- What are "Open Port" Alarms?
- Why is this a problem?
- How to identify 'good' vs 'bad'?
- What action can I take?
- What if you need to open a port for IoT products?
What are "Open Port" Alarms?
Open ports are UDP or TCP ports on your routers that are open to the world and can accept connections from the outside.
Firewalla Open Port Alarm is triggered by detecting ports opened by UPnP protocol.
The main purpose of UPnP is to punch a hole in your router's NAT. NAT is a service that translates a public IP into private IPs by mapping ports at the transport layer ... (because IPv4 addresses are running out). This translation blocks unsolicited incoming traffic to your home (somewhat like a poor man's firewall).
For example, you have a NAS (Network Attached Storage) device and you want to access it from outside. There are two ways to do it:
1. You manually open a port to that NAS device by doing a port mapping;
2. You use UPnP.
Why is this a problem?
UPnP is silent. It is as if you bought a Roomba vacuum, and at night that Roomba automatically opened your front door so the service people could help it take out the trash, then closed it when they were done.
Some malicious software will use this capability to allow a remote attacker to gain control over devices on your network.
In general, UPnP is not bad; without it, things like video conferencing, VoIP, and gaming may just be slower. We are not discouraging you from using it, but the first step is awareness. What this alarm does is pretty simple: it lets you "know" which service on which device is opening ports.
Here are some applications/services often seen opening ports on home devices:
How to identify 'good' vs 'bad'?
Firewalla can only identify the name of the service and how long the port is opened for.
When you receive such an alarm, it is your choice to block it or leave it there. Most services close the port when they are done. If you trust the service, just ignore the alarm. For example, WhatsApp is an end-to-end encrypted communication service; you may receive an open port alarm when you use its voice call or video chat.
But services that permanently open port 80, 443 or 22 are asking for trouble. If you have concerns or don't know what the service is, block it. You can always remove the blocking rule afterward.
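The rule of thumb above (short-lived holes are usually fine, permanent ones deserve a look, permanent 22/80/443 are the ones to block) can be checked against what your own router reports. The following is an added example, not Firewalla's code: it parses constructed UPnP IGD GetGenericPortMappingEntry SOAP responses (the standard WANIPConnection field names, where a lease of 0 means indefinite) and classifies each mapping. The sample responses, client addresses and descriptions are made up for the example.

```python
import xml.etree.ElementTree as ET

# Ports the article singles out as risky when left permanently open.
RISKY_PORTS = {22, 80, 443}
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

def igd_response(ext_port, proto, client, int_port, desc, lease):
    # Build a constructed GetGenericPortMappingEntry SOAP response in the
    # shape an IGD router returns; used here only as offline sample input.
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

# Constructed samples: a NAS on 443 forever, a 1-hour video call, a camera on 8080 forever.
SAMPLE_RESPONSES = [
    igd_response(443, "TCP", "192.168.1.50", 443, "NAS web", 0),
    igd_response(50123, "UDP", "192.168.1.23", 50123, "Video call", 3600),
    igd_response(8080, "TCP", "192.168.1.77", 80, "IP camera", 0),
]

def parse_mapping(soap_xml):
    """Extract the New* fields of one GetGenericPortMappingEntry response."""
    resp = ET.fromstring(soap_xml).find(f".//{{{IGD_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    text = lambda tag: (resp.findtext(tag) or "").strip()  # child elements carry no namespace
    return {
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_client": text("NewInternalClient"),
        "internal_port": int(text("NewInternalPort")),
        "description": text("NewPortMappingDescription"),
        "lease_seconds": int(text("NewLeaseDuration")),  # 0 = indefinite per the IGD spec
        "enabled": text("NewEnabled") == "1",
    }

def classify(m):
    """Apply the article's rule of thumb: temporary holes are usually fine,
    permanent ones deserve review, permanent 22/80/443 are block candidates."""
    if not m["enabled"]:
        return "disabled"
    if m["lease_seconds"] > 0:
        return "transient"
    return "block-candidate" if m["external_port"] in RISKY_PORTS else "review"
```

Running `classify(parse_mapping(r))` over the three samples yields "block-candidate", "transient" and "review" respectively; the same two functions work unchanged on responses fetched from a real IGD router.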
What action can I take?
- Archive: This alarm will be moved to the Archive list. When another open port is detected, you'll receive another alarm.
- Mute: You can choose to mute a certain port or all Open Port alarms for the device, the network, or all devices. When a mute setting is created, neither an alarm nor an app notification will be generated when similar activity happens again. Learn more about Alarms.
- Block: A rule will be created automatically to block inbound traffic to that local port. The blocking rule can be applied to the device only, to its network, or globally. The blocking rule will show up in the Rule list.
What if you need to open a port for IoT products?
You may have that one device (usually a home security camera) that requires a port to be opened on your router (port forwarding, for example) to be accessed remotely.
What you can do instead is use the VPN Server feature when you are remote and access the device just as if you were on the home network, without port forwarding. The VPN Server forces encryption and prevents direct access to your IoT devices from the Internet.