On a home private network, the router would have a private IP address something like this: 192.168.0.1. On the home network there are 5 computers. Each has a local IP address 192.168.0.xx, e.g. 192.168.0.2 – 192.168.0.6. But the computers themselves do not have a public IP, only the router does. So would it be possible for someone from an outside network to send a file to one specific computer in my home network? Like if they know the MAC address of the device.
And how is it that emails can reach e.g. the Outlook application installed on one computer with one IP address, but still be accessed from another computer with a completely different IP address?
So in general, you’re right. The rest of the internet can only “see” your router and send traffic to it. That means if some rando wants to push a file transfer directly to your computer, they simply can’t. You might even be running something like an FTP server on the computer. But when the router gets their “Hi, I want to connect to the FTP server” message, it responds, “I do not run an FTP server, sorry.”
But how does traffic get back to your computer when you ask for a web page? Well, that’s the router’s job. Your computer has to tell the router, “Ask Reddit to send me this page.” The router nods and sends the request to reddit. Reddit thinks it’s the router asking for the page so it sends the page to the router. The router remembers that your computer ASKED for that data so the router happily redirects it to your computer.
That’s how Outlook works. It ASKS servers outside of itself for data. The router always assumes if you ASK for data then it’s OK to “forward” the response to you. But this only works for one “connection”. If for some reason after that is over reddit decides to send more stuff to you, the router’s liable to ignore it or respond, “I didn’t ask for this.”
That’s why there’s a feature called “port forwarding”. Sometimes you want to run a program that EXPECTS people from the outside to ask it the questions, like when you host a video game server. To make that work, usually the program tells you “I use this port”. Think of ports like “channels” your computer can use: each network connection has about 65,000 of them, and a program is free to use any of them above 1024. (The first 1024 are reserved for a lot of core internet services; this gets a little complex.) So your video game server might tell you it’s going to use port 54678. You have to go tell your router, “If you get someone asking to connect to port 54678, please send that to the computer with this IP address inside your network even if I haven’t asked for it first.”
So when the person tries to send data to your router, the router says, “Ah, port 54678, I’m supposed to pass this along,” and it does. That person still doesn’t know your ‘inside’ IP address. You’ve just kind of poked a hole in your router to let people get through. Obviously, if two different computers “inside” the network want to use the same port, one of them has to change. (There are some things you can do to deal with this, but let’s keep it simple.)
There are also some tools that seem to “magically” get around this, but it’s really not any more complicated. Tools like LogMeIn Hamachi can help people connect to your computer even when you can’t mess with your router’s port forwarding.
What that does is set up a “Virtual Private Network” or “VPN”. You’ve probably heard some YouTubers shill for one. It’s a fancy name to say your computer connects to some other computer that agrees “Let’s pretend I’m your router.” Since YOU started this connection to that computer, your real router doesn’t get in the way. So in that situation the way it works is:
1. Your computer asks to open a connection to your VPN service.
2. Your router sees this outgoing request and passes it on.
3. When the VPN service responds your router remembers you asked for this and passes it back to you.
4. You tell someone else the IP address *of the VPN computer*, which is now acting like a second router.
5. They try to connect to the VPN’s IP address and port number.
6. The VPN sends that data to your router.
7. Your router passes it along because you opened this connection yourself.
8. You get the data, and the other person only knows about your VPN’s computer’s IP address.
VPNs can do a lot of other things, like encrypt the traffic so your router can’t snoop on what you’re doing. But for this question what’s important is the way they work is sort of like having a 2nd router “on the other side” of your current router, and that can let you do things your router might not normally let you do.
And to summarize, generally the rule is:
* If you ask an external site for some data, your router will let that data get back to your computer.
* If you did NOT initiate a connection with the external site, your router will block it UNLESS you have used a feature like “port forwarding” to tell the router to let that data through.
There is NOT a standard, easy way for someone to just randomly upload a file to your computer. There are hard, malicious ways to do it, but they *usually* require you to do something silly like install a program that pokes a hole they can slip data through. A long time ago some OSes had VERY very insecure file sharing setups that people could trick into accepting files, and that was also a time when fewer people used routers. So that’s when the scariest stories come from and that’s also part of why it takes a lot of steps to enable public file sharing *and* we still tend to configure routers to prevent it from happening.
Other good answers here but will add more detail and something I’m not seeing mentioned elsewhere.
Network communication operates in several distinct layers (See: [The OSI Model](https://s7280.pcdn.co/wp-content/uploads/2018/06/osi-model-7-layers-1.png)) – Your router is basically just concerned with the Physical (physical cabling), data link (Raw network protocol, almost always Ethernet), Network (IP data packets and routing), and Transport (TCP, UDP packets) layers. It exists to route packets on a local network consisting of any number of devices to and from where they want to go, and gatekeep anything that shouldn’t be happening with a firewall.
In order to actually download something or otherwise interact with you in a meaningful way, your computer is also handling things (in addition to the above layers) on the Session (OS-side Sockets/port sessions), Presentation (OS-level usage of specific protocols such as IMAP for mail), and Application (Application-specific usage of Presentation layers).
Normally when you download mail to, say, Outlook – Outlook the application reaches out at the application and presentation layers, the OS gets that request and opens up a network socket on the Session layer, the IMAP packet, for example, will be looped into a TCP packet on the transport layer and sent out through an Ethernet frame on the data link layer, then out the physical cable on the physical layer to your router, which then needs to route it out to your modem and to the mail server. The mail server then responds with whatever you ask for, including a file download. The mail server isn’t so much pushing a file to you, as you’re asking for a file and it’s sending it to you.
In order for someone to send a file to you from an outside network, highly specific conditions would be required on both your router and computer across all layers. The router would need to accept unsolicited inbound requests, allow it to be routed to a specific computer/know where to route it to, and on the specific port being used. The computer then would need to also be accepting those same requests and ports, allow that to be passed to a specific application or service on the local computer, and that specific application or service would need to accept that unsolicited file.
Basically speaking, your home router functions like a mail room at an office building. All messages and packages in and out of that building pass through that mail room before being sent to the recipients. This room knows about both the outside world (public IPs) and the people throughout the building (devices with the 192.168.x.x IPs that are not valid on the Internet).
This metaphorical room dominantly relies upon a system of rules that depends on the way the package is marked (source and destination port numbers + source and destination IP addresses). When someone within the building sends a message out to the world asking someone outside for something like a web page, the mail room makes a note in a ledger (called a “sessions table” in the router) that records the markings, then changes the package’s source address to the building’s public address (this is called “network address translation”). This says that there is a reply expected.
When one or more packages like that web page arrive as a reply to the building’s public address, the mail room goes over the ledger, sees who was expecting it with that arrangement, and sends the packages to the designated internal recipient. If there is no entry in the ledger, the mail room doesn’t know how to deliver it, so it throws the packages in the garbage and, depending on policy, tells the sender it was thrown in the garbage (“connection refused”).
To keep the ledger light, when an entry in the ledger is unused for a time, the mail room strikes it out.
In this metaphorical world, email is like a PO Box. That PO Box exists at an outside post office represented by your email provider’s servers. When someone in that building accesses their email, they basically are sending a request to the post office asking for the post office to deliver a package with everything in the PO Box via the building’s ‘mail room’ according to these same rules.
There are special occasions (like port forwarding) where a special note is made on the wall of the mail room saying that anything received at the building’s public street address with a specific number written on it (i.e. destination port number) is directed to a pre-arranged internal party. This can be for anything from a web server (port 80, 443) to a game server.
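An added example, not from any of the answers above: a toy Python model of the router's “ledger” (sessions table) that the first and third answers describe. It rewrites the source of outbound packets to the public IP, maps replies back to the inside host, drops unsolicited inbound packets unless a port-forward rule exists, and strikes out idle entries. All addresses, ports and timeouts are made up.

```python
from dataclasses import dataclass, field

# Constructed router public address (RFC 5737 documentation range).
PUBLIC_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    idle_timeout: int = 300  # seconds before an unused ledger entry is struck out
    # (public_port, remote_ip, remote_port) -> [inside_ip, inside_port, last_used]
    sessions: dict = field(default_factory=dict)
    forwards: dict = field(default_factory=dict)  # public_port -> (inside_ip, inside_port)
    next_port: int = 40000  # next public port to hand out

    def add_port_forward(self, public_port, inside_ip, inside_port):
        """The 'note on the wall': always deliver this port to one inside host."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def expire(self, now):
        stale = [k for k, e in self.sessions.items() if now - e[2] > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def outbound(self, pkt, now):
        """LAN -> Internet: record the session and rewrite the source (NAT)."""
        self.expire(now)
        for key, entry in self.sessions.items():  # reuse an existing mapping
            if entry[:2] == [pkt.src_ip, pkt.src_port] and key[1:] == (pkt.dst_ip, pkt.dst_port):
                entry[2] = now
                return Packet(self.public_ip, key[0], pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[(pub_port, pkt.dst_ip, pkt.dst_port)] = [pkt.src_ip, pkt.src_port, now]
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """Internet -> LAN: deliver only if the ledger expects it or a forward exists."""
        self.expire(now)
        entry = self.sessions.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is not None:
            entry[2] = now
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None  # no ledger entry: dropped, or "connection refused" depending on policy


def demo():
    r = NatRouter(PUBLIC_IP)
    # 1. The PC at .2 asks a web server for a page; the source becomes the public IP.
    out = r.outbound(Packet("192.168.0.2", 51000, "198.51.100.10", 443), now=0)
    # 2. The reply arrives addressed to the router; the ledger sends it to .2.
    reply = r.inbound(Packet("198.51.100.10", 443, PUBLIC_IP, out.src_port), now=1)
    # 3. A stranger pushes data at port 54678 unasked: no entry, dropped.
    stray = r.inbound(Packet("192.0.2.99", 1234, PUBLIC_IP, 54678), now=2)
    # 4. After a port forward for the game server on .5, the same packet is delivered.
    r.add_port_forward(54678, "192.168.0.5", 54678)
    forwarded = r.inbound(Packet("192.0.2.99", 1234, PUBLIC_IP, 54678), now=3)
    # 5. Long after the web session went idle, its entry is gone and late data is dropped.
    late = r.inbound(Packet("198.51.100.10", 443, PUBLIC_IP, out.src_port), now=1000)
    return out, reply, stray, forwarded, late
```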