科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.

© 2025 科技回声. All rights reserved.

Ask HN: Why shouldn't I use port forwarding?

7 points by pkdpic over 2 years ago
For a very simple home server setup. Like literally just a Windows machine running an Express app with port forwarding on my home wifi. Why exactly is this sketchy again?

11 comments

akerl_ over 2 years ago
What makes you think you shouldn't?

Basically all the ways of exposing a service running in your house boil down to "port forwarding" in one way or another. You can use a cloud service (or a cloud server you run) to forward the traffic. The only relevant factors, as far as I can figure, are:

1. If you port forward on your router, you're exposing your home IP to folks who access your service. That may or may not be something you're OK with.

2. You have to keep any DNS or hardcoded IPs up to date if your home IP changes. Pretty doable via a number of different methods, with varying lag time depending on how you do it.

3. Somebody who finds a vulnerability in the service you're running has a foot in the door to your home LAN. But that's a factor with "making home services available on the internet", not specifically with port forwarding on your router.

The thing that I *would* say is a bad idea is what many routers refer to as "DMZ" mode or similar, where you broadly send incoming connections to a system. That's got a lot more risk since you have to be a lot more cautious about what services are listening on your server.
(reply #33198000 not loaded)
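The DMZ warning above comes down to one question: what is actually listening on the box you are about to expose? The following is an added example (not code from the thread or from any project mentioned in it) that parses the text of `netstat -ano` from a Windows host and reports every non-loopback listener that is not on the list of ports you intend to forward. The sample netstat output is constructed to mimic the real format and is not from any real machine; the port allowlist is an assumption for the demo.

```javascript
// Added example (not from the thread): audit what a Windows host is actually
// listening on before you forward a port to it, so that the only reachable
// service is the one you meant to expose. Input is the text of `netstat -ano`;
// the sample below is constructed to mimic that format and is not real output.

const SAMPLE_NETSTAT = `
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       5128
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       3310
  TCP    192.168.1.20:3000      203.0.113.7:51234      ESTABLISHED     5128
  TCP    [::]:3000              [::]:0                 LISTENING       5128
  UDP    0.0.0.0:5353           *:*                                    2210
`;

// Parse a single netstat -ano row into { proto, addr, port, state, pid }.
// Returns null for headers and blank lines. UDP rows have no State column.
function parseNetstatLine(line) {
  const m = line.trim().match(/^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)$/);
  if (!m) return null;
  const [, proto, local, , state, pid] = m;
  const sep = local.lastIndexOf(':'); // works for both 0.0.0.0:80 and [::]:80
  return {
    proto,
    addr: local.slice(0, sep),
    port: Number(local.slice(sep + 1)),
    state: state || '',
    pid: Number(pid),
  };
}

// A socket bound only to loopback cannot be reached through the router, so it
// is not part of the exposed surface even though it is "listening".
function isLoopback(addr) {
  return addr.startsWith('127.') || addr === '[::1]';
}

// Compare the listening sockets against the ports you intend to forward.
// Anything else bound to a non-loopback address should be disabled or
// firewalled before the port forward goes live.
function auditListeners(netstatText, allowedPorts) {
  const allowed = new Set(allowedPorts);
  const listeners = netstatText
    .split('\n')
    .map(parseNetstatLine)
    .filter((e) => e !== null && (e.proto === 'UDP' || e.state === 'LISTENING'));
  const unexpected = listeners.filter((e) => !isLoopback(e.addr) && !allowed.has(e.port));
  return { listeners, unexpected };
}

// Human-readable report, one line per unexpected listener.
function formatReport({ listeners, unexpected }) {
  const lines = [`${listeners.length} listening sockets, ${unexpected.length} not on the allowlist`];
  for (const e of unexpected) {
    lines.push(`  ${e.proto} ${e.addr}:${e.port} (pid ${e.pid}) is reachable but not meant to be exposed`);
  }
  return lines.join('\n');
}

// Assumed for the demo: only port 3000 (the Express app) is meant to be forwarded.
console.log(formatReport(auditListeners(SAMPLE_NETSTAT, [3000])));
```

Run it with a real `netstat -ano` capture in place of the sample and an allowlist of the one or two ports you plan to forward; the loopback-bound database on 5432 is correctly ignored, while 135, 445 and 3389 show up as exactly the kind of Windows services the DMZ mode would have handed to the internet.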
drpixie over 2 years ago
Just take care. Port forwarding is perfectly valid, and sometimes the only practical way to do things. But:

- only open/forward the ports you need.

- only expose ports that use appropriate security - try to avoid plain-text, NEVER use easy-to-guess passwords; prefer encrypted sessions and properly secured logins (eg. ssh keys).

- be very aware of what is listening on the open ports. Some Windows ports expose dangerous services, and/or do so without authentication!

( Really, we shouldn't need firewalls because there should be NO dangerous services exposed on any machine. But older boxes were so full of problems that firewalls became the default way to manage the situation ... "we don't know what services to enable/disable, and they'll get re-enabled on the next OS update!@!, so we'll default to blocking everything using a firewall." )

- update, update, update. It seems like almost all code is broken. It's just a question of how badly, so it's very important to keep any exposed services up-to-date to limit the time you're exposed to known-bad software.

- you WILL be attacked - not personally but by the millions of bots randomly trying addresses/ports and guessing ids/passwords. Something like fail2ban is useful to discourage such attacks, but you WILL be attacked and MUST be prepared for it.

- monitor the machine - the scourge of the interwebs is boxes sitting out there sending spam and/or performing DOS attacks because the owner doesn't keep an eye on them !%@$!#@$!!
(reply #33198263 not loaded)
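The "you WILL be attacked" point above is usually answered with fail2ban. To show what that tool actually does, here is an added example (not code from the thread, from fail2ban, or from any project mentioned) of the same sliding-window logic applied to access-log lines from the exposed app: count failed logins per source address, and once an address crosses the threshold inside the window, record a ban the firewall should enforce for a while. The log format, the sample lines and the thresholds are all constructed for the example.

```javascript
// Added example (not from the thread): a fail2ban-style check over an app's
// access log. Constructed format: "<iso-timestamp> <ip> <method> <path> <status>".
// Adapt parseLine() to whatever the app you expose actually writes.

const SAMPLE_LOG = [
  '2023-03-01T10:00:01Z 203.0.113.5 POST /login 401',
  '2023-03-01T10:00:03Z 203.0.113.5 POST /login 401',
  '2023-03-01T10:00:04Z 198.51.100.9 GET /index.html 200',
  '2023-03-01T10:00:06Z 203.0.113.5 POST /login 401',
  '2023-03-01T10:00:07Z 203.0.113.5 POST /login 401',
  '2023-03-01T10:00:08Z 203.0.113.5 POST /login 401', // 5th failure in 7 s
  '2023-03-01T10:00:09Z 203.0.113.5 POST /login 200', // arrives after the ban
  '2023-03-01T10:00:30Z 198.51.100.9 POST /login 401',
  '2023-03-01T10:30:00Z 198.51.100.9 POST /login 401', // 30 min later: window reset
];

// One log line -> { t (epoch seconds), ip, method, path, status }, or null.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$/);
  if (!m) return null;
  return { t: Date.parse(m[1]) / 1000, ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// A "failure" is a rejected login attempt. Tighten or widen this to taste.
function isFailure(rec) {
  return rec.path === '/login' && (rec.status === 401 || rec.status === 403);
}

// Sliding-window ban logic (the same idea as fail2ban's maxretry/findtime/bantime):
// ban an IP once it produces `maxRetry` failures within `findTimeSec` seconds;
// while banned, ignore its further lines; the ban lapses after `banTimeSec`.
function findBans(lines, { maxRetry = 5, findTimeSec = 10, banTimeSec = 600 } = {}) {
  const failures = new Map();    // ip -> timestamps of recent failures
  const bannedUntil = new Map(); // ip -> epoch seconds when the ban lapses
  const bans = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if ((bannedUntil.get(rec.ip) || 0) > rec.t) continue; // firewall would have dropped it
    if (!isFailure(rec)) continue;
    const recent = (failures.get(rec.ip) || []).filter((ts) => rec.t - ts <= findTimeSec);
    recent.push(rec.t);
    failures.set(rec.ip, recent);
    if (recent.length >= maxRetry) {
      bannedUntil.set(rec.ip, rec.t + banTimeSec);
      failures.set(rec.ip, []);
      bans.push({
        ip: rec.ip,
        bannedAt: new Date(rec.t * 1000).toISOString(),
        until: new Date((rec.t + banTimeSec) * 1000).toISOString(),
        failures: recent.length,
      });
    }
  }
  return bans;
}

for (const b of findBans(SAMPLE_LOG)) {
  console.log(`ban ${b.ip} from ${b.bannedAt} until ${b.until} (${b.failures} failed logins)`);
}
```

The second address never gets banned even though it fails twice, because its two failures are half an hour apart and the window only counts failures within `findTimeSec` of each other; that is the distinction between a bot hammering the login form and a person mistyping a password.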
blmayer over 2 years ago
My home setup uses port forwarding and it is much safer than DMZ, which exposes your entire device. I forwarded port 443 to a higher port on my RPi so I can serve TLS traffic using an unprivileged port, without the need of a root user; this alone is a great security improvement.

Setting this up was done on my router, and was really easy. The advantage over DMZ is that I stay behind my router's firewall and DoS protection system and other protections.

I had a dynamic IP from my ISP so I had to use a DDNS service. I chose ddclient[1], which is a very simple and easy to set up daemon. And it really works, never had DNS issues.

Now I acquired a static IP plan from my ISP, so I could ditch DDNS; the result is a simpler setup. It has been a pleasure to self-host. If my setup has any security holes please let me know. :-)

All in all the hardest part was buying the plan from my ISP, their customer service sucks.

PS.: In Brazil it is illegal for ISPs to block users from doing home servers or block some ports, but all major ISPs do it, so buying a static IP plan as a company was the easy solution. Plans for companies normally come with all ports unlocked and NAT disabled.

---

[1] https://ddclient.net/

Edit: Fix typos.
(reply #33238644 not loaded)
monkmartinez over 2 years ago
I use Cloudflare tunnels. No need to do anything to my router. I have 1 open publicly accessible port (80) exposed to the internet via a Docker container. In order to reach that port, you have to traverse the tunnel with TLS, and my home IP is never exposed (except to Cloudflare) and always updated. Literally one command and a few configs to set up on Cloudflare to proxy traffic to my localhost and various subdomains.

You can have application-level security enabled on Cloudflare's side for administrative interfaces, like Portainer. That adds another level of security and there are a multitude of ways to verify (email, token, one-time PIN, etc.). Super, super easy to set up.

I am a dolt when it comes to networking and don't trust myself to make the correct configurations. I no longer pay for a VPS for my simple blog. I don't want to spend my time becoming an expert sysadmin/network admin... so I chose to go with a tunnel.
(reply #33198844 not loaded)
icedchai over 2 years ago
Your ISP might detect the inbound traffic and shut you down. Most residential ISPs have a "no servers allowed" clause.

Better to tunnel traffic back to you, either through a 3rd-party service (Cloudflare tunnels, like someone else mentions) or through a VPS that you control. That way, your home IP address is not directly exposed.

There are still some security concerns with having a server directly on your home network. For example, if it was compromised it could access other systems on your LAN. With a more sophisticated router, you could mitigate that (isolate it by putting it on its own network, block most outgoing traffic, etc.). The typical home router won't have the features for that.
(reply #33204494 not loaded)
chunk_waffle over 2 years ago
Are you planning to use this just for yourself? Or are you planning to start a SaaS company from your home?

A flood of requests, bots, or even a DDoS attack can cause issues with your internet connection. If you use that same connection for work, for example, that can be a serious issue.

Unless you have a static IP address you'll have to deal with the IP changing.

If there is a vulnerability in your Express app, it could lead to the compromise of other machines and other parts of the network (unless this Windows machine is isolated from the rest of your LAN).

Just things to consider, probably not deal breakers!
(reply #33198838 not loaded)
ggm over 2 years ago
It's the kind of caveat which carries its own penalty. If you do it, it's unlocking that one window above the second storey you believe nobody can reach from a drainpipe, and anyway the window is too small, and you forget about somebody coming in via the roof and being thin and flexible.

Just don't forget you opened it, what you attach to it, and how to configure and disable it.

If the protocol(s) you use can support authentication, do that.

Don't enable an inbound telnet port to your router's admin# console state, basically.
nikau over 2 years ago
If your app has a vulnerability someone can exploit it and gain access to your home server.

The best pragmatic approach I found when I needed to expose a service from home was to configure port knocking - the port would appear closed until I sent a series of TCP port open attempts in a particular sequence.
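The port knocking described in the comment above is a small state machine per source address: hit the configured ports in order, each within a short timeout, and only then is the real service port opened for that address for a limited time. The following is an added example (not code from the thread or from any port-knocking daemon) of that decision logic. Feeding in real connection attempts from the firewall log and actually adding or removing the firewall rule are assumed to exist outside this snippet; the knock sequence, timeouts and events are constructed for the demo.

```javascript
// Added example (not from the thread): the decision logic behind port knocking.
// Connection attempts (source IP, destination port, time) come in; only a source
// that hits the configured ports in order, each within the step timeout, gets
// the protected port opened for it for a short time. Hooking this to the
// firewall is assumed and not shown.

function createKnockTracker({ sequence, stepTimeoutSec = 5, openForSec = 30 }) {
  const progress = new Map(); // ip -> { index: next knock expected, lastT }
  const opens = [];           // { ip, from, until } in epoch seconds

  function observe({ ip, port, t }) {
    const ts = Date.parse(t) / 1000;
    let st = progress.get(ip) || { index: 0, lastT: ts };
    // Too slow between knocks: start over, so a slow scanner cannot accumulate hits.
    if (st.index > 0 && ts - st.lastT > stepTimeoutSec) st = { index: 0, lastT: ts };
    if (port === sequence[st.index]) {
      st = { index: st.index + 1, lastT: ts };
      if (st.index === sequence.length) {
        opens.push({ ip, from: ts, until: ts + openForSec });
        st = { index: 0, lastT: ts };
      }
    } else {
      // Any wrong port resets; a stray hit on the first knock port restarts.
      st = { index: port === sequence[0] ? 1 : 0, lastT: ts };
    }
    progress.set(ip, st);
  }

  // Would the firewall let `ip` reach the protected service at time `t`?
  function isOpen(ip, t) {
    const ts = Date.parse(t) / 1000;
    return opens.some((o) => o.ip === ip && ts >= o.from && ts <= o.until);
  }

  return { observe, isOpen, opens };
}

// Constructed events for the demo (documentation-range addresses).
const KNOCK_EVENTS = [
  // correct sequence, fast enough: opens
  { ip: '198.51.100.10', port: 7000, t: '2023-03-01T12:00:00Z' },
  { ip: '198.51.100.10', port: 8000, t: '2023-03-01T12:00:02Z' },
  { ip: '198.51.100.10', port: 9000, t: '2023-03-01T12:00:04Z' },
  // one wrong port in the middle: never opens
  { ip: '203.0.113.20', port: 7000, t: '2023-03-01T12:00:00Z' },
  { ip: '203.0.113.20', port: 8000, t: '2023-03-01T12:00:01Z' },
  { ip: '203.0.113.20', port: 9001, t: '2023-03-01T12:00:02Z' },
  { ip: '203.0.113.20', port: 9000, t: '2023-03-01T12:00:03Z' },
  // right ports but too slow between the first two: never opens
  { ip: '203.0.113.30', port: 7000, t: '2023-03-01T12:00:00Z' },
  { ip: '203.0.113.30', port: 8000, t: '2023-03-01T12:00:10Z' },
  { ip: '203.0.113.30', port: 9000, t: '2023-03-01T12:00:11Z' },
];

// Assumed knock sequence for the demo: 7000, 8000, 9000.
function runDemo() {
  const tracker = createKnockTracker({ sequence: [7000, 8000, 9000] });
  KNOCK_EVENTS.forEach(tracker.observe);
  return tracker;
}

const demo = runDemo();
for (const o of demo.opens) console.log(`opened for ${o.ip} for ${o.until - o.from} s`);
```

The per-step timeout and the reset on any wrong port are what keep this from degrading into "three ports anyone can find with a scan": a scanner sweeping ports in numeric order hits 7000, 8000 and 9000 with other ports in between, and each of those resets its progress.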
dossy over 2 years ago
Who says it's a problem? Can you link to some material that you're referencing that makes you ask this?
(reply #33198309 not loaded)
dusted over 2 years ago
This is perfectly acceptable and should be universally encouraged. True good old-fashioned self-hosting, the way god intended.

I'd ditch the wifi and run cable, but that's only because it's better.
pGuitar over 2 years ago
I used port forwarding for my Wireguard VPN... worked great....