In computer networking, a firewall pinhole is a port that is not protected by a firewall to allow a particular application to gain access to a service on a host in the network protected by the firewall.
Leaving ports open in firewall configurations exposes the protected system to potentially malicious abuse. A fully closed firewall prevents applications from accessing services on the other side of the firewall. For protection, the mechanism for opening a pinhole in the firewall should implement user validation and authorization.
For firewalls performing a network address translation (NAT) function, the mapping between the external IP address, port socket and the internal IP address, port socket is often called a pinhole.
Pinholes can be created manually or programmatically. They can be temporary, created dynamically for a specific duration such as for a dynamic connection, or permanent, such as for signaling functions.
Firewalls sometimes automatically close pinholes after a period of time (typically a few minutes) to minimize the security exposure. Applications that require a pinhole to be kept open often need to generate artificial traffic through the pinhole in order to cause the firewall to restart its timer.
See also
- ICMP hole punching
- Internet Gateway Device Protocol (UPnP IGD)
- NAT hole punching
- NAT Port Mapping Protocol (NAT-PMP)
- NAT traversal
- Port Control Protocol (PCP)
- Port forwarding
- Port triggering
- TCP hole punching
- UDP hole punching
References
"IPv6 Pinholing: Tutorial & Examples". www.catchpoint.com. Retrieved 2024-02-26. https://www.catchpoint.com/benefits-of-ipv6/ipv6-pinholing ↩
Ancuta Onofrei, Andreea; Rebahi, Yacine; Magedanz, Thomas (2010-03-20). "Preventing Distributed Denial-of-Service Attacks on the IMS Emergency Services Support through Adaptive Firewall Pinholing" (PDF). International Journal of Next-Generation Networks. 2 (1): 1–17. doi:10.5121/ijngn.2010.2101. http://www.airccse.org/journal/ijngn/papers/0310ijngn1.pdf ↩