The safe way to open a computer on your network to the Internet is to map the ports needed for gaming or other activities. Plus: some software firewall “attack” messages explained.
By Joe and Ron of Neighborhood Techs
Q. I have a DSL connection and I use Hotmail to communicate with a friend in another city via voice chat while playing online games. Everything works fine when my computer is connected directly to the DSL modem, but when I try to do it through my Linksys BEFSR41 router, neither the games nor the chat will work. Can you help me with this problem?
A. When your computer is connected directly to your DSL modem, traffic flows unfettered between your computer and your friend’s, allowing you to play online games and engage in voice chat. Put the router into the equation, and some or all of the traffic that supports these capabilities is blocked by default. It’s a feature, not a bug.
First determine which ports are required by the features you are using, and configure your router’s port mapping feature to forward those ports to your machine. (Your friend, incidentally, will probably need to do the very same thing on his or her end.)
The ports necessary for online gaming will depend on what game you are playing or what online gaming service you are using. This information should be provided in the documentation and/or on the Web site.
When you say you’re using Hotmail to chat, I think you mean Windows Messenger, of which Hotmail is the e-mail component. As it turns out, configuring a firewall to support the advanced features of Windows Messenger can be difficult (it uses a lot of dynamically-assigned ports), and it may not even be possible depending on the equipment you and your friend have. There is a lot of technically detailed information available at http://www.microsoft.com/windowsxp/pro/techinfo/deployment/natfw/default.asp regarding how to configure firewalls and Network Address Translation (NAT) routers to work best with Windows Messenger.
Microsoft recommends Universal Plug and Play (UPnP) compatible routers in order to use all of Windows Messenger’s features. They’re better able to manage the constantly changing port mappings that are needed. You may want to consider getting a router that supports UPnP, or checking to see if your (and your friend’s) current router can be upgraded to support it.
A quicker and easier way to accomplish what you want would be to put your computer into the router’s DMZ (demilitarized zone), which would let the router pass any traffic it encountered to your PC. However, this is not advisable (nor is keeping your PC connected directly to your DSL modem, for that matter) because it leaves the computer vulnerable to attack. Only do this on a PC that doesn’t carry important data.
Q. I recently installed a Linksys Cable/DSL router on my home network. I also have BlackIce Defender running on my Windows 2000 Professional system, and the firewall has reported several “attacks” since I installed the router. The router says that UDP port probes were coming from v2.vc.scd.yahoo.com, and v7.vc.scd.yahoo.com. There was also an entry about address 188.8.131.52, saying “HTTP GET data contains script.” How were these external addresses able to access my internal client through the router?
A. The reason your software firewall is logging the first two “attacks” is likely because you’re running Yahoo! Messenger software on your computer. The IP addresses and domain names that were flagged are Yahoo! servers that provide Yahoo! Messenger’s voice chat capabilities. The application uses UDP to transmit voice data, so use of the voice chat feature could cause these sorts of entries to appear. If you point your browser to that address, you’ll see an informational message that discusses this in more detail.
Even if you weren’t using the voice chat feature at the time the entry was recorded, it could be due to the application scanning to see what ports were available for this type of traffic.
An HTTP GET is typically the result of clicking a link on a Web page. You likely clicked on a link that referenced back to the address recorded by the log, and the data returned probably contained a script that BlackIce deemed harmful. Whether it actually was or not is impossible for me to say, but the fact that the address does not resolve back to a domain name could indicate less-than-honorable intent.
I did determine that the address is owned by Digex, a Web Hosting firm, so if you see a lot of these entries in the future, you may want to contact Digex and ask which of their customers is using this address, to better determine whether or not this individual or organization is the source of an actual attack.
Finally, you asked how the external addresses were able to access your internal client through the router. The router automatically allows traffic from an external address if it is in response to a request that originated inside your network.
Whenever a program like Yahoo! Messenger (or any other IM client or similar application, for that matter), is running, it has the ability to proactively initiate connections to communicate with its servers. You can be sure that the program has one or more open connections to its servers whenever it is running, and if that weren’t the case, you wouldn’t be able to communicate with anyone unless you initiated the connection yourself.
The last log entry represents a similar situation. The data coming from that address was in response to a request from your browser (the HTTP GET), so the router considered it allowable traffic and let it through.
Most hardware firewalls can detect certain types of common IP-based attacks, but they generally pay more attention to where the traffic is coming from as opposed to what kind of traffic it is. This is why software firewalls are usually good complements to a hardware router.
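The inbound decisions described in both answers (a reply to a request that started inside the network, a mapped port, and the DMZ host) are modeled below as an added example that is not part of the original column and is not Linksys firmware. The class name, addresses and port numbers are constructed, and the model assumes the router keeps the client's source port when translating.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HomeRouter:
    """Simplified NAT router model (constructed for illustration)."""
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> LAN IP
    dmz_host: Optional[str] = None                # LAN IP that receives everything else
    sessions: dict = field(default_factory=dict)  # (proto, port, remote_ip, remote_port) -> LAN IP

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN client opens a connection; remember it so replies can return."""
        self.sessions[(proto, lan_port, remote_ip, remote_port)] = lan_ip

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Decide what happens to a packet arriving on the Internet side."""
        key = (proto, wan_port, remote_ip, remote_port)
        if key in self.sessions:                  # answer to a request from inside
            return ("reply", self.sessions[key])
        if (proto, wan_port) in self.forwards:    # explicit port mapping
            return ("forward", self.forwards[(proto, wan_port)])
        if self.dmz_host:                         # DMZ: every remaining port is exposed
            return ("dmz", self.dmz_host)
        return ("drop", None)                     # default: unsolicited traffic is blocked

def demo():
    """Walk through the cases from the column with constructed sample traffic."""
    pc, web, stranger = "192.168.1.100", "203.0.113.10", "198.51.100.7"
    r, out = HomeRouter(), {}
    # Browser issues an HTTP GET: the reply is let in, an unrelated sender is not.
    r.outbound("tcp", pc, 49152, web, 80)
    out["http_reply"] = r.inbound("tcp", web, 80, 49152)
    out["stranger"] = r.inbound("tcp", stranger, 80, 49152)
    # Unsolicited game traffic is dropped until its port is mapped to the PC.
    out["game_before"] = r.inbound("udp", stranger, 4000, 27015)
    r.forwards[("udp", 27015)] = pc
    out["game_after"] = r.inbound("udp", stranger, 4000, 27015)
    out["unmapped"] = r.inbound("tcp", stranger, 4000, 5000)
    # With the PC in the DMZ, the same unmapped port now reaches it.
    r.dmz_host = pc
    out["dmz"] = r.inbound("tcp", stranger, 4000, 5000)
    return out

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12} {verdict}")
```

The last two cases show the trade-off between the two approaches: a port mapping exposes one port on the PC, while the DMZ setting exposes every port that is not otherwise handled.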