Lorex NVR Ports Not Opening
-
I've got a Lorex NVR and I have allowed ports 40000-40100; however, I am still seeing in the logs that port 40058 is blocked.
Here is the rule I have created.
Lorex IP is the IP address (10.69.0.202) of the NVR and the ports are 40000:40100. I've allowed TCP and UDP for testing. The only way it will work now is if I open all ports. I'm on a static IP, so setting up DDNS is not necessary.
-
@technolust said in Lorex NVR Ports Not Opening:
I have allowed ports 40000-40100; however, I am still seeing in the logs that port 40058 is blocked.
I can only see this port as source in this log, but you've allowed destination ports.
-
@viragomann If I want the source device to get to the outside world, don't I need this opened on the destination? At least that's how I was understanding it, because on the source I allowed all ports, thinking the source device can see all ports but outside coming in would only see the ports I allow in the destination.
-
@technolust
Yes, but the logs you've posted above don't show any block of the destination port range 40000-40100.
You can only see entries with 40058 as the source port, not as the destination. So you cannot say that it is being blocked.
-
@viragomann OK, I'm confused now. What should it look like?
Allow ports 10000 & 15301 on the destination and remove 40000:40100?
-
@technolust What ports do you need to get to? Those are destination ports. Source ports are normally some random high port that the client uses to make the connection to the destination ports. You almost never have anything in there other than any. Very few applications or services use a defined source port for making a connection.
Your log shows it trying to go to ports 10000 and 15301; are those the only two you would need? Then those would be the destination ports you allow, with the source port being any.
-
@johnpoz I made the change so that source ports are any now but I have the hosts specified.
I have changed the ports to only the destination ports I found in the logs.
I feel like every time I add a port to the list a different port is being used. I just don't want to do any on the source and destination, but I might just have to for the specified IP addresses.
-
@technolust What ports does the thing require? It should be listed on the website.. 52819 seems like an odd port..
That 8800 port seems like a more normal port something would use outbound... You sure you were not looking at source ports in the firewall log..
What I would do is allow it all ports outbound. Log this rule.. And then if you want to lock it down to those ports after it's been working for a while.. You will have a list of ports it uses.
You're not wanting any inbound unsolicited traffic? I would contact the maker of the thing to get a clear and concise list of what is needed inbound (if anything) and what ports it uses to talk to the internet too.. These ports would all be destination ports. Then set up the rules correctly for how you want them.
-
@technolust I was thinking the exact same thing. I removed the last three. The only ones on their site are 80, 443, 123, 554, 35000, 35001, and 5050. I did those and no luck. I'm going to go back to allowing all but only for the specific IP addresses. It worked, but I don't feel comfortable.
-
@johnpoz Now I have it on any IP for destination and any port. Source IP is the NVR only, but now it's working.
-
@technolust I never understand, so you trust it enough to use it on your network. But you think what, it's going to be sending your video to China or something? It could do that on 1 port.. You're just making your life harder trying to lock it down to specific ports if you ask me.
Do you have your normal network locked down to specific only ports outbound, so you need to allow for these odd ports?
Locking down outbound ports is almost always an exercise in futility.. Let's say something is compromised - is the guy that wrote the compromise code just an idiot? Why would he not just use, say, 443? Thus hiding his traffic in with all the other normal internet traffic, etc.
Sure, locking down outbound ports might stop some badly written whatever - but it's too late already to be honest, because the thing is already on your network, or has infected whatever on your network already, etc.
If anything I would be worried about it talking to other stuff on the network, because if it was compromised - at least it can't compromise any of my other stuff.. To the internet - have at it.. Unless you were just going to block all of its internet, specific ports seem like added busy work for no real bang in anything extra.
A better option would be to just log, and look now and then for -- hey, WTF is that, that is odd.. And then if odd enough look into what it is.. This is for sure less problematic in terms of stuff not working, etc.
-
@johnpoz Well, that is good to know that I'm not the only one who is like this is a SH*T ton of work. Partly because I want to learn (be better) at firewall administration. I was trying to pull off the zero trust, but you're right, an attacker is going to come in any path they can take. I use a different brand at work and don't have time to do just that, so I figured I would learn by building one at home.
Right now, I allow ports to specific devices. This is the only one that has given me such a huge headache. Xbox was a bit hairy, but I figured that one out. It has been a good learning experience.
Right now I allow all traffic to all devices internally. I'm going to take heed of your warning about that, but how do I go about locking internal traffic down? As of now, I'm going to just manage the logs; it's far easier.
-
@technolust This is what normally happens in the enterprise.. When we take over a customer, they normally have no clue as to what ports are used by what.
So we log all the traffic for a while. Then go through the ports, and ask, is this something we want to allow?
It's always better when bringing up something new to log and figure out what it uses before locking it down. Unless the maker/owner can provide a concise list of all ports and/or IPs it needs to talk to. The problem with many of these sorts of devices, and especially with games, is that they throw out a list of ports, but don't clarify if inbound or outbound, etc.
-
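The two practical points in this thread (a port showing up in the source column is not a blocked destination port, and "log everything from the device first, then build the allow list from what it actually used") can be checked with a few lines of script against the firewall log. The following is an added example, not code from the thread or from pfSense. It parses constructed log lines laid out in the shape of pfSense's filterlog CSV format (the field positions used are an assumption based on that documented layout, not something the posts show), tallies whether a given port ever appears as a destination for the NVR's traffic, and turns the observed destination ports into rule outlines with the source port left as any, the way johnpoz describes. The sample addresses and the 203.0.113.x / 198.51.100.x destinations are constructed.

```python
import csv
from io import StringIO

# Constructed sample lines in the shape of pfSense filterlog CSV output
# (the part after the syslog prefix). Hosts and destinations are made up;
# the ports mirror the ones mentioned in the thread.
SAMPLE_LOG = """\
5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,10.69.0.202,203.0.113.10,40058,10000,0,S,1,,65535,,mss
5,,,1000000103,igb0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,10.69.0.202,203.0.113.10,40059,15301,0,S,1,,65535,,mss
7,,,1000000110,igb0,match,pass,in,4,0x0,,64,12347,0,DF,17,udp,76,10.69.0.202,198.51.100.7,52819,8800,56
7,,,1000000110,igb0,match,pass,in,4,0x0,,64,12348,0,DF,6,tcp,60,10.69.0.202,198.51.100.7,40060,443,0,S,1,,65535,,mss
7,,,1000000110,igb0,match,pass,in,4,0x0,,64,12349,0,DF,6,tcp,60,10.69.0.50,198.51.100.8,40058,443,0,S,1,,65535,,mss
"""

# Column positions for IPv4 TCP/UDP lines. ASSUMPTION: taken from the
# documented filterlog layout (rule, subrule, anchor, tracker, iface, reason,
# action, dir, ipver, tos, ecn, ttl, id, offset, flags, proto_id, proto,
# length, src, dst, sport, dport, ...), not from anything in the thread.
F_ACTION, F_DIR, F_PROTO, F_SRC, F_DST, F_SPORT, F_DPORT = 6, 7, 16, 18, 19, 20, 21


def parse_filterlog(text):
    """Return one dict per TCP/UDP log line; other protocols are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) <= F_DPORT or row[F_PROTO] not in ("tcp", "udp"):
            continue
        records.append({
            "action": row[F_ACTION],
            "dir": row[F_DIR],
            "proto": row[F_PROTO],
            "src": row[F_SRC],
            "dst": row[F_DST],
            "sport": int(row[F_SPORT]),
            "dport": int(row[F_DPORT]),
        })
    return records


def port_roles(records, host, port):
    """Count how often `port` appears as source vs destination in traffic sent by `host`.
    A port that only ever shows up under 'source' is the client's ephemeral port,
    not a destination port the firewall is blocking."""
    roles = {"source": 0, "destination": 0}
    for r in records:
        if r["src"] != host:
            continue
        if r["sport"] == port:
            roles["source"] += 1
        if r["dport"] == port:
            roles["destination"] += 1
    return roles


def summarize_host(records, host):
    """Destination (proto, port) pairs the host tried to reach, split by firewall action,
    plus the set of source ports it used (which will look random and high)."""
    summary = {"blocked": set(), "passed": set(), "source_ports": set()}
    for r in records:
        if r["src"] != host:
            continue
        bucket = "passed" if r["action"] == "pass" else "blocked"
        summary[bucket].add((r["proto"], r["dport"]))
        summary["source_ports"].add(r["sport"])
    return summary


def suggest_allow_rules(records, host):
    """Outline one allow rule per observed destination port, source port any.
    This is the 'log for a while, then lock down to what it actually used' step."""
    seen = summarize_host(records, host)
    wanted = sorted(seen["blocked"] | seen["passed"])
    return [
        f"pass from {host} proto {proto} source port any to any destination port {port}"
        for proto, port in wanted
    ]


if __name__ == "__main__":
    recs = parse_filterlog(SAMPLE_LOG)
    nvr = "10.69.0.202"
    print("roles of 40058 for the NVR:", port_roles(recs, nvr, 40058))
    print("summary:", summarize_host(recs, nvr))
    for rule in suggest_allow_rules(recs, nvr):
        print(rule)
```

Running it on the sample shows 40058 counted once as a source port and never as a destination, while the real blocked destinations are tcp/10000 and tcp/15301; the rule outlines it prints are exactly the "destination port X, source port any" shape the replies recommend. On a live pfSense box the same parser can be pointed at the exported filter log after a log-everything rule has run for a while.
-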
@johnpoz Exactly what I have been experiencing! Thank you so much for the help/information/confidence; I've been struggling and thinking how horrible I am at this. There is a lot to learn, and building this pfSense out has been fun and eye-opening. The community here certainly is one of the best!