A Java-based program wants to get its port forwarded to my machine through our WiFi router/firewall.
The owner of the house/network doesn’t like any kind of security hole. I can understand that. Is there a way to keep it from being a risk?
Apparently the router is changing my local IP every time I connect. Can a Linksys router be told to forward a port to a certain machine, not a certain address? Would it make a difference?
What kind of things are we trying to prevent here? Are there any steps I can take to get this program’s performance up without compromising the owner’s machine, which is also on the WiFi network?
Well, a properly forwarded port provides no security issues beyond those that the service handling that port introduces. For example, I forward ports for VNC and Remote Desktop through my router to the one 2K box on my network. So long as neither of these services has problems with password insecurity, buffer overflows, etc. etc., I’m fine, and have the convenience of being able to log on to this PC from wherever I happen to be. If someone guesses a password or discovers that typing in ‘ILuvBill’ for a username always gets you logged in, then I’ll decide that was a bad idea.
So long as you trust this one program to be able to handle anything anybody throws at it, it’s not a problem to anybody, though I’d check for ‘security updates’ on whatever this program is occasionally.
Speaking of which, the fact that it’s Java based doesn’t really help. While you don’t tend to get much help with P2P apps around here to avoid septic lawyerism, knowing the program name might give someone an idea on how secure it is. (i.e., ssh = quite secure. IIS = not so much).
I’m having the same issue with a DLink router; port forwarding is configured by IP address and yet the thing wants to dish out IP addresses dynamically. As far as I can see, the solution would be to set up the IP of the client machine as static, but within the subnet, then tell the router to expect this (on mine, it’s a case of reserving addresses). However, I tried this and it just didn’t work at all, but I can’t see why - all the settings looked fine.
BTW, to be extra safe, you could install a software firewall on the client computer - this should allow you to set up a custom rule for the port number you’re forwarding - then you can make sure that only the application you want is able to listen on that port.
Most of these routers have an option to turn DHCP service off. But even if it’s on, you can always configure your machine to use a static IP. Just make sure you assign it one outside of your router’s DHCP range.
No. Usually this is done with static DHCP - forcing the router to always give the same address to your computer. My old Linksys WRT54G didn’t come with static DHCP, but after installing the Satori firmware, I was able to set it up on the administration page.
I now have a D-Link DI-624, and on that router, you can set up static DHCP on the DHCP page. But note that the addresses you use for static DHCP have to be within the regular (dynamic) DHCP range.
You can also just manually assign an IP address on your computer, skipping DHCP entirely, and in that case, it should be outside the DHCP range.
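The addressing rules from the replies above, written as a runnable check (an added example, not code from any poster): it validates the address a forwarding rule will point at, treating a static DHCP reservation as having to fall inside the pool (as described for the DI-624) and a manually assigned address as having to fall outside it. The function name and the sample subnet, pool and gateway are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample LAN; replace with the values from the router's DHCP page.
SAMPLE = dict(subnet="192.168.0.0/24", pool_start="192.168.0.100",
              pool_end="192.168.0.199", gateway="192.168.0.1")

def check_forward_target(addr, mode, subnet, pool_start, pool_end, gateway):
    """Return a list of problems with using `addr` as a port-forward target.

    mode="reservation": the router always leases `addr` to this machine
                        (static DHCP); DI-624 rule from the thread: in the pool.
    mode="manual":      `addr` is set on the machine itself, DHCP skipped;
                        it must sit outside the pool so it is never leased
                        to another device.
    """
    if mode not in ("reservation", "manual"):
        raise ValueError("mode must be 'reservation' or 'manual'")
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(subnet, strict=True)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if lo > hi:
        raise ValueError("DHCP pool start is above pool end")

    if ip not in net:
        # Nothing else is meaningful if the router cannot reach the address.
        return [f"{ip} is not in the LAN subnet {net}"]

    problems = []
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if ip == ipaddress.ip_address(gateway):
        problems.append(f"{ip} is the router's own address")

    in_pool = lo <= ip <= hi
    if mode == "reservation" and not in_pool:
        problems.append(f"{ip} is outside the DHCP pool {lo}-{hi}; "
                        "this router only reserves addresses inside it")
    if mode == "manual" and in_pool:
        problems.append(f"{ip} is inside the DHCP pool {lo}-{hi}; the router "
                        "may lease it to another device, and the forwarded "
                        "port would then reach that device instead")
    return problems

if __name__ == "__main__":
    for addr, mode in [("192.168.0.50", "manual"), ("192.168.0.150", "manual"),
                       ("192.168.0.150", "reservation")]:
        print(addr, mode, check_forward_target(addr, mode, **SAMPLE) or "ok")
```

The manual-address-inside-the-pool case is the one that matters for the house owner: a duplicate lease would silently point the forwarded port at whichever machine received that address.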