Computer Security - Please explain port forwarding..
#1

In article <F_Iqc.15$kK3.6@newsfe6-win>, says...

> I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....
>
> I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.
>
> So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....

Forwarding means that the port specified that arrives inbound on the specified public IP address (in case you have more than one) will be forwarded to the specified internal IP address - no filtering, just all data on port X will be forwarded to that IP.

So, assuming that you are using a simple NAT router on a DSL/Cable connection with 1 public IP address:

Forwarding -

    IP Address      PORT  Enable
    192.168.10.200  80    X
    192.168.10.200  443   X

In the above example, all inbound traffic on your Public IP address for ports 80/443 will be forwarded to the internal IP of 192.168.10.200.

If you had more than 1 public IP and a router that handles it, you can create rules that allow you to specify the public ip, port, internal ip, port, and enable/disable.

--
(Remove 999 to reply to me)
Leythos
#2

In article <3AJqc.19$kK3.9@newsfe6-win>, says...

> "Leythos" <> wrote in message news:...
> > In article <F_Iqc.15$kK3.6@newsfe6-win>, says...
> > > I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....
> > >
> > > I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.
> > >
> > > So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....
> >
> > Forwarding means that the port specified that arrives inbound on the specified public IP address (in case you have more than one) will be forwarded to the specified internal IP address - no filtering, just all data on port X will be forwarded to that IP.
> >
> > So, assuming that you are using a simple NAT router on a DSL/Cable connection with 1 public IP address:
> >
> > Forwarding -
> >
> >     IP Address      PORT  Enable
> >     192.168.10.200  80    X
> >     192.168.10.200  443   X
> >
> > In the above example, all inbound traffic on your Public IP address for ports 80/443 will be forwarded to the internal IP of 192.168.10.200.
> >
> > If you had more than 1 public IP and a router that handles it, you can create rules that allow you to specify the public ip, port, internal ip, port, and enable/disable.
>
> Thanks for your reply.
>
> So is port forwarding a security risk?
>
> If I understand you correctly, **any** packet arriving at my router's WAN address destined for port 10,000 will be forwarded straight on to 192.168.0.26.
>
> So would someone scanning my network see port 10,000 as open or closed?
>
> Or if there was a worm going around that tried to get in via port 10,000 would it get straight through to 192.168.0.26?
>
> ..still confused..

Any data sent to port 10000 will be forwarded directly to the internal address - there is no filtering, nothing, it just goes directly to it. It would be considered OPEN to anyone.

So, if you opened port 1433/1434 (MS SQL PORTS) and forwarded them to your MS SQL server, you would be compromised in a short time since there are still many traces of the SQL Slammer worm running around.

If you need port forwarding you need to secure the machine that is the destination of the forward - meaning that if you were running a web server behind the router, you had better have locked it down (based on the Web Server OS vendor suggestions), be running a strong Anti-virus package, and have changed all accounts/passwords so that they don't match any accounts/passwords on your other machines.

Port forwarding is not a security threat, it's a normal way of doing business - a threat would be the unsecured machine that is the destination of the port forwarding. The best rule is that if you don't know what you are doing, if you don't know how to secure it, if you are unsure in any way, don't forward.

--
(Remove 999 to reply to me)
Leythos
#3

I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....

I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.

So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....

1. Any request **initiated** from the internet on port 10,000 to my WAN address will go straight through the router to 192.168.0.26?

2. The above is wrong and only data that 192.168.0.26 has specifically requested and initiated on port 10,000 will get into my LAN.

3. If number two is correct then I am more confused, because I thought that if an internal machine initiated the request then the router would be aware of that fact and let the *reply* come back in through the appropriate port. If this were true then there would be no need to forward ports!! Arghh!

You can see my confusion :O(

Help!

thx
Paul

Paul H
#4

"Leythos" <> wrote in message news:...
> In article <F_Iqc.15$kK3.6@newsfe6-win>, says...
> > I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....
> >
> > I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.
> >
> > So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....
>
> Forwarding means that the port specified that arrives inbound on the specified public IP address (in case you have more than one) will be forwarded to the specified internal IP address - no filtering, just all data on port X will be forwarded to that IP.
>
> So, assuming that you are using a simple NAT router on a DSL/Cable connection with 1 public IP address:
>
> Forwarding -
>
>     IP Address      PORT  Enable
>     192.168.10.200  80    X
>     192.168.10.200  443   X
>
> In the above example, all inbound traffic on your Public IP address for ports 80/443 will be forwarded to the internal IP of 192.168.10.200.
>
> If you had more than 1 public IP and a router that handles it, you can create rules that allow you to specify the public ip, port, internal ip, port, and enable/disable.

Thanks for your reply.

So is port forwarding a security risk?

If I understand you correctly, **any** packet arriving at my router's WAN address destined for port 10,000 will be forwarded straight on to 192.168.0.26.

So would someone scanning my network see port 10,000 as open or closed?

Or if there was a worm going around that tried to get in via port 10,000 would it get straight through to 192.168.0.26?

...still confused..

Paul H
#5

In article <L4Lqc.26$kK3.9@newsfe6-win>, says...

> Thanks a million for this, the penny is starting to drop..;O)
>
> One more thing..
>
> A common reason for a home user to mess with port forwarding is for gaming. Given what I now understand, why should a gamer have to do this? I can understand why exchange or SQL server would need port forwarding but why would a game need this just for multiplayer purposes, especially if he is **not ** running a server just a workstation and wants to join in the online fun?
>
> Thanks, last question..(promise)

Most games do not require PF, they only require it if they are acting as a listen/dedicated server. I play a couple games online with up to 32 players and no PF is needed - unless I run a server.

For games that require PF to be setup, they are just poorly implemented - they should know that people need to sit behind some form of NAT.

--
(Remove 999 to reply to me)
Leythos
#6

On Wed, 19 May 2004 17:31:25 +0100, "Paul H" <> wrote:

> "Leythos" <> wrote in message news:...
> > In article <3AJqc.19$kK3.9@newsfe6-win>, says...
> > > "Leythos" <> wrote in message news:...
> > > > In article <F_Iqc.15$kK3.6@newsfe6-win>, says...
> > > > > I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....
> > > > >
> > > > > I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.
> > > > >
> > > > > So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....
> > > >
> > > > Forwarding means that the port specified that arrives inbound on the specified public IP address (in case you have more than one) will be forwarded to the specified internal IP address - no filtering, just all data on port X will be forwarded to that IP.
> > > >
> > > > So, assuming that you are using a simple NAT router on a DSL/Cable connection with 1 public IP address:
> > > >
> > > > Forwarding -
> > > >
> > > >     IP Address      PORT  Enable
> > > >     192.168.10.200  80    X
> > > >     192.168.10.200  443   X
> > > >
> > > > In the above example, all inbound traffic on your Public IP address for ports 80/443 will be forwarded to the internal IP of 192.168.10.200.
> > > >
> > > > If you had more than 1 public IP and a router that handles it, you can create rules that allow you to specify the public ip, port, internal ip, port, and enable/disable.
> > >
> > > Thanks for your reply.
> > >
> > > So is port forwarding a security risk?
> > >
> > > If I understand you correctly, **any** packet arriving at my router's WAN address destined for port 10,000 will be forwarded straight on to 192.168.0.26.
> > >
> > > So would someone scanning my network see port 10,000 as open or closed?
> > >
> > > Or if there was a worm going around that tried to get in via port 10,000 would it get straight through to 192.168.0.26?
> > >
> > > ..still confused..
> >
> > Any data sent to port 10000 will be forwarded directly to the internal address - there is no filtering, nothing, it just goes directly to it. It would be considered OPEN to anyone.
> >
> > So, if you opened port 1433/1434 (MS SQL PORTS) and forwarded them to your MS SQL server, you would be compromised in a short time since there are still many traces of the SQL Slammer worm running around.
> >
> > If you need port forwarding you need to secure the machine that is the destination of the forward - meaning that if you were running a web server behind the router, you had better have locked it down (based on the Web Server OS vendor suggestions), be running a strong Anti-virus package, and have changed all accounts/passwords so that they don't match any accounts/passwords on your other machines.
> >
> > Port forwarding is not a security threat, it's a normal way of doing business - a threat would be the unsecured machine that is the destination of the port forwarding. The best rule is that if you don't know what you are doing, if you don't know how to secure it, if you are unsure in any way, don't forward.
> >
> > --
> > (Remove 999 to reply to me)
>
> Thanks a million for this, the penny is starting to drop..;O)
>
> One more thing..
>
> A common reason for a home user to mess with port forwarding is for gaming. Given what I now understand, why should a gamer have to do this? I can understand why exchange or SQL server would need port forwarding but why would a game need this just for multiplayer purposes, especially if he is **not ** running a server just a workstation and wants to join in the online fun?
>
> Thanks, last question..(promise)
>
> :O)

Port mapping allows inward connections through the NAT. So if a gamer needs to connect to your machine this allows him to do so from outside. There is no restriction on the outgoing connections from your network.

--
Jim Watt http://www.gibnet.com

Jim Watt
#7

"Leythos" <> wrote in message news:...
> In article <3AJqc.19$kK3.9@newsfe6-win>, says...
> > "Leythos" <> wrote in message news:...
> > > In article <F_Iqc.15$kK3.6@newsfe6-win>, says...
> > > > I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....
> > > >
> > > > I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.
> > > >
> > > > So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....
> > >
> > > Forwarding means that the port specified that arrives inbound on the specified public IP address (in case you have more than one) will be forwarded to the specified internal IP address - no filtering, just all data on port X will be forwarded to that IP.
> > >
> > > So, assuming that you are using a simple NAT router on a DSL/Cable connection with 1 public IP address:
> > >
> > > Forwarding -
> > >
> > >     IP Address      PORT  Enable
> > >     192.168.10.200  80    X
> > >     192.168.10.200  443   X
> > >
> > > In the above example, all inbound traffic on your Public IP address for ports 80/443 will be forwarded to the internal IP of 192.168.10.200.
> > >
> > > If you had more than 1 public IP and a router that handles it, you can create rules that allow you to specify the public ip, port, internal ip, port, and enable/disable.
> >
> > Thanks for your reply.
> >
> > So is port forwarding a security risk?
> >
> > If I understand you correctly, **any** packet arriving at my router's WAN address destined for port 10,000 will be forwarded straight on to 192.168.0.26.
> >
> > So would someone scanning my network see port 10,000 as open or closed?
> >
> > Or if there was a worm going around that tried to get in via port 10,000 would it get straight through to 192.168.0.26?
> >
> > ..still confused..
>
> Any data sent to port 10000 will be forwarded directly to the internal address - there is no filtering, nothing, it just goes directly to it. It would be considered OPEN to anyone.
>
> So, if you opened port 1433/1434 (MS SQL PORTS) and forwarded them to your MS SQL server, you would be compromised in a short time since there are still many traces of the SQL Slammer worm running around.
>
> If you need port forwarding you need to secure the machine that is the destination of the forward - meaning that if you were running a web server behind the router, you had better have locked it down (based on the Web Server OS vendor suggestions), be running a strong Anti-virus package, and have changed all accounts/passwords so that they don't match any accounts/passwords on your other machines.
>
> Port forwarding is not a security threat, it's a normal way of doing business - a threat would be the unsecured machine that is the destination of the port forwarding. The best rule is that if you don't know what you are doing, if you don't know how to secure it, if you are unsure in any way, don't forward.
>
> --
> (Remove 999 to reply to me)

Thanks a million for this, the penny is starting to drop..;O)

One more thing..

A common reason for a home user to mess with port forwarding is for gaming. Given what I now understand, why should a gamer have to do this? I can understand why exchange or SQL server would need port forwarding but why would a game need this just for multiplayer purposes, especially if he is **not ** running a server just a workstation and wants to join in the online fun?

Thanks, last question..(promise)

:O)

Paul H
#8

"Paul H" <> writes:

]I have a NAT router with an SPI and several PCs on a peer network. I have a good understanding of networks but....
]I have never been able to get what is really happening with port forwarding. Even though I have usefully configured my router to forward ports, I don't *really* know what I am doing.
]So, If I configure my NAT router to forward port 10,000 to 192.168.0.26 on my network does that mean?....
]1. Any request **initiated** from the internet on port 10,000 to my WAN address will go straight through the router to 192.168.0.26?

Any packet on the internet has a From address, a From port, a To address and a To port as part of its header. When the router sees the To address of your machine with To port number, it rewrites the packet to have the To address of the machine you are forwarding to and the To port of that machine you want that packet forwarded to and sends it out over the internal part of the lan. When it gets a From address with that From port on the internal machine, it rewrites the packet, substituting the From address of your machine or router and the From port.

So, say you are forwarding port 1000 on machine A to port 55 on machine B. So the packet rewriting would look like

    External Lan Internal Lan From X From A:1000 To X from th

]2. The above is wrong and only data that 192.168.0.26 has specifically requested and initiated on port 10,000 will get into my LAN.
]3. If number two is correct then I am more confused, because I thought that if an internal machine initiated the request then the router would be aware of that fact and let the *reply* come back in through the appropriate port. If this were true then there would be no need to forward ports!! Arghh!

What if you want port 80 (http) on machine A to actually be handled by machine B instead. So you would port forward port 80 on A to port 80 on B. This would come from the outside with no prior communication. NAT is for translating stuff initiated internally. Port forwarding is for stuff initiated from outside.

]You can see my confusion :O(
]Help!
]thx
]Paul

Bill Unruh
#9

"Paul H" <> writes:

]Thanks for your reply.
]So is port forwarding a security risk?
]If I understand you correctly, **any** packet arriving at my router's WAN address destined for port 10,000 will be forwarded straight on to 192.168.0.26.

Yes.

]So would someone scanning my network see port 10,000 as open or closed?

Open.

]Or if there was a worm going around that tried to get in via port 10,000 would it get straight through to 192.168.0.26?

Yes. It is a security threat if things are not set up properly. NAT is not, since stuff coming from outside is only forwarded if it is to a port which previously sent stuff to that external machine from that port. Ie, NAT does not respond to external requests. Port forwarding does.

Bill Unruh
#10

"Paul H" <> writes:

]A common reason for a home user to mess with port forwarding is for gaming. Given what I now understand, why should a gamer have to do this? I can understand why exchange or SQL server would need port forwarding but why would a game need this just for multiplayer purposes, especially if he is **not ** running a server just a workstation and wants to join in the online fun?

Because other gamers may send him packets "out of the blue" -- ie without him having previously initiated a particular interaction with that particular machine.

Bill Unruh
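The header rewriting Bill Unruh describes in #8, the open/closed and worm answers in #9, and the "out of the blue" packets in #10 can all be seen in one small model. The following is an added example written for this thread, not code from any of the posters: a toy NAT router with a single public IP, a dynamic translation table that is only ever populated by outbound traffic, and one static forward of public port 10000 to 192.168.0.26 (the thread's example). All IP addresses, the scanner's port, and the starting public port 40000 are constructed values.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The four header fields the router cares about: From address/port, To address/port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy NAT router: one public IP, dynamic NAT table, optional static port forwards."""

    def __init__(self, public_ip: str, forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        # Static port-forward rules: public port -> (internal ip, internal port).
        self.forwards: Dict[int, Tuple[str, int]] = dict(forwards or {})
        # Dynamic NAT table, filled only by outbound traffic:
        # public port -> (remote ip, internal ip, internal port).
        self.nat_table: Dict[int, Tuple[str, str, int]] = {}
        self.next_public_port = 40000  # constructed starting point for allocated ports

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host -> internet: rewrite the From fields to the public IP and a public port."""
        for pub_port, (remote, ip, port) in self.nat_table.items():
            if (remote, ip, port) == (pkt.dst_ip, pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
        pub_port = self.next_public_port
        self.next_public_port += 1
        self.nat_table[pub_port] = (pkt.dst_ip, pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public IP: rewrite the To fields, or drop (return None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. Static forward: accepted from anyone, with no prior outbound traffic (post #9: "Open").
        if pkt.dst_port in self.forwards:
            ip, port = self.forwards[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        # 2. Dynamic NAT entry: accepted only from the remote host the inside machine talked to.
        entry = self.nat_table.get(pkt.dst_port)
        if entry is not None and entry[0] == pkt.src_ip:
            _, ip, port = entry
            return replace(pkt, dst_ip=ip, dst_port=port)
        # 3. Anything else arrived "out of the blue" and has nowhere to go: dropped.
        return None


def scanner_sees(router: NatRouter, scanner_ip: str, port: int) -> str:
    """What an outside host probing a public port with no prior contact observes."""
    probe = Packet(scanner_ip, 51515, router.public_ip, port)  # constructed probe
    return "open" if router.inbound(probe) is not None else "closed"


def demo() -> dict:
    # Constructed scenario: forward public port 10000 to 192.168.0.26, as in the thread.
    router = NatRouter("203.0.113.7", forwards={10000: ("192.168.0.26", 10000)})
    results = {}
    # Unsolicited packet (a scan, a worm) to the forwarded port: rewritten and delivered.
    fwd = router.inbound(Packet("198.51.100.9", 4444, "203.0.113.7", 10000))
    results["forwarded_to"] = (fwd.dst_ip, fwd.dst_port)
    results["scan_10000"] = scanner_sees(router, "198.51.100.9", 10000)
    # Same probe at a port with no rule and no NAT entry: dropped.
    results["scan_1433"] = scanner_sees(router, "198.51.100.9", 1433)
    # Inside host opens a connection out; the reply from that server is translated back in...
    out = router.outbound(Packet("192.168.0.10", 3333, "192.0.2.80", 80))
    results["outbound_as"] = (out.src_ip, out.src_port)
    reply = router.inbound(Packet("192.0.2.80", 80, "203.0.113.7", out.src_port))
    results["reply_to"] = (reply.dst_ip, reply.dst_port)
    # ...but a third party aiming at that same public port is still dropped.
    results["third_party"] = router.inbound(Packet("198.51.100.9", 80, "203.0.113.7", out.src_port))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two behaviours side by side: the forwarded port answers any sender (so it scans as open and a worm aimed at it reaches 192.168.0.26 untouched, which is why the destination host itself has to be hardened), while a port with only a dynamic NAT entry answers the one remote host the inside machine contacted and drops everyone else. The restriction on the remote address in step 2 is an assumption of this model; real routers differ in how strictly they match.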