# Is Port Forwarding risky?



## john_rambo (Sep 11, 2014)

Hi,
I dual boot FreeBSD 10 and Ubuntu. I have done port forwarding on Linux for Transmission with a custom AppArmor profile in enforce mode but not on FreeBSD because I am not sure if it's safe or not.

When I Google I see a lot of discussions on this subject not specific to BSD, Linux or Windows but the fact is there are a lot of conflicting views.

So, what do you guys think? If I open a port in PF for Transmission will that make the installation less secure?

When I say less secure I am asking about two things, the root and the user's data which is the /home/username.


----------



## kpa (Sep 11, 2014)

Ignore 99% of the discussions you find on the web, they are based on pure ignorance on the subject. 

If you have to expose a service to the internet for whatever reason you either have the service directly listening on the public IP address/port combination or you do a port forward from the same public IP/port pair to the host that actually runs the service. Either solution is equally secure/unsecure. What matters is how secure the actual service is and how well it handles malicious input and common attacks and what the attacker could do if the service had a security hole that could be exploited. Running services as root should be avoided at all costs because that would allow the attacker to do absolutely everything if there was a critical vulnerability in the service, that's why most services run under their own unprivileged user or even as the nobody user.

In case of BitTorrent you don't have much choice but to open/forward the TCP listening port. If you don't open it nobody can connect to your client and ask it which pieces of the torrent(s) it has and you would be "snubbed" very quickly because your client would then only download but not upload anything.


----------



## john_rambo (Sep 11, 2014)

@kpa

In that case do you think it's better to run a torrent client inside a jail?


----------



## kpa (Sep 11, 2014)

john_rambo said:

> @kpa
> 
> In that case do you think it's better to run a torrent client inside a jail?



It may be although the service doesn't run as root and at least the net-p2p/transmission has a good security track record as far as I know.


----------
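An added example, not part of the thread: kpa's point that what matters is which user the exposed service runs as can be checked from `sockstat -4 -l` output on FreeBSD. The sample output, the port 51413 and the `transmission` user below are constructed assumptions; none of them come from the posts above.

```shell
#!/bin/sh
# Constructed sample in the column layout of FreeBSD `sockstat -4 -l`
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS). Not real output.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
transmission transmission-daemon 1234 10 tcp4 *:51413       *:*
transmission transmission-daemon 1234 11 udp4 *:51413       *:*
transmission transmission-daemon 1234 12 tcp4 127.0.0.1:9091 *:*
root     sshd       700   3  tcp4   *:22                  *:*
root     syslogd    500   6  udp4   127.0.0.1:514         *:*'

# listener_owners PORT: read sockstat-style text on stdin and print
# "user command proto address" for every socket listening on PORT.
listener_owners() {
    awk -v port="$1" 'NR > 1 {
        n = split($6, a, ":")            # local address is "host:port"
        if (a[n] == port) print $1, $2, $5, $6
    }'
}

# exposed_root_listeners: print root-owned IPv4 sockets that are not bound
# to loopback, i.e. the ones a forwarded or public port could reach.
exposed_root_listeners() {
    awk 'NR > 1 && $1 == "root" && $6 !~ /^127\./ { print $2, $5, $6 }'
}

# audit_port PORT: exit status 0 if every listener on PORT is non-root,
# 1 if any listener on PORT runs as root, 2 if nothing listens on PORT.
audit_port() {
    owners=$(listener_owners "$1")
    [ -n "$owners" ] || return 2
    if printf '%s\n' "$owners" |
        awk '$1 == "root" { found = 1 } END { exit !found }'; then
        return 1
    fi
    return 0
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | exposed_root_listeners
```

On a live FreeBSD host the same functions take real input, for example `sockstat -4 -l | audit_port 51413` with whatever port is opened in PF.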

