Using A Safety Net (Wireless) Part 2

Allowing incoming connections

A firewall’s job is to block bad packets and allow good packets. At its simplest, your router’s firewall does this by dropping any connection that was initiated by an outside host and allowing anything that was initiated from the inside (along with the replies to it). That’s why you can request Web pages from your computer, but people can’t open your file shares from the outside.

Most applications work fine under these rules. Firewalls have been around for ages, since before the first home router, and most Internet protocols are client-server: you (the client) request something from the server, and not the other way around.

That’s not to say there aren’t applications that break this mold. Peer-to-peer file sharing and online gaming are two notable examples. In these applications the server sometimes has to push data to you, or you must accept a connection from another client so that it can pull a piece of data from you. The firewall prevents this.

Port forwarding is a feature that takes connections arriving on a particular port of the router’s outside (WAN) address and forwards them to a particular host and port on the inside of your network.

The firewall blocks incoming connections for a good reason: a forwarded port exposes that service to everyone on the Internet, including the people who scan for it. When setting up port forwarding, forward only the ports you need, only to the host that needs them, and remove the forward when you stop using the application.

To set up port forwarding, follow these steps:

1. Determine the port to be forwarded, which should be provided by the application or its documentation.


Figure 2-4 shows a dialog from a file-sharing program, indicating that the incoming port is 59534.

Figure 2-4: Determining the port to be forwarded.

Every application is different, and some (like the one above) choose a random inbound port. Just because the example above uses port 59534 doesn’t mean that your application will. Note also whether the application needs TCP, UDP, or both; the router asks for that when you create the forward.

2. Navigate to the Port Forwarding menu in your wireless router’s administrative interface, which is shown in Figure 2-5.

3. Ensure that Port Forwarding (rather than Port Triggering) is selected. Check the Service Name list to see whether your application’s protocol is already there.

Figure 2-5: The port forwarding configuration screen.

Adding a custom service

The NETGEAR router comes with some predefined services for port forwarding. If your application’s protocol isn’t on the list, you have to add it as a custom service.

1. Select the Add Custom Service button to get to the screen shown in Figure 2-6.

2. Fill in the details about the port to be forwarded.

The name of the service can be whatever you want it to be.

There is only one port to be forwarded, so I’ve put that in as both the starting and ending ports. Finally, the traffic is to be forwarded to 192.168.1.100, which is my laptop. If the laptop gets its address from DHCP, that address can change; give it a fixed address (or a DHCP reservation on the router) so the forward keeps pointing at the right machine.

3. Click Apply, and you are taken back to the port forwarding screen showing your new configuration (see Figure 2-7).

Figure 2-6: Adding a custom service.

Figure 2-7: The port forwarding screen showing the new configuration.
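Once the forward is applied, the check you want is whether a connection from the outside actually reaches the laptop. The script below is an added example, not code from this book or from NETGEAR: it listens on the forwarded port on the inside host and records the address of every peer that connects, and `probe()` is what you would run from a machine outside your network (a phone on cellular data, for instance) against your router’s WAN address. Port 59534 and host 192.168.1.100 follow the chapter’s example; the class and function names and the `BANNER` string are my own.

```python
"""Check that a router port forward delivers connections to this host.

Added example: run the listener on the inside host (192.168.1.100 in the
chapter), then run probe(<your WAN address>, 59534) from OUTSIDE the LAN.
Probing from another machine on the LAN does not exercise the forward
(many home routers don't loop traffic back to their own WAN address).
"""
import socket
import threading
import time

BANNER = b"port-forward-check OK\n"   # constructed reply, not a real protocol


class ForwardCheckListener:
    """Minimal TCP listener for the forwarded port. It records the
    (ip, port) of every peer that connects, so you can see whether the
    test connection came from the outside address you expected."""

    def __init__(self, bind_addr="0.0.0.0", port=59534):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))
        self.sock.listen(5)
        self.sock.settimeout(0.5)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]   # real port (useful if port=0)
        self.peers = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _run(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                self.peers.append(peer)   # who got through the forward
                conn.sendall(BANNER)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(host, port, timeout=5.0):
    """Connect to host:port and return the bytes the listener sent back,
    or None if the connection fails: no forward, wrong inside address,
    or a host firewall on the laptop (e.g. Windows Firewall) blocking it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            data = b""
            while True:
                chunk = c.recv(64)
                if not chunk:          # listener closed: banner complete
                    break
                data += chunk
            return data
    except OSError:
        return None


if __name__ == "__main__":
    listener = ForwardCheckListener("0.0.0.0", 59534).start()
    print(f"listening on port {listener.port}; now probe the WAN address from outside")
    seen = 0
    try:
        while True:
            time.sleep(1)
            for peer in listener.peers[seen:]:
                print(f"connection from {peer[0]}:{peer[1]}")
            seen = len(listener.peers)
    except KeyboardInterrupt:
        listener.stop()
```

If the probe from outside returns the banner, the router forward is working; if it times out while a probe from the laptop itself against 127.0.0.1 succeeds, look at the router configuration or a host firewall rather than the application.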

Forwarding a known service

If the service is already known to the router, such as FTP, you can select it from the main menu and enter the address of the server. Allowing incoming FTP traffic would be helpful if you wanted to set up a file server on the inside of your network. Keep in mind that FTP sends user names, passwords, and file contents in the clear, so a server exposed this way needs strong passwords, and SFTP or FTPS is a better choice when your clients support it.

Port triggering

The downside to port forwarding is that you have to know the address of the computer that will use the forward, and the forward goes to that one computer only. This inconvenience is usually minor, but if it is a problem for you, port triggering is an option.

Port triggering waits for an internal computer to make a predetermined type of outbound connection (the trigger). When it sees that connection, the router temporarily forwards the associated inbound port to that computer, and it removes the forward again after the traffic has been idle for a while.

The configuration of a port trigger is similar to that of a port forward, except that you must identify the outbound traffic that acts as the trigger, and you don’t specify an internal host.

Usually a port forward will suffice, though, and if you need a port trigger, then your application’s documentation will specify that.

DMZ server

In the security field, a demilitarized zone (DMZ) is a network that’s in between the inside and the outside, and all traffic must pass through a firewall. Companies put servers that they want to be Internet accessible in there, such as Web and e-mail servers. The servers can’t be trusted as much because they’re exposed to the Internet, so the firewall also dictates how the server can talk back to the company’s internal network.

The DMZ server on a home router is the catch-all host that receives every inbound connection the router has no other rule for. Think of it as a port forward of all the ports to one server. Good or bad, incoming traffic that doesn’t match another forward gets sent to the server you specify.

Browse to the WAN Setup screen shown in Figure 2-8 to set up a DMZ server. Select the check box and type the address of the server, and all the bad guys can talk to your internal device.

Avoid using this feature. That computer is going to get a lot of attacks, and unlike a real DMZ it sits on the same network as everything else: it is free to talk to any computer on your internal network, so if it gets compromised, you can expect more to follow. If you must use it, use a dedicated machine that holds nothing you care about, keep it patched, and turn the DMZ off when you’re done.

Figure 2-8: The WAN setup screen.
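The three features above (port forwarding, port triggering, and the DMZ host) differ only in how the router decides where an unsolicited inbound packet goes. The Python model below is an added illustration, not router firmware and not code from the book: it encodes the decision order the chapter describes (replies to inside-initiated connections first, then static forwards, then ports opened by a trigger, then the DMZ host, otherwise drop). The addresses 198.51.100.7 and 203.0.113.x are documentation ranges used as constructed sample traffic; the trigger pair (outbound TCP 1234 opens inbound UDP 5678) is hypothetical, and the model ignores NAT port translation to keep the decision logic visible.

```python
"""Model of a home router's inbound-traffic decisions (added example).

Rule order, as the chapter describes it:
  1. reply to a connection the inside initiated   -> deliver to that host
  2. static port forward                           -> deliver to configured host
  3. port opened by a trigger                      -> deliver to the triggering host
  4. DMZ host configured                           -> deliver everything else to it
  5. otherwise                                     -> drop
NAT port translation is ignored; only the routing decision is modelled.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"        # "tcp" or "udp"
    inbound: bool = True      # True: arrived on the WAN side


@dataclass
class RouterPolicy:
    wan_ip: str
    # static forwards: (proto, wan_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)
    # port triggers: (proto, outbound_port) -> (proto, inbound_port) to open
    triggers: dict = field(default_factory=dict)
    dmz_host: Optional[str] = None
    # state built at run time
    active_triggers: dict = field(default_factory=dict)   # (proto, port) -> lan_ip
    flows: dict = field(default_factory=dict)   # (proto, remote_ip, remote_port) -> (lan_ip, lan_port)

    def handle(self, pkt: Packet):
        """Return ("allow",) for outbound traffic, ("forward", lan_ip, lan_port)
        for inbound traffic that is delivered, or ("drop",)."""
        if not pkt.inbound:
            # Anything from the inside is allowed. Remember the flow so the
            # reply can come back, and arm any trigger this connection matches.
            self.flows[(pkt.proto, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            opened = self.triggers.get((pkt.proto, pkt.dst_port))
            if opened is not None:
                self.active_triggers[opened] = pkt.src_ip
            return ("allow",)

        if pkt.dst_ip != self.wan_ip:       # not addressed to us at all
            return ("drop",)

        # 1. Reply to a connection the inside initiated: the normal case.
        flow = self.flows.get((pkt.proto, pkt.src_ip, pkt.src_port))
        if flow is not None:
            return ("forward", flow[0], flow[1])
        # 2. Static port forward (takes precedence over the DMZ catch-all).
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return ("forward", target[0], target[1])
        # 3. Port opened by a trigger: goes to whichever host triggered it.
        lan_ip = self.active_triggers.get((pkt.proto, pkt.dst_port))
        if lan_ip is not None:
            return ("forward", lan_ip, pkt.dst_port)
        # 4. DMZ host: everything else, good or bad.
        if self.dmz_host is not None:
            return ("forward", self.dmz_host, pkt.dst_port)
        # 5. Default: unsolicited inbound traffic is dropped.
        return ("drop",)


if __name__ == "__main__":
    router = RouterPolicy(wan_ip="198.51.100.7",
                          forwards={("tcp", 59534): ("192.168.1.100", 59534)})
    # constructed sample traffic from an outside host
    print(router.handle(Packet("203.0.113.9", 40000, "198.51.100.7", 59534)))  # forwarded
    print(router.handle(Packet("203.0.113.9", 40001, "198.51.100.7", 445)))    # dropped
    router.dmz_host = "192.168.1.50"
    print(router.handle(Packet("203.0.113.9", 40001, "198.51.100.7", 445)))    # now delivered
```

The last three lines of the demo are the whole argument against the DMZ host: the SMB probe on port 445 that the firewall would have dropped is delivered to the DMZ machine as soon as the check box is ticked, while the file-sharing forward still goes to the laptop because static forwards are matched first.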

VPN passthrough

Your employer might let you work at home using a virtual private network (VPN) tunnel. This gives your computer an encrypted tunnel over the Internet back into your place of employment.

VPNs don’t always play nicely with the address translation that home routers perform. If you’re having problems with your VPN, check that the VPN passthrough option for your VPN’s protocol (typically IPSec, PPTP, or L2TP) is enabled (also shown in Figure 2-8).
