[wellylug] Router piercing
Cliff Pratt
enkidu at cliffp.com
Sat Dec 10 12:33:00 NZDT 2005
Bret Comstock Waldow wrote:
> Hi,
>
> I'm just getting started working out how to do this, and wondered if anyone
> had some suggestions what to look at and to ignore. I'm looking for a
> conceptual fix on the whole business.
>
> The immediate situation is that I and a friend both have broadband connections
> going through Linksys WRT54G NAT routers, with factory firmware.
>
> We would like to establish a connection that allows us to share desktops, use
> voip, share files, without compromising the security of our machines.
>
Any file sharing means that you will have to allow a number of
*incoming* ports to be open for your friends to connect into your
machine. You will need to allow ports out from your machine if your
router blocks them. Many don't.

Opening ports into your private network is often called 'pin-holing'.
This is an obvious security risk, so you need to open only those ports
that you really need to open. If all you want to do is share files, then
you could set up "WebDAV" and pinhole port 443 to your (internal)
webserver so that others can access files via https.

Or you could set up an FTP server (can be a pain and is not particularly
secure) or allow ssh access on port 22 which is secure but may give your
friends too much power over your system - you would essentially give
them shell access that way!

If you want to do Samba (SMB) or NFS you will need to open a number of
ports, some of them dynamic, so this is hardly secure!

If you allow a lot of access to your server you might want to look at
setting up a chroot environment. This is a small portion of your machine
that *looks* like all the machine to a user. Then you do need to worry
so much about high security. You shouldn't *forget* totally about
security even then!
Cheers,
Cliff
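
Added example, not part of the original message: the reply's two points about ssh on port 22 (shell access is too much power) and chroot environments can be combined with OpenSSH's SFTP-only chroot. The group name `sharefriends` and the path `/srv/share` are assumptions made for illustration.

```conf
# /etc/ssh/sshd_config fragment (added example; group name and path are assumed)

# Use the in-process SFTP server so the chroot needs no binaries or libraries.
# Replace any existing "Subsystem sftp" line rather than adding a second one.
Subsystem sftp internal-sftp

# Everything below applies only to accounts in the hypothetical group "sharefriends".
Match Group sharefriends
    # Confine the session to this tree. The directory and every parent must be
    # owned by root and not writable by group or others, or sshd refuses the login.
    ChrootDirectory /srv/share/%u
    # File transfer only: no shell, whatever the account's login shell is.
    ForceCommand internal-sftp
    # Keep the pinholed port 22 from becoming a tunnel into the rest of the LAN.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    # Keys only for accounts reachable from the Internet.
    PasswordAuthentication no
```

Because the chroot root itself must not be user-writable, give each friend a writable subdirectory inside it, and check the file with `sshd -t` before reloading the daemon.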