How to Configure your Port Mapping Tab
The Port Mapping Tab allows you to open your Firewall selectively.
Port Mapping is a tool that allows you to selectively open up your Airport Base Station Firewall. By default, a NAT router will not pass any unsolicited query from the internet to the machines behind it. Thus, a hacker on the internet will only get as far as the router. As long as the router itself is not compromised, all machines "behind it" are safe from exterior attacks.
Port Mapping is the process of punching holes in the Firewall to allow external machines to contact specific ports and IP addresses within your network. Thus, you can start doing things like running web-servers... yet every exposed machine is also a security risk, as external computers can (and will!) contact it, whether you publicize it or not. Besides enabling a firewall on that machine (see the Sharing control panel in OS X), I would also avoid storing any data on that machine that I wouldn't mind sharing with the rest of the world... That way, if the machine is compromised, no important data is lost.
Anyway, if running a web-server or hosting Halo multiplayer slugfests is not in your current plans, then skip to the Access Control Tab...
Using a web server as an example, internet denizens would need access to port 80 on your web-server. To connect, they would have to enter the IP address that has been assigned to your base station (unless you use a Dynamic DNS service, see below). Any queries sent to port 80 on the ABS (i.e. the "Public Port") would then be directed to the server and port number you specify (i.e. "Private Port"). Typically, it is best to use the same port numbers for public and private if you want to run a public service like a web-server. However, you can play with port numbers to enhance security for services you only want to use yourself.
But you should educate yourself on which default ports exist first. Otherwise your private port might get pestered with all sorts of "foreign" queries it won't understand.
Here are some default ports:
- 21: File Transfer Protocol (FTP)
- 22: Secure Shell (SSH)
- 25: Simple Mail Transfer (SMTP for e-mail)
- 80: World Wide Web-server
- 110: Post Office Protocol (POP for e-mail)
- etc. For a complete list, see the IANA list of port numbers.
The only potential trouble is "finding" your home network while you are away since most of us have dynamically assigned IP addresses. That is, the IP address is assigned by the ISP and it can change at any time, even if your home network stays connected continuously.
This is where shareware solutions (OS X or OS 9) and dynamic DNS services come in. Organizations like DynDNS.org, Static.net, etc. allow you to assign a name to your home network that will always correspond to the current IP address of your home network (they update the DNS tables as the IP number changes). Thus, you'll never have to remember the IP number associated with home. Very Nifty!
The only other tip I offer is that I would not use the ABS DHCP server to assign the IP address of any machine behind the firewall that hosts a service. Since the IP address you enter in this control panel is static, you'd otherwise risk not being able to connect to the machine that you assigned to host your services. After all, the DHCP server in the ABS may decide to change the IP of your web-server... Hence, you could be trying to connect to a printer instead of the web-server.
More capable DHCP servers like the one found in the excellent IPNetRouter package allow you to assign both static and dynamic IP addresses via DHCP. Thus, you can have your cake and eat it too: servers and printers can benefit from static IPs while not requiring any fiddling/manual IP assignments. For some reason, the makers of routers like the Apple Base Stations do not seem to support static IPs based on the MAC address of attached devices. Oh well.
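To make the two points above concrete (the public-to-private port mapping described in the web-server example, and the warning about mapping to a DHCP-assigned address), here is a small added model of a base station's port-mapping table. It is illustration code written for this page, not anything from Apple or IPNetRouter; the 10.0.1.x addresses, the mapping entries and the DHCP pool range are constructed for the demo.

```python
# Added example: model of a NAT router's port-mapping table.
# All addresses, ports and the DHCP pool below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Mapping:
    public_port: int    # port on the base station's internet-facing address
    private_ip: str     # LAN machine that receives the traffic
    private_port: int   # port on that machine (may differ from public_port)


# Constructed table: public 80 -> web server on 80 (same port, public service),
# public 2222 -> SSH on 22 (a "non-default" public port for a private service).
MAPPINGS = [
    Mapping(80, "10.0.1.10", 80),
    Mapping(2222, "10.0.1.10", 22),
]

# Constructed range the base station's DHCP server hands leases out of.
DHCP_POOL = (ip_address("10.0.1.100"), ip_address("10.0.1.200"))


def forward(mappings, public_port):
    """Decide where an inbound packet to public_port goes.

    Returns (private_ip, private_port) if a hole has been punched for that
    port, or None for the NAT router's default behaviour: drop it.
    """
    for m in mappings:
        if m.public_port == public_port:
            return (m.private_ip, m.private_port)
    return None


def exposed_hosts(mappings):
    """Every LAN machine reachable from the internet through the table.

    Each of these is a machine the text says to firewall and keep free of
    data you would mind sharing with the world.
    """
    return sorted({m.private_ip for m in mappings})


def unstable_mappings(mappings, pool):
    """Mappings whose private IP lies inside the DHCP pool.

    Such an address may be reassigned at the next lease renewal, so the
    mapping can silently start pointing at another device (the printer
    instead of the web-server). These should be moved to static addresses.
    """
    lo, hi = pool
    return [m for m in mappings if lo <= ip_address(m.private_ip) <= hi]


if __name__ == "__main__":
    for port in (80, 22, 2222):
        print(f"inbound to public port {port}: {forward(MAPPINGS, port)}")
    print("exposed hosts:", exposed_hosts(MAPPINGS))
    risky = MAPPINGS + [Mapping(8080, "10.0.1.150", 80)]  # constructed bad entry
    print("mappings inside the DHCP pool:", unstable_mappings(risky, DHCP_POOL))
```

Running it shows that public port 22 is dropped (no mapping, so the default-deny of the NAT applies even though SSH is listening on the LAN host), public 2222 reaches SSH on 22, and the constructed 10.0.1.150 entry is flagged because it sits inside the lease range.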
As you can tell, Port Mapping is for serious web-geeks who want to host a bevy of services from the comfort of their home while protecting the rest of their network. I wish that Apple could extend its Rendezvous technology to keep track of servers behind the firewall instead of requiring some hard-coding by the user.