Back to home

legal.disclaimerTitle

Last updated: 18.02.2026

legal.disclaimerBanner

1. Nature of the Service

fxtun is a reverse tunneling platform that exposes local network services to the public internet via HTTP subdomains, TCP ports, and UDP ports. By using this service, you acknowledge that you are making local services accessible from anywhere on the internet.

This document describes the inherent risks of TCP and UDP tunneling and your responsibilities when using these features.

2. TCP Tunneling Risks

TCP tunnels forward raw TCP connections from a dynamically assigned public port to your local service. This means:

  • Full network exposure: any device on the internet can connect to your service via the assigned public port. There is no built-in authentication or access control at the tunnel level;
  • Protocol transparency: fxtun forwards TCP traffic as-is without inspection, filtering, or modification. If your local service has vulnerabilities, they become remotely exploitable;
  • Common dangerous services: exposing SSH (port 22), databases (MySQL 3306, PostgreSQL 5432, Redis 6379, MongoDB 27017), RDP (3389), or administrative interfaces without proper authentication is extremely risky;
  • Brute-force attacks: publicly exposed services will receive automated login attempts within minutes. Weak or default credentials will be compromised;
  • Data interception: TCP connections between the fxtun server and external clients are unencrypted unless your service uses TLS. Sensitive data may be intercepted in transit.

3. UDP Tunneling Risks

UDP tunnels forward datagrams from a public port to your local UDP service. Additional risks include:

  • Amplification attacks: UDP services (DNS, NTP, memcached, SSDP) can be abused as amplification vectors in DDoS attacks. If your service responds with larger payloads than received, it may be exploited;
  • Spoofed source addresses: UDP has no built-in connection state. Attackers can send packets with forged source addresses, potentially making your service participate in reflection attacks;
  • No delivery guarantees: UDP provides no ordering, retransmission, or congestion control. Sensitive applications must handle packet loss at the application level;
  • Stateless exposure: without connection tracking, any party can send datagrams to your service at any time without an established session.

4. Shared Risks (TCP & UDP)

  • Port scanning: your assigned public port will be discovered by automated scanners (Shodan, Censys, Masscan). Expect reconnaissance traffic within hours;
  • No network isolation: the tunnel bypasses your local firewall, NAT, and network policies. Services that were safe behind your network perimeter become directly accessible;
  • Session persistence: tunnels remain active until explicitly closed. A forgotten tunnel keeps your service exposed indefinitely;
  • Shared infrastructure: fxtun is a shared platform. While we isolate tunnel traffic, the public IP addresses and ports are shared infrastructure;
  • Service availability: tunnel connectivity depends on fxtun infrastructure availability. Do not rely on tunnels for production or mission-critical workloads.

5. Recommended Security Measures

Before exposing any service via TCP or UDP tunnels, we strongly recommend:

  • Authentication: ensure your service requires strong authentication. Never expose services with default or empty credentials;
  • Encryption: use TLS/SSL for TCP services whenever possible. For UDP, use DTLS or application-level encryption;
  • Firewall rules: configure your local service to restrict access by IP address if possible, even when tunneled;
  • Monitoring: actively monitor tunnel connections and traffic. Use the fxtun dashboard to track active tunnels;
  • Minimal exposure: only expose the specific service and port needed. Close tunnels when no longer in use;
  • Rate limiting: configure rate limits on your local service to mitigate brute-force and abuse attempts;
  • Regular updates: keep exposed services patched and up to date.

6. Disclaimer of Liability

fxtun provides tunneling infrastructure on an "as is" and "as available" basis. We do not:

  • Filter, inspect, or validate traffic passing through TCP and UDP tunnels;
  • Provide intrusion detection, intrusion prevention, or firewall services;
  • Guarantee protection against attacks, unauthorized access, or data breaches;
  • Accept responsibility for the security configuration of your local services.

You are solely responsible for the security of services you expose through fxtun tunnels. By using TCP or UDP tunneling features, you acknowledge these risks and accept full responsibility for any consequences, including but not limited to unauthorized access, data loss, service disruption, or third-party claims.

For full liability terms, see Terms of Service sections 11 and 12.

7. Abuse Reporting

If you observe suspicious or malicious activity originating from fxtun infrastructure, please report it via our Abuse Contact page.