Safety of leaving ports open
-
I’m trying to get going on Falcon-Online and it needs some ports to be open. I am using a router that needs to be restarted when changing open ports.
I was wondering what was the problem with leaving ports open indefinitely. Does that pose significant security issues?
Thanks in advance,
Fed
-
Most routers do not care if you’ve left a rule active or not for port forwarding. If there isn’t something on your end trying to use that port, they typically close them up despite your rules.
You can check the status of the ports you have rules for at Gibson Research Center https://www.grc.com/x/ne.dll?bh0bkyd2 The best response you’d be looking for when querying ports is “Stealth,” meaning that not only did the check not get through, but the router doesn’t even respond to the request.
-
HailRider… In the short term u r never safe in internet. Period. If a guy knows what he is doing and has u on his sights then u r done deal.
U already have open ports… else u couldn’t communicate with internet at all.
Other guys, because of ISP or router problems, fly with DMZ on which means all their ports are open wide.
So it’s not that much of a matter. I have those ports and others as many thousands of Falcon users and others for decades…
U never know when u will step on them but shit happens…
U can use also a Software firewall or play with enable disable of your routers setting…
Falcon works ok if u know how to set them up.
But u should mostly fear other apps that have access to Internet than Falcon. I never heard a story of a guy got hacked or a virus by just letting Falcon access Internet on those ports.
-
Unless your system has been infected with a Trojan or Virus of some sort which is listening on the ports in question, there is like slim to no risk of having those ports open.
That being said, it’s not impossible but if there isn’t any software listening on those ports there’s not much a hacker can do.
-
lol…. port 80 is pretty safe to leave open I think.
you could in theory be added to a botnet by leaving your ports open. you have a firewall? anti virus? you're good.
-
Misunderstanding that port 80 is safe. It's not the port that is causing the risk problem. It's the application that is using it.
And we all know how buggy they are: Firefox, Chrome, IE, Opera, Safari, you name them. They all have potential flaws.
-
stay away from IE and webkit, you'll be fine.
firefox for the win!
-
Normally you only have open ports when you host a service (port 80 == webserver, 21 == ftp, 22 == ssh etc).
Normally you do not host a webserver, so when you browse the www, your target port is 80, but your own port used is mostly dynamically allocated, and nat’ed on the router (there it might become used as an other port).
Also, generally a browser shouldn’t listen on a port. It just connects to a server, makes its request, gets its response and closes the connection. If it keeps its connection open, it still shouldn’t listen but only stay connected to the one it made the connection to. (Falcon does it differently from what I know: it makes a connection to the server, and also listens on the same socket. The server forwards your IP:Port to the other clients, and they may create a connection to you and vice versa too.)
(Skype tries to use port 80. Funny story: my father wanted to run XAMPP, but Skype was launched before. Because of that, Apache was not able to create a socket on port 80. Also TeamViewer tries to use ports 443 and 80 first, because those ports are mostly permitted to pass the firewall.)
The problem is not what we know but what we don’t know.
That’s the reason why you shouldn’t forward all ports to your computer.
But I don’t get the point why you should forward your ports. I’m not doing it as long as I am not hosting IVC and Falcon server, and I don’t have any problems. Normally, the NAT/PAT of your router should forward the data to you once your connection is set up.
On the other hand, there is no standard in the NAT/PAT process and I also had strange moments with different routers. If you really face problems, and you’re sure there is no other possible solution, then sure, you have to do it.
It is not like destroying the gates to hell.
-
Hard drive space is so cheap that a dual boot system where one is purely Falcon related is reasonable. Port issues are then not a concern, as in the unlikely event of a problem it's easily sorted and there's no security issue.
-
I’m using a dual boot system on a Mac - using Bootcamp. I got windows just for Falcon…
I am only worried because I have to open ports on my router. So now, the ports are open for all the other computers on the house - all Macs. If I open them only when I will be using online falcon, then I have to reboot the router. That would be a nuisance. But maybe that would be best.
Any comments would be greatly appreciated.
-
As posted… ports communicate when the program connects… if the program is not there then there is nothing to communicate with, so no problem… No need to restart the router.
-
A small hint regarding router restart:
Some routers save the port forward rules only when you decide to “restart and save changes”.
Meanwhile the new port forward rules are set only temporarily.
If your router would lose power, the rules won’t exist on next start.
-
If you have a router doing what a router should, then ONLY the one machine (Falcon4 PC) is seen from outside. The other machines are hidden.
You can also set the rule as trigger, but it needs some handicraft. In this case the inside machine does not need to be explicitly named, so other PCs might open it also - but that would be quite strange, and a malware on them does not usually NEED to have an outgoing rule to work.
When you are not playing Falcon4, and the rule is static, then the safety depends on whether there is “something else” (a malware) listening to those ports. Once again, if you have a network active malware in your system, having the ports closed is not any guarantee. I would say you can have those ports open for your flight sim PC without much of a problem.
You much more probably have UPnP allowed in the router, and that is decades of more grave safety threat.
-
Hi
Here’s a more complete, or verbose, explanation. A port is just a number used on a network connection to route that connection to a listening program. So when falcon is set up as a server it tells Windows “if any connection comes in with any of the port numbers in the range 2934-2937 attached to it, please connect that connection to me”. If falcon isn’t running as a server, or isn’t running at all, then in theory any connection that comes in with one of those port numbers will simply be dropped. Think of it as windows saying, “I know you want to connect to port 2934, but nobody’s home”. In this case it doesn’t matter whether Windows denies the connection or your firewall does.
But, there can be a problem if there’s malware already on your system. If you had a virus/trojan that decided to listen for instructions on port 2934 whenever falcon is not running, then someone from outside trying to communicate with that virus could do so if the port weren’t blocked by your firewall. And if your firewall didn’t block that port outbound too then it could happily connect to other computers it knows are listening on that port. This is simplistically how botnets work.
So in conclusion. If you are certain your machine doesn’t have malware (anti-virus programs reduce the chance of infection but don’t eliminate it) then leaving ports 2934-2937 open is perfectly fine and probably what most people do. If you are very security conscious, you’ll open and close the ports as needed.
Hope that helps a little.
A
EDIT: I read TKorho’s explanation only after writing this one. He basically says the same thing. Repetition was unintended.
-
Got it. Thanks everybody!! So let me summarize here for my setup:
I leave the ports open on my router.
When I run Windows from the bootcamp partition, falcon can communicate, because the windows firewall will allow falcon to communicate through its firewall, and the router will let communication go through those ports.
When I run Mac OSX on the other partition, the Mac firewall will block those ports. Also, there are no programs, presumably, listening to those ports. So, that partition, as well as other Mac computers in my house, should be safe.
Correct?
-
the weakest point in network/pc/etc security is the user. if the user is not careful with the configuration of the sys/network he can compromise anything…
@HailRider what you state is true (there are other variants in the “equation” but the general idea is the one you stated above)
plus ports are usually application specific or protocol specific.
F-4 ports are not in the “well known” list (i.e. port 80 & 8080 are for http [transferring web pages]) so you should be ok
more info lies on the pure networking side… (socket address/osi model/netstat etc…)
-
The ports are 2934-2935, the 6 and 7 are not used anymore. And you need UDP only, there is no TCP traffic at all.
Even the present malware should have the knowledge to use these specific ports, and as said above, they are not well known ports… So it would be rare happenstance that a malware would listen to those ports only, and another malware would try to connect to it. And especially with UDP packets.
It is far easier for the present malware to punch through with UPnP or use port 80 for outgoing or so.
With triggering you can use your OWN outgoing 2934 UDP traffic as the trigger, and open the inbound ports on the trigger condition. This would be already quite safe (but again would not protect from present and by happenstance Falcon4-ports-savvy malware…).
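The posts above boil down to one check a Falcon player can run before leaving the forwarded range open: is anything other than Falcon bound to those ports? This added example (not code from the thread or from Falcon) parses Windows `netstat -ano` style output and reports every process bound to 2934-2937, flagging TCP listeners (Falcon is UDP only, per the post above) and UDP bindings by a PID other than the expected one; the netstat sample, PIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Ports the thread says Falcon-Online forwards; 2936-2937 are reportedly unused.
FALCON_PORTS = range(2934, 2938)

# Constructed sample of Windows `netstat -ano` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49700     203.0.113.10:443       ESTABLISHED     2208
  UDP    0.0.0.0:2934           *:*                                    4321
  UDP    0.0.0.0:2935           *:*                                    4321
  TCP    0.0.0.0:2936           0.0.0.0:0              LISTENING       7777
  UDP    0.0.0.0:5353           *:*                                    1404
"""

# proto, local addr:port, foreign addr, optional state (UDP lines have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def listeners_on(text, ports=FALCON_PORTS):
    """Map each forwarded port to the (proto, pid) pairs bound to it.

    netstat shows no state for UDP, so any UDP binding counts as a listener;
    for TCP only LISTENING sockets count (an ESTABLISHED outbound connection
    that happens to use a port in the range is not accepting anything).
    """
    found = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)  # the header and blank lines do not match
        if not m:
            continue
        proto, port, state, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if port in ports and (proto == "UDP" or state == "LISTENING"):
            found[port].append((proto, pid))
    return dict(found)


def unexpected_listeners(text, allowed_pids, ports=FALCON_PORTS):
    """Bindings on the forwarded ports that are not the expected Falcon process.

    Falcon is UDP only, so a TCP listener in the range, or a UDP binding by a
    PID you did not expect, is what the thread says to investigate.
    """
    return sorted(
        (port, proto, pid)
        for port, entries in listeners_on(text, ports).items()
        for proto, pid in entries
        if proto != "UDP" or pid not in allowed_pids
    )
```

Feed it the real output of `netstat -ano` and pass Falcon's PID as the only allowed one; an empty result means nothing but Falcon would answer on the forwarded range.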
-
I rename my disk drives
ex: Z:, which seems to be what the software usually looks for. My 2 cents
Programs that use ports only open when using the “ported” program
-
Heheh, nice idea.
-
UDP is pretty much harmless. Just block NETBIOS ports like 135-139, 445, and so on.
And try to disable unnecessary stuff like ‘remote registry’ etc