QnapCloud Ports and Security

presenceofmind
Know my way around
Posts: 198
Joined: Thu May 26, 2016 3:05 pm

QnapCloud Ports and Security

Post by presenceofmind »

Hello all,

I've got my QNAP apps behind Apache with SSL talking to Qnapcloud.

app port -> apache ssl -> router port forward -> qnapcloud

It works fine; in some cases I have to configure the router to forward a port, and that's OK.

The question is: I've noticed some ports are available in qnapcloud even when I don't forward them in the router.

This is a huge problem because some of those ports are not using ssl.

How can I 100% block those ports from being available on the internet via qnapcloud?

Cheers
Last edited by presenceofmind on Tue Dec 01, 2020 12:39 am, edited 1 time in total.
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QnapCloud Ports and Security

Post by dolbyman »

NEVER expose QNAP apps to the web. Plenty of malware around.

Disable UPnP and leverage a VPN server (on router or dedicated firewall) to access your NAS from WAN.
presenceofmind
Know my way around
Posts: 198
Joined: Thu May 26, 2016 3:05 pm

Re: QnapCloud Ports and Security

Post by presenceofmind »

Why are there ports available on qnapcloud even when port forward is not enabled for them?

Is it UPnP? Should I turn it off and do it manually? But those ports are not in the list.

I also noticed this new QuFirewall app. Will it allow me to block those ports?
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QnapCloud Ports and Security

Post by dolbyman »

Not sure what you mean by "ports available on qnapcloud".

Ports are forwarded from router to NAS; qnapcloud would only be the DDNS service.
presenceofmind
Know my way around
Posts: 198
Joined: Thu May 26, 2016 3:05 pm

Re: QnapCloud Ports and Security

Post by presenceofmind »

I have an app running on port 3000; I proxy this port to another port, 3043, with SSL.

I add only port 3043 to the router (port forward).

For some reason qnapcloud.com:3000 works.

I want to block port 3000 and let only port 3043 be available online.

Cheers
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QnapCloud Ports and Security

Post by dolbyman »

Then something on your router is still listening to port 3000.

Check the port forward table on the (unknown) router model.

To be sure, disable UPnP and do it all by hand.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: QnapCloud Ports and Security

Post by Mousetick »

presenceofmind wrote: Tue Dec 01, 2020 12:59 am
I have an app running on port 3000; I proxy this port to another port, 3043, with SSL.

I add only port 3043 to the router (port forward).

For some reason qnapcloud.com:3000 works.

If qnapcloud.com:3000 works inside your LAN, it's normal, as the app on the NAS is still listening to port 3000, and you're bypassing your router WAN firewall.
You need to test qnapcloud.com:3000 from outside your LAN, to verify it's blocked.
Also, if you want to completely block port 3000 even inside your LAN, you may be able to configure the app that's listening on port 3000 to only listen to the loopback interface (127.0.0.1), if the app allows this kind of configuration. It should work since the Apache proxy is running on the same host.
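
The difference between an app bound to every interface and one bound only to loopback, as described in the reply above, can be checked on the NAS itself. This is an added example, not part of the thread: it parses the Linux socket table format of /proc/net/tcp, uses ports 3000 and 3043 from the thread, runs on a constructed sample table, and assumes a little-endian Linux host.

```python
"""Audit listening TCP sockets: loopback-only vs. reachable from the network."""
import ipaddress

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real NAS).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:0BE3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0A01A8C0:0BB8 3201A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 20004
"""


def decode_addr(hex_addr):
    """Decode the kernel's hex address (assumes a little-endian host)."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order, so reverse word by word.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(packed)


def listeners(table_text):
    """Yield (ip, port) for every socket in LISTEN state."""
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        yield decode_addr(hex_ip), int(hex_port, 16)


def audit(table_text, plaintext_ports):
    """Return the plaintext ports that listen on a non-loopback address."""
    return sorted({port for ip, port in listeners(table_text)
                   if port in plaintext_ports and not ip.is_loopback})


if __name__ == "__main__":
    # 3000 is the plaintext app port from the thread; 3043 is its SSL proxy.
    print("sample:", audit(SAMPLE, {3000}))
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as table:
                print(path, audit(table.read(), {3000}))
        except OSError:
            pass  # not a Linux host, or no IPv6 table
```

A port reported here is reachable from the LAN; whether it is reachable from the Internet still depends on the router's forwarding table, so the test from outside the LAN remains necessary.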
presenceofmind
Know my way around
Posts: 198
Joined: Thu May 26, 2016 3:05 pm

Re: QnapCloud Ports and Security

Post by presenceofmind »

Mousetick wrote: Tue Dec 01, 2020 1:14 am
Also if you want to completely block port 3000 even inside your LAN, you may be able to configure the app that's listening on port 3000 to only listen to the loopback interface (127.0.0.1), if the app allows this kind of configuration, it should work since the apache proxy is running on the same host.

Yes, that's it. The apps don't give this feature. Can it be done in another way? Firewall perhaps.

Cheers