Whitelist firewall settings for BlueIris

reflection

Getting the hang of it
Joined
Jan 28, 2020
Messages
156
Reaction score
96
Location
Virginia
I just finished scanning my BI for used ports and update my firewall settings for it. Figured I would share this. The goal here is to whitelist BI so that only the minimal ports/protocols are allowed - everything else is denied. This should lock down BI as much as possible. Sorry if someone already posted this.

Notes:
These are stateful firewall rules that track the connection and allow return traffic.
These FW rules are applied directly in front of BI.
If your FW also supports layer 7 context aware inspection, enable that too.

1. Permit BI to cameras for RTSP (TCP 554)
2. Permit BI to DNS server (UDP 53) (you probably only need this during updates (see note below), but it's safe to allow).
3. Permit BI to NTP server (UDP 123) (keep accurate time for your logs)
4. Permit from any to BI on TCP 8080 - only needed if you configured remote viewing and used 8080 and stunnel
5. Permit home-network-subnets to BI on RDP (only if you run headless and RDP into your BI server)
6. Permit home-network-subnets to BI on TCP 81 (only if you have the BI webserver running on port 81)
7. Permit BI to any on port TCP 2195 (this is for push notifications if you have an Apple device).
8. Block any to any for all other traffic (this means BI can't talk out either).

If you want to periodically update BI or update Windows, change rule 7 to "Block from any to BI" so that it can talk outbound.
If you are using your BI machine for other things besides BI, then of you would have to take those other things into consideration.
 
Last edited:

reflection

Getting the hang of it
Joined
Jan 28, 2020
Messages
156
Reaction score
96
Location
Virginia
Edited the original post and added "Permit BI to any on port TCP 2195 (this is for push notifications if you have an Apple device)."
 
Top