Can port ranges be setup on Airports?
 

I've tried poking around and didn't come up with much, I have alot of high ports open on my network due to gaming and other such things. Unfortunately the apple airport only allows for a dozen or more so ports to be forwarded before the add button gets grayed out. Is there a way to use port ranges rather then just single ports per listing? Thanx

I've never seen an Airport's config menu, but lacking a better reply by someone else, have you tried entering the port as a range? IE, 7300-7399 for example.

I don't have an airport base station either, but I would like to think you can enter ports the same way you can in Apple's firewall.
A single port 1234
Multiple ports 1234, 2334, 2344
A port range 1234-2000
A combination 1234-2000, 1234, 2334, 5555-6000

When you enter the number it only allows 6 digits allowing for the max port number you could use i.e port 60000, and it dosen't allow dashes or commas to my knowledge....

I found this on the apple site... it will work, but may not be something you want to do.

Actually that kinda helps alot, but yea I am not too sure if I want to do that, opening thousands of ports is not really what i had in mind, i just need more than 20. I could save a few if i shut off telnet and ftp but i use them both frequently....Well this points me in the right direction, thanx for your help.

From the screen shots on this page
http://www.portforward.com/apple/Air...forwarding.htm
it looks like you can export and import port maps. Maybe you can set up 2 or 3 groups and just swap them around depending on what game you want to play... still not ideal, but it might be better than forwarding all traffic to your computer.

i never thought i'd say this....but my kingdom for a linksys!!!!
 

Hmm that just might work, except i'd have to reboot my airport after each change, and i have a dns address via dyndns.org so i'd would have to be updated each time cuz who really wants to remember their newly changing ip address each time :) Well i'll figure something out, it wouldn't be such a big deal if i didn't remote into my machine so much....(that right there requires like 3-5 ports.) Thanx for your help

Telnet and ftp are both "hey look, world, here's my username and password in cleartext!" protocols. You would be wise to not use either of those and use ssh and sftp instead. And not only are you far far less likely to be hacked using ssh and sftp, but they both use the same port (22), so you've just saved another port mapping.

trevor

No, they are not. You make it sound like using FTP would be like screaming your password in the middle of a crowd. In reality, the ability for someone to actually sniff that traffic on a wired network is extremely limited and difficult.

The Airport Extreme sure seems to have a lot of limitations. Is there any reason to pay $200 for it when a $70 Linksys does so much more?

I KNEW someone would say that, and trust me I know, my logs are full daily of people trying to hack my machine. They are only open at certain points during the day though. I leave them on in the morning, i come to work, i telnet to my machine ,start VNC (cuz i never remember to start it at home) then turn on the firewall and shut them off....i use ftp to browse my computer from work via my IE window. I would use ssh, but I am required to use ssh at work and my hosts file is supplied by a server on my network at work, the kicker (and i swear if i ever met who did this i will kill them) if i delete my hosts file off my computer I have to wait for an admin to come fix it, because without a ghost hosts file on my system it won't pull the actuall one down from the network, and so therefore the key isn't recognized by my computer at home and bam....i can't ssh, i am sure there is some geek way around it, but my path to geekdom has yet to be reached and i have no idea how to work around it....so for now this is how i do things....but it would be so much easier if airports could have ranges.....thanx guys

--------
I love my airport, and that is the only complaint about it, is that it has no port ranges to forward....when i lived at home, it was my firewall for my network, (which had a windows machine on it) and in the days of spyware and spam my parents windows machine never had a problem. When i moved out and took it with me, my parents began getting slammed with spyware and such....i know spyware on a mac is not really a problem....but that is one plus...it acts as a lovely filter to the outside world. :cool:

1
If you need to have more open ports than your Airport can handle, get a router that can. Carlos' suggestion is good concerning that point.

2
Password sniffing on unencrypted protocols is trivial.
The only mitigation factor here is how much you trust the people who see your packets fly by.
Carlos, you should know better, if you're not familiar with dsniff, have a look and think about it...

3
Running your machine as an exposed host is an extremely bad idea unless all services you run on that machine are supposed to be reachable via the internet.

I guess that the limitations are not an issue for most people and that the Airport is more reliable. That is certainly the case for me. My neighbours have a LinkSys and they often call me to reconfigure it when they lose their Internet connection. Sometimes I let them use my Airport connection if time is pressing and their LinkSys isn't working. When I try to get into the config page on the LinkSys, it is often extremely slow to come up - several minutes - who knows why.
And I don't forward any ports on the Airport.

No, it's extremely easy to sniff cleartext usernames and passwords. The myth that using a switch makes it difficult to sniff cleartext passwords has been repeatedly proven false time and time again. Off the top of my head, dsniff (especially in conjunction with arpredirect) http://www.fif3.com/howto/archives/002053.html and ethereal http://www.ethereal.com/download.html will both easily give you usernames and passwords. I'm sure there's many more such tools as well.

If you would like to read an interesting discussion of this, there are many on the net, including this one.

Really, it is screaming your username and password in the middle of a crowd. It's just that the crowd is not filled with the average folks at your local grocery store, they are the folks who already want to own your computer and use it for their evil purposes.

FTP and telnet are leftovers from a time when people could trust the other people on the network to act in a responsible and socially acceptable manner. Those days are past.

Trevor

When you say "hosts file", are you referring to /etc/hosts? I don't see what that has to do with ssh. Or are you referring to ~/.ssh/known_hosts? Or are you referring to /etc/ssh_host* (of which there are several files)? And can you explain the problem more?

Trevor

------
Yes the known_hosts file....it is "ghosted" not sure if that is the correct, but basically for control issues, and and all systems I need to ssh to, are controlled via a "master" file that is sent to my machine when ssh out of it, but for this to work there is essentially a "blank" known_hosts file sitting on my machine at work. I have no idea how it works or why it is done this way, the people at my company are admin crazy, yet get this, all the systems in our stores are logged into as the root user by the helpdesk and basically any support staff....yea i know, you can laugh now.... :D

------

Oh and it isn't really a problem per se, i was just explaining why i have telnet and ftp open, i would love to use SSH, but my options are limited while at work, and i use my computer to stream music to me at work (beats killing my ipod battery) so i need to VNC into my computer at home, etc etc, like i said, i know it isn't the most secure way, but i live on my computer at home, and i use the whodo command often so i know if someone gets in...no one ever has, and if they do, i can fix anything they break in moments....I agree with all you guys that it is not the safest way at all, but the chances of it happening are slim. All i wanted was more stinkin ports to forward lol. Thanx to everyone who offered ideas...maybe apple will allow ranges in the newer firmware installments....i can dream :p

oh for anyone interested, a buddy of mine took the whodo command off of unix, and made it work for Mac OS X...if you're interested....here

---------

#!/bin/sh

# Author: Arthur Foster
# Date: 4/20/2003

# Description:
# Show who is logged on and what they are doing.
# This program simulates the "whodo" command from Unix.


LongOutput=no
Header=yes
while [ $# -gt 0 ]
do
case "$1" in
-l) LongOutput=yes;;
-h) Header=no;;
--) shift; break;;
-*) Usage;;
*) break;; # First file name
esac
shift
done

echo ''

[ $# -gt 0 ] && User="$1"

if [ "$LongOutput" = no ]
then
[ $Header = yes ] && {
date
uname -n
}

who | while read Name Tty Mon Day Time Host Rest
do
if [ ! $Host ]
then
Host="Console"
fi

if [ $Tty ]
then
[ -n "$User" -a "$User" != "$Name" ] && continue
echo "--------------------------------------------------------------"
echo "$Tty $Name $Time" | awk '{printf("%s\t%s\t%7s\n", $1, $2, $3)}'
echo ""
case "$Tty" in
*tty*) T=`echo "$Tty" | sed -e 's:.*tty\(..\).*:\1:'`;;
*) T=`echo "$Tty" | sed -e 's:/dev/\(..\).*:\1:'`;;
esac

ps -ct $T | tail +2 | while read pid tty stat time command
do
echo "$pid $time $command" | awk '{printf("%12s\t%7s\t\t%s\t%s\n", $1, $2, $3, $4)}'
# echo " $pid $time $command"
done
fi
done
else
if [ $Header = yes ]
then FirstLine=1
else FirstLine=3
fi

if [ -z "$User" ]
then
w
else
w | grep "$User"
fi | tail +$FirstLine
fi

echo ''

---------------

Put a hundred bucks on the table. I'll give you my IP address and the addresses of all my servers which I access in cleartext, and I'll match the $100 if you can capture a single password.

Not likely unless enough people ask for it:
http://www.apple.com/macosx/feedback/

But note that there are 3rd-party Airport basestation configuration utilities available - maybe one of these will allow you to configure more ports.

Carlos, as I clearly stated, I'd need to control at least one machine somewhere on the route between you and the server you use with cleartext passwords to sniff packets.
Given that, all your passwords are mine.

How easily and by whom that physical or administrative access can be gained, varies quite a lot.

And it should be up to everyone to assess that risk.

But you'll probably agree that denying how easy it is to sniff cleartext traffic, even in most switched contexts, is no less than a misrepresentation of the truth.

trevor provided some pointers to more sniffing-tools, they're readily available and easy to use.

In security matters, one should always err to the safe side and those who are unaware of risks should be informed.

However, with only the data you volonteer and provided all of your systems are correctly administered, and no doubt they are, +I+ would not be able to sniff passwords.
But are you sure the switches at your colo are immune to an ARP-spoofing rack-neighbour ?

--------

for a 100 bucks even i'd try , and i've never hacked anything lol

You're challenging me to break the law for $100? The answer is clearly no. Please don't ever ask me to do anything illegal again.

Sniffing requires having an account on a box on your subnet, or on a router over which your data passes. Since I (presumably) am not on your subnet, and don't own any of the routers between you and your remote servers, it is not a matter of simply installing dsniff.

So, I would first have to break into someone else's computer. This would be a computer owned by someone else who has not asked to be broken into. This is not the kind of person I am, and I hope that this is not the kind of forum that condones those things.

Trevor

Guys you're all pretty brilliant, you keep arguing like this, you're gonna just look dumber and dumber.....so boys don't make me seperate you :D

Very nice! I get ttyp# perfectly, where # is the terminal window(s) that I have open.

Am I supposed to get the error
ps: /dev/ttyconsole: No such file or directory
? That is presumably the GUI user logged in.

Trevor

------
yea i get it too, it is because at work when we had unix, it presumes a few things that don't apply on a mac...i am sure it could be fixed, but i just ignore it.

:rolleyes: Uh huh. Right. It's not against the law if I tell you to do it. Do you think I break the law every time I attack one of my clients' systems for vulnerability testing?

Yup. I'm out. I don't feel like explaining theory vs. reality once again.