There seems to be a lot of questions surrounding port forwarding and opening ports. If youíve seen my previous posts I usually recommend against opening up ports unless you know the ramifications of opening said ports. This post is a simple guide to what ports are and why you need to be careful when opening ports.

If there are mistakes or omissions let me know and I'll clean up the post.

The backbone of the internet and most networks today is a protocol called TCP/IP - actually these are two protocols - Transmission Control Protocol/Internet Protocol. There are entire text books written on TCP/IP but simply speaking - IP is the protocol that translates ip addresses to web addresses so that your web browser can translate Google to (There is a lot more going on but that is the simple explanation) TCP is the Transmission Control Protocol. This is the protocol when we talk about ports. There are a bunch of well known ports such as
80 - for HTTP
22 - for SSH
443 - for HTTPS
Here is a list from Wikipedia
List of TCP and UDP port numbers - Wikipedia, the free encyclopedia
Most programs that communicate over the internet take some TCP port. The most common - 80 is for web traffic. So when you type in Google - what happens is that IP goes out translates this to and then sends the traffic to port 80 - it would look like this (Meaning go hit that ip address on port 80 and do your request) - After all that your web browser presents you with the google home page. (Again a lot more is going on but that is the simple explanation)

How to Get To Your Home Network
To help get to your home network consider signing up for dynamic dns. There are several free services but the one with most built in support is DynDNS. Dynamic DNS: Free DDNS Service
You can create a free hostname (like
That way you donít have to figure out what your external ip address. Also there are scripts that run on most computers (and most routers) that will update dyndns when your IP address changes (because usually you have dynamic ip addresses on your home network) - Support -- Update Clients: Downloads for update clients, DDNS routers, DDNS hardware clients
My Netgear router has a setup page for syncing up with The Apple routers (Time Capsule, Airport Extreme, Airport Express) do not have this built in by default. This is one of the reasons I have Netgear doing my routing and my Time Capsule is only used for wireless and NAS. So if you only have Apple network hardware you can use a Mac client for example. - Support -- Update Clients -- DynDNS Updater for Mac Installation Guide

Back to Our Regularly Scheduled Program
So when a program says you need to open and setup a port on your router/firewall - what you are doing is exposing that port to the world, then forwarding that port to the waiting computer/device and application. So lets say you want to VNC into a machine on your home network. By default most home networks have all ports closed. What you do is on your router - you setup port forwarding. So you would forward port 5900 (the standard VNC port) to your computer IP address (for example Then in your VNC viewer you can put in your external IP address and port - then the port forward on your router should pass all that port onto your internal computer. So in theory you could go to a vnc viewer program from outside your network - type in - and you should be presented with a login screen for the computer to which you forwarded the port.

So this is really cool - one could setup a server - port forward the ports you need for remote access, and then have access from anywhere. Here is the rub - once you open a port - people/bots can start probing that port. When a port is closed - there is no response so most scripts move on. When a port is opened - whatever is waiting on that port usually gives a response. Then whatever is probing knows that something exists at that port.
Port scanner - Wikipedia, the free encyclopedia
Once your open port responds then you will see the attacks come. Letís continue with the VNC example. Letís say I write a script looking for responses on 5900. I find responds on that port. Well now I know that 5900 is available. I can try to connect to that port - and I will be presented with your login screen. Letís say you have a weak username/password - I can start a dictionary attack on your VNC login and will probably be successful in getting in. Even if you have a strong username/password - I can still try a brute force attack taking up your network resources. And now the 3rd problem - VNC isnít always encrypted so that you could be sending everything over the internet unencrypted such that anyone packet sniffing could find out sensitive data. Lastly the 4th problem - if you donít keep your system up to date, there could be exploits available in VNC that could cause it to crash (and let people inject code and gain control of your machine)
vnc vunerabilities - Google Search
If you donít update you could be susceptible to older known exploits.

Well that sucks. So you donít really want to open up ports unless you know what you are opening is
1 - secure (name/password is strong, use rsa keys, etc)
2 - up to date (as there may be exploits on older versions of software)
3 - encrypted (otherwise you run into problems with packet sniffing like firesheep)

What to do? There are several options like VPN or SSH - but as stated you need to make sure you meet the first 2 criteria at all times. I personally use a ssh server and port forward all my traffic. SSH is pretty good but out of the box it isnít all that secure. VPN is good to but usually you have to have server OSes to get the VPN ability. If there is interest I can follow up with a SSH setup post.