Unlocking Internet doors when you need access

Every bit of Internet security advice you've ever read warns you to clamp down on incoming access to the computers on your home or office network. Turn on a firewall. Enable anti-virus software that scans every inbound message or downloaded file. Use a broadband gateway that hides your computers from the Internet.

That's good advice, but only for unsolicited inbound access. You want to repel scoundrels trying to probe your network or your computers.

But what if you need access to computers when you're not physically on the same network? Many remote-access tools fail because of how Internet service providers limit remote access for a combination of security and technical reasons.

One of two approaches often works: software that can create a connection out from your network to a central server; this is how Skype and iChat hook together chatters. Or open up your network just a little bit; this depends on your ISP's security settings, among other factors.

Computers and other devices connect over the Internet using Internet Protocol (IP) addresses. These addresses define the location of networks to other computers so they can reach each other.

There are public and private IP addresses, however. Public addresses — such as a home on a public street — can be reached by anyone on the Net. Private addresses are more like homes in some gated communities; the public street number tells you where the community is, but each home inside has a number of its own.

Most home networks and many office ones use private addressing because there's a kind of shortage of current-generation IP addresses. (It's more about addresses being unevenly distributed than a true lack.) A piece of software in a Wi-Fi or broadband router handles how privately numbered computers send requests to and receive responses from other machines, such as Web servers, on the public Internet.

The first way around this blockage is by using a program that connects to a server. While Skype and iChat can tunnel their way in and out of a privately numbered network to allow multiway chats, neither allows remote control.

iChat will add a form of this called Screen Sharing in Leopard in October ($129 for the whole operating system; no upgrade pricing). But Screen Sharing requires multiple participants, not an unattended machine. Skype can work with Timbuktu Pro remote-control software, but TB2 costs $180 for a two-computer license, a hefty sum for a home user.

Only recently did an alternative to Skype plus TB2 appear: LogMeIn Free for Mac. The clearly labeled free software is installed on all the comptuers you want to control (https://secure.logmein.com/products/mac/download.asp, Mac OS X 10.4.9 or later). There are also free Windows versions available. A small program handles making your computer available, while you can use Safari or Firefox to control a machine remotely.

The developer, LogMeIn, makes for-fee software for more advanced users and technical-support purposes, but the free version should be enough for most home and small-business users. The test version lacks file-transfer support.

In testing LogMeIn Free for Mac over the past two months, I found it quite usable and look forward to its full release.

If your needs go beyond remote control, however, you have another approach: punching a small hole in the barrier between your private network and the Internet. Most routers support port mapping, which connects a service on a private computer, such as file sharing, with a reachable address on the router. The router hands incoming traffic off the appropriate computer. (Ports are to IP addresses as apartment numbers are to apartments: Once you've reached the main address, you figure out which door or port to knock on.)

To use port mapping, you first need to determine whether your ISP offers a public IP address. I recently switched my home service to Qwest DSL, which included that address in setup instructions online. Without a public address, you can't proceed.

Second, find the port of the service you're trying to open up. If you'd like to connect to Personal File Sharing on a home computer from elsewhere, that's port 548. (Read an 8-year-old, but still accurate article in TidBITS for more details on ports: db.tidbits.com/article/5291.)

Third, figure out the private IP address of the computer that you want to share a service from. This used to be a bit tricky, as those addresses can change every time you restart the router or your computer. With many non-Apple routers and the newest Apple AirPort Extreme base station, you can fix a private address to a computer, however.

Finally, you map the port to the private IP address. This varies enormously by router. For Apple's base station, the instructions are in a downloadable guide: Designing AirPort Extreme 802.11n Networks (manuals.info.apple.com/en/DesigningAirPortExtreme802.11nNetworks.pdf) on page 53. For other routers, consult the manual, often only available as an online download.

I don't like to leave my Internet doors unlocked, but using one of these two approaches offers you the chance to get the data you need away from home.

Glenn Fleishman writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to gfleishman@seattletimes.com. More columns at www.seattletimes.com/columnists