Relative to Port forwarding and security, I have a question!

Discussion in 'Tomato Firmware' started by ratchet, Mar 22, 2009.

  1. ratchet

    ratchet Addicted to LI Member

    When I'm at my children's homes I wake my home desktop with Tomato, a magic packet and port forwarding. In the Tomato Port Forwarding there is the option to "Forward only if from this address." Given that my children probably have Dynamic IPs, is it possible to somehow secure the port with a password or only allow from my laptop's MAC address or "from the name of an application"? Thank You!
  2. humba

    humba Network Guru Member

    If you want security... go VPN. With OpenVPN you could have a password, certificate or both (it also allows integration with tokens). If you go for a solution like sslexplorer, you could even do one-time passwords via email (or preferably SMS).
    And MAC restrictions are only possible on a switched network... as soon as you have routers in between (which you naturally have for anything going over the Internet) you can only work on layer 3 (IP addresses) or above (e.g. layer 4 with TCP or UDP ports).

    Some people also use ssh tunneling - you can find examples of that on the board as well.

    Basically with port triggering you're relying on security through obscurity and that's not really security (hence your asking if it's possible to add a password shows that you're aware of that) - however, having a password would mean a separate application that runs on the router (like a VPN daemon) which performs the authentication. With VPN you could then access the router's web interface from the LAN to send your WOL packet (or do it from the command line I presume) - and you'd also have secured the connection to your home desktop at the same time so it's really two for two.
  3. fyellin

    fyellin LI Guru Member

    For any question of security, what is the threat you're worried about, and how much time, effort, and money are you willing to expend to alleviate it? At least as you've described it, a certain magic packet to a certain magic port wakes up your Desktop. And if some hacker got her hands on this info, she'd be able to... wake up your desktop.

    If the thought of someone else waking up your desktop keeps you awake, too, then by all means a VPN is the way to go. While the VPN tunnel is up, your laptop thinks it's on your home LAN, and you can restrict these services to LAN only.
  4. ratchet

    ratchet Addicted to LI Member

    The thought of just waking my PC, which I admit is probably very remote (no pun intended) is not what concerns me. It is my understanding that the intruder can then possibly take control of the PC. The password is disabled since I'd have no means to take control of it (enter the pass) until a password was entered.
  5. bigclaw

    bigclaw Network Guru Member

    If the port-forward is used only to wake up your PC, then it's what it is. Nothing more and nothing less. The security on your PC must be tightened regardless of how you turn on your PC to prevent an intruder from taking control of it.

    It's better to treat WOL port-forward and PC security as two largely separate, but interconnected issues, because they really are.
  6. fyellin

    fyellin LI Guru Member

    I hope I'm misunderstanding you. It sounds like you're saying that after you wake up your PC, then anyone can access it without a password. The only security you have is that no one else can wake it up.

    If so, and you're really worried about security, you need to fix this soon. No one should be allowed access to your LAN except through carefully filtered port forwarding. If you allow logins from the outside, you need to have either really good passwords or authentication.