Port Forwarding

Charles K. Lee II chuckx at cold-sun.com
Tue Jan 14 04:42:56 CST 2003


On Mon, Jan 13, 2003 at 08:23:20PM -0600, Seth Dimbert wrote:
> It was easy: in the LinkSys Admin webpage, I simply sent port 80 to the
> Linux Box's IP address.
> 
> That's the same process you've described here, right?

Yes.

> If so, I have another question. Since I upgraded the Firmware on the Router,
> I've gained more options on the Forwarding Page (which used to be the "Port
> Forwarding Page"). Now I can choose between:
> 
>  - The Default screen

I've never used a Linksys router, so I'm assuming that the default screen
gives you the default behavior you described above.

>  - UPnP Forwarding

This is a protocol developed by Microsoft that allows applications on
computers behind a NAT router to alter the port forwarding rules on the
router itself dynamically.  Applications have to be UPnP aware to take
advantage of this functionality.

For example, say you have multiple Windows XP machines with users from each
machine using the Remote Assistance functionality.  Since Remote Assistance
is UPnP aware, when a user fires it up, the application will tell the
firewall to start forwarding the standard Remote Assistance port to the
machine the user is at.  Later, when another user on another machine wants
to do the same thing, his computer will tell the router to start forwarding
the port to his machine.

As you can see, this allows for dynamic forwarding with minimal
administrator intervention.  However, since the protocol is in its infancy,
my guess is that it may not be very robust from a security standpoint.

>  - Port Triggering

Port triggering is another mechanism to dynamically alter forwarding rules,
but is less flexible than UPnP.  It's best illustrated with an example.

When connecting to an IRC server, most servers will initiate a connection to
port 113 on the client computer to get user information from an ident
daemon.  When you've got multiple computers behind a router, the connection
to port 113 is normally stopped at the router or can be forwarded to a single
machine behind the router.  This can be problematic since valid user info
will only be known by the computer that's actually initiating the
connection.

Port triggering allows you to specify that when an outgoing connection to an
IRC server is made (port 6667), incoming connections on the ident port (port
113) should be temporarily directed to the machine that initiated the
connection.  This way, everybody will be able to connect to their favorite
IRC servers with minimal hassle.

> I've used UPnP Forwarding to allow packets to hit ports 80, 21, 22 and
> 10000, all on the TCP Protocol, not the UDP (whatever THAT is).

TCP stands for Transmission Control Protocol and is a connection-oriented
protocol. That basically means that it makes sure that all the data you send
gets to the recipient correctly.

UDP is the User Datagram Protocol.  It's a connectionless protocol. The
best way to think of it is as 'fire and forget'.  The packets are sent and
no followup is done to make sure that they actually got to their
destination.  UDP is used for things like DNS (since there's not much data
being sent and it's relatively simple to make another request if a reply
isn't received) and for online games (UDP has less overhead than TCP, so
lots of data can be sent quickly, with the caveat that excessive packet loss
can ruin your game).

> Can you - in your casual style - explain what some of these options mean?

I know you didn't ask _me_, but I thought I'd give it a shot anyway.  Did my
explanations make sense?

-- 
chuckx | Charles K. Lee II
chuckx (at) cold-sun . com
http://www.cold-sun.com
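
As an added illustration of the port-triggering mechanism described in the email above (this is example code written for this page, not anything posted to the list), here is a small Python model of a NAT router that keeps both a static forwarding table and a port-triggering table. The trigger rule uses the IRC/ident ports from the email (outbound 6667 arms inbound 113); the internal host addresses, the 60-second lifetime, and the timeline are constructed for the example. It also shows the limitation the email hints at: a triggered mapping points at one host at a time, so the most recent trigger wins, and the mapping lapses when its timer expires.

```python
"""Toy model of a NAT router with static port forwarding and port triggering.

Constructed example, not a real router implementation: hosts, timeout and
timeline are made up; ports 6667 (IRC) and 113 (ident) follow the email.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TriggerRule:
    trigger_port: int   # outbound destination port that arms the rule
    inbound_port: int   # inbound port redirected while the rule is armed
    ttl: float          # seconds the redirect stays active after the trigger


@dataclass
class Router:
    rules: List[TriggerRule]
    # inbound port -> internal host, the "send port 80 to the Linux box" case
    static_forwards: Dict[int, str] = field(default_factory=dict)
    # inbound port -> (internal host, expiry time); installed by triggers
    active: Dict[int, Tuple[str, float]] = field(default_factory=dict)

    def outbound(self, src_host: str, dst_port: int, now: float) -> None:
        """Record an outgoing connection; arm any matching trigger rule.

        A later trigger from a different host overwrites the mapping, which
        is why only one internal machine at a time receives the ident port.
        """
        for rule in self.rules:
            if rule.trigger_port == dst_port:
                self.active[rule.inbound_port] = (src_host, now + rule.ttl)

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Decide where an unsolicited inbound connection goes.

        Returns the internal host, or None when the router drops it.
        Triggered mappings take precedence over static forwards; expired
        mappings are purged on the way through.
        """
        entry = self.active.get(dst_port)
        if entry is not None:
            host, expires_at = entry
            if now <= expires_at:
                return host
            del self.active[dst_port]          # timer ran out
        return self.static_forwards.get(dst_port)


def ident_scenario() -> Dict[str, Optional[str]]:
    """Walk through the IRC example from the email with two internal hosts."""
    router = Router(rules=[TriggerRule(trigger_port=6667, inbound_port=113, ttl=60.0)])
    router.static_forwards[80] = "192.168.1.10"   # constructed: the "Linux box"

    results: Dict[str, Optional[str]] = {}
    # No IRC session yet: the ident connection is stopped at the router.
    results["before_any_irc"] = router.inbound(113, now=0.0)
    # First machine connects to IRC; its ident port becomes reachable.
    router.outbound("192.168.1.20", 6667, now=1.0)
    results["after_first_irc"] = router.inbound(113, now=2.0)
    # Second machine connects; the mapping now points at it instead.
    router.outbound("192.168.1.30", 6667, now=3.0)
    results["after_second_irc"] = router.inbound(113, now=4.0)
    # Long after the last trigger the mapping has expired again.
    results["after_timeout"] = router.inbound(113, now=100.0)
    # The static web forward is unaffected by any of this.
    results["web_static"] = router.inbound(80, now=100.0)
    return results


if __name__ == "__main__":
    for step, host in ident_scenario().items():
        print(f"{step:18} -> {host if host else 'dropped at router'}")
```

Reading the output top to bottom reproduces the email's description: the ident port is dropped until someone opens an IRC session, follows whichever machine triggered it most recently, and closes again when the timer runs out, while the ordinary static forward for port 80 keeps working throughout.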
