
Asking for advice on port forwarding/dmz

This topic is archived.
 
banjosareunderrated Donating Member (389 posts) Thu Feb-10-05 11:29 PM
Original message
Asking for advice on port forwarding/dmz
Since I'm a computer idiot, I don't know which of these options is safer:

I am going to start using a private network program to swap photos with friends and family around the country. For this program to work, I have to open a specific block of ports (successive). I use a Linksys router with an ethernet cable connection to my puter and I have to decide on using DMZ function of the router or forwarding just those specific ports on the router and using a static IP on my main machine. I'm thinking the most secure way would be to forward those ports and then disable port forwarding when I'm done using the program, but, again, I don't know much about this. I'm using Windows 2000pro.

thanks for any help.
bemildred Donating Member (1000+ posts) Fri Feb-11-05 12:03 AM
Response to Original message
1. More info needed.
Edited on Fri Feb-11-05 12:04 AM by bemildred
What sort of private network program?
Are you going to run a VPN using PPTP or IPsec?
Or something else?

Are you using DHCP (from the router)?
Is the router doing Network Address Translation (NAT)?
Does the router have a firewall?

Are you using DSL or Cable or DialUp?
If DSL or Cable, is there a Cable/DSL modem in the picture too?
Do you get a static IP from your ISP?

I would not use the DMZ unless I had a machine I was confident could
resist attacks, which does not sound like the case here.

It's going to be difficult to do this if you don't have a static
IP from your ISP, I think, so your friends and family will be able
to find you at the same internet address all the time.
 
banjosareunderrated Donating Member (389 posts) Fri Feb-11-05 01:17 AM
Response to Reply #1
2. thanks for helping...
I appreciate the help.

I would've mentioned the program but it can also be used as a private P2P for, literally, any kind of file and Mr. Skinner asked me not to talk about P2P programs on this site--I didn't think it was ok so I posted about it in the ask mods forum and he said no. (Maybe a mod could let me know if it's ok if I sent bemildred a pm with the program name?) It does set up a VPN I believe as there is no central server---direct connection. Please understand that me to computers is Bush to everything.

Yes to all three. I use the router for my laptop (mac with wifi) so I can read the newspaper from my couch and I have my PC directly connected to the router with an ethernet cable. The router is the Linksys BEFW11S4 which, I'm almost positive, has a firewall built in. I also use Zone Alarm as a software backup.

The problem stemmed from the fact that this program is supposed to be UPNP but after configuring Zone Alarm, it wouldn't work. After starting the program "Active Ports", it showed that I had a TCP established connection with the correct port and UDP listening with the correct port (this program is essentially an IRC program) but my invited friends couldn't see me. However, when I plugged my computer into my cable modem directly (bypassing the router) it worked--they could see me with no other configuring. My ISP uses dynamic IP addresses, but by forwarding only the 3 ports on my router that the program requires and manually setting a static IP with my windows LAN settings, it also worked. The only reason I don't like this is that every time I have to use this prog., I have to manually set up static IP, subnet data, config the router, etc. It takes a little while. DMZ seemed to be an easier solution but without a physical DMZ machine before my main computer, I'm worried about safety. I just blew my tax refund on a nice MSI Neo2 and an AMD64 so if some jack*** decides to blow me up I'm out a decent chunk of change. I know I could bypass my router but I don't personally trust software firewalls like hardware firewalls with software backup. DMZ worries me for obvious reasons.

I did try to contact both Linksys and the makers of this program but I haven't gotten any help. I sincerely appreciate any help you might have.
 
bemildred Donating Member (1000+ posts) Fri Feb-11-05 10:20 AM
Response to Reply #2
3. I use a DLink.
Edited on Fri Feb-11-05 10:22 AM by bemildred
You should learn more about the firewall on the LinkSys.

What is the static IP you are setting up? Are you using one of the
designated private network addresses? (See below.)

After you set up the static IP, what do you tell your family and
friends that allows them to find you? (Not all of it, but give
me an idea or example of how you choose it).

I share pictures with family and friends via email, using Yahoo
Groups, it works rather well and is simple.

It is my understanding that for your friends out there in internetland
to find you, they have to have a valid internet address for you,
which would be the external (WAN) address on your cable modem. The modem
would then forward traffic to the router, which would forward it to
the proper internal machine (yours).

The following address ranges are designated for use on private networks:

Table 2-1. IP Address Ranges Reserved for Private Use:
Class Networks
A 10.0.0.0 through 10.255.255.255
B 172.16.0.0 through 172.31.0.0
C 192.168.0.0 through 192.168.255.0

My DSL modem uses addresses in the 172.16.0.0 range, and the
Router uses addresses in the 192.168.0.0 range, which it assigns
to my home boxers using DHCP.

It appears that your WiFi router uses the 192.168.0.0 range in the
internal network, normally.
 
banjosareunderrated Donating Member (389 posts) Fri Feb-11-05 01:05 PM
Response to Reply #3
4. thanks for your time bemildred
The static IP is from your "c" section below. For my friends to find me all they have to do is sign on. You pick a username and your friend/family member "invite" you. It's that simple. All this thing does is use IRC client--think Yahoo Messenger ("add a friend" "invite") with on the fly photo sharing, voip, chat, etc. That's what has got me so twisted--I can't figure out why it won't work when other IRC does. After a week of trying everything, I've resigned myself to those two choices---forward a few ports on the router or use DMZ. When I do one of those two things, it works. I just don't know if one is inherently safer than the other. Unless I'm missing something glaring though, I can't use it without messing with/bypassing my router.

Do you think it'd be ok if I sent you a pm with the name?
 
bemildred Donating Member (1000+ posts) Fri Feb-11-05 03:54 PM
Response to Reply #4
5. Yes, PM me with the name.
I still don't quite get this, but I can say I would recommend the
port forwarding over the DMZ.

The IRC setups I know about (and I don't study on it) involve a
server somewhere that knows who everybody is (or how to find out)
and that does the forwarding/connecting. My guess right now is that
that "server" thinks "you" are the router because of the NAT that it's
doing.

If you could figure out a way to forward the ports to your machine
without setting the IP (still using DHCP) then you would be set.
My router has means to do that, and also something called "virtual
server" which appears to me to allow you to export just your sharing
ports to the outside, which would have the same effect.

If I get the name, I can do a bit of looking around and figure it
out.
 
bemildred Donating Member (1000+ posts) Fri Feb-11-05 08:05 PM
Response to Reply #5
6. OK, I think you are fine with the port forwarding. (I looked at it.)
Edited on Fri Feb-11-05 08:05 PM by bemildred
That is the correct solution, assuming their documentation is not
bullshit. You are passing through only their ports, and the
connections are encrypted (192 bits) so nobody short of the NSA is
going to break into the TCP circuit.

They are running a service that manages all the identification stuff,
sort of like I thought.

The static IP address you are using is fine, it's a private network
address, so nobody can route to it directly from out there in IP-land.
Just set it that way and leave it, as long as it's a 192.168.nnn.nnn
address. Everybody out there in IP-land thinks you are the cable modem
anyway.
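Added example, not part of the original thread: a small model of the router decision discussed above, showing which listening services on the PC become reachable from the internet under port forwarding versus the DMZ setting. The LAN address, the three port numbers and the list of listening services are constructed for illustration, since the thread never names the program or its ports.

```python
import ipaddress

# RFC 1918 private blocks (the three ranges in the table quoted in reply #3).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr is RFC 1918 space, i.e. not routable from the internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class Router:
    """Toy model of how a NAT router treats unsolicited inbound connections."""
    def __init__(self, forwards=None, dmz_host=None):
        self.forwards = forwards or {}  # WAN port -> (LAN IP, LAN port)
        self.dmz_host = dmz_host        # LAN IP that gets all other inbound traffic

    def route_inbound(self, wan_port):
        """Return (LAN IP, LAN port) reached by a new inbound connection, or None."""
        if wan_port in self.forwards:
            return self.forwards[wan_port]
        if self.dmz_host is not None:
            return (self.dmz_host, wan_port)
        return None  # no rule, no DMZ host: NAT drops it

def exposed_ports(router, host, listening):
    """WAN ports through which an outside machine reaches a listener on host."""
    exposed = []
    for wan_port in range(1, 65536):
        dest = router.route_inbound(wan_port)
        if dest and dest[0] == host and dest[1] in listening:
            exposed.append(wan_port)
    return exposed

# Constructed sample data; the thread never names the program or its ports.
PC = "192.168.1.50"                  # hypothetical static LAN address
APP_PORTS = {5000, 5001, 5002}       # placeholder for the three program ports
WINDOWS_PORTS = {135, 139, 445}      # RPC, NetBIOS, SMB listeners on stock Windows
LISTENING = APP_PORTS | WINDOWS_PORTS

forwarding = Router(forwards={p: (PC, p) for p in APP_PORTS})
dmz = Router(dmz_host=PC)

if __name__ == "__main__":
    print("LAN address private:", is_private(PC))
    print("port forwarding:", exposed_ports(forwarding, PC, LISTENING))
    print("DMZ host:       ", exposed_ports(dmz, PC, LISTENING))
```

With forwarding, only the program's own ports are reachable; as DMZ host, every listener on the PC is reachable and the software firewall on the PC is the only remaining filter.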
 
banjosareunderrated Donating Member (389 posts) Fri Feb-11-05 08:36 PM
Response to Reply #6
7. cool
thanks for your help, that's what I'll do. I hope I can return the favor someday.

peace
 