
I'm trying to understand port forwarding/triggering a little better.

From what I gather, opening a port on your router is not a risk in and of itself, unless there is an application or service listening on that port.

So if a vulnerability exists, or is found in the future, for the application or service using that port, you are then open to that exploit, but only while that application or service is running.

If that is correct, then the security part of this is ######, right?...

"Comparing with port forwarding, port triggering is a little more secure and it is dynamic. When your application needs to open a port in your router, the port triggering function integrated with our Router Port Forwarding software will do this for you. When you don't need it, what you need to do is just close the software; this will automatically close the port in your router, which will increase your computer security."

http://routerportforwarding.com/

http://portforward.com/store/pfconfig.cgi?advertid=7

https://www.neowin.net/forum/topic/1298230-port-forwardingtriggering/

Port triggering can open a port when it sees some sort of traffic; it cannot magically know when it should open something. So for example if your application sends traffic out on port X, it can be set to then forward port Y to IP address 192.168.9.100.

This is not any more secure than having the port open and the application not running anyway. To be honest triggering has little use; its best use is changing the forward. So let's say it sees traffic to A, it can forward to IP address A; if it sees traffic on port B, it can forward to IP B. It all comes down to the feature set of the router, how fancy you can get with what happens when you see a trigger.

If what you want to do is host up 80 on your webserver, then port forwarding would be what you want. Since what would trigger the forward?

Now if you're using an application like ftp, and it saw you send traffic out on 21, it could then forward in the ports you have set for the passive range on the data connection.

Another option is UPnP; this can open a port for a game or application based upon the application asking the router to do so. It's even smart enough to say hey, that port is in use, pick another one, etc. But the security concern here is an application can ask for any port to be opened without you actually knowing about it. So while you think you have no ports open into your machines behind your router, pretty much lots of them could be. Many router manufacturers have now decided that out of the box UPnP should be OFF, and the user has to enable it if they want to use it. The problem with it is there is no auth method, so while you might want application X to be able to open a port, you don't want Y, Z and application K to be able to do it.

What exactly are you wanting to do that you need to open up ports to the public internet? To be honest, other than maybe a game, there is little reason for a general user to open up a port. Opening up services to the public internet is not something that you should do without thinking it through. It's not only that they might exploit your machine(s); they could use such a service to attack other machines from your connection or send spam, etc. etc.
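To make the "no auth method" point in the post above concrete, here is the UPnP IGD exchange an application goes through to open an inbound port, built step by step. This is an added example, not code from the original thread or from any router vendor. The SSDP M-SEARCH and the AddPortMapping SOAP action are the ones the IGD:1 specification defines; the device description XML, the control URL /ctl/IPConn and the LAN address 192.168.9.100 are constructed for the demo.

```python
"""UPnP IGD port mapping, step by step, to show that nothing in the exchange
authenticates the requester. Added example, not code from the original post.
The device description XML, LAN address 192.168.9.100 and control URL
/ctl/IPConn are constructed for the demo; the SSDP/SOAP formats are the
ones the IGD:1 spec defines."""
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")

# Constructed stand-in for the XML a router serves at its LOCATION URL.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
     <controlURL>/ctl/IPConn</controlURL>
    </service></serviceList>
   </device></deviceList>
  </device></deviceList>
 </device>
</root>"""


def build_msearch(mx=2):
    """Step 1: SSDP discovery datagram (UDP to 239.255.255.250:1900).
    Any host on the LAN can send it; the router answers with a LOCATION header."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {IGD_ST}\r\n\r\n").encode()


def parse_control_url(description_xml):
    """Step 2: walk the device description and pick the WAN*Connection
    service's controlURL. Returns (serviceType, controlURL) or (None, None)."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        stype = svc.findtext(f"{{{DEVICE_NS}}}serviceType", "")
        if stype in WAN_SERVICES:
            return stype, svc.findtext(f"{{{DEVICE_NS}}}controlURL")
    return None, None


def build_add_port_mapping(service_type, ext_port, int_port, int_client,
                           proto="TCP", description="demo", lease=0):
    """Step 3: the AddPortMapping SOAP action. Read the argument list: remote
    host, ports, protocol, the LAN client to forward to, a label and a lease.
    There is no username, token or signature anywhere; the router acts on
    whatever a LAN sender asks for. lease=0 means the mapping never expires."""
    body = (
        '<?xml version="1.0"?>\n'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
        '<s:Body>\n'
        f'<u:AddPortMapping xmlns:u="{service_type}">\n'
        '<NewRemoteHost></NewRemoteHost>\n'
        f'<NewExternalPort>{int(ext_port)}</NewExternalPort>\n'
        f'<NewProtocol>{proto}</NewProtocol>\n'
        f'<NewInternalPort>{int(int_port)}</NewInternalPort>\n'
        f'<NewInternalClient>{escape(int_client)}</NewInternalClient>\n'
        '<NewEnabled>1</NewEnabled>\n'
        f'<NewPortMappingDescription>{escape(description)}</NewPortMappingDescription>\n'
        f'<NewLeaseDuration>{int(lease)}</NewLeaseDuration>\n'
        '</u:AddPortMapping>\n'
        '</s:Body>\n'
        '</s:Envelope>\n')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#AddPortMapping"'}
    return headers, body


def mapping_arguments(body):
    """Names of the arguments carried by an AddPortMapping body, in order,
    so the absence of any credential field can be checked mechanically."""
    root = ET.fromstring(body)
    action = next(el for el in root.iter() if el.tag.endswith("}AddPortMapping"))
    return [child.tag for child in action]


def send_soap(base_url, control_url, headers, body):
    """Step 4: POST the action to the router (network step; not run here)."""
    req = urllib.request.Request(base_url + control_url, data=body.encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    stype, ctl = parse_control_url(SAMPLE_DESCRIPTION)
    headers, body = build_add_port_mapping(stype, 6881, 6881, "192.168.9.100")
    print("arguments sent:", mapping_arguments(body))
    # send_soap("http://192.168.9.1:5000", ctl, headers, body)  # real router only
```

The point to take from `mapping_arguments` is that the whole request is ports, a LAN address and a label: whichever process on the LAN can send a UDP multicast and an HTTP POST can open a hole, which is exactly why the post says you cannot allow application X and refuse Y, Z and K.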

Thanks for the clarification, @BudMan

I'm not actually trying to do anything at the moment, other than learn something.

The only times I have forwarded ports in the past, has been for bittorrent clients, and as you say, games.

  On 22/05/2016 at 09:47, FiB3R said:
  Thanks for the clarification, @BudMan
  I'm not actually trying to do anything at the moment, other than learn something.
  The only times I have forwarded ports in the past, has been for bittorrent clients, and as you say, games.

Also, be aware when you do open ports, there are bots and crawlers that will check your IP. I got hit by it from the University of Michigan and it freaked me out. When I set up an FTP Server, I saw about 10 attempts per minute with attacks; SSH/SFTP was even worse. BudMan received more attempts than I did.

I was also a noob and opened up RDC ports; I've closed all but one right now, and it's only open while I'm at work. BudMan will shake his finger at me for that.
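The "10 attempts per minute" the post above describes is what a firewall log looks like once a port is reachable. As an added example (not code from the thread), here is detection logic that reads iptables-style LOG lines, counts hits per destination port and separates sources that sweep many ports from sources that hammer one service such as FTP, SSH or RDP. The log lines are constructed for the demo with RFC 5737 documentation addresses; the `SRC= DST= PROTO= DPT=` field layout is the one iptables LOG writes.

```python
"""Count inbound probes from iptables-style firewall log lines and sort the
sources into port sweeps versus repeated hits on one service. Added example,
not from the original post. The log lines are constructed for the demo using
RFC 5737 documentation addresses; the field layout (SRC= DST= PROTO= DPT=)
is the one iptables LOG writes."""
import re
from collections import Counter, defaultdict

# Ports the post singles out as probed constantly.
NOISY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp"}

# Constructed sample: one host hammering 21, one sweeping several ports,
# one stray hit on 3389, and an ICMP line with no DPT= field.
SAMPLE_LOG = """\
May 22 09:47:01 router kernel: [1001.1] WAN-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=41234 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 09:47:03 router kernel: [1003.2] WAN-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=41235 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 09:47:05 router kernel: [1005.0] WAN-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=41236 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 09:47:09 router kernel: [1009.4] WAN-DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=41237 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
May 22 09:48:10 router kernel: [1070.3] WAN-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=44 TTL=52 ID=54321 PROTO=TCP SPT=60000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 09:48:10 router kernel: [1070.4] WAN-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=44 TTL=52 ID=54322 PROTO=TCP SPT=60000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 09:48:10 router kernel: [1070.5] WAN-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=44 TTL=52 ID=54323 PROTO=TCP SPT=60000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 09:48:11 router kernel: [1071.0] WAN-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=44 TTL=52 ID=54324 PROTO=TCP SPT=60000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 09:48:11 router kernel: [1071.1] WAN-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=44 TTL=52 ID=54325 PROTO=TCP SPT=60000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 09:49:30 router kernel: [1150.8] WAN-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=52 TTL=115 ID=7 DF PROTO=TCP SPT=50233 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
May 22 09:49:45 router kernel: [1165.2] WAN-DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=84 TTL=115 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Turn one LOG line into a dict, or None if it is not a firewall record."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "syn": " SYN " in line,        # new connection attempt, not a reply
    }


def summarize(text):
    """Hits per destination port, and per source a Counter of ports touched."""
    per_port = Counter()
    per_source = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] is None:
            continue               # skips ICMP and malformed lines
        per_port[rec["dpt"]] += 1
        per_source[rec["src"]][rec["dpt"]] += 1
    return per_port, per_source


def classify(port_hits, sweep_ports=4, repeat_hits=3):
    """Label one source by the shape of its traffic."""
    if len(port_hits) >= sweep_ports:
        return "sweep"             # many ports, few hits each: a scanner
    port, hits = port_hits.most_common(1)[0]
    if hits >= repeat_hits:
        return f"repeated-{NOISY_PORTS.get(port, port)}"   # hammering one service
    return "noise"


def report(text):
    """Label every source and return the per-port hit counts alongside."""
    per_port, per_source = summarize(text)
    return {src: classify(hits) for src, hits in per_source.items()}, per_port
```

Run `report(SAMPLE_LOG)` and 198.51.100.23 comes out as `repeated-ftp`, 203.0.113.77 as `sweep` and 192.0.2.9 as `noise`, which is the distinction worth making before deciding that a probed port needs action: all of these were dropped at the router, and only the ports you actually forward turn this noise into a login attempt against something.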

You're going to get hit with scans, be it the port open or not. Comes down to: if the port is open they get to what you're running, if it's running. Yeah, ssh/ftp/telnet/rdp are going to get probed all the time. Lots and lots of traffic to those ports. Which is why you don't open up stuff unless you have it secured.

I see hits to my openvpn server all the time. So? I have it secured. I need it; it's pretty impossible to lock it down to only allow me, since I am not sure where "me" will be when I need it ;) They don't have the right certs, they cannot auth to it. Trying to hide it on some other port doesn't make it any more secure. It might remove some noise from your log, but that is not security.

But sure, running ssh or ftp is going to get bombed. Last couple of hits on 21, not running ftp, they still hit your IP:

[image: 21blocked.png]

Triggering doesn't make anything more or less secure. For example in your bittorrent example, you could set it up so when your bittorrent client did something like search for a torrent and you saw, say, 80 traffic to somewhere specific, it forwards port 6881 udp to your machine's IP. So the problem in most soho routers is, when does that go off? Not really listed, hard to find in the docs; does it even go off?

There really is no difference between just forwarding the port you want/need and turning off the application that listens on the port. Now it's quite possible something else could come up with that port as a source port to create other traffic outbound, so something could end up listening on that port. But it wouldn't be listening for any connection; it would be listening for specific return traffic from the IP it talked to, etc.

To be honest, in all my years on the net, before there was a net even ;) I have never actually found a good use case for triggers; I personally have never had a use for them ever.

And where it could be useful as, say, a poor man's UPnP to flip traffic being forwarded from one IP to another depending on who is using something or going somewhere specific, the implementation of the feature in the router is so basic as to make it pointless. Example here is from the Linksys emulator of some current firmware. What good is this nonsense?

[image: linksysporttrigger.png]

It can only forward ports to the machine that sent traffic out. Nowhere in the doc does it say when that times out, or when it turns off.
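The two posts describing triggers (the "traffic out on X opens Y to the sender" mechanism earlier in the thread, and the Linksys behaviour just above where the forward can only go to the machine that sent traffic out and the timeout is undocumented) boil down to a small state machine. The following model is an added example, not code from the thread and not any vendor's firmware: it puts a static forward and a trigger side by side so you can see that the static one is always reachable, while the triggered range is closed until the LAN host sends the trigger traffic, points only at that host, moves to whichever host triggered last, and closes again after an idle time. The idle timeout `TRIGGER_TTL` is an assumption, since as the post says real firmware rarely documents it; 192.168.9.100 is from the thread and 192.168.9.101 is constructed.

```python
"""A model of what a SOHO router does for a static port forward versus a port
trigger, to make the difference in the posts concrete. Added example, not from
the original post and not any vendor's implementation. The trigger idle
timeout (TRIGGER_TTL) is an assumption; the posts note that real firmware
documentation rarely states it. Addresses are from the post (192.168.9.100)
or constructed (192.168.9.101)."""

TRIGGER_TTL = 600   # seconds of inactivity before a triggered forward closes (assumed)


class Router:
    def __init__(self):
        self.forwards = {}        # (proto, ext_port) -> lan_ip, always active
        self.triggers = []        # (proto, trigger_port, in_proto, in_lo, in_hi)
        self.opened = {}          # (in_proto, in_lo, in_hi) -> (lan_ip, last_seen)

    # --- configuration ---------------------------------------------------
    def add_forward(self, proto, ext_port, lan_ip):
        self.forwards[(proto, ext_port)] = lan_ip

    def add_trigger(self, proto, trigger_port, in_proto, in_lo, in_hi):
        self.triggers.append((proto, trigger_port, in_proto, in_lo, in_hi))

    # --- packets ---------------------------------------------------------
    def outbound(self, lan_ip, proto, dst_port, now):
        """LAN host sends traffic out. If it matches a trigger, the inbound
        range opens toward that host only, replacing any earlier holder."""
        for t_proto, t_port, in_proto, lo, hi in self.triggers:
            if t_proto == proto and t_port == dst_port:
                self.opened[(in_proto, lo, hi)] = (lan_ip, now)

    def inbound(self, proto, dst_port, now):
        """Packet from the internet. Returns the LAN IP it is forwarded to,
        or None if it is dropped at the router."""
        if (proto, dst_port) in self.forwards:
            return self.forwards[(proto, dst_port)]       # static: always open
        for (in_proto, lo, hi), (lan_ip, last) in list(self.opened.items()):
            if in_proto != proto or not lo <= dst_port <= hi:
                continue
            if now - last > TRIGGER_TTL:
                del self.opened[(in_proto, lo, hi)]       # expired, drop it
                continue
            self.opened[(in_proto, lo, hi)] = (lan_ip, now)  # traffic refreshes it
            return lan_ip
        return None

    def exposed(self, now):
        """Everything reachable from the internet at this instant."""
        live = [(k, v[0]) for k, v in self.opened.items()
                if now - v[1] <= TRIGGER_TTL]
        return sorted(self.forwards.items()) + sorted(live)


def demo():
    """Walk through the thread's own cases and collect what the router did."""
    r = Router()
    r.add_forward("tcp", 80, "192.168.9.100")              # web server, static
    r.add_trigger("tcp", 21, "tcp", 50000, 50100)          # ftp passive range
    r.add_trigger("udp", 6881, "udp", 6881, 6881)          # bittorrent

    results = {}
    results["web_before"] = r.inbound("tcp", 80, 0)        # forwarded regardless
    results["ftp_before"] = r.inbound("tcp", 50010, 0)     # nothing opened yet
    r.outbound("192.168.9.100", "tcp", 21, 0)              # .100 opens an ftp session
    results["ftp_after"] = r.inbound("tcp", 50010, 10)
    results["ftp_expired"] = r.inbound("tcp", 50010, 10 + TRIGGER_TTL + 1)
    r.outbound("192.168.9.100", "tcp", 21, 1000)
    r.outbound("192.168.9.101", "tcp", 21, 1001)           # second host triggers
    results["ftp_moved"] = r.inbound("tcp", 50010, 1002)   # forward now points at .101
    results["exposed"] = r.exposed(1002)
    return results
```

Note what the model does not change: while the triggered range is open it is exactly as reachable as a static forward to the same host, which is the post's point that triggering is not more or less secure, only differently timed. The one thing it adds over a static forward is the "moves to the last host that triggered" behaviour, and without a documented timeout you cannot say when `exposed()` would shrink again on a real router.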
