[wellylug] Router piercing

Cliff Pratt enkidu at cliffp.com
Sat Dec 10 12:33:00 NZDT 2005


Bret Comstock Waldow wrote:
> Hi,
> 
> I'm just getting started working out how to do this, and wondered if anyone 
> had some suggestions what to look at and to ignore.  I'm looking for a 
> conceptual fix on the whole business.
> 
> The immediate situation is that I and a friend both have broadband connections 
> going through Linksys WRT54G NAT routers, with factory firmware.
> 
> We would like to establish a connection that allows us to share desktops, use 
> voip, share files, without compromising the security of our machines.
> 
Any file sharing means that you will have to allow a number of 
*incoming* ports to be open for your friends to connect into your 
machine. You will need to allow ports out from your machine if your 
router blocks them. Many don't.

Opening ports into your private network is often called 'pin-holing'.

This is an obvious security risk, so you need to open only those ports 
that you really need to open. If all you want to do is share files, then 
you could set up "WebDAV" and pinhole port 443 to your (internal) 
webserver so that others can access files via https.

Or you could set up an FTP server (can be a pain and is not particularly 
secure) or allow ssh access on port 22 which is secure but may give your 
friends too much power over your system - you would essentially give 
them shell access that way!

If you want to do Samba (SMB) or NFS you will need to open a number of 
ports, some of them dynamic, so this is hardly secure!

If you allow a lot of access to your server you might want to look at 
setting up a chroot environment. This is a small portion of your machine 
that *looks* like all the machine to a user. Then you do need to worry 
so much about high security. You shouldn't *forget* totally about 
security even then!

Cheers,

Cliff
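
The ssh and chroot points above can be combined, shown here as an added example that is not part of the original post: an OpenSSH server configuration that lets friends transfer files through a pinholed port 22 without getting a shell. It assumes an OpenSSH server with `internal-sftp` support; the group name `friends` and the path `/srv/share` are hypothetical.

```sshd_config
# Fragment for /etc/ssh/sshd_config (added example, not from the original post).
# Assumed names: group "friends", share root /srv/share.

# Use the in-process SFTP server so no binaries are needed inside the chroot.
# If the file already has a "Subsystem sftp" line, replace it rather than
# adding a second one.
Subsystem sftp internal-sftp

# Everything below applies only to accounts in the "friends" group.
Match Group friends
    # Confine the session to a per-user directory. sshd requires this
    # directory and every parent of it to be owned by root and not writable
    # by group or others; give the user a writable subdirectory inside it
    # (for example /srv/share/<user>/files).
    ChrootDirectory /srv/share/%u

    # Ignore whatever command or shell the client asks for and serve
    # file transfer only.
    ForceCommand internal-sftp

    # Stop the pinholed port from being used as a tunnel into the rest
    # of the private network.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t` to check the file for errors before reloading the daemon.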



