Ask HN: Why shouldn't I use port forwarding?
For a very simple home server set up. Like literally just a windows machine running an express app with port forwarding on my home wifi. Why exactly is this sketchy again?
23 comments
What makes you think you shouldn't?
Basically all the ways of exposing a service running in your house boil down to "port forwarding" in one way or another. You can use a cloud service (or a cloud server you run) to forward the traffic. The only relevant factors, as far as I can figure, are:
1. If you port forward on your router, you're exposing your home IP to folks who access your service. That may or may not be something you're OK with
2. You have to keep any DNS or hardcoded IPs up to date if your home IP changes. Pretty doable via a number of different methods, with varying lag time depending on how you do it.
3. Somebody who finds a vulnerability in the service you're running have a foot in the door to your home LAN. But that's a factor with "making home services available on the internet", not specifically with port forwarding on your router.
The thing that I would say is a bad idea is what many routers refer to as "DMZ" mode or similar, where you broadly send incoming connections to a system. That's got a lot more risk since you have to be a lot more cautious about what services are listening on your server.
Basically all the ways of exposing a service running in your house boil down to "port forwarding" in one way or another. You can use a cloud service (or a cloud server you run) to forward the traffic. The only relevant factors, as far as I can figure, are:
1. If you port forward on your router, you're exposing your home IP to folks who access your service. That may or may not be something you're OK with
2. You have to keep any DNS or hardcoded IPs up to date if your home IP changes. Pretty doable via a number of different methods, with varying lag time depending on how you do it.
3. Somebody who finds a vulnerability in the service you're running have a foot in the door to your home LAN. But that's a factor with "making home services available on the internet", not specifically with port forwarding on your router.
The thing that I would say is a bad idea is what many routers refer to as "DMZ" mode or similar, where you broadly send incoming connections to a system. That's got a lot more risk since you have to be a lot more cautious about what services are listening on your server.
> The thing that I would say is a bad idea is what many routers refer to as "DMZ" mode or similar, where you broadly send incoming connections to a system. That's got a lot more risk since you have to be a lot more cautious about what services are listening on your server.
Got to agree with that - realistically the DMZ machine is almost FULLY exposed to the internet. Have a "DMZ machine" but open only the ports specifically required for whatever service is provided.
If you "DMZ machine" can see the rest of your home network, then so can anyone/anything that breaks into your "DMZ machine"!
And see my previous reply re take care with is made accessible.
Got to agree with that - realistically the DMZ machine is almost FULLY exposed to the internet. Have a "DMZ machine" but open only the ports specifically required for whatever service is provided.
If you "DMZ machine" can see the rest of your home network, then so can anyone/anything that breaks into your "DMZ machine"!
And see my previous reply re take care with is made accessible.
Again, extremely helpful, thank you (both of you) for all the wisdom here!
Just take care. Port forwarding is perfectly valid, and sometimes the only practical way to do things. But:
- only open/forward the ports you need.
- only expose ports that use appropriate security - try to avoid plain-text, NEVER use easy to guess passwords; prefer encrypted sessions and properly secured logins (eg. ssh keys).
- be very aware of what is listening on the open ports. Some Windows ports expose dangerous services, and/or do so without authentication!
( Really, we shouldn't need firewalls because there should be NO dangerous services exposed on any machine. But older boxes were so full of problems that firewalls became the default way to manage the situation ... "we don't know what services to enable/disable, and they'll get re-enabled on the next OS update!@!, so we'll default to blocking everything using a firewall. )
- update, update, update. It seems like almost all code is broken. It's just a question of how badly, so it's very important to keep any exposed services up-to-date to limit the time you're exposed to know-bad software.
- you WILL be attacked - not personally but by the millions of bots randomly trying addresses/ports and guessing ids/passwords. Something like fail2ban is useful to discourage such attacks, but you WILL be attacked and MUST be prepared for it.
- monitor the machine - the scourge of the interwebs is boxes sitting out there sending spam and/or performing DOS attacks because the owner doesn't keep an eye on them !%@$!#@$!!
- only open/forward the ports you need.
- only expose ports that use appropriate security - try to avoid plain-text, NEVER use easy to guess passwords; prefer encrypted sessions and properly secured logins (eg. ssh keys).
- be very aware of what is listening on the open ports. Some Windows ports expose dangerous services, and/or do so without authentication!
( Really, we shouldn't need firewalls because there should be NO dangerous services exposed on any machine. But older boxes were so full of problems that firewalls became the default way to manage the situation ... "we don't know what services to enable/disable, and they'll get re-enabled on the next OS update!@!, so we'll default to blocking everything using a firewall. )
- update, update, update. It seems like almost all code is broken. It's just a question of how badly, so it's very important to keep any exposed services up-to-date to limit the time you're exposed to know-bad software.
- you WILL be attacked - not personally but by the millions of bots randomly trying addresses/ports and guessing ids/passwords. Something like fail2ban is useful to discourage such attacks, but you WILL be attacked and MUST be prepared for it.
- monitor the machine - the scourge of the interwebs is boxes sitting out there sending spam and/or performing DOS attacks because the owner doesn't keep an eye on them !%@$!#@$!!
this is all extremely helpful thank you so much for taking the time to write it all out!
My home setup uses port forwarding and it is much safer than DMZ, that exposes your entire device. I forwarded port 443 to a higher port on my RPi so I can serve TLS traffic using an unprivileged port, without the need of a root user, this alone is a great security improvement.
Setting this up was done on my router, and was really easy, the advantage over DMZ is that I stay behind my router's firewall and DoS protection system and other protections.
I had dynamic IP from my ISP so I had to use a DDNS service, I chose ddclient[1], which is a very simple and ease to setup daemon. And it really works, never had DNS issues.
Now I acquired a static IP plan from my ISP, so I could ditch DDNS, the result is a simpler setup. It is being a pleasure to self-host. If my setup has any security holes please let me know. :-)
All in all the hardest part was buying the plan on my ISP, their customer service sucks.
PS.: In Brazil it is illegal for ISPs to block users from doing home servers or block some ports, but all major ISPs do it, so buying a static IP plan as a company was the easy solution. Plans for companies normally come with all ports unlocked and NAT disabled.
---
[1] https://ddclient.net/
Edit: Fix typos.
Setting this up was done on my router, and was really easy, the advantage over DMZ is that I stay behind my router's firewall and DoS protection system and other protections.
I had dynamic IP from my ISP so I had to use a DDNS service, I chose ddclient[1], which is a very simple and ease to setup daemon. And it really works, never had DNS issues.
Now I acquired a static IP plan from my ISP, so I could ditch DDNS, the result is a simpler setup. It is being a pleasure to self-host. If my setup has any security holes please let me know. :-)
All in all the hardest part was buying the plan on my ISP, their customer service sucks.
PS.: In Brazil it is illegal for ISPs to block users from doing home servers or block some ports, but all major ISPs do it, so buying a static IP plan as a company was the easy solution. Plans for companies normally come with all ports unlocked and NAT disabled.
---
[1] https://ddclient.net/
Edit: Fix typos.
Tried to buy a static IP address from my ISP, responded that it's only offered to users of their "business" plans. The business plans: same up/down as I'm receiving now, but for more $$$. -_-
I use cloudflare tunnels. No need to do anything to my router. I have 1 open publicly accessible port (80) exposed to the internet via Docker container. In order to reach that port, you have to traverse the tunnel with TLS and my home IP is never exposed and always updated except to Cloudflare. Literally one command and few configs to set up on Cloudflare to proxy traffic to my localhost and various subdomains.
You can have application level security enabled on Cloudflare's side for administrative interfaces, like portainer. That adds another level of security and there are a multitude of ways to verify (Email, token, one time pin, etc.). Super, super easy to set up.
I am a dolt when it comes to networking and don't trust myself to make the correct configurations. I no longer pay for a VPS for my simple blog. I don't want to spend my time becoming an expert Sys Admin/Network Admin... so I chose to go with a tunnel.
You can have application level security enabled on Cloudflare's side for administrative interfaces, like portainer. That adds another level of security and there are a multitude of ways to verify (Email, token, one time pin, etc.). Super, super easy to set up.
I am a dolt when it comes to networking and don't trust myself to make the correct configurations. I no longer pay for a VPS for my simple blog. I don't want to spend my time becoming an expert Sys Admin/Network Admin... so I chose to go with a tunnel.
Any idea if you can "tunnel" to a proper public IP which is static? I recently did some digging and realized you can pay to get "reserved egress IP's" on cloudflare, curious if this would work for this?
I am not sure regarding that specific case. I can tell you this: You need a domain name with DNS setup to point at cloudflare for the tunnels to work. The domains can be at namecheap, DO, or anywhere where you can modify the DNS provider tags. At least one machine needs to run the tunneling service. I believe it should be the host that will serve the traffic.
Yes. I serve my websites from my home network over a reverse ssh connection to a vps. I only need the vps for it's static ip. Not that fast, but my sites are small. There are open source solutions for this as well.
Interesting, are you just using a passthrough proxy like squid? I've encountered issues routing ssh connections through the proxy.
Your ISP might detect the inbound traffic and shut you down. Most residential ISPs have a "no servers allowed" clause.
Better to tunnel traffic back to you, either through a 3rd party service (Cloudflare tunnels, like someone else mentions) or through a VPS that you control. That way, your home IP address is not directly exposed.
There is still some security concerns having a server directly on your home network. For example, if it was compromised it could access other systems on your LAN. With a more sophisticated router, you could mitigate that (isolate by putting it on its own network, block most outgoing traffic, etc.) The typical home router won't have the features for that.
Better to tunnel traffic back to you, either through a 3rd party service (Cloudflare tunnels, like someone else mentions) or through a VPS that you control. That way, your home IP address is not directly exposed.
There is still some security concerns having a server directly on your home network. For example, if it was compromised it could access other systems on your LAN. With a more sophisticated router, you could mitigate that (isolate by putting it on its own network, block most outgoing traffic, etc.) The typical home router won't have the features for that.
You would be better of to switch provider. ISP should have one purpose, provide internet access, not control what you do with it. Here they don't even block SMB, let alone other services. If one couldn't open services to the outside ISP would be out of business, in an era of IoT, almost everyone I know has at least one webcam exposed. Is it secure? well, depends on the person who set up the thing. Blocking common ports it's a router feature, but you can turn it off. Just stay away from those shady ISPs. I've been running my own HTTPS server, SSH bastion host and VPN without any issue for years.
I agree with you, but in many areas (of the US, at least) you are stuck with 1 or 2 ISPs at the most. They'll tell you to upgrade to a business account or GTFO.
Are you planning to use this just for yourself. Or, are you planning to start a SaaS company from your home?
A flood of requests, bots, or even a ddos attack can cause issues with your internet connection. If you use that same connection for work for example that can be a serious issue.
Unless you have a static IP address you'll have to deal with the IP changing.
If there is a vulnerability in your express app, it could lead to the compromise of other machines and other parts of the network (unless this windows machine is isolated from the rest of your LAN.)
Just things to consider, probably not deal breakers!
A flood of requests, bots, or even a ddos attack can cause issues with your internet connection. If you use that same connection for work for example that can be a serious issue.
Unless you have a static IP address you'll have to deal with the IP changing.
If there is a vulnerability in your express app, it could lead to the compromise of other machines and other parts of the network (unless this windows machine is isolated from the rest of your LAN.)
Just things to consider, probably not deal breakers!
Curious if anyone has experimented with a dynamic DNS edge solution that allows you to literally have a "dynamic static IP" basically an actual public IP that doesn't change that points to your dynamic IP?
I had a client ask for this admittedly bone-headed config - ironically their DB server requires an IP not a domain name (which in most cases more than suffices for DyDNS).
I had a client ask for this admittedly bone-headed config - ironically their DB server requires an IP not a domain name (which in most cases more than suffices for DyDNS).
It's the kind of caveat which carries it's own penalty. If you do it, its unlocking that one window above the second storey you believe nobody can reach from a drainpipe and anyway the window is too small, and you forget about somebody coming in via the roof and being thin and flexible.
Just don't forget you opened it, what you attach to it, and how to configure and disable it.
If the protocol(s) you use can support authentication, do that.
Don't enable an inbound telnet port to your routers admin# console state basically.
Just don't forget you opened it, what you attach to it, and how to configure and disable it.
If the protocol(s) you use can support authentication, do that.
Don't enable an inbound telnet port to your routers admin# console state basically.
If your app has a vulnerability someone can exploit it and gain access to your home server.
Best pragmatic approach I found when I needed to expose a service from home was to configure port knocking - the port would appear closed until I sent a series of tcp port open attempts in a particular sequence.
Best pragmatic approach I found when I needed to expose a service from home was to configure port knocking - the port would appear closed until I sent a series of tcp port open attempts in a particular sequence.
This is perfectly acceptable and should be universially encouraged. True good old fashioned self-hosting, the way god intended.
It'd ditch the wifi and run cable, but that's only because it's better.
It'd ditch the wifi and run cable, but that's only because it's better.
I used port forwarding for my Wireguard VPN... worked great....