Understanding Port Forwarding

First of all, Happy Valentine’s Day everyone! Today is my first Valentines Day as a married man. My wife and I celebrated on Valentines Day Eve after work yesterday. Today we’re heading out to our favorite little coffee shop back in Gresham, Cafe Delirium, then we’ll have dinner at a little Lebanese restaurant (we love all kinds of ethnic food), followed perhaps by an independent flick somewhere in Portland. I hope you all enjoy your V-day as much as we will! Now on to the good stuff…

Port forwarding is required when users from outside your network need unsolicited access to a resource inside your network. By unsolicited, I mean that the service inside your network has absolutely no idea the outside user exists, or where they are coming from, but they should have access anyway. That sounds fairly abstract, I know. Let me give you a real-world example.

Christina is a web-design student. In order to work on her class projects she needs a web server. Christina has a couple of options – she can sign up for hosting from a company like Dreamhost, or she can set up a free web server on a computer in her own home. Christina doesn’t have a lot of money to spare, but she’s tech savvy so she installs WAMP on a spare desktop, and can access it from her laptop on her home network using the web address http://192.168.1.100. I didn’t bother making that URL “clicky” because it isn’t really going to work. You aren’t going to be able to see Christina’s work using that address unless you click on it while connected to her home network. The reason is that all addresses in the 192.168.x.x range are private addresses reserved by IANA, and that range is not routed over the public internet.

Christina can access her website when connected to her home network, but she can’t see it from school yet. She needs to configure her router, the device sitting between her home computer and her internet service provider, to recognize certain incoming network traffic and forward that traffic to the spare desktop computer where WAMP is installed. By “certain incoming network traffic”, I mean incoming HTTP (web) traffic, for which TCP port 80 is reserved.

Armed with this information, Christina logs into her home wireless router using the address http://192.168.1.1 which is the default address for just about any residential router. There’s a port-forwarding section where multiple forwarding rules can be created. She creates a new rule that looks something like this (it will look slightly different on your router):

Application: HTTP
Start: 80
End: 80
Protocol: TCP
IP Address: 192.168.1.100

What this rule says is that if an unsolicited TCP connection is requested from outside the network on TCP port 80, forward that request to the computer at 192.168.1.100 on the inside of the network. Once Christina saves her settings and restarts her router, the rule is in effect and all the pieces are in place for Christina to access her home web server from her laptop while she’s at school.

But wait! What address should Christina use to get there? Remember that http://192.168.1.100 only works when she’s on the same network as her web server. Christina needs to find out the “public IP” assigned to her by her internet service provider. The easiest way to do this is to visit What is My IP or ask Google while connected to her home network. These sites will echo the address you appear to reach them from. Christina discovers her IP address is 69.26.23.22 (this is not Christina’s address, it’s random), so when she’s at school she can simply type http://69.26.23.22 in her web browser and, voila! She is able to view the website hosted on her desktop computer at home from school (or anywhere else in the world with internet access).
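As an added example (written for this post, not code from the post or from any router vendor), here is a small Python model of the forwarding table the rule above lives in. It evaluates the rule against sample inbound connections the way a router does, refuses a rule whose target is not a private LAN address (the 192.168.x.x point from earlier), and lists what a rule set opens to the internet. The second rule and the sample connections are constructed.

```python
import ipaddress
from dataclasses import dataclass


def is_lan_address(ip):
    """True for RFC 1918 and other non-routable ranges, e.g. 192.168.1.100."""
    return ipaddress.ip_address(ip).is_private


@dataclass(frozen=True)
class ForwardRule:
    """One row of the router's port-forwarding table, same fields as the post."""
    application: str   # label only; the router does not act on it
    start: int         # first external port the rule covers
    end: int           # last external port the rule covers (inclusive)
    protocol: str      # "TCP" or "UDP"
    ip_address: str    # LAN host that receives the forwarded connections

    def __post_init__(self):
        if not 1 <= self.start <= self.end <= 65535:
            raise ValueError(f"bad port range {self.start}-{self.end}")
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        # A forwarding target must be an address on the LAN side of the router.
        if not is_lan_address(self.ip_address):
            raise ValueError(f"{self.ip_address} is not a private LAN address")

    def matches(self, protocol, port):
        return protocol == self.protocol and self.start <= port <= self.end


def forward_target(rules, protocol, dst_port):
    """Where the router sends an unsolicited inbound connection: the LAN host
    of the first matching rule, or None when nothing matches and it is dropped."""
    for rule in rules:
        if rule.matches(protocol, dst_port):
            return rule.ip_address
    return None


def exposed_services(rules):
    """One entry per rule: (protocol, start, end, target). Everything listed
    here is reachable by anyone on the internet, so it must be kept patched."""
    return sorted((r.protocol, r.start, r.end, r.ip_address) for r in rules)


# Christina's rule from the post, plus a constructed UDP rule for contrast.
RULES = [
    ForwardRule("HTTP", 80, 80, "TCP", "192.168.1.100"),
    ForwardRule("Game", 27015, 27020, "UDP", "192.168.1.50"),
]

if __name__ == "__main__":
    # Constructed sample connections arriving at the router's public side.
    for proto, port in [("TCP", 80), ("TCP", 443), ("UDP", 27016), ("TCP", 27016)]:
        print(f"{proto}/{port} -> {forward_target(RULES, proto, port) or 'dropped'}")
    print("exposed:", exposed_services(RULES))
```

Running the file prints where each sample connection lands; TCP/80 reaches 192.168.1.100, everything without a rule is dropped. The `exposed_services` summary is the part worth re-reading now and then, because every line in it is a service that the whole internet can talk to.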

Okay, I’ve glossed over a lot of details here so that I could illustrate the basics, but there’s one little hiccup Christina is bound to experience. Internet service providers for residential customers rarely give you a static IP address. This means that eventually the public IP Christina uses to connect to her home network will probably change. There is no warning; eventually she will just receive a new IP address from her ISP, and if she’s out and about when this happens, then she’ll have no idea how to access her website until she gets home again.

Enter Dynamic DNS! What is Dynamic DNS? DDNS is a service provided by a third-party like No-IP which allows you to register an easy to remember address like Christina.no-ip.org. Using their service, Christina.no-ip.org will always point to Christina’s home network no matter how many times her public IP address is re-assigned by her ISP.

How does DDNS work? From a high level it’s pretty simple. A small program is installed on any computer on Christina’s home network, and Christina enters her DDNS credentials in its settings. From here on out, this little program will periodically check in with the DDNS provider, and each time it does the provider “sees” the source address of that check-in, which is Christina’s public IP. If the source address is different from the last check-in, they update their records to ensure that Christina.no-ip.org always points to the last known IP address of Christina’s home network.
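The check-in loop just described, as an added example in Python. Neither side is No-IP’s real client or server; the update key and the timeline of public addresses are constructed, and the reply codes borrow the names used by the common DynDNS-style update API (good, nochg, badauth).

```python
import hmac


class DDNSProvider:
    """The provider side: per hostname, the update key set at registration
    and the last public IP seen. Illustrative only, not No-IP's service."""

    def __init__(self):
        self.keys = {}       # hostname -> update key (constructed secrets)
        self.records = {}    # hostname -> last known public IP
        self.updates = 0     # how many times a record actually changed

    def register(self, hostname, update_key):
        self.keys[hostname] = update_key

    def check_in(self, hostname, update_key, source_ip):
        """Handle one check-in from the home network. source_ip is the
        address the request arrived from (the router's public IP after NAT),
        never a value the client typed in."""
        expected = self.keys.get(hostname)
        if expected is None or not hmac.compare_digest(
                expected.encode(), update_key.encode()):
            return "badauth"      # without this anyone could repoint the name
        if self.records.get(hostname) == source_ip:
            return "nochg"        # same address as last time: nothing to do
        self.records[hostname] = source_ip
        self.updates += 1
        return "good"

    def resolve(self, hostname):
        """What a DNS lookup of the hostname would return right now."""
        return self.records.get(hostname)


def run_checkins(provider, hostname, update_key, public_ips_over_time):
    """The small program on the LAN, checking in once per interval. Each
    element is the public IP the ISP has assigned at that moment, which is
    what the provider sees as the source address of the check-in."""
    return [provider.check_in(hostname, update_key, ip)
            for ip in public_ips_over_time]


if __name__ == "__main__":
    ddns = DDNSProvider()
    ddns.register("christina.no-ip.org", "update-key-from-settings")  # constructed
    # Constructed timeline: the ISP changes the address before the third check-in.
    print(run_checkins(ddns, "christina.no-ip.org", "update-key-from-settings",
                       ["69.26.23.22", "69.26.23.22", "198.51.100.7"]))
    print(ddns.resolve("christina.no-ip.org"))
```

The provider records only the address the check-in came from, which is why the client needs no idea what its public IP is; and a check-in with the wrong key changes nothing, which is why the credentials matter as much as the hostname.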

I hope you found this information helpful! It is just one example of the many, many reasons you may need to configure port forwarding. Other reasons include…

  • Gaming – some internet-enabled games require special port-forwarding rules
  • File Sharing – some file sharing programs only work if you forward designated ports. Remember though, sharing digital movies and music is almost always illegal!
  • Security – Networked IP cameras and video management systems almost always require port-forwarding rules for remote access


February 14, 2012 at 4:00 pm

Website Redesign & More

You may have noticed that the website looks a little different. Well, I finally came up with my very first logo! Now that I have it, it’s time to build my site around that style and color scheme! My goal with the logo and website design is to reflect how I feel about technology, and how I prefer to run my business; with a playful sense of professionalism.

You can expect to see little changes here and there over the coming weeks, especially in the service menu where I’ll be re-evaluating the way services are charged. I believe that flat-rate repairs are where it’s at. Paying by the hour is scary from the customer’s perspective, so I will continue to offer flat-rate service.

I’ve noticed a couple of service providers that are now offering what I would classify as insurance plans. The idea is that you pay some amount of money each year which covers just about all your possible computer service needs (minus parts of course). I’m a big fan of this idea, and I believe it to be especially valuable for families with teens who are likely to infect their computer(s) with a virus at least a couple times a year.

Finally, I want to make a shout out to the owner and team over at Happy Hamster Computer Repair. It probably seems counter-productive to promote a competing computer repair shop, but after reading through their site and blog I have to say I was impressed. If you are looking to buy a computer, or prefer to work with a well-established local computer repair shop, they are a wonderful option. They seem to have a great work ethic, highly skilled technicians, and customer service is their top priority. If I was in the market for a new day-job, I would compete for the next available position there or attempt to build up my own business on the same tenets.

That’s all for now, happy computing!

/Josh

February 12, 2012 at 2:07 pm

Update

Fixit is still providing the same great service, but is now located on the west side in Beaverton! The news is coming a little late since we moved last May, but we will be moving within Beaverton next month to a new location closer to my day job.

Speaking of my day job, last year my job title changed to Senior Support Engineer since I made the lateral shift from System Administrator. This has really freed up my time after-hours since I am no longer on the hook for critical systems issues when I’m not “on the clock”.

I have an awfully embarrassing confession to make. At some point last year FixitPNW was hacked. Yes, I was hacked. No one is immune! I had another domain hosted for an old online gaming team I was a part of in my teens called Apocalyptic Visions. I had found an old backup of the site and put it up for nostalgia. It was a (very geeky) Counter-Strike clan site which used an old version of phpBB for the forum which I didn’t bother to update since the site wasn’t in use anymore.

Well, it turns out the forum was so outdated that there were known security flaws that had been exploited in order to gain access to a user account which was also used on FixitPNW.com. With root access to the site, they successfully defaced it.

I have learned my lesson however. Any of my sites that use a third-party CMS like WordPress or Drupal, or that use forum software, are kept up-to-date. I’ve also verified that all hand-built sites use the best strategies to avoid cross-site scripting (XSS) and SQL injection, including refreshing session IDs and sanitizing all untrusted input such as cookies and GET/POST variables.
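The three measures just listed, as an added example in Python with sqlite3 (illustrative code for this post, not the PHP of the author’s sites; the user table and the inputs are constructed): a lookup that pastes the request value into the SQL text beside one that binds it as a parameter, output escaping before a value reaches HTML, and a session store that issues a fresh session ID at login.

```python
import html
import secrets
import sqlite3


def make_db():
    """In-memory table with constructed rows, standing in for a site's users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("christina", "hash-a"), ("josh", "hash-b")])
    return db


def find_user_unsafe(db, name):
    """The 'before': the untrusted GET/POST value becomes part of the SQL
    text, so a value containing a quote changes the meaning of the query."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(query)]


def find_user_safe(db, name):
    """The 'after': the value travels as a bound parameter. It can only ever
    be compared with the column; the database never parses it as SQL."""
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def greeting_html(name):
    """Escape before interpolating into markup, so a value such as <script>
    is displayed as text rather than executed by the browser (the XSS case)."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


class SessionStore:
    """Sessions keyed by a random ID. The ID is replaced when the session's
    privilege changes (login), so an ID handed out before login is useless
    to anyone who obtained it."""

    def __init__(self):
        self.sessions = {}   # session id -> session data

    def new(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        data = self.sessions.pop(old_sid)     # the old ID stops working
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"     # constructed input containing a quote
    print("unsafe:", find_user_unsafe(db, tampered))   # every row comes back
    print("safe:  ", find_user_safe(db, tampered))     # nothing matches
    print(greeting_html("<b>josh</b>"))
    store = SessionStore()
    before, after = (sid := store.new()), store.login(sid, "christina")
    print(before != after, store.user_for(before), store.user_for(after))
```

The two lookups take identical input; only the unsafe one lets that input change the query. The same rule covers cookies: nothing that arrived from the client is trusted until it has been bound, escaped, or validated.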

Security is a constantly evolving topic. As such it is my mission to stay on top of the latest in web security, and to always build with security in mind instead of implementing security as an afterthought. Like Mulder said in one of my favorite old TV shows, “Trust No One”.

February 9, 2012 at 10:40 am

Day-job Projects

I returned from my week-long trip to Denmark on April 2nd. While I was there I worked with my counterpart at HQ to plan our upgrade from Active Directory 2003 to 2008 which we completed on the 9th. The upgrade process started at 7am PDT with us backing up our existing servers using a couple different methods just in case one of them failed. The backup process alone took 4-5 hours! In total we spent 15 consecutive hours on a Saturday to get all Domain Controllers up to date.

Now I’m on to project #2 where we are connecting a new 1st floor office to our main office on the 4th floor. We have a contractor doing the wiring, so my job is to configure the network so that the user and VoIP VLANs are available in the new office. The offices will be connected by three pairs of fiber connected to gigabit layer 2/3 switches. Last night I spent an extra 5 hours at work getting our backbone configured to add the downstairs switch. Unfortunately we are using D-Link equipment, so it is a bit difficult to find information about certain features, and they use slightly different terminology than Cisco equipment.

I was able to get the two backbone switches into stacking mode, and got limited connectivity to the downstairs switch. Tonight I will be staying late again to polish up the setup and test that workstations, IP phones, and the camera lab works. If so, then we will be on schedule for our support department to move into the new office on Monday!

Needless to say, the long hours at my day-job mean that I have little time for anything else. What spare time I have, I am spending with my fiancée, Amanda, who proposed to me in Newport after I returned home from Denmark! These projects will be completed soon though, and I’m looking forward to having more time to put into FixIT 🙂

April 12, 2011 at 9:08 am

Travelling Next Week

I am leaving for Denmark on a business trip tomorrow so I will not be available again until Sunday, April 3rd. If you have any non-urgent problems, please feel free to contact me by e-mail or leave a voicemail for me!

March 25, 2011 at 8:43 am

Computer Techs Required to Report Child Pornography

I heard some interesting news on the radio during my commute this morning. House bill 2463 is nearly ready to be signed into law. The bill requires computer techs like myself to report child pornography to the authorities along with the customer’s name and address when those images are discovered while providing prescribed services. Here is an excerpt from the amended bill which is now awaiting senate approval:

A person commits the crime of failure to report child pornography if the person, in the course of processing or producing a photograph, motion picture, videotape or other visual recording, either commercially or privately, has reasonable cause to believe that the visual recording being processed or produced, or submitted for processing or production, depicts sexually explicit conduct involving a child and fails to report that fact to the appropriate law enforcement agency.

Some consider this an invasion of privacy, but the bill doesn’t grant computer techs the right to “snoop” through your files. It is clearly stated that the law will only apply if sexually explicit photographs or video are discovered through normal work processes. No one is being granted permission to actually go looking for illegal content, and no one is allowed to monitor systems in any way either. Section 4 of the bill explains that computer techs shall be immune from liability unless their method of finding the illegal content is considered misconduct…

Any person, their employer or a third party complying with this section in good faith shall be immune from civil or criminal liability in connection with making the report, except for willful or wanton misconduct.

If you have photos of your children naked in the tub or running around the living room topless, you need not fear being reported. The definition of child pornography is very specific. Photos or videos are only considered child pornography if they depict “sexually explicit conduct involving a child”. Failure to report such content would be a class A misdemeanor and punishable by one year imprisonment or a $6,250.00 fine, or both.

I’m glad to see that computer techs are being protected by the law for reporting this kind of thing, but I’m a bit ashamed that we need a law to specifically protect us for it. You can read more about house bill 2463 here.

Obviously I’m for this bill being passed into law, but I can see why some people might consider it an invasion of privacy, totalitarian, or a bit “1984”. How do you feel about this becoming law?

March 17, 2011 at 1:06 pm

Secure Erase vs DBAN

This article is a follow-up to this one about using DBAN (Darik’s Boot and Nuke) to securely wipe all information off of your hard drive. I was recently reminded of a utility called Secure Erase which is actually much better at the job than DBAN.

Secure Erase is a free tool issued by the Center for Magnetic Recording Research (CMRR). The most interesting thing about the tool is that it doesn’t actually do any disk wiping itself – the tool sends a command to your hard drive and your hard drive takes it from there.

There are committees which govern the specifications for various computer hardware interfaces, and the ones responsible for the ATA and SCSI interfaces (for hard drives) were requested by the US government to include a secure disk wiping option in the command set for all hard drives. So now, any hard drive which is about 15GB or more in size has this built-in program to wipe all the data on the drive when a specific command is received.

I’ve found Secure Erase to run MUCH faster than DBAN (about an hour or less in most cases), but the most important difference is that DBAN and other similar tools will not wipe information off of areas of your hard drive that have been determined to be “bad”. These bad sectors can often be recovered without too much effort, and any data in them could be read even if the disk was wiped.

The Secure Erase command, however, will wipe the entire disk from beginning to end regardless of whether a sector is bad or not. So let’s see – it’s faster, and more effective. I’m thinking Secure Erase is a big win over DBAN.

DBAN still has its place though, as it is capable of wiping USB attached drives and flash drives. Since Secure Erase sends a very specific command to directly attached hard drives, it won’t work with external USB or FireWire attached drives, or anything that isn’t considered a “hard drive” like a USB flash drive, memory card, etc.
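Before relying on a drive’s built-in erase, it is worth confirming what the drive itself reports about the feature. The added example below (written for this post, not part of the CMRR tool) parses the Security section of `hdparm -I`, the Linux utility that issues the same ATA SECURITY ERASE UNIT command, and reports whether an erase can proceed. The three report texts are constructed samples laid out like hdparm’s output, not captures from real drives.

```python
import re

# Constructed samples modelled on the "Security:" section of `hdparm -I`.
REPORT_READY = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t60min for SECURITY ERASE UNIT. 60min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)
# Same drive after a BIOS that freezes the security feature set at boot.
REPORT_FROZEN = REPORT_READY.replace("\tnot\tfrozen", "\t\tfrozen")
# No Security section at all, as seen through many USB bridges.
REPORT_NO_SECURITY = "Checksum: correct\n"

FLAG_NAMES = ("supported", "enabled", "locked", "frozen")


def parse_security(report):
    """Return ({flag: bool}, erase_minutes) read from the Security section.
    Lines in that section are 'name' or 'not name'; the time line is parsed
    with a regex. Flags default to False when the section is absent."""
    flags = {name: False for name in FLAG_NAMES}
    flags["enhanced"] = False
    minutes = None
    in_section = False
    for line in report.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break                                  # next top-level section
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"
        key = words[1] if negated else words[0]
        if key == "supported:" and "enhanced" in words:
            flags["enhanced"] = True
        elif key in FLAG_NAMES:
            flags[key] = not negated
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", line)
        if m:
            minutes = int(m.group(1))
    return flags, minutes


def erase_readiness(report):
    """Human-readable verdict on whether the drive will accept the command."""
    flags, minutes = parse_security(report)
    if not flags["supported"]:
        return ("unsupported: no ATA security feature set is visible (common "
                "behind USB/FireWire bridges); fall back to an overwrite tool like DBAN")
    if flags["frozen"]:
        return ("frozen: the BIOS froze the security feature set at boot, so the "
                "drive refuses the erase until it is unfrozen (commonly a suspend/resume cycle)")
    if flags["locked"]:
        return "locked: a user password is set and must be supplied before erasing"
    kind = "enhanced" if flags["enhanced"] else "normal"
    return f"ready: {kind} erase supported, drive estimates {minutes} min"


if __name__ == "__main__":
    for name, report in [("ready", REPORT_READY), ("frozen", REPORT_FROZEN),
                         ("usb", REPORT_NO_SECURITY)]:
        print(f"{name}: {erase_readiness(report)}")
```

The "frozen" case is the one that surprises people: the drive supports the command but will not accept it until the host unfreezes it, which is also why an erase attempted from the wrong environment appears to do nothing.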

You can find more information, and download Secure Erase here.

March 17, 2011 at 12:15 pm

Video Surveillance Today

Remember those late nights watching Cops? They would show video of convenience store robberies where the images were so grainy and of such poor quality that you sometimes couldn’t tell whether the robber was a man or a woman. Most of the time these videos could not actually be used to identify the perpetrator. All they were good for was to record a series of events. Fortunately video Surveillance has come a long way since then. Not only can surveillance cameras be used to reliably identify a person, but they can be used for facial recognition, license plate recognition, and even behavioral analytics to detect loitering, slip and falls, tailgating and more.

If you are looking to set up video surveillance for your home or business, you first need to consider exactly what it is you want to record. Some of the things you should consider are…

  1. Daytime or nighttime recording, or both?
  2. Do you need to be able to identify people? From what distance? Do you need detail, or do you just need to know your house isn’t on fire?
  3. Do you want to be able to look in all directions, or do you want fixed camera views?
  4. How long do you want to store recorded video?
  5. Do you want to view recorded video on your computer, or over the internet on another computer or mobile device (iPhone, iPad, Android, BlackBerry etc.)
  6. Wired or wireless cameras?
  7. Do you want to integrate with your door and window sensors?
  8. Do you want e-mail alerts when motion is detected or doors are opened?

For a simple but flexible solution you can pick up an out-of-the-box solution from Lorex or Q-See for roughly $500 which includes an 8-channel DVR with 4 cameras included, and an LCD monitor to display them. You can add 4 additional cameras, and view video locally, or over the internet from a computer or iPhone. This system is great for basic surveillance needs, and has a low cost of entry. If you want more advanced features like integration with door/window sensors, lights, pan/tilt/zoom (PTZ), e-mail alerts or the ability to record on specific events like when a door is opened at a certain time of day or night, then you’ll need to invest a bit more into the system.

The best way to accomplish the kind of surveillance system described above, in my experience, is to use IP cameras and video management software. IP cameras could be considered “smart” surveillance cameras. They all run a flavor of Linux and can be directly controlled from your computer for viewing or configuration using a built-in web server. Most of the time they can be set up with their own motion detection rules and alerts, but the video management software you choose can usually do this on its own. If that isn’t cool enough, they typically deliver a higher quality image than analog cameras. It is not uncommon now for IP cameras to have 5 megapixel image sensors.

Some IP cameras, like those from Mobotix, can be configured to record on motion to an SD card or to your computer. If you want more flexibility than that, you can pick up free video management software which supports the most common needs of an entry-level surveillance system, or you can explore some of the many options out there which range from “dirt-cheap” to “you want how much?”. Just remember, you get what you pay for!

For the last five years I have worked for a video management software company. In my time here I have set up license plate recognition for an airport parking garage in the Midwest, played with facial recognition, assisted with data recovery for criminal investigations, and helped members of various government organizations. If you ever have any questions, or need help setting up a surveillance system for your home or business, now you have a friend in the surveillance business!

March 7, 2011 at 11:30 am

When Delete Isn’t Good Enough

If you’ve already read this article about data recovery, then you know that when you delete files on your computer they are not gone forever. If you haven’t, then this news may come as a shock: when you delete files, whether you use Windows or Mac or Linux, they can be found and recovered unless you perform a secure erase using third-party software. This is because when you delete a file, you are simply giving the operating system permission to write new files over the space where the file is located.

When computer owners retire an old computer after an upgrade, they often drop it off at Goodwill or sell it on Craigslist without thinking much about what’s on the hard drive. Do you file your taxes electronically? Do you bank and shop online? If so, your passwords, credit card numbers, and social security number could be stolen by even amateur computer enthusiasts using free data recovery tools. Before you sell, donate or give away old computers (even “broken” ones), you should “wipe” the drive(s) clean. There are many tools out there for this, but the crowd favorite by a wide margin is Darik’s Boot And Nuke, aka DBAN.

DBAN sanitizes your hard drive by writing patterns of “garbage” data across the entire hard drive several times. Think of it like taking a Sharpie to the pages of a book, making it completely unreadable. The process is simple, but can take hours. Start by downloading the latest version, then burn the ISO file to a CD. Make sure to back up your important data, because you won’t be able to recover it after running DBAN! When you’re ready, reboot the victim-computer with your DBAN CD inserted. Here is what the process looks like…

  1. Type "autonuke" and press enter, unless you want to experiment with settings, in which case simply press enter at the prompt...
  2. Using autonuke, DBAN will automatically find your hard drive and start wiping it...
  3. In potentially several hours, the process will be complete and you can shut down the computer.
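A toy disk, as an added example written for this post (not code from DBAN), to show why the steps above end in a full-device overwrite: deleting a file only drops its directory entry, a raw scan still finds the bytes, a later file may happen to overwrite them, and a wipe pass overwrites everything whether or not the directory says it is in use. The file contents are constructed.

```python
import os


class ToyDisk:
    """A flat byte array plus a directory, enough to show why delete is not
    erase. Simplified: no blocks, no journal; 'free' is a list of ranges
    that delete() released and write_file() may reuse (first fit)."""

    def __init__(self, size):
        self.blocks = bytearray(size)
        self.directory = {}    # file name -> (offset, length)
        self.free = []         # released ranges, reusable by later writes
        self.next_free = 0     # start of the never-used tail of the disk

    def _allocate(self, length):
        for i, (off, size) in enumerate(self.free):
            if size >= length:
                remainder = (off + length, size - length)
                self.free[i:i + 1] = [remainder] if remainder[1] else []
                return off
        if self.next_free + length > len(self.blocks):
            raise OSError("disk full")
        off, self.next_free = self.next_free, self.next_free + length
        return off

    def write_file(self, name, data):
        off = self._allocate(len(data))
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        return off

    def read_file(self, name):
        off, length = self.directory[name]
        return bytes(self.blocks[off:off + length])

    def delete(self, name):
        """What the OS does: drop the directory entry and mark the range
        reusable. Not one data byte is touched."""
        self.free.append(self.directory.pop(name))

    def carve(self, marker):
        """What a recovery tool does: ignore the directory and scan the raw
        bytes for recognisable content. Returns every offset it appears at."""
        hits, start = [], 0
        while True:
            i = self.blocks.find(marker, start)
            if i == -1:
                return hits
            hits.append(i)
            start = i + 1

    def wipe(self, passes=3):
        """What DBAN does: overwrite every byte of the device several times,
        regardless of what the directory says is in use, then leave it zeroed."""
        for _ in range(passes):
            self.blocks[:] = os.urandom(len(self.blocks))
        self.blocks[:] = bytes(len(self.blocks))
        self.directory.clear()
        self.free.clear()
        self.next_free = 0


def demo():
    """Returns what a raw scan finds after delete, after reuse, after wipe."""
    disk = ToyDisk(64)
    secret = b"SSN=123-45-6789"                  # constructed sample content
    disk.write_file("taxes.txt", secret)
    disk.delete("taxes.txt")
    after_delete = disk.carve(b"SSN=")           # directory gone, bytes remain
    disk.write_file("notes.txt", b"buy milk, eggs.")   # reuses the released range
    after_reuse = disk.carve(b"SSN=")            # only now is the secret gone
    disk.write_file("taxes2.txt", secret)
    disk.delete("taxes2.txt")
    disk.wipe()
    after_wipe = disk.carve(b"SSN=")             # wipe ignores the directory
    return after_delete, after_reuse, after_wipe


if __name__ == "__main__":
    print(demo())
```

The middle result is the important one: the secret survived the delete and only disappeared because an unrelated file happened to land on the same bytes. A drive you are giving away has no such guarantee for any of its files, which is what the wipe pass provides.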

Of course… if you plan to recycle the computer through an E-Cycle program you can pull the hard drive out of the computer and simply take a hammer to it. The grey dust and chunks that come out of the hard drive are the remnants of the glass/steel platters that used to store all your files. Not only is it the most secure way to destroy the data on a hard drive, but it’s a lot more fun!

March 3, 2011 at 11:00 am

FixIT Yourself – Free Antivirus and Diagnostics

Yesterday I shared with you a free hard drive diagnostic utility from Seagate called SeaTools. Today I want to share with you the first of two free antivirus boot-disks. I like this one from AVG because not only does it automatically update itself with the latest virus definitions, but it bundles MemTest86+ to test your computer’s memory for problems, along with a few other useful tools including a ping utility, file recovery utility, and registry editor for advanced users.

You can download the AVG Rescue CD (get the ISO version), and burn it to CD using ImgBurn or your CD burning program of choice. See my previous post for steps on creating a CD from an ISO file. Obviously if you have an infected computer, you will probably need to do this on a different computer unless you are able to work around the problems associated with your virus infection (pop-ups, slowness, crashes etc). Once you have the disk, simply insert it into the infected computer and reboot. From here the process is simple and straightforward. The AVG Rescue CD starts up, asks you to update the virus definition database from the internet, then you run a scan and do what you wish with the results (DELETE!).

If you’re still a bit skittish, I’ve put together a slideshow of what the process should look like. Enjoy!

  1. Press Enter at the first screen to launch the AVG Rescue CD with default settings...
  2. Accept the license agreement...
  3. Choose Yes to download the latest virus definitions...
  4. Choose Online and press enter...
  5. Highlight "priority 4" and press the space bar to select, then press enter...
  6. The latest updates will be downloaded, which can take a few minutes...
  7. Choose Scan...
  8. Choose Volumes...
  9. Highlight each volume and press the spacebar to select, then press enter...
  10. Select these options for a thorough scan...
  11. Go grab a bite to eat while AVG scans your computer. This can take a while!

March 2, 2011 at 12:00 pm



Beaverton, OR

Josh Hendricks
971-217-8489
josh@fixitpnw.com

Hours:
  • Weekdays after 4pm
  • Weekends any time