# Is port forwarding/opening safe?



## aj_brown_99 (Nov 27, 2008)

I have posted here in the past and you guys solved my problem in no time, so I'm hoping you can help me here too. Basically what I need is more of an explanation as opposed to helping solve a problem.

I do a lot of torrenting, but my dad thinks that forwarding my ports for better speeds is unsafe. I am kind of getting fed up because I have extremely fast internet yet I am getting quite slow download speed when torrenting. The main reason that my dad thinks that opening the ports is unsafe is because I am using the internet connection from my basement, where he runs his business. He thinks that if I open up my ports, then a virus could get through to his work computers. I am connected to his network through a wired router that a few of his work computers are also attached to. 

So my question is this: I am fairly sure that opening a single port for use with uTorrent would not cause a security risk for any of the computers (there may be some small risk for me but I am not too worried about that). Am I right about this? Also, please provide an explanation as to why or why not it would be safe to open the ports, because I will hopefully show this thread to my dad to convince him to let me open the ports (as long as I get an answer).

Thanks in advance, and I hope you will be able to help me out,
Adrian


----------



## avisitor (Jul 13, 2008)

Please read the site rules before you post:



Rules said:


> *P2P Instructions* - We do not support P2P file sharing applications and any threads requesting help for such will be closed. This includes Kazaa, Bearshare, WinMX, and the like. If you're interested in the topic, you are free to discuss it on our site (and please visit StealingIsIllegal.com), but information on how to use them will not be provided.


We can't provide help on how to make your torrenting faster, despite whatever your reasons for using BitTorrent may be. Using BitTorrent is a really good way to get a virus, BTW.


----------



## Jason08 (Oct 13, 2008)

Opening 1 port is not necessarily dangerous.
There are a few ports (in the link) that can be very dangerous, but I don't think uTorrent requires any of them to be forwarded.
Otherwise, opening a few ports is fine, but when you start saying over 100, then there is a better chance of getting a virus.
Speaking of a virus, if you have a software firewall on, that will greatly reduce the chances of a virus even reaching the PC.

http://forum.portforward.com/YaBB.cgi?num=1119090637


----------



## zx10guy (Mar 30, 2008)

I beg to differ about opening ports not being dangerous. When you open ports on any security device like a firewall, you are essentially punching holes in what the firewall will block. Because the nature of services like Torrents requires you to allow any source IP to enter your network, you are creating a bigger issue. If you can mitigate the hole in your firewall by specifying a specific source address, you lessen the risk to your network.

This is the reason why services like Torrenting are always blocked on most corporate networks. And why you should respect your father's work network and stop Torrenting on his work network. Frankly, I'm surprised your father even allows you to use his work equipment in that manner as if it were me, you would get zero ability to do what you're doing now.

And Torrenting on a work network is not only dangerous as to having malicious code being pushed onto the network, but you're also allowing hackers to gain access to your internal network. Both huge no-nos.

I expect this thread to be locked soon anyways.


----------



## avisitor (Jul 13, 2008)

Torrents also allow shady type people access to your network


----------



## Jason08 (Oct 13, 2008)

But generally, though, opening just 1 or 2 ports usually isn't all that dangerous.
Unfortunately, as brought up before, torrents (request help for it) usually aren't allowed at this forum.


----------



## zx10guy (Mar 30, 2008)

Jason08 said:


> But generally, though, opening just 1 or 2 ports usually isn't all that dangerous.
> Unfortunately, as brought up before, torrents (request help for it) usually aren't allowed at this forum.


I still disagree. The devil is in the details. Anyone can run a port scanner which will just sweep as many ports as the hacker feels like doing. And doing all 65,000 some odd ports isn't all that big a deal. In addition, most people when they do open up ports don't think about the security implications. As such they are running the well known ports like FTP (port 21), RDP (3389), etc, etc, without changing them to some more obscure port where the hacker would have to go hunting for it. In this case here, the OP has to keep the Torrent ports on their common standard ports or the Torrents won't work.

Like I said, opening ANY port is a security hole. How much of a risk depends on what you open up, where the port forward is going, any access rule applied to the port forward, and how you have your network set up behind the firewall.


----------



## avisitor (Jul 13, 2008)

I wholeheartedly agree with you, zx10guy. Opening ports, especially for something like torrents, opens up more insecurities in your network. Generally speaking, only open ports when you must; set access rules: IP range, time of day, days of the week, etc. 

Personally, I only have a few ports open, one points to my fully virtualized web server running a hardened version of Ubuntu Server 8.10 and the other few point to an SSL-VPN concentrator.


----------



## zx10guy (Mar 30, 2008)

Yep, avisitor, we're in total agreement here. It's amazing how many people don't think about what they're really doing when they open up ports on their firewall. It's similar to your house. You can have all the doors locked, but you're still vulnerable if a thief figures out you left a window unsecured.

I have ports open on my firewall too. Probably more than many people who are more anal about security than I am would like. But I also have a setup where network traffic is very segmented behind the firewall. The directly attached network to the edge firewall is my DMZ. I don't care what gets clobbered there. If any of my boxes get nailed, I just rebuild it. But I don't allow squat through the other segmented areas of my network from the DMZ. The only way you're getting through is if you've figured out how to breach the VPN connection which is required to get through.


----------



## darcdante (Dec 19, 2008)

Yea, I have some open also, but I don't worry too much about it. I haven't had a problem as of yet.


----------



## Jason08 (Oct 13, 2008)

True, I have had several ports opened a few months ago and it actually turned out when I had a hard drive crash it was not on the PC that had the ports open, but another network PC that only had ports open in the software firewall, and not the router.


----------



## DoubleHelix (Dec 10, 2004)

Network settings have absolutely nothing to do with physical damage to hardware.


----------



## reno1217 (Feb 2, 2008)

holes in the firewall can absolutely kill a hard drive. a trojan or a virus which can be sent through an open hole can make the hard drive spin constantly and can and will kill a hard drive.. i have seen it happen.. 
don't believe me? check out a pc with a virus that causes constant hard drive access and it spins out of control and will kill it 50 times faster.

but a hole in a firewall will not damage hardware in itself but can and will in other ways.


----------



## JohnWill (Oct 19, 2002)

reno1217 said:


> holes in the firewall can absolutely kill a hard drive. a trojan or a virus which can be sent through an open hole can make the hard drive spin constantly and can and will kill a hard drive.. i have seen it happen..
> don't believe me? check out a pc with a virus that causes constant hard drive access and it spins out of control and will kill it 50 times faster..


IMO, this is hogwash! Most server hard disks run continuously 24/7, and they frequently exhibit better lifetimes than desktop disks. The hard disk is designed to run that way, and software can't cause it to "spin out of control". I'm not sure where you're getting this idea from, but I'd rethink your sources of information!


----------



## reno1217 (Feb 2, 2008)

i have had a virus and seen what it can do to a hard drive.. not all viruses or trojans, but some will cause a hard drive to constantly try to access which in turn will cause a premature failure, if you don't believe this then i don't know what to tell you. but it's common sense..
it's like miles on a car the more you get the more that starts to go wrong..


----------



## reno1217 (Feb 2, 2008)

getting away from the op question anyway.
yes opening a port is dangerous.. like everyone is saying, it is opening holes to your pc. that's just the simple answer.. i am no expert and am not trying to act like one just throwing in my 2 cents.


----------



## JohnWill (Oct 19, 2002)

Well, I don't believe it, and there's really nothing you can tell me that will suddenly convince me.

Things that might eventually wear out a hard disk are start/stop cycles, a typical hard disk is rated at 50,000 cycles. OTOH, reading/writing/seeking have no practical limit, and will have very little effect on the MTBF of the drive. Shock and vibration is another killer of disks, again that's an external physical event, not a usage event.

Your contention simply isn't supported by the vast body of experience of most hard disk users.


----------



## Jason08 (Oct 13, 2008)

Yeah. From what some people are saying in this topic, anyone who has enabled DMZ for at least a couple weeks, then, has probably gotten hacked or gotten a virus.


----------



## avisitor (Jul 13, 2008)

Jason08 said:


> Yeah. From what some people are saying in this topic, anyone who has enabled DMZ for at least a couple weeks, then, has probably gotten hacked or gotten a virus.


People are running Windows, you know 

In all seriousness, having your hard drive constantly being accessed will not kill it, nor will having it run 24/7. I have several servers that have been running for thousands of hours with near continuous access that have not died.


----------



## aj_brown_99 (Nov 27, 2008)

Ok, well it seems to me that the general consensus is that I was totally wrong, and that opening the ports can be quite dangerous, especially since I'm networked to my dad's work computers. Oh well, I guess I'll just have to put up with slower speeds. 

I would probably open up the ports anyways, if there were no risk to the valuable work equipment. Right now, there is virtually no risk for him, since I have no ports open, and all my torrents come from trusted sources (i.e. I always make sure that it is from a trusted website and that there are positive user reviews), and also I always have anti-virus software running.

I know this is probably a very stupid question, but is there any simple way to keep using my dad's internet, but not be in any way connected to his computers so that if I got a virus on my computer there would be no risk for his computers? I'm guessing the answer is no, but it's worth a shot.

P.s. sorry if this is violating rules, but as moderators have posted here and not removed the thread, I am not too worried about it.


----------



## JohnWill (Oct 19, 2002)

If you want to have a "trusted" subnet, you can simply stick a secondary router daisy-chained onto the primary router and put all the "protected" computers on the secondary router.

Depending on what kind of servers or VPN applications run on the "trusted" network, you may have to use the DMZ to allow it direct access through the primary router, but that will protect those machines from anything that happens on the primary router's subnet.


----------



## aj_brown_99 (Nov 27, 2008)

JohnWill said:


> If you want to have a "trusted" subnet, you can simply stick a secondary router daisy-chained onto the primary router and put all the "protected" computers on the secondary router.
> 
> Depending on what kind of servers or VPN applications run on the "trusted" network, you may have to use the DMZ to allow it direct access through the primary router, but that will protect those machines from anything that happens on the primary router's subnet.


Ok, this seems very complicated to my ears but it seems to me that it is not as difficult as it sounds. Are you saying that I should configure it so that from the primary router, I would connect another router, and then connect all of the work computers to this router? Or are you saying that I would connect my computer to the second router and the work computers to the original router? Also, what is DMZ, and how would I use it?
Thanks for the help with this solution.

By the way, how on earth did you manage to accumulate more than 80,000 posts??


----------



## JohnWill (Oct 19, 2002)

aj_brown_99 said:


> Ok, this seems very complicated to my ears but it seems to me that it is not as difficult as it sounds. Are you saying that I should configure it so that from the primary router, I would connect another router, and then connect all of the work computers to this router? Or are you saying that I would connect my computer to the second router and the work computers to the original router? Also, what is DMZ, and how would I use it?
> Thanks for the help with this solution.


The second router is the "secure" router, and blocks any attempts by connections from the primary router to connect to machines on the "secure" router. The DMZ is a capability for routers to route all port requests through to the attached machine. This basically says that any incoming port requests from the WAN side would be directed to the connection in question. In our configuration, that connection would be the WAN connection of our "secure" router. The DMZ configuration is done on the primary router, and the "secure" router is configured to connect to that IP address on the primary router. You can then allow/disallow any incoming requests from Internet sources you desire on the "secure" router. This allows you to have servers, etc. on the "secure" side.



> By the way, how on earth did you manage to accumulate more than 80,000 posts??


One at a time.


----------
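JohnWill's two-router layout, combined with the source-restricted access rules zx10guy and avisitor recommend, modeled as an added example that is not part of any post in this thread. The `Router` class, all addresses and port 40000 are constructed for illustration, and the model assumes a forward rule drops sources outside its allowed range.

```python
from ipaddress import ip_address, ip_network

class Router:
    """Toy NAT router: unsolicited inbound traffic is dropped unless a rule matches."""
    def __init__(self, forwards=None, dmz_host=None):
        # forwards: port -> (LAN host, allowed source network or None for "any source")
        self.forwards = forwards or {}
        self.dmz_host = dmz_host      # LAN host that receives every unmatched port
        self.downstream = {}          # LAN IP -> Router whose WAN side has that IP

    def attach(self, wan_ip, router):
        self.downstream[wan_ip] = router

    def inbound(self, src, port):
        """Return the host that ends up receiving the connection, or None if dropped."""
        if port in self.forwards:
            host, allowed = self.forwards[port]
            # Model assumption: a source outside the rule's range is dropped outright.
            if allowed and ip_address(src) not in ip_network(allowed):
                return None
        elif self.dmz_host:
            host = self.dmz_host
        else:
            return None
        nxt = self.downstream.get(host)
        return nxt.inbound(src, port) if nxt else host

# Constructed addresses and ports, for illustration only.
OPEN_PORT = 40000                     # the single port forwarded to the unprotected PC
UNPROTECTED_PC, SECURE_WAN = "192.168.1.50", "192.168.1.2"
WORK_SERVER = "192.168.2.20"

def build():
    secure = Router(forwards={443: (WORK_SERVER, "198.51.100.0/24")})
    primary = Router(forwards={OPEN_PORT: (UNPROTECTED_PC, None)}, dmz_host=SECURE_WAN)
    primary.attach(SECURE_WAN, secure)
    return primary, secure

def demo():
    primary, secure = build()
    return {
        "internet -> open port": primary.inbound("203.0.113.7", OPEN_PORT),
        "internet -> RDP 3389": primary.inbound("203.0.113.7", 3389),
        "allowed source -> 443": primary.inbound("198.51.100.9", 443),
        "other source -> 443": primary.inbound("203.0.113.7", 443),
        "infected PC -> secure LAN": secure.inbound(UNPROTECTED_PC, 445),
    }

if __name__ == "__main__":
    for flow, receiver in demo().items():
        print(f"{flow:28} {receiver or 'dropped'}")
```

The open port exposes only the PC on the primary subnet; everything else lands on the "secure" router's WAN side, which admits only what its own rules allow, including from a compromised machine on the primary subnet.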



## Jason08 (Oct 13, 2008)

lol. I've seen him at another computer forum with 33,000 posts.
I think he has earned the honor here of "The TSG Networking King"


----------



## aj_brown_99 (Nov 27, 2008)

Ok, Johnwill, I understand what you are getting at, but would have no idea how to set it up. If you don't mind, would you give me a quick overview of what I would need to do in order to configure this way (eg. buy this router, go here and set this up etc.) so that I can decide if it is worth my while to go through with it?


----------



## JohnWill (Oct 19, 2002)

I thought I did tell you what you needed to do.

What part exactly is the problem? When you have a second router, we can help you get it working, but posting for an unknown environment is most likely a waste of my time at this point.


----------



## Jason08 (Oct 13, 2008)

I'm surprised this thread isn't locked yet. I already kind of provided something that should help if you can see it in an earlier post I made.


----------



## JohnWill (Oct 19, 2002)

Jason08 said:


> I'm surprised this thread isn't locked yet


Why would we do that? We're here to help people, not snub them.


----------



## Jason08 (Oct 13, 2008)

I think you need to read posts #1 and #2 carefully. That's why I'm saying I'm surprised it's not locked. For the same reason as these topics.

http://forums.techguy.org/networking/786857-utorrent-speeds-port-fowarding-linksys.html

http://forums.techguy.org/networking/784134-internet-works-fine-except-downloading.html

http://forums.techguy.org/networking/787151-upload-speed-capped-100-kb.html

What am I missing??


----------



## JohnWill (Oct 19, 2002)

Well, Jason, you're right! I somehow overlooked the P2P issue, I must have been sleeping! 

From the TSG Rules, which you should have read when you joined.



> *P2P Instructions* - We do not support P2P file sharing applications and any threads requesting help for such will be closed. This includes Kazaa, Bearshare, WinMX, and the like. If you're interested in the topic, you are free to discuss it on our site (and please visit StealingIsIllegal.com), but information on how to use them will not be provided.
> 
> We are aware that there are legal applications for file sharing but we have chosen to take this position as we cannot determine when the assistance requested is for illegal or legal purposes and the illegal far outweigh the legal in this medium.


This thread is closed.


----------



## ~Candy~ (Jan 27, 2001)

The slow speeds probably mean your ISP is watching you. You might tell daddy


----------

