Port Forwarding - What is bad about having open ports?

EmoHz (Distinguished), Jun 21, 2011
Today I fixed my network and was able to successfully set up a static IP address. Before, there was a bridge that, upon deletion or being disabled, would stop me from connecting to the internet. Turned out my ethernet was set up for a static IP, not dynamic.

I am using a SBG900 and now that I have a static IP I can forward the ports necessary for Steam and the multiplayer games. My question is this: if I have ports forwarded for these games, does that leave me vulnerable by having open ports? I have a newer cable modem from Linksys that hasn't been connected yet due to the fact that it lacks wireless capabilities.

Also, is there a difference between having an open port and forwarding a port, or are they both the same thing?
 
Solution
Ok some definitions for you.

"Ports" are 16-bit numbers that act like a mailbox / communication channel for your network interface. Every packet received by your system must have a destination port number, and based on this the network stack will know which application to send the packet to.

An "Open Port" is a port that your network device accepts packets on. It may have absolutely nothing to do with the packets, and thus the packets may be deleted, but the port still accepted the packet and read its header. A "Closed Port" is a port where your device will either actively refuse (send a response) or completely ignore (no response) packets. Open Ports can be bad / good depending on your security posture.

Example: Application A is expecting to receive packets on port 3030, your FW / computer is blocking port 3030, and thus Application A will never receive any packets. Conversely, malicious code can be hidden inside packets, and accepting them on arbitrary ports can cause your system to be hacked and infected. The rule of thumb is to close any ports you don't expect traffic on; only open the ones you know you'll need.

"Port Forwarding" is router speak for NAT Masquerading. What happens is Application A wants to receive packets on 3030, but its IP address is 192.168.1.10, a private IP address. Your gateway device needs to have an entry put in its table stating that all packets received on port 3030 need to be forwarded to 192.168.1.10 so that Application A can receive them.

Most of this is automatic, but not always.
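The open / refused / ignored distinction in the answer above can be seen directly from a client socket. The following is an added example (not code from the thread or its authors) that classifies how a TCP port responds; the loopback listener and the port numbers it picks are constructed test fixtures, and the "ignored" case only appears when a firewall silently drops the SYN, which loopback cannot reproduce:

```python
"""Classify how a TCP port responds: accepted (open), actively refused
(closed, RST sent back) or silently ignored (closed, no answer).

Added example, not from the forum thread. Only touches 127.0.0.1 by default.
"""
import socket


def probe_tcp_port(host, port, timeout=1.0):
    """Return 'open', 'refused', 'ignored' or 'unreachable' for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # a listener completed the handshake
        except ConnectionRefusedError:
            return "refused"       # closed: the host answered with a RST
        except socket.timeout:
            return "ignored"       # closed: no answer at all (dropped/filtered)
        except OSError:
            return "unreachable"   # no route, interface down, etc.


def start_loopback_listener():
    """Constructed fixture: listen on 127.0.0.1 on an OS-chosen port.

    Returns (server_socket, port). The kernel completes handshakes into the
    backlog even before accept() is called, so a probe will see 'open'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def find_refused_port():
    """Constructed fixture: a loopback port nothing is listening on right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()      # released without ever listening, so connects get a RST
    return port


def audit(host, ports, timeout=1.0):
    """Map each port to its observed state; handy for checking that the
    ports you intended to close really do refuse or ignore traffic."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, listening = start_loopback_listener()
    closed = find_refused_port()
    print(audit("127.0.0.1", [listening, closed]))
    srv.close()
```

Run it against your own host after changing firewall rules: anything you expected to be closed should come back as "refused" or "ignored", never "open".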
 
Solution
Depends on the game. You shouldn't have to enable any of that, any decent router / gateway device will have NAPT detection and tracking enabled by default. At least not if you plan on just being a client.

Now are you trying to "host" games on your PC or run your own dedicated server? Firewall rules will prevent unsolicited traffic from reaching inside your network, even if that traffic would otherwise be a valid incoming connection.
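To make concrete the difference between the NAPT tracking mentioned above (outbound connections create their own table entries, so a plain client needs no forwarding) and a static port forward (needed only when hosting, because unsolicited inbound traffic is otherwise dropped), here is an added toy gateway model. It is not code from the thread or from any router firmware; the public IP, the LAN host 192.168.1.10 from the earlier answer, the remote peer address and the port numbers are all constructed, and the dynamic table is deliberately simplified (any remote host may reach a mapped port, which real routers usually restrict further):

```python
"""Toy model of a home gateway: NAPT table plus static port forwards.

Added example, not from the forum thread. All addresses are constructed
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"        # constructed WAN address of the gateway
LAN_HOST = "192.168.1.10"        # the host from the answer above
REMOTE = "198.51.100.9"          # constructed game server / peer


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Gateway:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_public_port = 40000
        # dynamic NAPT table, filled automatically by outbound traffic:
        #   public_port -> (private_ip, private_port)
        self.dynamic: Dict[int, Tuple[str, int]] = {}
        # static "port forwarding" entries the admin types into the router
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, private_ip: str, private_port: int):
        self.forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and record
        the mapping so replies can be routed back (this is the tracking a
        client relies on; no manual configuration involved)."""
        key = (pkt.src_ip, pkt.src_port)
        for pub, priv in self.dynamic.items():
            if priv == key:
                public_port = pub
                break
        else:
            public_port = self.next_public_port
            self.next_public_port += 1
            self.dynamic[public_port] = key
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if a static forward or a dynamic
        mapping names the destination port; otherwise the packet is
        unsolicited and the firewall drops it (returns None)."""
        target = self.forwards.get(pkt.dst_port) or self.dynamic.get(pkt.dst_port)
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def scenario():
    """Three cases: unsolicited inbound, client reply, hosted game."""
    gw = Gateway(PUBLIC_IP)
    results = {}
    # 1. Nobody on the LAN asked for this; no forward exists: dropped.
    results["unsolicited"] = gw.inbound(Packet(REMOTE, 5555, PUBLIC_IP, 3030))
    # 2. Plain client: the outbound packet creates the mapping, the reply
    #    to the translated port is admitted and sent to the LAN host.
    out = gw.outbound(Packet(LAN_HOST, 51000, REMOTE, 27015))
    results["reply"] = gw.inbound(Packet(REMOTE, 27015, PUBLIC_IP, out.src_port))
    # 3. Hosting: a static forward makes port 3030 reachable from outside,
    #    which is exactly the exposure the original question is about.
    gw.add_port_forward(3030, LAN_HOST, 3030)
    results["forwarded"] = gw.inbound(Packet(REMOTE, 5555, PUBLIC_IP, 3030))
    return results


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:12s} -> {pkt if pkt else 'DROPPED'}")
```

The third case is the only one that needs a router entry, and it is also the only one that turns an outside-initiated packet into traffic inside the LAN, which is why a forward should point at a service you trust and keep patched.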
 

EmoHz (Distinguished), Jun 21, 2011
To play multiplayer you must have NAT open, but when I disable NAT in my router, no one is able to connect via wifi. I figured if I forwarded the ports I wouldn't need to disable NAT.

Trying to be able to play the game without inconveniencing everyone else in the household.
 
Guest
Palladin has given a very good answer. Whether an open port is "dangerous" or not is dependent on what that port maps through to.

Having an open port means that it will respond to connection attempts such as port scans, though having said that, most script kiddies normally scan for well-known ports, as these offer services that may have documented vulnerabilities and exploits, then fire up their copy of Metasploit. Having an obscure port number open lessens the likelihood of you showing up on an attacker's radar, so to speak.

It also depends on the service that is being offered on that port; having something like 23 (Telnet), 3389 (Terminal Services) or 5900 (VNC), for example, is not a good idea, as these are well known and if breached could give system-wide access to the attacker. Similarly, having a port open to a service with an unpatched vulnerability could allow the attacker to gain access and then attempt to elevate their privileges.

So if the game is using an obscure port number, and the network service of the game has no known vulnerabilities then you're probably OK. However using NAT will make it safer.