Let's start with some basic concepts.
Port forwarding is a 2-part thing.
First, what is a port?
Think of your network like a house, a fully steel building.
Nothing is getting through that steel building, but now you want to add a door or a window.
These are now ports into your house. The port is only as secure as the layer of security you've applied to it: a glass door vs. a steel door.
So, by default, your router / firewall is configured to have no ports open, so to speak.
So when you open a port, you are allowing traffic into your network.
You want to make sure that traffic is going where you intend it (port forwarding, more on that in a second), and that the transmission is secure.
2 scenarios:
We all know Blue Iris runs on port 80, HTTP, unencrypted traffic.
You can use other ports, but the bottom line is the traffic is unencrypted.
This allows people to use tools like Wireshark on a shared network to analyze your unencrypted traffic and capture your credentials.
Which is why you want to use an SSL cert to encrypt your traffic (HTTPS), which is commonly used on port 443, though you can use any port you want.
Well, real and typical web servers, like Apache, Nginx and IIS, have the ability for you to configure self-signed or third-party signed certificates.
However, Blue Iris's built-in web server does not have this capability.
So, the recommended option has been to utilize stunnel to encrypt your traffic over 443 and re-route it back to port 80 locally.
There are other options. I use Sophos UTM firewall in a VM. This has a feature to utilize my firewall's SSL connection to route traffic to Blue Iris.
It can have its flaws too.
The other option would be to run a reverse proxy locally on the server using one of the above-mentioned web servers and re-route the traffic that way, but it's a bit of a learning curve.
So, some other key points.
Whenever you have a port open, anyone can knock on the door, and yes, they will knock. I have over 20K hits a day from places all over the world.
So, if you have weak passwords, they will keep knocking with different passwords until one opens the door, so make sure they are strong and different from any of your other passwords.
Secondly, hackers scan for common ports like 443 and 80, so if you want to be more secure, you could use a different random port in the higher ranges, say 57321.
Something that is far from common.
Keep in mind though, certain wireless networks will block people from utilizing those ports... so you might not be able to connect from everywhere unless you were on the cell network.
Lastly, you could keep most of it closed and access your network through a VPN. Then connect to Blue Iris. Again, more configuration, but not too bad.
And finally, port forwarding is really just the redirection of an open port.
You can open port 1234 on your router, but the router has nothing running on port 1234, thus you port forward to route port 1234 to your Blue Iris server, where you've configured stunnel to run on port 1234...
It's a lot to digest, so let me know if you have any further questions.
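
The stunnel setup described above, written out as a minimal `stunnel.conf` service section. This is an added example, not part of the original post: the service name and the certificate and key file names are placeholders, and it assumes Blue Iris is serving plain HTTP on port 80 of the same machine.

```ini
; stunnel.conf: added example, not from the original post.
; Assumptions: Blue Iris listens for plain HTTP on 127.0.0.1:80 on this
; machine, and the router forwards external TCP port 1234 to this
; machine's port 1234. File names below are placeholders.

[blueiris]
; Port stunnel listens on for incoming TLS connections.
; This is the port the router forwards to this machine.
accept = 1234

; Where the decrypted traffic is handed off: the local Blue Iris
; web server. Traffic on this hop never leaves the machine.
connect = 127.0.0.1:80

; Certificate and private key stunnel presents to clients
; (self-signed or third-party signed; placeholder file names).
cert = blueiris-cert.pem
key = blueiris-key.pem
```

With this layout the router forwards only port 1234, and port 80 is not forwarded at all, so everything crossing the internet is inside TLS.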