Gordon Chamberlin <glac,AT,visualizeinc,DOT,com> writes:
> Firewalls would likely constrain the IP addresses behind them to the
> non-routable range (192.168.x.y).

Firewall != NAT.

Perfectly valid, worldwide-routable IP addresses can nonetheless be
firewalled from view on certain ports. A machine with an address in
ordinary, routable IP space might nonetheless be positioned behind a
firewalling router which precludes e.g. NNTP or SMTP, so as to avoid
use of firewalled hosts for spam-sourcing.

> How would you tunnel through a firewall in that case or any other?

For the NAT'ing firewall case, if _one_ endpoint is NAT'd and the
other is not, then the non-NAT endpoint can be set up with address
0.0.0.0 and port 0 for the mate's address, and the NAT endpoint can
then be responsible for establishing the connection to the non-NAT

If both endpoints are NAT'd, then yes, both ends fail to be able to
find the mate endpoint, without explicit port-forwarding at the