How do I Handle Open Port Alarms?

1. What Are Open Port Alarms?
2. Why Are Open Ports A Problem?
3. How Do I Identify 'Good' vs 'Bad' Alarms?
4. How Do I Handle Open Port Alarms?
5. What If I Need To Open A Port?

1. What Are "Open Port" Alarms?

Open ports are UDP or TCP ports on your routers that are open to the world and can accept connections from the outside.

A Firewalla Open Port Alarm is triggered by detecting ports opened by a UPnP protocol.  

The main purpose of UPnP is to punch a hole in your router's NAT. NAT is a service that translates a public IP into private IP by mapping ports at the transport layer (because IPv4 addresses are running out). This translation blocks incoming traffic to your home (like a very weak firewall). 

For example, say you have a NAS (Network Attached Storage) device and you want to access it from outside your local network. There are two ways to do it: 

1. You manually open a port to that NAS device through port mapping
2. You use UPnP

Learn more about Open Ports.

2. Why Are Open Ports A Problem?

UPnP is silent. It is as if you have a Roomba that automatically opens your door for a serviceperson to take out the trash at night, and then closes it when they are done. Sometimes, malicious entities will use this "open door" to allow an attacker to gain control over your devices. 

In general, UPnP is not bad. Without it, things like video conferencing, VoIP, and gaming would be slower. We are not discouraging you to use it, but the first step of cyber security is awareness. Open port alarms allow you to know which service on which device is opening ports.

Here are some applications/services we often see opening ports on home devices:

•  WhatsApp

• uTorrent

3. How Do I Identify 'Good' vs 'Bad' Alarms?

Firewalla can only identify the name of the service that opened the port and the duration that the port will be opened for.

When you receive such an alarm, it is your choice whether to block it or ignore it. Most services will close the open port when they're done. If you trust the service, just ignore the alarm. For example, WhatsApp is an end-to-end encrypted communication service. You may receive an open port alarm when you use its voice call or video chat. 

However, services that permanently open Port 80, 443, or 22 are asking for trouble. If you have concerns or don't know what the service is, block it. You can always remove the blocking rule later.

4. How Do I Handle Open Port Alarms?

• Archive: This alarm will be moved to the Archive list. When another open port is detected, you'll receive another alarm.
• Mute: You can choose to mute a certain port or all the Open Port alarms on a device, a network, or all devices. When a mute setting is created, neither an alarm nor app notification will be generated when similar activities happen again. Learn more about Alarms.

• Block: A rule will be created to automatically block inbound traffic to that local port. It supports applying the blocking rule on the device only, on the network, or globally. The blocking rule will show up in the Rules list.

5. What If I Need To Open A Port?

If you have a device that requires an open port, you can set up secure port forwarding on your Firewalla Purple or Gold. Port forwarding allows you to access a local device or server from outside your network. Learn more about how to configure port forwarding.

Alternatively, you can use the Firewalla VPN Server feature to access the device without port forwarding. The VPN Server allows you to connect to your home network remotely and will force encryption and prevent direct access to your IoT devices.

You can also allow UPnP on a particular LAN. To do this, navigate to Network > NAT Settings > Port Forwarding > toggle UPnP on and apply to your desired LAN.