Explaining DMZs
and Port Forwarding
for home networking, broadband routers, and NAT connection sharing
First some definitions (greatly simplified)
Ports: Applications that talk TCP/IP open connections to other
computers using something called ports. Ports allow several applications on a
single computer to share one IP address and still keep their traffic apart. A port is
an extra 16-bit number that comes AFTER the standard IP address; there are 65,536 of them
(0 through 65535) for TCP and, separately, another 65,536 for UDP. Applications usually
hide the port number from you to keep things simple. Example: web servers (HTTP) listen on port
80 by default. To reach this web site, you could type http://www.homenethelp.com:80 into your
browser. The :80 is the default port number for the HTTP protocol, so typing
it is not necessary. Here is a list of some ‘well known ports’.

Port Forwarding: A broadband router or other
NAT application (like ICS) acts as a firewall between your internal network and the
Internet. Because NAT only knows how to deliver replies to connections that a LAN
computer opened, unsolicited traffic arriving from the Internet has nowhere to go and is
dropped; that is what keeps unwanted traffic away from your LAN computers. A
‘tunnel’ (really just a forwarding rule) can be created through your firewall so that computers on
the Internet can reach one of the computers on your LAN on a single port. This
is called port forwarding, and it is handy for running web servers, game servers, FTP servers,
or even video conferencing. One of your computers could run
a web server (port 80) while another computer could run an FTP server
(port 21 for the control connection) - both reachable through the same public IP address.
DMZ: This is a feature that is included on some routers but
is not in Internet sharing software. The router’s DMZ (or ‘DMZ host’) setting sends every
unsolicited inbound packet that no port forwarding rule claims to a single computer on your
LAN, exposing ALL of its ports to the Internet. When doing this,
the exposed computer is no longer ‘behind’ the firewall. Note that on a consumer router
this is not a true DMZ network segment: the exposed computer still sits on the same LAN as
your other machines, so if it is compromised the attacker already has a foothold inside your network.
Port Forwarding vs DMZ
A DMZ is far easier to set up than port forwarding
but exposes your entire computer to the Internet. Some TCP/IP
applications require very specialized configurations (many ports, or ports negotiated
on the fly) that are difficult to set up or are not supported by your router. In this case,
placing your computer in the DMZ may be the only way to get the application working.
Placing a computer in the DMZ should be considered ‘temporary’ because
your firewall is no longer able to provide any protection to it: every service the computer
runs, whether you meant to run it or not, becomes reachable from the Internet.
Port forwarding can sometimes be difficult to configure, but provides a
relatively safe way of running a server from behind a
firewall. Since only a single port (or a small set of ports) is
exposed to the Internet, the computer is easier to secure: you only have to keep the one
forwarded service patched and correctly configured. Additionally, port forwarding allows you
to run several kinds of servers on different computers on your LAN (see above diagram).
Many broadband routers have special port forwarding
configuration screens for standard applications (FTP, WWW, Mail, etc.) and
separate screens for custom applications.
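The decision a NAT device makes for each packet arriving from the Internet, and how that decision changes once a DMZ host is set, as an added example (this is illustrative code written for this page, not code from the original article or from any router vendor). The model is simplified: one public address (203.0.113.5), LAN hosts in 192.168.1.x, a single outside probe address (192.0.2.99) and a connection table with no TCP state tracking or timeouts; all of these are constructed assumptions of the example, not facts from the page.

```python
# Added example, not code from the original page: a toy model of how a NAT
# sharing device (broadband router, ICS) treats traffic arriving from the
# Internet, and how the attack surface of a LAN host differs between a
# single port forward and the DMZ setting.
# Assumptions not in the original: one public address 203.0.113.5, LAN hosts
# in 192.168.1.0/24, TCP only, simplified connection tracking (no TCP state
# machine, no timeouts). All addresses are constructed documentation values.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.5"  # constructed WAN address of the router
ALL_PORTS = frozenset(range(1, 65536))  # usable port numbers for one protocol


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    # Port forwarding rules: public (WAN) port -> (LAN host, LAN port).
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # DMZ host: receives every unsolicited inbound packet no rule claims.
    dmz_host: Optional[str] = None
    # Connection table built from outbound traffic:
    # (remote ip, remote port, public port) -> (LAN ip, LAN port).
    conntrack: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)
    next_public_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens a connection: pick a public port, remember the
        mapping, and rewrite the source to the router's public address."""
        public_port = self.next_public_port
        self.next_public_port += 1
        self.conntrack[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Decide the fate of a packet arriving on the WAN side.
        Returns (verdict, packet as delivered to the LAN, or None if dropped)."""
        # 1. A reply to a connection a LAN host opened is always let back in.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.conntrack:
            lan_ip, lan_port = self.conntrack[key]
            return "reply", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # 2. An explicit port forwarding rule opens exactly one public port.
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return "forwarded", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        # 3. The DMZ host catches every other unsolicited packet, whatever the port.
        if self.dmz_host is not None:
            return "dmz", Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        # 4. No mapping at all: NAT has nowhere to deliver it, so it is dropped.
        #    This is the "firewall" effect the article describes.
        return "dropped", None

    def exposed_ports(self, lan_ip: str) -> Set[int]:
        """Public ports on which someone on the Internet can reach lan_ip
        without that host having initiated anything."""
        forwarded_here = {wan for wan, (ip, _) in self.forwards.items() if ip == lan_ip}
        if lan_ip == self.dmz_host:
            # Everything not forwarded to some other host lands on the DMZ host.
            return set(ALL_PORTS - set(self.forwards)) | forwarded_here
        return forwarded_here


def demo() -> Dict[str, str]:
    """Walk through the article's scenarios with constructed hosts."""
    router = NatRouter(forwards={80: ("192.168.1.10", 80),   # web server
                                 21: ("192.168.1.11", 21)})  # FTP control port
    probe = "192.0.2.99"  # constructed outside address scanning the router
    results = {}
    # Outbound browsing from a LAN PC, then the server's reply coming back.
    out = router.outbound(Packet("192.168.1.30", 51000, "198.51.100.7", 443))
    results["reply"] = router.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port))[0]
    # Unsolicited probes against the public address.
    results["port 80"] = router.inbound(Packet(probe, 12345, PUBLIC_IP, 80))[0]
    results["port 445, no DMZ"] = router.inbound(Packet(probe, 12345, PUBLIC_IP, 445))[0]
    router.dmz_host = "192.168.1.20"  # a game PC placed in the "DMZ"
    results["port 445, DMZ"] = router.inbound(Packet(probe, 12345, PUBLIC_IP, 445))[0]
    results["exposed: web server"] = str(sorted(router.exposed_ports("192.168.1.10")))
    results["exposed: DMZ host"] = f"{len(router.exposed_ports('192.168.1.20'))} ports"
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:24} -> {verdict}")
```

Running it shows the two halves of the section's argument: outbound connections get their replies back with no configuration at all, an unsolicited probe to an unforwarded port is dropped until a DMZ host exists, and `exposed_ports` goes from one port for the web server to every port not claimed elsewhere for the DMZ host.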
Other References:
Network Basics and
Infrastructure FAQ
How TCP works (RFC 793)
List of Well Known Ports
Applications and Games
Below is a
list of ports used by many applications and games. It covers
the most common configurations needed to use these applications from
behind a NAT-based sharing device like a cable/DSL router or Microsoft
ICS. Most applications work fine without any configuration when making an
outgoing connection, because the NAT device remembers the connection and lets the
replies back in. Any application needs some kind of port
forwarding when your computer must act as a server and accept incoming
connections.
If you need more help than what is provided here, take it to the Message Forums; don't write me directly.