如果你正在阅读这篇文章,恭喜你!您正在使用端口 80 和 443(用于 Web 流量的标准开放网络端口)成功地与 Internet 上的另一台服务器进行交互。如果这些端口在我们的服务器上被关闭,您将无法阅读本文。封闭的端口使您的网络(和我们的服务器)免受黑客攻击。
我们的网络端口可能是开放的,但您的家庭路由器的端口不应该是开放的,因为这为恶意黑客打开了一个漏洞。但是,您可能需要不时使用端口转发允许通过 Internet 访问您的设备。为了帮助您了解有关端口转发的更多信息,您需要了解以下内容。
什么是端口转发?(What Is Port Forwarding?)
端口(Port)转发是本地网络路由器上的一个过程,它将连接尝试从在线设备转发到本地网络上的特定设备。这要归功于网络路由器上的端口转发规则,该规则与对网络上设备的正确端口和 IP 地址的连接尝试相匹配。
本地网络可能有一个公共 IP 地址,但内部网络上的每个设备都有自己的内部 IP。端口(Port)转发将这些外部请求从 A(公共 IP 和外部端口)链接到 B(请求的端口和网络上设备的本地 IP 地址)。
为了解释为什么这可能有用,让我们假设您的家庭网络有点像中世纪的堡垒。虽然您可以向外看,但其他人无法查看或突破您的防御——您可以免受攻击。
由于集成了网络防火墙,您的网络处于相同的位置。您可以访问其他在线服务,例如网站或游戏服务器,但其他互联网用户无法访问您的设备。吊桥升起,因为您的防火墙会主动阻止来自外部连接的任何企图破坏您的网络。
但是,在某些情况下,这种保护级别是不可取的。如果您想在家庭网络上运行服务器(例如使用 Raspberry Pi(using a Raspberry Pi)),则需要外部连接。
这就是端口转发的用武之地,因为您可以将这些外部请求转发到特定设备,而不会影响您的安全性。
例如,假设您在内部 IP 地址为192.168.1.12的设备上运行本地 Web 服务器,而您的公共 IP 地址为80.80.100.110。由于端口转发规则,将允许对端口80 ( 80.90.100.110:80 )的外部请求,并将流量转发到192.168.1.12上的端口 80(port 80)。
为此,您需要将网络配置为允许端口转发,然后在网络路由器中创建适当的端口转发规则。您可能还需要在网络上配置其他防火墙,包括Windows 防火墙(Windows firewall),以允许流量。
为什么要避免使用 UPnP(自动端口转发)(Why You Should Avoid UPnP (Automatic Port Forwarding))
在本地网络上设置端口转发对于高级用户来说并不困难,但它会给新手带来各种困难。为了帮助克服这个问题,网络设备制造商创建了一个名为UPnP(或通用即插即用(Universal Plug and Play))的端口转发自动化系统。
UPnP背后的想法是(现在也是)允许基于 Internet 的应用程序和设备在您的路由器上自动创建端口转发规则以允许外部流量。例如,UPnP可以自动为运行游戏服务器的设备打开端口并转发流量,而无需在路由器设置中手动配置访问权限。
这个概念很棒,但遗憾的是,执行是有缺陷的——如果不是非常危险的话。UPnP是恶意软件的梦想,因为它会自动假定在您的网络上运行的任何应用程序或服务都是安全的。UPnP 黑客网站(UPnP hacks website)揭示了许多不安全因素,即使在今天,网络路由器也很容易包含这些不安全因素。
从安全的角度来看,最好谨慎行事。与其冒着网络安全风险,不如避免使用UPnP进行自动端口转发(并在可能的情况下完全禁用它)。相反,您应该只为您信任且没有已知漏洞的应用程序和服务创建手动端口转发规则。
如何在您的网络上设置端口转发(How to Set Up Port Forwarding on Your Network)
如果您要避免UPnP并希望手动设置端口转发,通常可以从路由器的 Web 管理页面进行。如果您不确定如何访问它,通常可以在路由器底部或路由器文档手册中找到相关信息。
您可以使用路由器的默认网关地址连接到路由器的管理页面。这通常是192.168.0.1或类似的变体 - 在 Web 浏览器的地址栏中输入此地址。您还需要使用路由器提供的用户名和密码进行身份验证(例如admin)。
使用 DHCP 保留配置静态 IP 地址(Configuring Static IP Addresses Using DHCP Reservation)
大多数本地网络使用动态 IP 分配来为连接的设备分配临时 IP 地址。一段时间后,更新 IP 地址。这些临时 IP 地址可能会被回收并在其他地方使用,并且您的设备可能分配有不同的本地 IP 地址。
但是,端口转发要求用于任何本地设备的 IP 地址保持不变。您可以手动分配静态 IP 地址,但大多数网络路由器允许您使用DHCP保留在路由器的设置页面中为某些设备分配静态 IP 地址。
不幸的是,每个路由器制造商都不同,下面屏幕截图中显示的步骤(使用TP-Link路由器制作)可能与您的路由器不匹配。如果是这种情况,您可能需要查看路由器的文档以获得更多支持。
首先,使用网络浏览器访问网络路由器的网络管理页面,并使用路由器的管理员用户名和密码进行身份验证。登录后,访问路由器的DHCP设置区域。
您可能能够扫描已连接的本地设备(以自动填充所需的分配规则),或者您可能需要为您希望为其分配静态 IP 的设备提供特定的 MAC 地址。(specific MAC address)使用正确的MAC地址和您希望使用的 IP 地址创建规则,然后保存条目。
创建新的端口转发规则(Creating a New Port Forwarding Rule)
如果您的设备具有静态 IP(手动设置或在DHCP分配设置中保留),您可以移动以创建端口转发规则。这方面的条款可能会有所不同。例如,一些TP-Link路由器将此功能称为虚拟服务器(Virtual Servers),而Cisco路由器则以标准名称(端口转发(Port Forwarding))来称呼它。
在路由器 Web 管理页面的正确菜单中,创建新的端口转发规则。该规则将需要您希望外部用户连接的外部端口(或端口范围)。(external)此端口链接到您的公共 IP 地址(例如,公共 IP 的端口80为80.80.30.10)。
您还需要确定要将流量从外部(external)端口转发到的内部(internal)端口。这可能是同一个端口或替代端口(以隐藏流量的目的)。您还需要提供本地(local)设备的静态 IP 地址(例如192.168.0.10)和使用的端口协议(例如TCP或UDP)。
根据您的路由器,您可能能够选择一种服务类型来自动填充所需的规则数据(例如端口 80的HTTP或端口 443 的(HTTP)HTTPS)。配置规则后,保存它以应用更改。
附加步骤(Additional Steps)
您的网络路由器应自动将更改应用到防火墙规则。对打开的端口进行的任何外部连接尝试都应使用您创建的规则转发到内部设备,尽管您可能需要为使用多个端口或端口范围的服务创建额外的规则。
如果您遇到问题,您可能还需要考虑向您的 PC 或 Mac 的软件防火墙(包括Windows 防火墙(Windows Firewall))添加额外的防火墙规则,以允许流量通过。例如, Windows 防火墙(Windows Firewall)通常不允许外部连接,因此您可能需要在Windows 设置(Windows Settings)菜单中进行配置。
如果Windows 防火墙(Windows Firewall)给您带来困难,您可以暂时禁用它(disable it temporarily)以进行调查。但是,由于(Due)存在安全风险,我们建议您在解决问题后重新启用Windows 防火墙,因为它提供了针对(Windows Firewall)可能的黑客攻击(possible hacking attempts)的额外保护。
保护您的家庭网络(Securing Your Home Network)
您已经了解了如何设置端口转发,但不要忘记风险。您打开的每个端口都会在路由器防火墙之外增加一个漏洞,端口扫描工具(port scanning tools)可以找到并滥用该漏洞。如果您需要为某些应用程序或服务打开端口,请确保将它们限制为单个端口,而不是可能被破坏的巨大端口范围。
如果您担心家庭网络,可以通过添加第三方防火墙(adding a third-party firewall)来提高网络安全性。这可以是安装在您的 PC 或Mac上的软件防火墙,也可以是安装在您的网络路由器上的 24/7 硬件防火墙(如Firewalla Gold),以同时保护您的所有设备。
What Is Port Forwarding and How to Set It Up On Your Router
If you’re rеading this article, congratulations! You’re succеssfully interacting with another server on the internеt using ports 80 and 443, the standard open network ports fоr web traffic. If these ports were closed on our server, you wouldn’t be able to read this article. Closed ports keep your network (and our server) safe from hackers.
Our web ports might be open, but your home router’s ports shouldn’t be, as this opens a hole for malicious hackers. However, you may need to allow access to your devices over the internet using port forwarding from time to time. To help you learn more about port forwarding, here’s what you’ll need to know.
What Is Port Forwarding?
Port forwarding is a process on local network routers that forwards connection attempts from online devices to specific devices on a local network. This is thanks to the port forwarding rules on your network router that match the connection attempts made to the correct port and IP address of a device on your network.
A local network may have a single public IP address, but each device on your internal network has its own internal IP. Port forwarding links these outside requests from A (the public IP and external port) to B (the requested port and local IP address of the device on your network).
To explain why this might be useful, let’s imagine that your home network is a little like a medieval fortress. While you can look out beyond the walls, others can’t look in or breach your defenses—you’re secure from attack.
Thanks to integrated network firewalls, your network is in the same position. You can access other online services, such as websites or game servers, but other internet users can’t access your devices in return. The drawbridge is raised, as your firewall actively blocks any attempts from outside connections to breach your network.
There are some situations where this level of protection is undesirable, however. If you want to run a server on your home network (using a Raspberry Pi, for instance), outside connections are necessary.
This is where port forwarding comes in, as you can forward these outside requests to specific devices without compromising your security.
For example, let’s assume you’re running a local web server on a device with the internal IP address 192.168.1.12, while your public IP address is 80.80.100.110. Outside requests to port 80 (80.90.100.110:80) would be allowed, thanks to port forwarding rules, with the traffic forwarded to port 80 on 192.168.1.12.
To do this, you’ll need to configure your network to allow port forwarding, then create the appropriate port forwarding rules in your network router. You may also need to configure other firewalls on your network, including the Windows firewall, to allow the traffic.
Why You Should Avoid UPnP (Automatic Port Forwarding)
Setting up port forwarding on your local network isn’t difficult for advanced users, but it can create all types of difficulties for novices. To help overcome this issue, network device manufacturers created an automated system for port forwarding called UPnP (or Universal Plug and Play).
The idea behind UPnP was (and is) to allow internet-based apps and devices to create port forwarding rules on your router automatically to allow outside traffic. For instance, UPnP may automatically open ports and forward traffic for a device running a game server without the need to manually configure access in your router settings.
The concept is brilliant, but sadly, the execution is flawed—if not extremely dangerous. UPnP is a malware’s dream, as it automatically assumes that any apps or services running on your network are safe. The UPnP hacks website reveals the number of insecurities that, even today, are readily included with network routers.
From a security point of view, it’s best to err on the side of caution. Rather than risk your network security, avoid using UPnP for automatic port forwarding (and, where possible, disable it entirely). Instead, you should only create manual port forwarding rules for apps and services that you trust and that have no known vulnerabilities.
How to Set Up Port Forwarding on Your Network
If you’re avoiding UPnP and want to set up port forwarding manually, you can usually do so from your router’s web administration page. If you’re unsure how to access this, you can usually find the information on the bottom of your router or included within your router’s documentation manual.
You can connect to your router’s admin page using the default gateway address for your router. This is typically 192.168.0.1 or a similar variation—type this address into your web browser’s address bar. You’ll also need to authenticate using the username and password supplied with your router (e.g. admin).
Configuring Static IP Addresses Using DHCP Reservation
Most local networks use dynamic IP allocation to assign temporary IP addresses to devices that connect. After a certain time, the IP address is renewed. These temporary IP addresses may be recycled and used elsewhere, and your device may have a different local IP address assigned to it.
However, port forwarding requires that the IP address used for any local devices remain the same. You can assign a static IP address manually, but most network routers allow you to assign a static IP address allocation to certain devices in your router’s settings page using DHCP reservation.
Unfortunately, each router manufacturer is different, and the steps shown in screenshots below (made using a TP-Link router) may not match your router. If that’s the case, you may need to look through your router’s documentation for more support.
To begin, access your network router’s web administration page using your web browser and authenticate using the router’s administrator username and password. Once you’ve signed in, access your router’s DHCP settings area.
You may be able to scan for local devices already connected (to autofill the required allocation rule) or you may need to provide the specific MAC address for the device you wish to assign a static IP to. Create the rule using the correct MAC address and the IP address you wish to use, then save the entry.
Creating a New Port Forwarding Rule
If your device has a static IP (set manually or reserved in your DHCP allocation settings), you can move to create the port forwarding rule. The terms for this can vary. For instance, some TP-Link routers refer to this feature as Virtual Servers, while Cisco routers refer to it by the standard name (Port Forwarding).
In the correct menu on your router’s web administration page, create a new port forwarding rule. The rule will require the external port (or port range) that you wish outside users to connect to. This port is linked to your public IP address (e.g. port 80 for public IP 80.80.30.10).
You’ll also need to determine the internal port that you wish to forward the traffic from the external port to. This could be the same port or an alternative port (to hide the traffic’s purpose). You’ll also need to provide the static IP address for your local device (e.g. 192.168.0.10) and the port protocol in use (e.g. TCP or UDP).
Depending on your router, you may be able to select a service type to automatically fill the required rule data (e.g. HTTP for port 80 or HTTPS for port 443). Once you’ve configured the rule, save it to apply the change.
Additional Steps
Your network router should automatically apply the change to your firewall rules. Any outside connection attempts made to the opened port should be forwarded to the internal device using the rule you created, although you may need to create extra rules for services that use several ports or port ranges.
If you’re having trouble, you may also need to consider adding extra firewall rules to your PC or Mac’s software firewall (including Windows Firewall) to allow the traffic through. Windows Firewall won’t usually allow outside connections, for instance, so you may need to configure this in the Windows Settings menu.
If Windows Firewall is causing you difficulty, you can disable it temporarily to investigate. Due to the security risks, however, we’d recommend that you re-enable Windows Firewall after you troubleshoot the issue as it provides added protection against possible hacking attempts.
Securing Your Home Network
You’ve learned how to set up port forwarding, but don’t forget the risks. Each port you open adds another hole past your router’s firewall that port scanning tools can find and abuse. If you need to open ports for certain apps or services, make sure you limit them to individual ports, rather than huge port ranges that could be breached.
If you’re worried about your home network, you can boost your network security by adding a third-party firewall. This could be a software firewall installed on your PC or Mac or a 24/7 hardware firewall like the Firewalla Gold, attached to your network router to protect all of your devices at once.
