the call to the server to start retrieving its data.

2. The server receives the request to retrieve data from the client
along with the details of the database event it should post to when
the data is ready. The server process proceeds to do its work and will
post to the event when finished.

3. The client process listening to the database event is notified when
the server process is finished and can access the data it wanted.

Everything seems to run fine when the Windows firewall is turned off
or when the fbserver.exe is permitted in the firewall exception rules.
However if the firewall is active with only port 3050 open for
Firebird our application locks up and stalls when the client tries
registering the event in step one. Sometimes this also
stalls/crashes/locks the fbserver process as well bringing down the
entire system. I can see from using a port monitor that fbserver.exe
seems to start a new server on a new random port for each client that
registers an event. No doubt this is probably for the client to connect
and listen to for when the server posts to the event. However should
the Windows firewall be blocking these new random ports? If so what is
the recommended way to configure a Firebird server so events work, both
on an intranet and behind a router, which I believe will have the same
problem; however, most routers won't be able to allow a certain
executable on a certain machine to open ports? Should the fbserver.exe
not be punching holes in NAT/firewalls by sending an outgoing packet
to the person registering the event?

For example:
1. Client from connects to database hosted on
on well known port 3050. This works as 3050 is well known and we have
put rules into NAT/Firewall to allow connection on this port either
from the intranet or WAN, it doesn't matter.

2. Client registers an event. fbserver.exe kicks off a new
connection/server for the client to listen to for the event. It does
this by
a) Requesting a port to use from the OS
b) Sending a packet to the client via the new port specifically to
punch through any firewall or NAT that may block the client connecting.
c) Sending the details of the new connection to the client so it can be
established at their end (allowing the user to punch through their
firewall/NAT if they have it).

I can provide code samples and further details if required. Currently
our dev environment is using Delphi3 and IBObjects. Any information
that people can provide or ideas would be of great help.
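
An added sketch, not code from either poster or from Firebird: it models the three rules from the reply as a small stateful filter and replays the event registration from the original question, assuming (as the port-monitor observation suggests) that the client opens its event channel to a random port on the server. All addresses and ports other than 3050 are constructed; 3051 stands for a fixed event port such as the one the RemoteAuxPort setting in Firebird 1.5's firebird.conf provides.

```python
from dataclasses import dataclass

SERVER = "10.0.0.5"    # constructed server address
CLIENT = "10.0.0.20"   # constructed LAN client
FB_PORT = 3050         # Firebird's well-known port, from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Rules 1-3 from the reply, evaluated on the server's NIC."""

    def __init__(self, inbound_ports=(FB_PORT,)):
        self.inbound_ports = set(inbound_ports)  # Rule 1 ports
        self.pinholes = set()                    # state kept by Rule 2

    def check(self, p):
        if p.dst == SERVER:                      # inbound packet
            if p.dport in self.inbound_ports:
                return "rule1-allow"
            if (p.src, p.sport, p.dst, p.dport) in self.pinholes:
                return "rule2-pinhole"           # reply to server-initiated flow
            return "rule3-deny"
        if p.src == SERVER:                      # outbound: allow, keep state
            self.pinholes.add((p.dst, p.dport, p.src, p.sport))
            return "rule2-allow"
        return "rule3-deny"


def event_registration(fw, aux_port):
    """Attach on 3050, get the reply, then open the event channel."""
    steps = [
        Packet(CLIENT, 40000, SERVER, FB_PORT),   # client attaches
        Packet(SERVER, FB_PORT, CLIENT, 40000),   # server answers
        Packet(CLIENT, 40001, SERVER, aux_port),  # client opens event channel
    ]
    return [fw.check(p) for p in steps]


if __name__ == "__main__":
    # Random event port with only 3050 open: the last step is dropped.
    print(event_registration(Firewall(), 51234))
    # Event port pinned to 3051 (assumed value) and opened alongside 3050.
    print(event_registration(Firewall((FB_PORT, 3051)), 3051))
```
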

