4

The possibility to enable port forwards for any hosts inside the LAN has of course security implications. The problem from my point of view is not that there are bad users, but bad hosts/programs and of course the problem of CSRF.

But for some applications it would be good to have such a thing. Other possibilities like statically forward ports seems also less secure because then the port will be open all the time - also you have to maintain static IP addresses for all internal hosts, that should be reached.

The question is now: is it really necessary to have open ports for certain applications like btsync or some kind of instant messanger? Should a program depend on UPnP or is it possible to live without it? (bad question, i know - because in any case i have to live with bad security or bad application behaviour...)

reox
  • 1,012
  • 1
  • 8
  • 10

1 Answers1

5

Any program that supports peer-to-peer communication needs to support some form of NAT traversal in order for two computers, both behind NAT gateways, to communicate with each other. Static port forwarding works, but is too confusing for most people to set up, while hole-punching isn't reliable and may require a trusted third-party server. This pretty much leaves UPnP and similar router-configuration protocols as the only solution.

Mark
  • 34,390
  • 9
  • 85
  • 134
  • 1
    but as said here http://security.stackexchange.com/questions/38631/what-are-the-security-implications-of-enabling-upnp-in-my-home-router UPnP is quite dangerous and static ports does not work - so how can you overcome this problem? – reox Jul 14 '14 at 13:36
  • [Hole punching](https://en.wikipedia.org/wiki/Hole_punching), which requires tricking a NAT gateway into thinking an incoming packet is a reply to an outgoing packet when it isn't. – Mark Jul 14 '14 at 19:50