NullSH wrote:
My Cable / DSL router has UPnP features which I don't plan on using. In my opinion enabling that feature on the router is a security risk (unless that is, I drastically misunderstood the way UPnP works).
The whole point of having a firewall running in the cable/dsl router is to NOT have open ports. I don't mind setting up static forwarding routes for bit tornado in whichever range I feel like. If normal programs can use UPnP to bypass the firewall and set up listening ports through the router, so can backdoor Trojans, worms and viruses, and there goes the functionality of your router's "firewall" feature up in smoke.
You just shot down your own statement. When you set up static port forwarding, you already broke part of the router's firewall feature.
You don't understand the main key. When you statically forward a port range, those ports are opened for traffic to go through 24 hours per day. A simple probe will reveal all the ports your router is forwarding.
https://grc.com/x/ne.dll?bh0bkyd2
UPnP opens the port when running and closes it when done. So when some people probe for open ports while the job is done, they won't find any. Another way to say that is: it breaks part of the firewall to do its job; then builds back the full firewall when the job is done.
Backdoor Trojans, worms and whatever can connect in to communicate whether you use UPnP or not, as long as it is being run on the target machine, given that part of the router's firewall is broken (either statically or dynamically). For the static case, the worm can test all ports for listening while an outsider probes for your opened ports, targets only those ports and then waits for the worm to catch it. That's the reason why you don't completely rely on the router's firewall. You should also use a software firewall like ZoneAlarm which will ask you for permission when a new program is trying to listen on certain ports and/or trying to connect out.