How to add a Web server to a LAN safely?
I have a beginners question. I have a small network behind a NAT
router. I need to add a PC that will function as a low volume Web
server. I think that the safest way to do this is to place the Web
server behind a NAT router and have the rest of the network behind a
second NAT router.
The configuration would be:
Connect the DSL line to the first router.
Connect the Web server to the first router.
Connect the first router to the second router.
Have all other PCs connected to the second router.
Is this a good solution? If not what should I do?
--
..Bill.
Kerry Liles wrote:
> It would be simpler and cheaper to put the webserver PC in the DMZ of
> the (only) router. That way, any compromise of it would not permit
> cross-contamination of the other PCs behind the same router (at least
FYI, that is exactly the opposite of what the article at
http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
access to the internal network as any other machine on the internal
network and is, therefore, a major security hole.
> as I understand things). The introduction of an additional router
> doesn't add much to the equation in the configuration you are
> suggesting. You may also want to go here and read this information
> (which may help):
The articles are excellent. Many thanks. They show exactly how to do
what I need using two NAT routers to isolate the Web server from the
Internet, except for the ports that are forwarded to it, and isolate
the other machines on the internal LAN from the Web server in case it
is compromised.
--
..Bill.
Kerry Liles
02-29-08, 03:45 PM
mea culpa. I guess I should read what I recommend!
My apologies and kudos to you for reading carefully... I don't know what I
was thinking (likely nothing at all)
"comprehension isn't all that it is hyped to be..."
"Bill" <no@no.com> wrote in message
news:zPZxj.11$2e4.112@eagle.america.net...
> Kerry Liles wrote:
>
>> It would be simpler and cheaper to put the webserver PC in the DMZ of
>> the (only) router. That way, any compromise of it would not permit
>> cross-contamination of the other PCs behind the same router (at least
>
> FYI, that is exactly the opposite of what the article at
> http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
> access to the internal network as any other machine on the internal
> network and is, therefore, a major security hole.
>
>> as I understand things). The introduction of an additional router
>> doesn't add much to the equation in the configuration you are
>> suggesting. You may also want to go here and read this information
>> (which may help):
>
> The articles are excellent. Many thanks. They show exactly how to do
> what I need using two NAT routers to isolate the Web server from the
> Internet, except for the ports that are forwarded to it, and isolate
> the other machines on the internal LAN from the Web server in case it
> is compromised.
>
> --
> .Bill.
David H. Lipman
02-29-08, 04:27 PM
From: "Bill" <no@no.com>
| Kerry Liles wrote:
|
>> It would be simpler and cheaper to put the webserver PC in the DMZ of
>> the (only) router. That way, any compromise of it would not permit
>> cross-contamination of the other PCs behind the same router (at least
|
| FYI, that is exactly the opposite of what the article at
| http://www.grc.com/nat/nat.htm says. The machine in the DMZ has the same
| access to the internal network as any other machine on the internal
| network and is, therefore, a major security hole.
|
>> as I understand things). The introduction of an additional router
>> doesn't add much to the equation in the configuration you are
>> suggesting. You may also want to go here and read this information
>> (which may help):
|
| The articles are excellent. Many thanks. They show exactly how to do
| what I need using two NAT routers to isolate the Web server from the
| Internet, except for the ports that are forwarded to it, and isolate
| the other machines on the internal LAN from the Web server in case it
| is compromised.
|
I don't see a need for two Routers.
One Router is all that's needed. If it is a standard HTTP server forward TCP port 80 to the
Web Server. If it also uses SSL, port forward TCP port 443 to the web server IP address as
well. Make the Web Server a static address.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman wrote:
> I don't see a need for two Routers.
>
> One Router is all that's needed. If it is a standard HTTP server
> forward TCP port 80 to the Web Server. If it also uses SSL, port
> forward TCP port 443 to the web server IP address as well. Make the
> Web Server a static address.
Are you saying that there is no way that a hacker could hack into the
Web server PC if port 80 is forwarded? If so, that is great.
--
..Bill.
David H. Lipman
02-29-08, 08:49 PM
From: "Bill" <no@no.com>
| David H. Lipman wrote:
|
>> I don't see a need for two Routers.
>>
>> One Router is all that's needed. If it is a standard HTTP server
>> forward TCP port 80 to the Web Server. If it also uses SSL, port
>> forward TCP port 443 to the web server IP address as well. Make the
>> Web Server a static address.
|
| Are you saying that there is no way that a hacker could hack into the
| Web server PC if port 80 is forwarded? If so, that is great.
|
Well if you have a vulnerability on said server and the miscreant uses TCP port 80 then
yes... it could still be hacked. But that would be the case in any other solution noted as
well.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman wrote:
> Well if you have a vulnerability on said server and the miscreant
> uses TCP port 80 then yes... it could still be hacked. But that
> would be the case in any other solution noted as well.
If I understand the two papers on the Gibson Research site referenced
in Kerry Liles' earlier post, using two NAT routers with the Web server
between the two and the rest of the computers behind the second router
makes it impossible for the Web server to access the rest of the
computers on the network. It is impossible for a computer on the WAN
side of a NAT router to access computers on the LAN side of the NAT
router. OTOH, computers on the LAN side can access the computer on the
WAN side (the Web server). For the $30 cost of a second NAT router it
seems like very cheap insurance.
--
..Bill.
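Bill's two-router argument above rests on one property of a stateful NAT router: it only admits inbound packets that belong to a connection a LAN host already opened, or that hit a port-forward rule, and drops everything else. The toy model below is an added illustration, not code from this thread or from the GRC articles; it walks both layouts through that rule and also shows what happens when the web server itself opens a new connection from the forwarded port. The addresses, ports and the port-allocation policy are constructed assumptions, not the behaviour of any particular router.

```python
"""Toy model of a stateful NAT router (added example; not code from the
thread or from the GRC articles). Two rules carry the whole argument about
the two-router layout:
  1. a packet arriving on the WAN side is admitted only if it belongs to a
     connection already in the translation table or it hits a configured
     port-forward rule; anything else is dropped.
  2. a packet leaving the LAN side gets its source rewritten to the WAN
     address and the mapping is recorded so the reply can be sent back.
Addresses, ports and the port-allocation policy are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    wan_ip: str
    # port-forward rules: (proto, wan_port) -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)
    # translation table: (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)
    next_port: int = 32768  # where fresh WAN-side ports are handed out from

    def _alloc_port(self, pkt):
        """Keep the LAN host's own source port unless a forward rule or an
        existing translation already occupies it on the WAN side; otherwise
        hand out a fresh high port (assumed policy; real routers vary)."""
        in_use = {k[1] for k in self.table} | {k[1] for k in self.forwards}
        if pkt.src_port not in in_use:
            return pkt.src_port
        while self.next_port in in_use:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt):
        """LAN -> WAN: return the packet as the far side sees it."""
        # A reply on a tracked connection (including one admitted through a
        # forward rule) reuses that connection's WAN port.
        for (proto, wan_port, rip, rport), lan in self.table.items():
            if ((proto, rip, rport) == (pkt.proto, pkt.dst_ip, pkt.dst_port)
                    and lan == (pkt.src_ip, pkt.src_port)):
                return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        wan_port = self._alloc_port(pkt)
        self.table[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """WAN -> LAN: return the packet as delivered on the LAN, or None if dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None  # LAN addresses are not reachable from the WAN side at all
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        target = self.table.get(key)
        if target is None:
            target = self.forwards.get((pkt.proto, pkt.dst_port))
            if target is None:
                return None  # unsolicited and not forwarded: dropped
            self.table[key] = target  # track it so the server's replies map back
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def two_router_demo():
    """Bill's layout: DSL -> router 1 (web server on its LAN) -> router 2 (workstations)."""
    web, ws = "192.168.1.2", "192.168.2.20"
    r1 = NatRouter(wan_ip="203.0.113.10", forwards={("tcp", 80): (web, 80)})
    r2 = NatRouter(wan_ip="192.168.1.3")  # router 2's WAN port hangs off router 1's LAN
    out = {}
    # An Internet visitor reaches the web server only through the forwarded port,
    # and the server's reply goes back out on port 80.
    out["visitor_to_web"] = r1.inbound(Packet("198.51.100.7", 51000, r1.wan_ip, 80))
    out["web_reply_to_visitor"] = r1.outbound(Packet(web, 80, "198.51.100.7", 51000))
    out["visitor_to_other_port"] = r1.inbound(Packet("198.51.100.7", 51001, r1.wan_ip, 445))
    # A compromised web server cannot open anything toward the workstations:
    # router 2 has no forward rule and no LAN-initiated entry for it.
    out["web_to_workstation"] = r2.inbound(Packet(web, 40000, r2.wan_ip, 445))
    # A workstation can still open a connection to the web server and get the reply.
    seen_by_web = r2.outbound(Packet(ws, 50000, web, 80))
    out["reply_to_workstation"] = r2.inbound(
        Packet(web, 80, seen_by_web.src_ip, seen_by_web.src_port))
    # A new connection the server opens itself from source port 80 must not be
    # confused with the forward rule, so it goes out on a fresh port.
    out["new_connection_from_port_80"] = r1.outbound(
        Packet(web, 80, "198.51.100.9", 443)).src_port
    return out


if __name__ == "__main__":
    for name, result in two_router_demo().items():
        print(f"{name:28} -> {result}")
```

The model deliberately has no notion of "trust": router 2 drops the web server's packet for the same reason router 1 drops a stranger's, namely that nothing inside asked for it. That is the whole isolation the second router buys, and it says nothing about traffic the workstations open toward the server themselves.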
David H. Lipman
02-29-08, 09:33 PM
From: "Bill" <no@no.com>
| David H. Lipman wrote:
|
>> Well if you have a vulnerability on said server and the miscreant
>> uses TCP port 80 then yes... it could still be hacked. But that
>> would be the case in any other solution noted as well.
|
| If I understand the two papers on the Gibson Research site referenced
| in Kerry Liles' earlier post, using two NAT routers with the Web server
| between the two and the rest of the computers behind the second router
| makes it impossible for the Web server to access the rest of the
| computers on the network. It is impossible for a computer on the WAN
| side of a NAT router to access computers on the LAN side of the NAT
| router. OTOH, computers on the LAN side can access the computer on the
| WAN side (the Web server). For the $30 cost of a second NAT router it
| seems like very cheap insurance.
|
Insurance ? from what ?
I don't see a problem or a need for two NAT Routers.
So the web server can be seen by LAN side nodes and vice versa. What's the problem ?
Remember SOHO Routers have high latency. Two NAT Routers means you effectively double the
latency.
BTW: GRC -- what a laugh.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Bob Kester
02-29-08, 10:17 PM
Hi...
I've read some of the other replies, and there are a lot of good ideas
there. Let me relate what I ended up doing, and sort of 'why'.
Originally I put my server on port 80, and set my router to forward any
inbound port 80 traffic to it. Seemed to be a straightforward
approach. I tried to lock that computer down as tightly as possible so
hackers wouldn't be able to easily break into it. That does require the
router knows the ip address for the computer you are forwarding to! The
Netgear router I use will reserve IP addresses for specific MAC
addresses within the dynamic range it hands out. So any time the server
computer is booted, it would request an IP via DHCP, and the router
would always hand it the same address. If you want to use static IP
addresses, I see nothing wrong with that -- I guess a computer that is
only a server really doesn't need to know where DNS servers are, and so
on.
Watching the activity on the server, I was surprised at the number of
connection attempts to it. Large numbers of attempts to connect, and
for each packet in, I was responding with several replies. That is
normal in a TCP handshake situation, until a connection is established
-- but that should be almost immediate. And what got me even more
concerned, some of the attempts to connect to my server were from ip
addresses on the web that would never be trying to connect.
Keep in mind a connection can be made by a user either using a URL, or
an IP address. My friends were given the URL, but anyone who knew the
IP could use it directly.
I am on a DSL line, and, like many broadband residential services, the
IP address can change -- it is a dynamic IP rather than a static address
that never changes. So, I used a redirection service. The one I use is
DynDNS.org, but there are other ones out there that do the same. For low
volume users, they are free. I supply them with my IP address, and they
supply me with a URL that gets linked to it. My router even has the
ability to automatically update the IP with them, should it change.
When I realized what was going on, I moved my server off of port 80 to
an unused port number. I also changed the port forwarding in the router
to forward the new address rather than 80. Now port 80 is not responded
to. I'm sure you've seen some URLs that have port numbers tacked on
(like :8080). Now, anyone who knew the URL and the port number could
still connect, but the casual bad guy scanning IP addresses would not
find it.
Obviously, the need for that port number on a URL isn't the greatest!
At DynDNS they have another feature where a URL on port 80 can get
forwarded to another URL using a different port. So, now I use for the
public URL one at DynDNS that doesn't require a port number, and it gets
forwarded to whatever IP address I happen to have at the time and at the
port I have set up for the server.
Actually, I have a couple of very low volume servers here, and this
allows me to have both on one DSL line with no problems.
I hope I haven't made this sound too complicated! It really turns out
to be straightforward!
....Bob
(For reference only, the original message follows)
Bill wrote:
>
> I have a beginners question. I have a small network behind a NAT
> router. I need to add a PC that will function as a low volume Web
> server. I think that the safest way to do this to to place the Web
> server behind a NAT router and have the rest of the network behind a
> second NAT rounter.
>
> The configuration would be:
>
> Connect the DSL line to the first router.
> Connect the Web server to the first router.
> Connect the first router to the second router.
> Have all other PCs connected to the second router.
>
> Is this a good solution? If not what should I do?
>
> --
> .Bill.
--
The FROM: email address has been set up for receiving SPAM.
Don't bother using it -- email to it won't be read.
Right now, you can use: posts01 [at-sign] kesters [DOT] org
(Until the scumbags figure that one out.)
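Bob's observation about unexpected connection attempts is the kind of thing a server owner can check in the web server's access log rather than by watching packets. The script below is an added example, not Bob's code or anything from the thread: it parses constructed Apache-style "combined" log lines and flags source addresses that walk through several paths the site does not serve within a short window, which is what an automated scanner does and a visitor following links mostly does not. The site's legitimate paths (KNOWN_PATHS), the thresholds and the sample log lines are all assumptions made for the example.

```python
"""Added example (not from the thread): spotting scanner traffic in a web
server's access log. Log lines are constructed in Apache/nginx "combined"
format; KNOWN_PATHS is the assumed list of pages the site really serves.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format; the request line is split into method, path and version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

KNOWN_PATHS = {"/", "/index.html", "/photos.html", "/style.css"}  # assumed site content

# Constructed sample: one normal visitor, one scanner, one visitor whose browser
# asks for a favicon the site lacks, and one malformed line.
SAMPLE_LOG = """\
192.0.2.15 - - [29/Feb/2008:10:01:02 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.15 - - [29/Feb/2008:10:01:03 -0500] "GET /style.css HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.15 - - [29/Feb/2008:10:01:09 -0500] "GET /photos.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
198.51.100.77 - - [29/Feb/2008:10:02:00 -0500] "GET /phpmyadmin/ HTTP/1.0" 404 210 "-" "-"
198.51.100.77 - - [29/Feb/2008:10:02:00 -0500] "GET /admin/ HTTP/1.0" 404 210 "-" "-"
198.51.100.77 - - [29/Feb/2008:10:02:01 -0500] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "-" "-"
198.51.100.77 - - [29/Feb/2008:10:02:01 -0500] "GET /setup.php HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [29/Feb/2008:10:05:40 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Feb/2008:10:05:41 -0500] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(log_text, known_paths=KNOWN_PATHS, min_unknown=3, max_window_s=60):
    """Group requests by client address. An address is flagged as a probe when it
    asks for at least `min_unknown` distinct paths the site does not serve, all
    within `max_window_s` seconds. A single missing favicon does not trip it."""
    per_ip = defaultdict(lambda: {"requests": 0, "unknown": set(), "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed or unrelated line: skip rather than crash
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["path"] not in known_paths:
            s["unknown"].add(rec["path"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    report = {}
    for ip, s in per_ip.items():
        span = (s["last"] - s["first"]).total_seconds()
        report[ip] = {
            "requests": s["requests"],
            "unknown": len(s["unknown"]),
            "probe": len(s["unknown"]) >= min_unknown and span <= max_window_s,
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} requests={r['requests']:3} unknown_paths={r['unknown']:3} probe={r['probe']}")
```

Run against a real log, the known-path set would come from the site's own document tree, and the flagged addresses are a list to block or rate-limit at the router or host firewall rather than something to act on further. Counting distinct unknown paths instead of raw 404s is what keeps an ordinary browser's favicon request from showing up as an attack.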
David H. Lipman
02-29-08, 10:59 PM
From: "Bob Kester" <SpamPot@Frontiernet.net>
| Hi...
|
| I've read some of the other replies, and there are a lot of good ideas
| there. Let me relate what I ended up doing, and sort of 'why'.
|
| Originally I put my server on port 80, and set my router to forward any
| inbound port 80 traffic to it. Seemed to be a straightforward
| approach. I tried to lock that computer down as tightly as possible so
| hackers wouldn't be able to easily break into it. That does require the
| router knows the ip address for the computer you are forwarding to! The
| Netgear router I use will reserve IP addresses for specific MAC
| addresses within the dynamic range it hands out. So any time the server
| computer is booted, it would request an IP via DHCP, and the router
| would always hand it the same address. If you want to use static IP
| addresses, I see nothing wrong with that -- I guess a computer that is
| only a server really doesn't need to know where DNS servers are, and so
| on.
|
| Watching the activity on the server, I was surprised at the number of
| connection attempts to it. Large numbers of attempts to connect, and
| for each packet in, I was responding with several replies. That is
| normal in a TCP handshake situation, until a connection is established
| -- but that should be almost immediate. And what got me even more
| concerned, some of the attempts to connect to my server were from ip
| addresses on the web that would never be trying to connect.
|
| Keep in mind a connection can be made by a user either using a URL, or
| an IP address. My friends were given the URL, but anyone who knew the
| IP could use it directly.
|
| I am on a DSL line, and, like many broadband residential services, the
| IP address can change -- it is a dynamic IP rather than a static address
| that never changes. So, I used a redirection service. The one I use is
| DynDNS.org, but there are other ones out there that do the same. For low
| volume users, they are free. I supply them with my IP address, and they
| supply me with a URL that gets linked to it. My router even has the
| ability to automatically update the IP with them, should it change.
|
| When I realized what was going on, I moved my server off of port 80 to
| an unused port number. I also changed the port forwarding in the router
| to forward the new address rather than 80. Now port 80 is not responded
| to. I'm sure you've seen some URLs that have port numbers tacked on
| (like :8080). Now, anyone who knew the URL and the port number could
| still connect, but the casual bad guy scanning IP addresses would not
| find it.
|
| Obviously, the need for that port number on a URL isn't the greatest!
| At DynDNS they have another feature where a URL on port 80 can get
| forwarded to another URL using a different port. So, now I use for the
| public URL one at DynDNS that doesn't require a port number, and it gets
| forwarded to whatever IP address I happen to have at the time and at the
| port I have set up for the server.
|
| Actually, I have a couple of very low volume servers here, and this
| allows me to have both on one DSL line with no problems.
|
| I hope I haven't made this sound too complicated! It really turns out
| to be straightforward!
|
| ...Bob
Good Job!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Johnnie Leung
03-01-08, 12:53 AM
I think you are trying to isolate the web server from your other LAN
clients. You might want to look into getting a router that supports VLANs.
--
JL
David H. Lipman
03-01-08, 07:24 AM
From: "Johnnie Leung" <jsleung@telecom-digest.zzn.com>
| I think you are trying to isolate the web server from your other LAN
| clients. You might want to look into getting a router that supports VLANs.
|
Certainly not a SOHO solution.
A managed Ethernet Switch would support VLANs in conjunction with a SOHO Router.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Johnnie Leung wrote:
> I think you are trying to isolate the web server from your other LAN
> clients. You might want to look into getting a router that supports
> VLANs.
Other way around. I am trying to protect the other PCs on the LAN from
a Web server that gets hacked.
--
..Bill.
Thanks for the detailed explanation.
--
..Bill.
David H. Lipman
03-01-08, 09:04 AM
From: "Bill" <no@no.com>
|
| Other way around. I am trying to protect the other PCs on the LAN from
| a Web server that gets hacked.
|
You have to make sure that the web server is completely mitigated of vulnerabilities.
You can start with Secunia's Software Inspector run on the web server.
http://secunia.com/software_inspector
Lets say that the server was indeed hacked. For example an SQL Injection or a PHP exploit.
In such an instance, the hacker would most probably insert malicious code in your HTML files
such that an IFrame Exploit, or other exploit, is inserted such that the web site viewer is
taken to another malicious web site that then causes a malicious file download. In this
case any of the above mentioned methodologies wouldn't help. Any LAN nodes or WAN nodes
loading the web page would be vulnerable. We are not talking about a virus on your web
server that would spread from the web server to the LAN nodes. That would not be a hack
attack. That would be a case of server infection. In that case the above mentioned
methodologies would help to mitigate this kind of threat. An example would be a SDBot that
infected the web server and then spread to the LAN nodes. However, BOTs don't use TCP port
80 (or an alternate such as 8080) and the NAT Translation of the Router would protect the
web server from getting infected from WAN nodes.
Having a web server and understanding the needs of securing it is a lengthy subject. You
have to look at all avenues and there are many.
I guess if you really want two NAT Routers, go for it. However, don't think that this is a
cure-all. It isn't. The most important thing is to have anti virus running on the web
server and making sure all software components, and I mean all, are kept up to date and all
vulnerabilities are mitigated. This means being proactive. Additionally as a web server,
it shouldn't be used to 'browse' the Internet. As a server, this would degrade its
information assurance level and make the web server vulnerable to infection. All browsing
should be done on workstations and only logon to the web server when updating it or
installing trusted applications.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Thanks Dave. I think I now have a good understanding of how to approach
this project. I have learned a lot that would have taken much longer
without your help and you've convinced me that two routers are not
really necessary.
--
..Bill.
David H. Lipman
03-01-08, 11:29 AM
From: "Bill" <no@no.com>
| Thanks Dave. I think I now have a good understanding of how to approach
| this project. I have learned a lot that would have taken much longer
| without your help and you've convinced me that two routers are not
| really necessary.
|
YW and good luck in your project.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Johnnie Leung
03-01-08, 03:55 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:mWbyj.7411$li.3045@trnddc06...
> From: "Johnnie Leung" <jsleung@telecom-digest.zzn.com>
>
> | I think you are trying to isolate the web server from your other LAN
> | clients. You might want to look into getting a router that supports
> VLANs.
> |
>
> Certainly not a SOHO solution.
Why not? I am using one such ('SOHO') router now for my residential
broadband connection.
> A managed Ethernet Switch would support VLANs in conjunction with a SOHO
> Router.
And managed switches are SOHO gear?
--
JL
Johnnie Leung
03-01-08, 03:58 PM
"Bill" <no@no.com> wrote in message
news:7Ocyj.29$2e4.1163@eagle.america.net...
>
> Other way around. I am trying to protect the other PCs on the LAN from
> a Web server that gets hacked.
Doesn't matter which way. VLANs can't see one another, period.
--
JL
David H. Lipman wrote:
> Remember SOHO Routers have high latency.
Out of curiosity, how much latency does a SOHO router add? FWIW, I am
using a Linksys BEFSR41. Latency is a statistic the manufacturers don't
seem to publish (I wonder why<g>).
--
..Bill.
David H. Lipman
03-01-08, 05:56 PM
From: "Bill" <no@no.com>
|
| Out of curiosity, how much latency does a SOHO router add? FWIW, I am
| using a Linksys BEFSR41. Latency is a statistic the manufacturers don't
| seem to publish (I wonder why<g>).
|
I use a Linksys BEFR81.
They don't publish their numbers because they are higher than managed Ethernet switches.
This allows them to also be cheaper for the SOHO market where latency has less of an
impact.
When I was in communication with Linksys, prior to their acquisition by Cisco, they refused
to provide the information.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman
03-01-08, 05:59 PM
From: "Johnnie Leung" <jsleung@telecom-digest.zzn.com>
>> Certainly not a SOHO solution.
|
| Why not? I am using one such ('SOHO') router now for my residential
| broadband connection.
|
What make and model SOHO Router are you using that is a Router combined with an Ethernet
Switch that supports VLANs?
>> A managed Ethernet Switch would support VLANs in conjunction with a SOHO
>> Router.
|
| And managed switches are SOHO gear?
No, good managed Ethernet Switches are geared for the enterprise, not the SOHO market.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Johnnie Leung
03-01-08, 06:59 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Ddlyj.13226$ES.11519@trnddc05...
>
> What make and model SOHO Router are you using that is a Router combined
> with an Ethernet
> Switch that supports VLANs.
Draytek 2910VG.
If you are on a budget, you can get VLAN functionality by flashing supported
routers (like the ubiquitous WRT54G) with open source firmware such as
DD-WRT.
> No, A good managed Ethernet Switches are geared for the enterprise, not
> the SOHO market.
IOW, not really an option for the OP.
--
JL
David H. Lipman
03-01-08, 07:19 PM
From: "Johnnie Leung" <jsleung@telecom-digest.zzn.com>
|
| Draytek 2910VG.
|
| If you are on a budget, you can get VLAN functionality by flashing supported
| routers (like the ubiquitous WRT54G) with open source firmware such as
| DD-WRT.
|
That's a nice unit ~$250.00 US.
But I couldn't find information on it supporting VLANs.
ftp://ftp.draytek.com/DataSheet/Vigor2910_series_datasheet.pdf
It does look like an excellent VPN solution with dual LAN capability with load-balancing
that even supports ISDN.
And WallWatcher supports it.
http://www.wallwatcher.com/
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Johnnie Leung
03-01-08, 08:10 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:1omyj.7703$v47.1280@trnddc08...
>
> That's a nice unit ~$250.00 US.
>
> But I couldn't find information on it supporting VLANs.
> ftp://ftp.draytek.com/DataSheet/Vigor2910_series_datasheet.pdf
>
> It does look like an excellent VPN solution with dual LAN capability with
> load-balancing
> that even supports ISDN.
Look at the mock-up web-based configuration:
http://www.draytek.com/demo/Vigor2910/index.htm
It looks exactly like the real thing but is non-functional (obviously).
There are numerous 2910 variants with added/removed WiFi, ISDN, and VoIP
functionalities. ISDN models are not available in the US (ISDN is almost
non-existent in N Am anyway).
--
JL
David H. Lipman
03-01-08, 08:25 PM
From: "Johnnie Leung" <jsleung@telecom-digest.zzn.com>
|
| Look at the mock-up web-based configuration:
|
| http://www.draytek.com/demo/Vigor2910/index.htm
|
| It looks exactly like the real thing but is non-functional (obviously).
|
| There are numerous 2910 variants with added/removed WiFi, ISDN, and VoIP
| functionalities. ISDN models are not available in the US (ISDN is almost
| non-existent in N Am anyway).
|
OK Thanx. I wonder why it isn't listed in their spec. PDF file ?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Johnnie Leung
03-02-08, 12:46 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:amnyj.13232$ES.1269@trnddc05...
>
> OK Thanx. I wonder why it isn't listed in their spec. PDF file ?
I just checked the spec sheet, and it's definitely listed, under the last
section 'Network Features', as 'Port-Based VLAN'.
The URL to the PDF file should be
ftp://ftp.draytek.com/DataSheet/Vigor2910_series_Datasheet.pdf , where the
'D' in the second 'datasheet' is uppercased.
--
JL
CWatters
03-02-08, 01:12 PM
"Bob Kester" <SpamPot@Frontiernet.net> wrote in message
news:47C8CAB4.AC3C6801@Frontiernet.net...
> Hi...
>
> I've read some of the other replies, and there is a lot of good ideas
> there. Let me relate what I ended up doing, and sort of 'why'.
Thanks for that Bob. I've just been reading up about this as I want to do
something similar for a small video server. Very helpful to know it all
works.
Is there a list of ports to avoid when doing this?
CWatters
03-02-08, 01:23 PM
Thanks for that advice Dave. Would your advice be different if the server
was a video server?
Example..
http://www.aviosys.com/ipvideo9310.htm
How would you recommend exposing one of these to the internet without
risking making your home LAN vulnerable?
David H. Lipman
03-02-08, 01:37 PM
From: "CWatters" <colin.watters@NOturnersoakSPAM.plus.com>
| Thanks for that advice Dave. Would your advice be different if the server
| was a video server?
|
| Example..
| http://www.aviosys.com/ipvideo9310.htm
|
| How would you recommend exposing one of these to the internet without
| risking making your home LAN vulnerable?
|
The risks are the same. You need to know what UDP and/or TCP ports to forward to the Video
server.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Bob Kester
03-02-08, 08:17 PM
CWatters wrote:
>
> Thanks for that Bob. I've just been reading up about this as I want to do
> something similar for a small video server. Very helpful to know it all
> works.
>
> Is there a list of ports to avoid when doing this?
Well, I don't know on that. I guess it's a matter of keeping away from
the ones commonly used for any of the services that a hacker might be
looking for (telnet, ftp, mail, and so on). You can Google for port
assignments, and there are a lot of references out there.
I would probably try to keep away from the very low numbers (under
2000). If you go to GRC.COM and do a port scan, you want your entire
system to show up as 'stealth' -- or in other words not responding to
anything. I think by default, Steve scans up to 2000.
One side note on that -- when I did a port scan here, the router would
respond on the 'ident' service port -- maybe 113? Nothing I could do to
shut it up! I finally forwarded that port to an unassigned IP on the
LAN, and that fixed that problem. And, to keep yourself invisible, you
obviously don't want the router responding to any PING.
Back to your question -- since there are 64k ports to choose from, your
computers will be using higher port numbers for their outbound requests
-- I'm not sure what would happen if you were using port 12345 for your
server, and a computer decided to connect out using that particular
one. I think the router is supposed to be smart enough to keep those
straight, but then most routers have a few quirks where things don't
work just right :-)
If you have a Linux box, there is a simple program 'netwatch' that can
be run to monitor traffic. It is a command-line utility, and simple to
use. It gets real interesting! And, if you do have Linux, there are a
number of hot-CD versions available (like Ubuntu) where you can simply
run off the CD without any installation.
When you mention 'small video server' I wonder if you are thinking of
something like the Slingbox. I haven't looked into those, but you might
be tied down as to what port they want to use.
Good Luck!
....Bob
--
The FROM: email address has been set up for receiving SPAM.
Don't bother using it -- email to it won't be read.
Right now, you can use: posts01 [at-sign] kesters [DOT] org
(Until the scumbags figure that one out.)
CWatters
03-03-08, 08:42 AM
"Bob Kester" <SpamPot@Frontiernet.net> wrote in message
news:47CB51BA.8E95211F@Frontiernet.net...
> CWatters wrote:
> >
> > Thanks for that Bob. I've just been reading up about this as I want to do
> > something similar for a small video server. Very helpful to know it all
> > works.
> >
> > Is there a list of ports to avoid when doing this?
>
> Well, I don't know on that. I guess it's a matter of keeping away from
> the ones commonly used for any of the services that a hacker might be
> looking for (telnet, ftp, mail, and so on). You can Google for port
> assignments, and there are a lot of references out there.
>
> I would probably try to keep away from the very low numbers (under
> 2000). If you go to GRC.COM and do a port scan, you want your entire
> system to show up as 'stealth' -- or in other words not responding to
> anything. I think by default, Steve scans up to 2000.
>
> One side note on that -- when I did a port scan here, the router would
> respond on the 'ident' service port -- maybe 113? Nothing I could do to
> shut it up! I finally forwarded that port to an unassigned IP on the
> LAN, and that fixed that problem. And, to keep yourself invisible, you
> obviously don't want the router responding to any PING.
>
> Back to your question -- since there are 64k ports to choose from, your
> computers will be using higher port numbers for their outbound requests
> -- I'm not sure what would happen if you were using port 12345 for your
> server, and a computer decided to connect out using that particular
> one. I think the router is supposed to be smart enough to keep those
> straight, but then most routers have a few quirks where things don't
> work just right :-)
>
> If you have a Linux box, there is a simple program 'netwatch' that can
> be run to monitor traffic. It is a command-line utility, and simple to
> use. It gets real interesting! And, if you do have Linux, there are a
> number of hot-CD versions available (like Ubuntu) where you can simply
> run off the CD without any installation.
>
> When you mention 'small video server' I wonder if you are thinking of
> something like the Slingbox. I haven't looked into those, but you might
> be tied down as to what port they want to use.
>
> Good Luck!
>
> ...Bob
>
>
Thanks for that.
I was thinking of the server in some IP cameras or this kind of box that
converts a video cam to an IP cam.
http://www.rfconcepts.co.uk/video_web_server.htm
http://www.digidave.co.uk/product_info.php?products_id=105
http://www.amplicon.co.uk/Data-Comms/product/Video-Video-SED-2100-2979.cfm