Open Ports on the Router, Yes or No

Started by hodag, June 15, 2012, 05:40:41 AM

hodag

OK, I am confused about something.  I had some problems getting my Obi WiFi working and finally got that sorted out, but in the meantime I had exchanged messages with Obi Support.  While I was trying to troubleshoot this myself I found this in the FAQ:

What ports should I keep open on my router/firewall?
In order for your OBi to be able to send packets w/o interruption, please configure your router as follows:

Allow Outgoing:
TCP Ports: 6800, 5222, 5223
UDP Ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
Allow Incoming on UDP Port: 10000

So I opened those, and mentioned that I had already done that when I messaged support.  When they replied they said:

"You don't need to do any configuration for port setting."

So that begs the question, do I need to open these ports on the router or not?  I have the ports programmed (but currently disabled while I was testing) so it is easy to enable them if necessary, but I don't like having open ports unless I really need them to be open.

What is the best practice for maximum functionality while maintaining a prudent level of security?

JohnBowler

>What is the best practice for maximum functionality while maintaining a prudent level of security?

Don't open *any* ports unless you are trying to solve a problem, and then only open them, see if the problem is solved and, if it isn't, close them afterward.  (This is what you did, so you know the right answer already :-)

Router security isn't very good anyway, opening any port numbered below 1000 is dangerous.  You can find more information here:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

It was my belief, though I may be mistaken, that normal router configurations allow the local side to open any port required; so those XMPP ports are opened by the OBi device receiving a message on a well-known port, hence the "allow outgoing".

I don't understand the idea of opening 10000 to incoming UDP.  That sounds *really* weird.  If you want you can try firing UDP at 97.90.108.156:10000 this is my Obi202, so the issue of opening or closing ports on a separate router doesn't apply.  If you find you can hack into me I'd be grateful if you would tell me (jbowler@acm.org)

unoriginal

Quote from: JohnBowler on June 18, 2012, 07:39:32 PM
I don't understand the idea of opening 10000 to incoming UDP.  That sounds *really* weird.  If you want you can try firing UDP at 97.90.108.156:10000 this is my Obi202, so the issue of opening or closing ports on a separate router doesn't apply.  If you find you can hack into me I'd be grateful if you would tell me (jbowler@acm.org)

It is my imperfect understanding that incoming on 10000 is for Obihai's registration, monitoring, proprietary communications, and general handholding of your device. I have that port open and my router reports basically a constant connection to an "Obitalk" server (via Amazon's AWS, aka "the cloud").

If Obitalk-network calls, auto provisioning, or auto firmware updating are important to you, you'll probably want port 10000 open to UDP. Conversely, if that stuff is disabled and/or less important to you than some unknown increase in privacy and security, you can probably ignore the FAQ's advice.

Then again, since Obihai has the ability to push firmware out to devices without explicit user consent (e.g. that "broken-Google-voice-firmware" update that was shoved out the door before Obihai was overwhelmed with irate people badgering tech support and flooding the forum), you might want to leave that port open anyway just to decrease the chances that something Obihai does, damage-control style, bricks your device.

JohnBowler

I said "don't open ports below 1000" before, I meant *above*.

I had my 202 behind a firewall that most certainly did not have 10000 open to *incoming* and I had no problems setting it up.  I moved the 202 to be the gateway/firewall/"router" for QoS reasons.  Don't open 10000 to incoming UDP; indeed, don't mess with your firewall unless you know what you are doing and have previously tied it down for outgoing ports.  I didn't, and it all worked for me.

The way this works is that firewalls typically allow incoming UDP or TCP on some ports below 1000, the "well-known" ports.  This is sufficient to allow an external system to initiate communication with things like local web servers, mail gateways and other known services; however, the main security is provided by the functionality that takes a communication with the gateway (the first thing connected to your ISP) and redirects it to an internal device such as an OBi202.

This security is basically sound because to send something to your OBi the OBi has to first send something out on the same port.  Unless the OBi does this the gateway won't have a redirection entry in its table and simply can't send something back to the OBi.

Now it's possible to stop the OBi doing this; it's possible to block outgoing ports, but I can't see why anyone would block an outgoing port above 1000 unless they were either in the military or in the censorship business (like AT&T might block these ports because you can use an OBi for calling for a lot less money than AT&T charge.)  People block below 1000 because they want to block employees from doing chat, well, I guess that's censorship too.

As for 10000; if someone from OBiHai wants to correct me, please do so, but I strongly suggest that no one explicitly allows 10000 UDP incoming.  (The OBi will do it for you by initiating a communication on 10000 when it needs one.  It's kind of curious; 10000 is not a number I would expect to see being used for any official purpose because it just happens to be the first number in a particular sequence.  I rather suspect an OBiHai geek found that (s)he could work round a real bug by allowing incoming on it, and the misadvice stuck.)

John Bowler <jbowler@acm.org>
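Added illustration (not part of the thread, and not Obihai's or anyone else's code): a small Python model of the stateful gateway behaviour John describes above, with the FAQ port list from the first post used as the outbound allow-list.  It shows why a reply from the ObiTalk server on UDP 10000 gets through without any inbound rule (the OBi's own outbound packet created the state-table entry), and what an explicit inbound forward of UDP 10000 changes (an unsolicited probe from any address now reaches the OBi).  All addresses, the ObiTalk server, and the reading of "10000 to 11000" as an inclusive range are constructed assumptions for the example; real consumer NATs also differ in how tightly they key the state entry (this one keys on the remote endpoint, a "restricted cone"; a full-cone box would pass any remote host's packet to an open mapping while it is alive).

```python
"""Stateful-gateway model for the 'open ports on the router?' question.

Constructed example: addresses and server are made up, the gateway is a
simplified restricted-cone NAT, and the FAQ's port ranges are read inclusively.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

OBI_LAN = "192.168.1.50"   # constructed LAN address of the OBi
WAN = "203.0.113.10"       # constructed public address of the gateway (TEST-NET-3)
OBITALK = "198.51.100.7"   # constructed address standing in for the ObiTalk server

# Outbound allow-list transcribed from the FAQ quoted in the first post.
ALLOW_OUT: Dict[str, Set[int]] = {
    "tcp": {6800, 5222, 5223},
    "udp": {5060, 5061, 19305} | set(range(10000, 11001)) | set(range(16600, 16999)),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Gateway:
    allow_out: Dict[str, Set[int]]
    # Explicit port forwards: (proto, public port) -> LAN host.  Empty by default.
    static_forward: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # NAT state: (proto, public port, remote ip, remote port) -> (lan ip, lan port)
    state: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN.  Enforce the outbound policy, then record a state entry
        so that the remote endpoint's reply can be mapped back to the sender."""
        if pkt.dport not in self.allow_out.get(pkt.proto, set()):
            return None  # blocked by outbound policy
        # Simplification: the public port reuses the LAN source port.
        self.state[(pkt.proto, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, WAN, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN.  Deliver only if a matching state entry exists (reply to
        something the LAN sent) or an explicit forward was configured."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            lan_ip, lan_port = self.state[key]
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        lan_host = self.static_forward.get((pkt.proto, pkt.dport))
        if lan_host is not None:
            return Packet(pkt.proto, pkt.src, pkt.sport, lan_host, pkt.dport)
        return None  # unsolicited, no forward: dropped


def scenario(forward_udp_10000: bool) -> Dict[str, bool]:
    """Run the thread's situation with and without 'Allow Incoming on UDP 10000'."""
    gw = Gateway(ALLOW_OUT)
    if forward_udp_10000:
        gw.static_forward[("udp", 10000)] = OBI_LAN
    out: Dict[str, bool] = {}
    # 1. The OBi initiates its own session to the provisioning server on UDP 10000.
    out["obi_initiated"] = gw.outbound(Packet("udp", OBI_LAN, 10000, OBITALK, 10000)) is not None
    # 2. The server's reply: passes via the state table, forward or no forward.
    out["reply_delivered"] = gw.inbound(Packet("udp", OBITALK, 10000, WAN, 10000)) is not None
    # 3. An unsolicited probe from an unrelated host at the public address.
    out["probe_delivered"] = gw.inbound(Packet("udp", "192.0.2.99", 40000, WAN, 10000)) is not None
    # 4. Outbound to a port not on the FAQ list is blocked by the outbound policy.
    out["unlisted_out_blocked"] = gw.outbound(Packet("tcp", OBI_LAN, 40001, OBITALK, 8080)) is None
    return out


if __name__ == "__main__":
    for forward in (False, True):
        print("inbound UDP 10000 forwarded:", forward, "->", scenario(forward))
```

Run it and compare the two lines: the server's reply is delivered either way, the only thing the inbound forward adds is that the probe from 192.0.2.99 now lands on the OBi as well.  That is the exposure the thread is arguing about; whether it matters depends on what the OBi's UDP 10000 listener does with an unsolicited datagram, which the thread does not establish.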