
Automatically enable and disable a router's DMZ Internet
If you connect to the internet through a router, you may occasionally want to expose your computer directly to the internet for things like BitTorrent, serving up web pages, or logging into your computer from work. Most consumer-grade routers have a "DMZ" feature that allows one internal user to be exposed to the internet. If you have a Linksys router, the following code will automatically enable the DMZ feature for your IP address:
  1. Open Terminal and type pico activatedmz to open a new document for editing.

  2. Paste in the following two lines of code. This code assumes the Linksys default IP address 192.168.1.1 and default password admin -- hopefully you've changed that, so make any changes if necessary. Remove the line wraps shown in each line, replacing them with a space to make two long lines of code:
    Line #1: lastdigit=`ifconfig | grep netmask | grep -v 127.0.0.1
             | awk {'print $2'} | sed 's/192.168.1.//'`
    Line #2: curl http://192.168.1.1/apply.cgi
             -d "submit_button=DMZ&change_action=&action=Apply&dmz_enable=1&dmz_ipaddr=$lastdigit"
             -u admin:admin -s > /dev/null
    
  3. Hit Ctrl-X, then Y to save the document and close pico.

  4. Type chmod u+x activatedmz to make the script executable.

  5. Type ./activatedmz to run the script and expose your computer to the internet.
To automatically disable DMZ and again protect your computer from the internet, create another file called deactivatedmz and paste in the following single line of code -- again, remove the line breaks and replace them with a space:
Line #1: curl http://192.168.1.1/apply.cgi
         -d "submit_button=DMZ&change_action=&action=Apply&dmz_enable=0&dmz_ipaddr=0"
         -u admin:admin -s > /dev/null
Again, type chmod u+x deactivatedmz to make it executable, then type ./deactivatedmz to run it. I found it helpful to use Platypus to turn these UNIX scripts into GUI apps. I now have an "Activate DMZ" and a "Deactivate DMZ" icon in my Dock -- easy as a light switch. If you want to know how this works, or do this with a different brand of router, keep reading for a behind-the-scenes look.

Here's how I figured this out...
  1. Install the Web Developer Extension for Firefox.
  2. Open your router configuration page (at http://192.168.1.1 or whatever) in Firefox. Go to the DMZ page.
  3. On the Web Developer Extension toolbar, click Forms, then click Convert POSTs to GETs
  4. Fill out the DMZ page (to turn it on) and hit submit.
  5. You should see a long URL in the address bar -- copy it somewhere. Everything before the question mark (?) is the address of the form. Everything after the question mark is the list of variables to submit. For example, this was my URL (with line breaks for a narrower display):
    http://192.168.1.1/apply.cgi?submit_button=DMZ
    &change_action=&action=Apply&dmz_enable=1&dmz_ipaddr=3
    You'll notice the variables dmz_enable=1 and dmz_ipaddr=3, which activate the DMZ for my IP address 192.168.1.3. To deactivate the DMZ, I have to change the variables to dmz_enable=0 and dmz_ipaddr=0.
Because the DMZ form asks me to enter the last digit of my computer's IP address, I needed a way to get that from the Terminal. Here's the breakdown:
  1. ifconfig | grep netmask | grep -v 127.0.0.1 | awk {'print $2'} - returns the local IP address 192.168.1.3
  2. sed 's/192.168.1.//' - strips out the first three numbers and returns just the 3
  3. lastdigit=`` - saves the 3 to a variable called $lastdigit
And a breakdown of the curl statement:
  1. curl http://192.168.1.1/apply.cgi - the address of the form (everything before the ? from above)
  2. -d "submit_button=DMZ&change_action=&action=Apply&dmz_enable=1&dmz_ipaddr=$lastdigit" - the variables (everything after the ?)
  3. -u admin:admin - the username and password of your router
  4. -s > /dev/null - silences the output
Hope that makes things somewhat clearer...
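
A variant of the activate/deactivate scripts above, added here as an example and not part of the original hint: it takes the last octet only from an address inside the router's subnet, rejects anything non-numeric before it reaches the form body, reads the router login from a netrc file instead of -u admin:admin, and reports a failed request instead of discarding it. The apply.cgi fields are the ones captured in the hint; the ~/.dmz-netrc path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the hint author's code). Assumed netrc file, chmod 600:
#   machine 192.168.1.1 login admin password <your router password>
ROUTER=192.168.1.1            # Linksys default address from the hint
PREFIX=192.168.1.             # LAN prefix the DMZ form assumes
NETRC="$HOME/.dmz-netrc"      # hypothetical path, keeps the password out of the script

# Read ifconfig-style text on stdin; print the last octet of the first
# address inside $PREFIX. Returns non-zero when no usable address exists.
last_octet() {
    awk -v p="$PREFIX" '
        $1 == "inet" && index($2, p) == 1 {
            o = substr($2, length(p) + 1)
            if (o ~ /^[0-9]+$/ && o + 0 >= 1 && o + 0 <= 254) { print o; found = 1; exit }
        }
        END { exit !found }'
}

# Build the apply.cgi form body. $1 = on|off, $2 = last octet (for "on").
# A non-numeric octet is refused so it cannot add extra form fields.
dmz_body() {
    case "$1" in
        on)  case "$2" in ''|*[!0-9]*) return 1 ;; esac
             printf 'submit_button=DMZ&change_action=&action=Apply&dmz_enable=1&dmz_ipaddr=%s' "$2" ;;
        off) printf 'submit_button=DMZ&change_action=&action=Apply&dmz_enable=0&dmz_ipaddr=0' ;;
        *)   return 1 ;;
    esac
}

# POST the body. --fail turns a rejected login or HTTP error into a
# non-zero exit status, so a DMZ that did not switch off is noticed.
dmz_set() {
    body=$(dmz_body "$@") || return 1
    curl --silent --show-error --fail --max-time 10 \
         --netrc-file "$NETRC" -d "$body" "http://$ROUTER/apply.cgi" >/dev/null
}

# Usage: ./dmz on | ./dmz off
case "${1:-}" in
    on)  octet=$(ifconfig | last_octet) || { echo "no ${PREFIX}x address found" >&2; exit 1; }
         dmz_set on "$octet" ;;
    off) dmz_set off ;;
esac
```
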

Automatically enable and disable a router's DMZ | 20 comments
Automatically enable and disable a router's DMZ
Authored by: rflo on Oct 19, '05 08:08:48AM

Why not open the ports you need instead of activating the DMZ? Putting any machine except a stripped server in a DMZ is dangerous.

---
Ronald Florence



Agree
Authored by: sudogeek on Oct 19, '05 08:31:04AM

I can only agree. If you're not sure what ports are active or used because the documentation is poor (like pcAnywhere), you can briefly set up your computer as a DMZ address. Then connect using whatever program/service of interest, like Acquisition or BitTorrent, and run "netstat -a" in a terminal session. Note which ports are active and whether they are TCP or UDP. Then, take the computer out of the DMZ and open the appropriate ports.



Agree
Authored by: Greedo on Oct 19, '05 08:39:29AM
Or install something like Little Snitch, which will alert you when an application is trying to connect over a non-standard port.

Also agree
Authored by: Brock Lee on Oct 19, '05 08:46:11AM

I also agree. Open ports on the router selectively (which is a capability of three different brands of consumer-grade routers I've used -- Linksys, D-Link, Belkin). Don't expose the entire system.

P.S. FWIW, D-Link has given me the most problems with wireless compatibility.



Agree also
Authored by: timhaigh on Oct 19, '05 04:01:25PM

DMZs are dangerous for security.

I just open the ports I need in my firewall. All the reasons stated in the OP's hint for opening a DMZ don't make sense at all.

Bittorrent. If you use Azureus you only need to open 1 tcp port, and 1 udp port for decentralised tracking.

Serving Web pages you only need to open tcp port 80.

Remote Logging via SSH you need to open tcp port 22 and if using public key authentication it is very secure.



Automatically enable and disable a router's DMZ
Authored by: gvaughn on Oct 19, '05 08:42:59AM

This is a powerful technique. I've done something similar to dialup the modem attached to my SMC router. Yeah, it seems weird to share a dialup connection over wireless, but it lets me sit in the easy chair :-)

Not to be critical, but the two calls to grep and the one to sed could all be accomplished within awk. I don't have the book with me, but the general syntax is /matchstring/ {actions} where the matchstring could handle what you're using grep for. There's also a builtin function in awk called, I think, gsub that does the same thing as sed's s/match//.



Thank you
Authored by: Whosawhatsis on Oct 19, '05 12:33:05PM

Thank you. I get so sick of people using grep for things that awk should be doing.

Learn to use awk correctly: http://www.vectorsite.net/tsawk.html

---
I was offered a penny for my thoughts, so I gave my two cents... I got ripped off.



Thank you
Authored by: kps on Oct 19, '05 05:47:42PM
I get so sick of people using awk for things that sed should be doing :-)
ifconfig | sed -n -e '/127.0.0.1/d' -e 's/.*inet \(.*\) netmask.*/\1/p'
(I also get sick of macosxhints eating backslashes.)

Thank you
Authored by: Whosawhatsis on Oct 20, '05 05:06:03PM
To get the same output using awk:
ifconfig | awk '$1 ~ /^inet$/ && $2 !~ /^127.0.0.1$/ {print $2}'
Shorter, and no backslashes to be stripped out :P

---
I was offered a penny for my thoughts, so I gave my two cents... I got ripped off.


Automatically enable and disable a router's DMZ
Authored by: peragrin on Oct 19, '05 09:09:04AM

If memory serves, BitTorrent is 6880-6889, normally using 6880 & 6881 for control.


My Linksys router allows me to activate and deactivate pre-configured ports to selected IPs. BitTorrent, a couple of game servers, FTP, ssh are all in there but not enabled unless I want them to be.

Soon the Linksys will be leaving me, and I will set up an AirPort base station to do something similar.

---
I thought once I was found but it was only a dream



Bit-torrent FAQ
Authored by: gshenaut on Oct 19, '05 09:47:20AM
has a section on which ports to open here.

Greg Shenaut


Automatically enable and disable a router's DMZ
Authored by: signal15 on Oct 19, '05 09:25:10AM

I think you can do this with snmp also. Should be able to figure out the OID with snmpwalk and then use snmpset to change the values.



Non Unix- Non network person's question...
Authored by: stealthgeek on Oct 19, '05 11:36:27AM

I have a question that maybe will seem naive to you and will surely reveal my lack of computer knowledge to informed people like you lot... Here it is: won't the built-in OS X firewall still protect the computer even if the router DMZ is activated?

---
Stealthgeek



Non Unix- Non network person's question...
Authored by: mistersquid on Oct 20, '05 05:21:20PM

Yes, Mac OS's built-in firewall does offer protection. However, a router at the Internet gateway offers an additional layer of protection, especially since most routers are incapable of offering most services (e.g. ftp).

If one does expose a computer as a DMZ host, the safest thing to do is to offer only those services that are absolutely necessary. Below, I see some people suggesting port-forwarding. This is a solution only when one is offering between one and ten services. If you are hosting, for example, AFP, BitTorrent, DNS, HTTP, HTTPS, POP, POP SSL, SSH, SMTP, VNC--you quickly run out of port-forwarding ranges and you don't necessarily want to turn your DMZ on and off.

Or, if your port-forwarding slots are mostly full and you want to log on to World of Warcraft for an hour or two and don't want to change your port-forwarding settings, a quick cmd-Tab to Terminal and a few keystrokes will set you up with the script detailed in this hint.

Routers do offer an additional layer of protection, but that protection comes at the price of convenience.



Automatically enable and disable a router's DMZ
Authored by: tidjj on Oct 19, '05 01:52:17PM

A simple way to do it is to permanently turn on DMZ on a single address and to change your computer's IP address to jump in or out the virtual DMZ.

No need to keep clear passwords accessible to one's eyes...

This way to run needs to get rid of DHCP. It makes it easy to put any computer within the LAN in the DMZ.



Automatically enable and disable a router's DMZ
Authored by: digitol on Oct 20, '05 02:03:24AM

Cool hint, although unless I'm mistaken, this is like going around the block to go next door. Simply config an IP for DMZ; set the IP value high, then just change your Mac's IP config to the according IP when you wish to DMZ. If you give the DMZ IP .50 then you will need 50+ computers on DHCP to ever reach this "accidentally"; alternatively you could set the rest of your network on static/manual config IPs.



In a perfect world, yes
Authored by: Whosawhatsis on Oct 20, '05 04:25:12PM

Some routers don't allow you to use a manually-assigned IP address unless it is set to use them, which means that all computers must have them. This is quite annoying when you're using a portable and joining other networks as well.

---
I was offered a penny for my thoughts, so I gave my two cents... I got ripped off.



Automatically enable and disable a router's DMZ
Authored by: irfanr on Oct 20, '05 04:29:38PM

This is a cool hint! Thanks for that. In addition to the DMZ opening, one can also activate the built-in firewall to protect the computer, which can also be done by running a command along or after this script. For BitTorrent clients, I use Azureus with UPnP plug-in and that seems to work with all routers that support UPnP. This saves me from opening DMZ port. I wish there were more internet apps with UPnP support between Mac and other devices or a central UPnP control on OS X so that other apps can use it when needed.

- Irfan



Automatically enable and disable a router's DMZ
Authored by: Whosawhatsis on Oct 20, '05 04:59:51PM
Here's the one-line version that I came up with for mine (a different linksys model). I encapsulated it in applescript and run it using butler so there are no annoying windows or icons to deal with.
curl "http://192.168.1.1/Gozila.cgi?P4Status=1&exIP3=`ifconfig |
 awk '$1 ~ /^inet$/ && $2 !~ /^127.0.0.1$/ {sub ("192.168.1.", "", $2);
 print $2; exit}'`" -u admin:admin -s > /dev/null

---
I was offered a penny for my thoughts, so I gave my two cents... I got ripped off.


Easier Way to Do This
Authored by: John Strung on Oct 23, '05 01:50:43PM

There is a much easier way to do this. Go to the LinkSys Admin program and turn on DMZ. Hit Apply. Before you hit Continue, bookmark the page. This bookmark will then automatically turn on DMZ. You can do the same for any other setting in the LinkSys Admin program - turn port forwarding on or off, change ports, etc.


