2 questions about port forwarding and one about the community from an interested GM



Dorian
July 21st, 2016, 08:28
Hello!

I almost finished the Table Top Gaming and Dulux Oz Tutorial series.

My computer knowledge is casual and my biggest concern is port forwarding. Can someone explain to me in short and human language what it exactly does (the wikis I find on the net sound like Chinese to me :)) and what the possible risks, if any, are?

Does a large part of the community have an interest in non-D&D/Pathfinder/D20 RPGs? My first exposure to the community seems to be D&D dominant. :)

Thanks a lot!

lesliev
July 21st, 2016, 09:52
I'll try. Assuming you have an ADSL connection to the Internet, you probably have a router which provides a local Wifi network and if you try to go to a web page, it will forward your request to your ISP. This process of detecting whether an IP address is local or out on the Internet and forwarding requests out to the Internet is called routing.

Now if you run a web server on one of your computers in the local Wifi network, another computer in that Wifi network can probably connect to that computer. But people outside on the Internet cannot connect to that web server because the connection will come to the router from outside and the router will throw it away - because it's from the Internet. The reason for this is that while you might not be running a webserver on one of your computers - you could be running some other server without knowing it, and someone out on the Internet could connect to it, exploit a bug in it, and gain control of your computer. The other reason the router will throw away that request is that it will not know which computer to forward it on to - you have multiple computers on your Wifi network after all.

So if you want to run a web server, Minecraft server or Fantasy Grounds server (or any other server) on one of your local Wifi network computers, only computers on your local Wifi network can connect to it. If you want computers out there on the Internet to be able to get to it, you need some things:

1. You need to know the *external* IP address of your router. People outside will need to know this. You can find yours here: https://www.whatsmyip.org
2. You need to tell your router which computer on the local Wifi network is running the server - the *internal* IP address.
3. You need to tell your router which port the server uses. A port is like a channel on a computer. So a web server will listen for connections on port 80, Fantasy Grounds listens on port 1802.

In your router setup, the place you configure the port and internal IP address is usually called NAT, Port Mapping or Port Forwarding.

As for the security risk of doing this - opening port 1802 to the outside world means that anyone on the Internet can connect to that port on your computer - so your friends can connect to Fantasy Grounds! But also anyone else can. That's why you set up a password for the server. Still, it's possible that there's a bug in Fantasy Grounds and in theory someone out there could happen to find your router listening on that port, connect through to your computer, know about the bug, exploit the bug, bypass the password and gain some measure of remote control over Fantasy Grounds or even more.

Personally, I consider this a small risk because I don't leave the server running permanently and because I trust that the programmers at Smiteworks are professionals who've done a proper job of securing the application. Ultimately, any server you run, you have to put some trust in those who wrote it.

Dorian
July 21st, 2016, 10:33
Personally, I consider this a small risk because I don't leave the server running permanently and because I trust that the programmers at Smiteworks are professionals who've done a proper job of securing the application. Ultimately, any server you run, you have to put some trust in those who wrote it.

Thanks for your excellent response. What's the exact process of not leaving the server running permanently? Just to be sure we understand each other perfectly. :)

Any reactions to the community question would be awesome too, people. :D

JohnD
July 21st, 2016, 12:29
Just close FG when your game is done.

damned
July 21st, 2016, 13:00
There has not been a single verified report of someone being hacked via FG.
There is a risk in having an open port. The risk in this case is very small. There is more risk in reading your email or browsing websites.

I run 5e and Castles&Crusades (a d20 variant) but also Dungeon World, Trail of Cthulhu and Call of Cthulhu.
You will fill a 5e game much quicker than most other things because... well... because that's what most people want to play. Over 70% of RPG games run almost everywhere are D&D or a close variant (5e, PF, 3.5e, 4e). This is reflected in sales numbers, convention numbers, FG's stats and Roll20's stats.

There are lots of Savage Worlds games and GMs here - but perhaps not enough Savage players.

midas
July 21st, 2016, 13:38
There has not been a single verified report of someone being hacked via FG.
There is a risk in having an open port. The risk in this case is very small. There is more risk in reading your email or browsing websites.

This. The risk of having a port open is limited by what you have a port open to. In order for someone to "hack" a system via an open port:

- The application or service that is "listening" on that port needs to be running.
- The hacker needs to be able to determine what that application or service is.
- The hacker needs to be able to know what types of commands to issue to that application or service to do what they want to do.

In the case of Fantasy Grounds it's only "listening" on port 1802 when the DM has a campaign loaded, so unless you leave your campaign open all the time then the first point is negated.

As for knowing what the application or service is, I suppose it's possible that a hacker could port scan you--while you have a campaign open--and see that port 1802 is opened and then google around a bit to see what programs may use that port. However even assuming that they discover it's Fantasy Grounds, there's little they'd be able to do. I don't see someone spending a bunch of time to find ways to issue commands to a listening Fantasy Grounds client given that there's no actionable information in the program--your name, your address, nothing that would be "worth it" to datamine.

Trenloe
July 21st, 2016, 13:44
This gives an idea of the split of games played on FG: https://www.enworld.org/forum/showthread.php?464923-FANTASY-GROUNDS-Confirms-D-amp-D-5E-Lead-On-VTTs It's a year old now, but it is still a good representation - although 5E is probably higher now. You can tell when FG got 5E support, but this didn't significantly reduce the number of non-5E games being played.

As you can see from this, and what damned mentioned above, the vast majority are the popular d20 variants. But there are still a lot of games from other systems being run; you will just have to be more patient and active to look for them. And you'll see a resurgence in Call of Cthulhu - lots of new conversions coming out and the prospect of the 7E ruleset conversion coming soon.

damned
July 21st, 2016, 13:51
This. The risk of having a port open is limited by what you have a port open to. In order for someone to "hack" a system via an open port:

- The application or service that is "listening" on that port needs to be running.
- The hacker needs to be able to determine what that application or service is.
- The hacker needs to be able to know what types of commands to issue to that application or service to do what they want to do.

In the case of Fantasy Grounds it's only "listening" on port 1802 when the DM has a campaign loaded, so unless you leave your campaign open all the time then the first point is negated.

As for knowing what the application or service is, I suppose it's possible that a hacker could port scan you--while you have a campaign open--and see that port 1802 is opened and then google around a bit to see what programs may use that port. However even assuming that they discover it's Fantasy Grounds, there's little they'd be able to do. I don't see someone spending a bunch of time to find ways to issue commands to a listening Fantasy Grounds client given that there's no actionable information in the program--your name, your address, nothing that would be "worth it" to datamine.

This is pretty accurate but it is worth noting that it is absolutely possible that another application could be listening on port 1802 if/when FG is not running. Applications that do not have a specific port that they listen on will usually communicate on the next available port (from 1024 and up to 65535) and this port number usually increments depending on the programming model.

Ultimately hackers/scripters etc will go for the biggest bang for their effort. The number of computers running FG at any one time vs the number of open telnet or ssh ports, or smtp or pop ports etc... and the value of the possible data to steal...
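A local check for the point raised above by midas and damned, that a forwarded port only matters while something is listening on it and that the listener may not be the program you expect. This is an added example, not part of the original thread; the rule list, the `app_running` flag and the loopback address are assumptions for illustration, and 1802 is the port named in the thread.

```python
import socket

FG_PORT = 1802  # port the thread gives for Fantasy Grounds


def is_listening(host, port, timeout=0.5):
    """True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def classify(listening, app_running):
    """Compare what the port is doing with what you expect it to be doing."""
    if listening and app_running:
        return "exposed as intended"
    if listening:
        return "UNEXPECTED listener: something other than the app holds the port"
    if app_running:
        return "app running but port closed (forward would go nowhere)"
    return "idle: forwarded traffic is refused"


def audit_forwards(forwards, probe=is_listening):
    """forwards: (label, internal_ip, port, app_running) per router rule."""
    report = []
    for label, host, port, app_running in forwards:
        finding = classify(probe(host, port), app_running)
        report.append({"label": label, "host": host, "port": port,
                       "finding": finding})
    return report


if __name__ == "__main__":
    # Constructed rule: host is the machine itself; app_running=False means
    # the game has been closed, so a listener here would be a surprise.
    rules = [("Fantasy Grounds", "127.0.0.1", FG_PORT, False)]
    for row in audit_forwards(rules):
        print(f'{row["label"]} {row["host"]}:{row["port"]} -> {row["finding"]}')
```

Run it on the machine the router rule points at, once with the game open and once after closing it, and set `app_running` to match.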

Dorian
July 22nd, 2016, 11:25
Thank you for all the clear responses: it was all written in human language. :)

Well, I hope I can find me some Savage players; there are so many Savage Worlds settings I would like to run and explore. :bandit:

damned
July 22nd, 2016, 11:41
Savage Worlds is a very popular ruleset here and there ARE soooo many good Savage settings :)
5e does steal most of the light though!

ddavison
July 22nd, 2016, 15:54
D&D definitely leads the number of games being played, but the FG community plays Savage Worlds and other systems that have strong ruleset support a little more frequently than they do in the wild as far as I can tell. For instance, Savage Worlds has very strong support here and so it shows up higher in the rankings on FG as a result than what it does on other online platforms. There are some community run games of other systems like Star Wars Edge of the Empire that seem to have a pretty good showing too, despite not having an officially licensed ruleset available.

Dorian
July 22nd, 2016, 16:21
The community-related responses in this thread, for games being run and player base, raise my spirit! :D

Nylanfs
July 22nd, 2016, 19:19
Don't forget Das Schwarze Auge, that has consistently shown in the upper single to lower double percentages.

damned
July 23rd, 2016, 01:39
Don't forget Das Schwarze Auge, that has consistently shown in the upper single to lower double percentages.

Err... closer to 2% - but that is still a big chunk.