Do I need to port forward - Solved!

    #31
    Do I need to port forward?

    There is some risk in doing this. It is important to understand the difference between explicitly allowing traffic to/from a given public port to a device on your internal network, port forwarding, and putting a device in the DMZ.
    1. The DMZ opens the entire surface area of a network node to the Internet. This bypasses the firewall's normal function.
    2. A port forward opens a port and forwards it to a network node. This bypasses the firewall's normal function.
    3. Allowing/denying traffic by type allows the firewall to continue its normal function.

    Having your management interface publicly accessible means that any user on the public Internet can access your HS3 management interface.

    At minimum I would recommend SSL encrypting the page, forcing all logons to use a password, binding myhs to a non-admin account, and setting up anti-hack features in your HS3 install.

    I would still recommend we identify the traffic for myhs and see if it is possible to tell your firewall to allow the traffic.

    Sent from my iPhone using Tapatalk



      #32
      Originally posted by Kerat:
      1. the DMZ opens the entire surface area of a network node to the Internet. This bypasses the firewall's normal function.
      I disagree with this statement.

      Only individual ports should be open on the firewall from the WAN to your DMZ interface.

      A DMZ is an isolated network allowing no access, or better control, of what internal servers the DMZ-hosted servers can communicate with. Yes, there is higher risk exposing ports to the internet. However, all ports on all DMZ-hosted servers should not be exposed to the internet simply by putting a server in the DMZ.

      If you port forward (and firewall allow) from the internet to your internal non-DMZ servers, then if the exposed service is compromised, your internal non-DMZ network is compromised. Placing your internet-accessible servers in the DMZ and blocking all DMZ to LAN/WLAN ports prevents your internal network from being compromised.

      IMO, if you do not have a firewall appliance/device then you should not port forward.
      Len


      HomeSeer Version: HS3 Pro Edition 3.0.0.435
      Linux version: Linux homeseer Ubuntu 16.04 x86_64
      Number of Devices: 633
      Number of Events: 773

      Enabled Plug-Ins
      2.0.54.0: BLBackup
      2.0.40.0: BLLAN
      3.0.0.48: EasyTrigger
      30.0.0.36: RFXCOM
      3.0.6.2: SDJ-Health
      3.0.0.87: weatherXML
      3.0.1.190: Z-Wave



        #33
        Originally posted by lveatch:
        I disagree with this statement.

        Only individual ports should be open on the firewall from the WAN to your DMZ interface.

        A DMZ is an isolated network allowing no access, or better control, of what internal servers the DMZ-hosted servers can communicate with. Yes, there is higher risk exposing ports to the internet. However, all ports on all DMZ-hosted servers should not be exposed to the internet simply by putting a server in the DMZ.

        If you port forward (and firewall allow) from the internet to your internal non-DMZ servers, then if the exposed service is compromised, your internal non-DMZ network is compromised. Placing your internet-accessible servers in the DMZ and blocking all DMZ to LAN/WLAN ports prevents your internal network from being compromised.

        IMO, if you do not have a firewall appliance/device then you should not port forward.


        What you are describing is a conventional DMZ hosted in a firewall sandwich (a firewall from the public Internet and a firewall from the rest of the internal network). Only specific inbound/outbound traffic on specific ports would be allowed in or out from the public Internet or the internal network. The problem is that in home router environments DMZ is described as follows:

        "a feature that allows only one (1) local user to be exposed to the Internet for special purposes like Internet gaming or video conferencing." - https://www.linksys.com/us/support-a...icleNum=140747

        There is no mention of only allowing inbound/outbound traffic on a specific port.



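To make the three options from #31 and the DMZ argument of #32/#33 concrete, here is an added nftables ruleset written for this page; it is not from the thread, from HomeSeer, or from any router vendor. It assumes a Linux box acting as the home router with three interfaces: wan0 (public Internet), lan0 (192.168.1.0/24, where an HS3 box sits at 192.168.1.10) and dmz0 (192.168.50.0/24, where a camera NVR at 192.168.50.20 serves a web UI on TCP 80). All interface names and addresses are made-up assumptions for illustration, and the syntax is nftables 1.x.

```nftables
# Added example: one router ruleset showing the consumer-router "DMZ host",
# a single port forward, and a firewall-sandwich DMZ side by side.
# Interface names and addresses below are assumptions for illustration:
#   wan0  -> public Internet
#   lan0  -> 192.168.1.0/24   (HS3 box at 192.168.1.10)
#   dmz0  -> 192.168.50.0/24  (camera NVR at 192.168.50.20, web UI on TCP 80)
flush ruleset

table inet homefw {

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # (1) Consumer-router "DMZ host" (post #31, item 1): every new
        #     inbound connection is NATed to one box, so every port that
        #     box listens on is reachable from the Internet. Left commented
        #     out on purpose; this is the setting to recognise and avoid.
        # iifname "wan0" dnat ip to 192.168.1.10

        # (2) Single port forward (post #31, item 2): only public TCP 8080 is
        #     rewritten, and it goes to the NVR in the DMZ, not to the LAN.
        iifname "wan0" tcp dport 8080 dnat ip to 192.168.50.20:80
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }

    # (3) Zone policy (post #31, item 3; posts #32/#33): the forward chain
    #     decides per zone pair what may pass, deny by default.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN may initiate to the Internet and to the DMZ (e.g. HS3 pulling
        # snapshots from the NVR).
        iifname "lan0" oifname { "wan0", "dmz0" } accept

        # DMZ may initiate to the Internet only. The explicit drop to lan0 is
        # redundant with the chain policy but documents the intent from
        # post #32: a compromised NVR cannot reach the HS3 box.
        iifname "dmz0" oifname "wan0" accept
        iifname "dmz0" oifname "lan0" drop

        # From the Internet, only the connection translated in (2) may enter
        # the DMZ; "ct status dnat" ties this filter rule to that NAT rule.
        iifname "wan0" oifname "dmz0" ct status dnat ip daddr 192.168.50.20 tcp dport 80 accept

        # No rule admits wan0 -> lan0, so the HS3 management UI stays
        # unreachable from outside even though it is listening on the LAN.
    }
}
```

Load it with `nft -f homefw.nft` and review with `nft list ruleset`. The check that matters is from outside: a full port scan of the public address (for example `nmap -p- <public IP>` from a host that is not on your LAN) should show only 8080 answering, and the HS3 box should not appear at all. If you uncomment rule (1), repeat the scan and watch every open port on 192.168.1.10 show up; that difference is the point being argued in #31 through #33.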


          #34
          Originally posted by Kerat:
          What you are describing is a conventional DMZ hosted in a firewall sandwich (firewall from public Internet and firewall from the rest of the Internal network.
          Hence my last statement.
          Len





            #35
            Do I need to port forward?

            I agreed that a conventional firewall sandwich is a better DMZ design. The description I provided is in line with the description Linksys provides for their DMZ feature.





              #36
              Hey guys,
              Think we found the problem. The dang router died! Brand new router and it kept doing all sorts of strange things. All my security cameras quit working, then I did a simple restart/reboot on the router and it set itself back to defaults! I popped my old Netgear router in place and everything works. Getting an exchange from Amazon. Just wanted to let you guys know what I found.

              Cheers,

              John



                #37
                Glad to hear you got it working.


