[okeee]

Because internet is set via a router, I need to forward some ports for some application to connect to internet. Ususally they state that I can pick any port number to forward, but I have no idea which ones are safe, and when I might accidentally open up too many ports. So how do I set a port correctly without making it vulnerable to outside attacks?

[lunarlander]

Well, if you do port forwarding, an attacker will know for sure that there is a PC at your IP address. Also, depending on the software that is receiving traffic, an attacker may be able to probe the software for responses to identify what it is. Then, the attacker will have to find an exploit that works on that application you have which can grant him access to your computer.

So, whether you choose to port forward or not depends on how much you trust the security of your application. Does it offer responses to anyone that comes knocking? Lets say the application dutifully answers the attacker that 'I am Sendmail', are there any weaknesses to exploit ? You can browse SecurityFocus or SANS's @Risk vulnerabilty lists to see if whitehats have identified any weaknesses. Even if you don't find anything at those sites, it may still possible that blackhats have a secret weapon that the whitehats don't know about. Also, the attacker may not target the application, but may target other parts of the machine like for example the TCP/IP stack of your exposed machine. For example Windows has a recent IGMP vulnerabilty. So it is most important that your machine has up to date windows patches, and that your application is up to date as well.

So you see, security folks will usually be very cautious when forwarding ports. They'll make sure Everything is patched and up to date. And try to expose the minimum surface area for an attacker to play with.

If your application allows you to choose which port to use, then you can choose anything above port 1024, as ports 1-1023 have standard uses by well known applications.