IPAddr

What is a DMZ

Using a DMZ is a very simple and risky way to forward ports. The DMZ takes the IP address of a computer on your network and forwards all ports to that computer. This is really nice if you are having problems forwarding ports for some program, and it can be a life saver if your router will not let you forward ports properly. It also has a huge downfall: the computer in the DMZ is now wide open to internet traffic, meaning it will catch viruses and be at risk of being hacked. If you put a computer into the DMZ, please install a software firewall to help protect it.

Domain Blocking

Domain blocking is very similar to URL blocking. URL blocking allows or prevents computers from accessing certain websites. Domain blocking allows or prevents certain computers from accessing anything from certain domains.

You really have two options with domain blocking: you can allow or deny by default. If you allow by default, you are allowing access to everything, and you then specify certain domains to prevent access to. Most routers use keywords to block domains, and the more specific you can make these keywords the better. If you want to block funforless.com, use the keyword funforless. This will block any domain name with funforless in it, so it would block funforless.com, but it would also block bobsfunforless.com. The shorter the keywords, the more domains will be blocked. Let's say we chose fun, for, and less for our keywords. That would block funforless.com as well, but it would also block sportsfun.com, newsforteens.com, and skatefunpark.net. Keep in mind this is not only blocking access to websites. It also blocks FTP access, P2P access, news, everything to those domains. So be careful with this tool.

If you deny by default, you are denying access to every domain. This is a good thing to do if you want your users to access only certain websites. This uses keywords as well: everything is denied by default, and then you specify the domains you want to allow access to. It is as simple as that. Let us say you want to allow your users to view MSN.com. Just specify the keyword msn. Keep in mind that this will allow them to access every domain with msn in it.
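To see how much a keyword actually catches, here is an added example (not the router's own code) implementing the substring matching described above, with both the allow-by-default and deny-by-default policies; the domain list is constructed from the page's own examples.

```python
"""Keyword-based domain blocking as routers do it: each keyword is matched as a
substring of the requested domain name. Allow-by-default means a keyword hit
blocks the domain; deny-by-default means a keyword hit permits it."""


def keyword_matches(domain: str, keywords: list[str]) -> list[str]:
    """Return every keyword that occurs somewhere in the domain name (case-insensitive)."""
    d = domain.lower()
    return [k for k in keywords if k.lower() in d]


def is_allowed(domain: str, keywords: list[str], default_allow: bool) -> bool:
    """Apply the router's policy to one domain."""
    hit = bool(keyword_matches(domain, keywords))
    return (not hit) if default_allow else hit


def collateral(keywords: list[str], intended: set[str], observed: list[str]) -> list[str]:
    """Domains in observed traffic that the keywords catch but the administrator
    did not intend to block: the over-blocking that short keywords cause."""
    return [d for d in observed if keyword_matches(d, keywords) and d not in intended]


# Constructed sample of domains seen on the network, built from the page's examples.
OBSERVED = ["funforless.com", "bobsfunforless.com", "sportsfun.com",
            "newsforteens.com", "skatefunpark.net", "msn.com", "example.org"]

if __name__ == "__main__":
    # Specific keyword: only the extra funforless domain is caught.
    print(collateral(["funforless"], {"funforless.com"}, OBSERVED))
    # Short keywords: three unrelated domains are caught as well.
    print(collateral(["fun", "for", "less"], {"funforless.com"}, OBSERVED))
    # Deny-by-default with keyword msn: only domains containing msn get through.
    print([d for d in OBSERVED if is_allowed(d, ["msn"], default_allow=False)])
```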

Filtering

In order to understand what IP filtering does, you need to have a general idea of what a network is. I will try to lay out the components of a network in a simple yet honest fashion. Once that has been done, I will tell you what IP filtering does. If you have a good working knowledge of networking, or have read this before, by all means skip to the end.

Let's start with a very general network.

In the network we have one router/firewall and three computers. The router/firewall on this network provides internet access to the three computers below it. Any data (information) that flows to or from your network is referred to as traffic, so when you send an email, traffic is created on your network. The router's primary job is to route the traffic that is flowing to and from your network. We will go over this in more detail later on.

Let's take another look at this general network.

This network is divided up into two parts. The WAN (Wide Area Network) is represented in this figure by a blue circle. The LAN (Local Area Network) is represented by a green circle. These networks are kept separate by your router. Computers on the WAN (the internet) cannot directly communicate with the computers on the LAN (your network), and computers on the LAN cannot directly communicate with computers on the WAN. When a computer on the WAN wants to communicate with a computer on the LAN, the computer on the WAN must send the data to your router. The router then passes that data on to the computer in your LAN. The same thing is true for a computer on your LAN. When a computer on your LAN wants to send data to a computer on the WAN, it passes the data to the router. The router then sends that data out on the internet. The router needs to know where it is sending the data before it can send it to the right place.

I'm going to talk about MAC addresses and IP addresses. Every device that can connect to the internet has a MAC (Media Access Control) address. A MAC address is sometimes called a physical address. It is called a physical address because every physical component that connects to the internet has one; you can consider it physically labelled onto the device. As far as we are concerned, the MAC address never changes, and never changing gives it another property that resembles a physical component.

By itself the MAC address is not all that useful, because computers cannot communicate with just a MAC address. They need an IP address as well. The IP address is a set of numbers that is bound to the MAC address. Usually the IP address is bound when the device is turned on. When you boot your computer, it goes on the internet by obtaining an IP address and binding it to the MAC address of your network card. Along with the IP address it also gets the default gateway. The default gateway is the IP address of the router. Now the computer knows how to send information to the internet (through the router), and the router knows how to send information to your computer (to your IP address). One other thing your computer gets when it boots up is a subnet mask. The subnet mask basically tells your computer how many other IP addresses are in the group of IP addresses it belongs to. If you want to know more about subnets, take a look at our Subnetting page. Now let's go ahead and assign IP addresses and MAC addresses on our network. I'm going to leave the subnets off. The default gateway for all the computers on this network is the internal IP address of the router.

In the picture above the IP addresses are the numbers that have the 10.0.0.x form, and the MAC addresses have the xx-xx-xx-xx-xx-xx form. These are the standard forms of MAC addresses and IP addresses. The numbers will be different for every network, but MAC addresses will always have dashes and IP addresses will always have periods. Take note that your router has two IP addresses and two MAC addresses. One of your router's IP addresses is an external IP address; the other is an internal IP address. You can think of these two addresses as doors. The external IP address is a door into your network from the internet. The internal IP address is a door from your network to the internet. When a computer on your network wants to send data to the internet, it actually sends the data to the internal IP address of your router. The router then passes that data out onto the internet. When a computer on the internet wants to send data to a computer on your network, it sends the data to your router's external IP address. The router then decides whether it should send that data on to a computer on your network.

IP Filtering

IP filtering is very simple. You can do two things with IP filtering. First, you can prevent certain IP addresses from accessing the internet. Second, since every IP address has ports, IP filtering can also block certain ports from accessing the internet. I'm going to break this explanation down into two sections, because IP filtering can do two completely separate things.

Preventing an IP address from accessing the internet

IP filtering allows you to prevent a single IP address or a range of IP addresses from accessing the internet. Doing this will prevent them from getting email, viewing web pages, using P2P software, FTPing files, basically doing anything internet related. While this sounds pretty powerful, it is actually pretty worthless. Let's say that you prevent someone on the IP address 192.168.1.5 from accessing the internet. It is very easy for them to change their IP address. If they changed it to something like 192.168.1.6 they would have full access to the internet. Blocking a range of IP addresses does not really help out either. They would only have to steal the IP address of a computer that had internet access to regain their internet access. If you want to prevent certain computers from accessing the internet, you would be much better off using a MAC filtering option. With MAC filtering you can specify which MAC addresses you want to allow to connect to the internet. MAC addresses are physical addresses, and very hard to change.

The real power of IP filtering comes with the ability to block ports. Let's say that you want to prevent coworkers from using BitTorrent at work. All you would have to do is specify all IP addresses, usually done with an asterisk, and then specify the port range used by BitTorrent. You wouldn't even need to specify all the ports; blocking just a couple would probably prevent it from working. Port 6969 is vital to that program. You could do the same thing for many other applications. Afraid coworkers are talking too much at work? Shut down their ICQ/AIM/Yahoo Messenger by blocking the ports required by those programs. You can do this without affecting certain people: just leave their IP addresses out of the blocked range.

Firewalling

In order to understand what a router/firewall does, you need to have a general idea of what a network is. The components of a network are laid out in the Filtering section above in a simple yet honest fashion. With that done, I will try to conceptually break down firewalling.

When we set up firewalling we are telling the router which computers (IP addresses) we will allow data to be sent to. We can define rules for data that is coming into our network and for data that is travelling out of our network.

Firewalling

Generally when you set up a firewall, you want to set it up to block everything coming into your network. Most people don't really care about what is leaving their network, because they are the ones causing the outgoing traffic to be sent. For instance, a virus-free network would almost never catch a virus if it was not plugged into the internet. Viruses come from somewhere, usually infected computers on the internet, so if you prevent those computers from sending you information, you protect your computers from viruses. The same is true for hackers. Prevent access to your network from the internet, and unless you know a hacker, you will never be hacked. So after everything is blocked, we can then go back and allow the traffic that needs to be allowed into the network. Some traffic needs to be allowed into your network, for instance for applications that require port forwarding. I'm going to write guides on how to block traffic and allow it through various routers. It has to be done per router, because every router is different. Please keep in mind the concepts presented above. Knowing them will make your configuration go much easier.
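The port-blocking rules from the IP Filtering section and the block-everything-inbound policy described here, as one added example (not any router's firmware); the 10.0.0.x addresses and the rule set are constructed for illustration, and the port lists use the same "a-b,c" form as the port table.

```python
"""Rule evaluator for IP and port filtering with a default-deny inbound policy.
A rule names a LAN IP (or '*' for all), a protocol and a port list; the first
matching rule decides, and unmatched inbound traffic is dropped."""
import ipaddress
from dataclasses import dataclass


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """'6881-6889,6969' -> [(6881, 6889), (6969, 6969)]; '*' means every port."""
    if spec == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


@dataclass
class Rule:
    action: str     # 'allow' or 'deny'
    direction: str  # 'in' (WAN -> LAN) or 'out' (LAN -> WAN)
    lan_ip: str     # LAN host address or CIDR range, '*' for every host
    proto: str      # 'tcp', 'udp' or '*'
    ports: str      # port list in table form, '*' for every port

    def matches(self, direction: str, lan_ip: str, proto: str, port: int) -> bool:
        if direction != self.direction or self.proto not in ("*", proto):
            return False
        if self.lan_ip != "*":
            net = ipaddress.ip_network(self.lan_ip, strict=False)
            if ipaddress.ip_address(lan_ip) not in net:
                return False
        return any(lo <= port <= hi for lo, hi in parse_ports(self.ports))


def decide(rules: list[Rule], direction: str, lan_ip: str, proto: str, port: int) -> str:
    """First matching rule wins. With no match, inbound traffic is dropped (block
    everything coming in) and outbound is passed (most people do not filter it)."""
    for rule in rules:
        if rule.matches(direction, lan_ip, proto, port):
            return rule.action
    return "deny" if direction == "in" else "allow"


# Constructed policy for the 10.0.0.x network used in the page's figures.
RULES = [
    Rule("allow", "out", "10.0.0.2", "tcp", "6881-6889,6969"),  # one host left out of the block
    Rule("deny",  "out", "*",        "tcp", "6881-6889,6969"),  # BitTorrent ports, everyone else
    Rule("deny",  "out", "10.0.0.4", "*",   "*"),               # one IP cut off from the internet
    Rule("allow", "in",  "10.0.0.3", "tcp", "80"),              # the only port forward let in
]

if __name__ == "__main__":
    print(decide(RULES, "out", "10.0.0.5", "tcp", 6969))  # deny
    print(decide(RULES, "in", "10.0.0.3", "tcp", 22))     # deny
```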

Program/Function | TCP Ports | UDP Ports
---------------- | --------- | ---------
ABC | 6881-6999 | -
Active Worlds | 3000,5670,7000-7100,7777 | -
Age of Empires | 2302-2400,6073 | 2302-2400,6073
AIM Talk | 5190 | -
AIM Video IM | 1024-5000 | 1024-5000
Apple Remote Desktop | 3283,5900 | 3283,5900
AudioReQuest | 80,3663,3664,4665,2020,4242 | 80,3663,3664,4665,2020,4242
Bay VPN | 500 | 500
BearShare | 6346 | -
BitComet | 12242 | -
BitTornado | 10000-10004 | 10000-10004
BitTorrent | 6881-6889 | -
Black and White | 2611-2612,6500,6667,27900 | 2611-2612,6500,6667,27900
Broadvoice VOIP | - | 69,5060-5063,10000-20000
Buddy Phone | - | 700-701
Buzz 3D VideoChat | 10529 | -
Calista IP Phone | - | 3000
CarbonCopy32 | 1023-1680 | 1023-1680
CQPhone | 24960 | -
Cu-SeeMe Cornell | - | 7648
Cu-SeeMe White Pine | - | 7648,24032
CUseeMe-CUworld | 1503,5222,5223,7648 | 7648,24032
DC++ | 1412 | 1412
Delta Three PC to Phone | 12053,12083 | 12080,12120,12122,24150-24179
Dialpad | 1584,1585,51210 | 51200,51201
DINA DVR Server | 5000 | -
DINA RMC | 1099,5000-5001,8080 | -
Direct Connect | 375-425 | 375-425
Direct Connect | 1412 | 1412
DirectX 7 | 47624 | 2300-2400
DirectX 8 | - | 2302-2400,6073
DirectX 8.1 | - | 2302-2400,6073
DVC-1000 DVC-1100 | 1720,15328-15333 | 15328-15333
Echolink | - | 5198,5199
Flight Simulator 2000 | 2300-2400,47624 | 2300-2400
Flight Simulator 2002 | 2300-2400,47624 | 2300-2400
Flight Simulator 2004 | - | 2302-2400,6073,23456
FTP | 21 | -
FW1 VPN | 259 | 259
Ghost Recon | 2346-2348 | 2346-2348
Gnutella | 6346 | 6346
Go2Call | 2090 | 2090,2091
Graal Online | 14900-14999 | 14899
Halo | 80 | 2302,2303
HTTP | 80 | -
HTTPS | 443 | -
I2P | 8887 | -
iChat | 5190 | 5190
ICQ | 5190 | 5190
ICUII | 2000-2001 | -
IL 2 | - | 21000
IPSEC | - | 500
iSpQ | 2000-2002 | -
iSpQ VideoChat | 2000-2002 | -
KALI | 2213,6666 | 2213,6666
Laplink | 1547 | 1547
Limewire | 6346 | 6346
Lingo VoIP | - | 1020-1032,5060-5065,10000-20000
Links | 2300-2400,47624 | 2300-2400,6073
Live For Speed Server | 63392 | 63392
Lock On | 10308 | 10308
Lotus Notes | 1352 | 1352
mIRC Chat | 6660-6669 | -
mIRC DCC - IRC DCC | 1024-5000 | -
mIRC IDENT | 113 | -
Moove | 9793,9795 | -
Motorola Ojo | - | 5060,5010-5017
MSN Game Zone | 6667,28800-29000 | 6667,28800-29000
MSN Game Zone (DX) | 6667,28800-29000 | 6667,28800-29000
MSN Messenger | 1863,6891-6900,6901 | 6901
MySQL Server | 3306 | -
NetMeeting 2.0 through 3.01 | 522,389,1503,1720,1731 | 1024-65535
NexusDB | 16000 | -
NTP | 123 | 123
OpenFT | 1215,1216 | 1215,1216
PalTalk | 2090,2091,2095 | 2090,2091
PC Anywhere | 5631 | 5632
Point-to-Point Tunneling Protocol | 1723 | -
POP3 | 110 | 110
Remote Anything | 3996-4000 | 3996-4000
Remote Desktop | 3389 | 3389
Secure Planet VPN | 9555 | -
Shiva VPN | 2233 | 2233
SlingBox | 5001 | 5001
SMTP | 25 | 25
SQL-Server (Microsoft) | 1433 | 1433
SSH | 22 | 22
TalkSwitch | 9393 | 5060,6000-6006,6010-6016,6020-6026,6030-6036
TeamSpeak | 14534,51234 | 8767-8768
TELNET | 23 | 23
Terminal Services | 3389 | 3389
TightVNC | 5800 (web browser), 5900 (WinClient) | -
TribalWeb | 3728 | -
Ultima | 5001-5010,7775-7777,7875,8800-8900,9999 | 5001-5010,7775-7777,7875,8800-8900,9999
Ventrilo | 3784 | 3784
VideoReQuest | 22,2992 | 22,2992
VidPhone | 3000-3005 | 3000-3005
VNC | 5500,5800,5900 | 5500,5800,5900
WinGate VPN | 809 | 809
WINMX | 6699 | -
XBConnect | 8602 | 8602
Xbox Live | 3074 | 88,3074
Xlink Kai | - | 30000
Yahoo Messenger | 80 | -