Firewalls, NAT, security
First of all, some notes about what ANGEL APPLICATION does:
- not provide anonymity, because you cannot have accountability while sacrificing identity. And backups require accountability, otherwise they are not reliable
- not intend to be a file sharing tool, although one could possibly use it that way
- not use trickery when passing through IP networks. No hole punching, no backdoors
- rely on the end user to make their data (either encrypted or unencrypted) visible to others, i.e. end users must ensure connectivity
Firewalling
If you use ANGEL APPLICATION to back up data from others, it is recommended to provide the backup to the other peers, so that it can be recovered. Also, it is best for the maintenance algorithm to see each "clone" in order to allow good redundancy.
If you want others to back up your data or want to help increase the redundancy of the backups you are doing of others, you have to provide your local repository to the other peers.
For both scenarios, you have to enable the "provider" in ANGEL APPLICATION and allow incoming connections to port 6221 (TCP). Generally speaking, enabling the "provider" is part of the concept; disabling it or disallowing connections to it usually makes no sense. See also the page on port numbers.
No other incoming connections need to be allowed.
NAT
If you are stuck behind a NAT router, you might have difficulties providing your repository to the network. Historically, the reason for NAT is the lack of IP addresses in IPv4. ANGEL APPLICATION does work fine with IPv4, but does not provide any built-in mechanism to work around the limitations of NATs.
If you want easy and omnipresent connectivity, you can use Miredo. Miredo is an open source implementation of Teredo, a protocol to enable IPv6 connectivity over IPv4 and also to traverse NAT routers transparently using a globally routable IPv6 address. In other words: this technology allows your computer to be reachable from the internet even if it is stuck behind a NAT router. Teredo has been part of Windows XP since SP2 and is also part of Microsoft Vista. Its open-source counterpart Miredo is available for a wide range of alternative platforms, including Mac OS X and Linux. If you have Miredo installed, you should activate IPv6 in the preferences of ANGEL APPLICATION.
See our guide on Miredo for more information.
You can, of course, also do it "old school", and use port forwarding from your router. This requires slightly more end user work and only works if you stay behind the same router.
Security
Some issues have been raised and answered so far:
- Miredo allows all incoming traffic by default. We recommend adding firewall rules to the Miredo tunnel interface to allow only connections incoming to port 6221 and any outgoing connections. This really is not an issue with ANGEL APPLICATION. See our guide on Miredo for more information.
- Private data in your repository. Until ANGEL APPLICATION has a good way of setting up your own repository and encrypting it, we recommend that you don't put any data in the repository that you don't want to be visible to the internet.
- Exploits, worms, remote vulnerabilities. We have taken great care to make the network processes safe. For example, the "provider" process that listens on the network for incoming connections has no functionality to write to your filesystem, except for a small exception to set filesystem attributes inside the repository. This already gives good security. Also, because it is running as a separate Unix process, it does not have access to your private crypto-keys to alter, change, read or tamper with the data in your repository.
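
The firewall recommendation for the Miredo tunnel interface given above, written out as an added example; it is not taken from the ANGEL APPLICATION project or its Miredo guide. It assumes Linux with ip6tables and a tunnel interface called "teredo", and the chain name ANGEL_TEREDO_IN is made up for this example.

```shell
#!/bin/sh
# Added example, not ANGEL APPLICATION code.
# Assumptions: Linux with ip6tables; the Miredo tunnel interface is named
# "teredo"; ANGEL_TEREDO_IN is a chain name invented for this example.

# Print an ip6tables-restore ruleset that limits the tunnel interface to
# replies for outgoing connections plus new TCP connections to the provider.
miredo_ruleset() {
    ifname="${1:-teredo}"
    port="${2:-6221}"
    # Refuse anything that could break out of the rule lines below.
    case "$ifname" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface: $ifname" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Outgoing traffic is left to the OUTPUT chain's default policy.
    # ICMPv6 errors for existing flows arrive as RELATED.
    cat <<EOF
*filter
:ANGEL_TEREDO_IN - [0:0]
-A INPUT -i $ifname -j ANGEL_TEREDO_IN
-A ANGEL_TEREDO_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ANGEL_TEREDO_IN -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A ANGEL_TEREDO_IN -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin (generated above, or ip6tables-save output) and
# list the TCP ports the example chain accepts, to review what is exposed.
accepted_ports() {
    awk '$1 == "-A" && $2 == "ANGEL_TEREDO_IN" && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# To load the rules, run as root (this changes the live firewall, and
# loading twice adds a second jump rule to INPUT):
#   miredo_ruleset teredo 6221 | ip6tables-restore --noflush
# To review afterwards:
#   ip6tables-save | accepted_ports
```

If the review step prints anything other than 6221, something besides the provider is reachable through the tunnel.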