How did Chia open port 8444 on my router?

I was just logged in to my router, and under the port forwarding section, it shows the service name “chia” is forwarding that data to my local IP address (of my full node Chia box).

How could Chia software, or any software, access my router to make that change?

I had once needed ftp to forward to a service on my local machine. I had to log in to my router, drill down to the port forwarding section, and type in the port numbers and IP address, etc.

Chia never asked for my router’s login credential. So how did it make that port 8444 forwarding entry in my router’s port forwarding rules?

UPnP (20 chars aaaaa)

1 Like

Chia didn’t make that change in your router. No possible way. Maybe you got drunk and did some IT work.

Normally UPnP is enabled in most routers. But having a port-forward rule called chia pointing to your specific internal IP, that is different. But I’m positive it wasn’t done by the chia software.

Are you sure it is UPnP (8444)? Maybe someone (hacker) has added a port forward to your router and masked it with the chia name. What port(s)?

1 Like

Perhaps I am having a senior moment, and not remembering setting up that rule more than a year ago.

I just do not remember doing it. But I must have, because I cannot see any other way for it to happen.

It is port 8444.
Is UPnP an OS feature, or a router feature?
I do not recall seeing any UPnP options in my router’s settings.

No hackers. I have the router’s remote administration disabled, and I do not have the default password on my router. The port forwarding setting is correct, and belongs there. I just do not remember making the entry. I am losing my mind. :wink:

UPnP is “Universal Plug and Play”. Below is a link to a pretty good description of it. Just ignore the click-baity scorched earth warning of a title. The entire article is a good read if you want to learn. For a quick read, jump to the “What is UPnP used for?” section for the cliff notes.

1 Like

UPnP is an old and well-established advertisement / discovery protocol (upnp.org / http://upnp.org/resources/documents/UPnP_UDA_tutorial_July2014.pdf). It can be supported by any LAN device (e.g., OS or printer / router).

However, some providers abuse it, and let it be manipulated from outside (e.g., some versions of cable modems to snoop on your LAN / all devices / all network traffic). (I participated in protocol enhancement sessions, where cable modem people were pushing to have external access to the whole network, as they needed some fuzzy logs from devices that may eventually be on some networks - basically a carte blanche to do whatever they wanted.) And of course, as everything else, more advanced malware can use it to do further harm, although that is just a postmortem as such malware needs to be there first.

On the other hand, if not UPnP/DLNA, it would be really challenging for some people to use a LAN based printer, or make some audio / video calls, or access all your music and movies sitting on your NAS.

The entry in your router has nothing to do with protocol, but rather how that router shows what is enabled / happening. Yes, the expected behavior is that if a device requests a port to be opened, it should not be listed in the “standard” section of port-forwarding rules. However, I would not bet on that some routers showing it there to just show what is happening on your network (what if marked correctly has value).

Yes, there is a possibility that somewhere in his router it may list what devices on the network are using that port. But there is no way that the router would know to name it “chia”. That is a rule that was manually set up.

Never say never.

During the SSDP discovery message exchange, Chia can use whatever friendly name it wants (or not provide, as that is an optional field). Further down the line, when it is asking for that rule to be implemented, it can provide whatever friendly name it wants as well (again, optional). It is up to the presentation layer on the router side what to show and where. So, potentially the router can clearly identify not just what box is asking for that rule, but rather what specific service is asking for it. As I stated, I would really like to see all those UPnP enabled rules.

By the way, if you check your router’s ‘attached devices’ or something like that page, you will see device names, where those names were available. SSDP/UPnP are rather verbose, as basically everything is conveyed via XML flat files.

Saying that, I cannot say that I have seen many routers, mainly Netgear and Linksys/Cisco. If I recall it, @seymour.krelborn's router is given to him by his ISP, so it is for sure heavily modified. To me, that is the reason to not go with any provided routers, as one really has no clue what kind of crap is installed on those routers, plus regardless if remote control is disabled or not, the service providers have full access to those.

That is just a crook company making false statements to boost their bottom line by spreading lies. There are plenty of good reads out there that describe the garbage NordVPN is pushing.

Statements like: “enable UPnP by default, making them discoverable from the WAN, which leads to many security issues.” are complete horseshit. Whoever wrote it has no clue how for instance SSDP (advertisement part of UPnP) protocol works. There is no way to advertise UPnP service on the WAN side, as it is using LAN UDP broadcast ports.

Correct (20 characters)

Well, some digging, and here you go:

So, yeah you can dance around it as much as you want, but at the end, the code is what matters. The friendly name they use to request that port to be open is exactly lower case ‘chia’ as how @seymour.krelborn quoted it. You can also dig into the library to learn more how it is further executed.

@seymour.krelborn It would be an interesting test to check your router, the next time you bring the full node down, as when chia shuts down properly, it should request to delete that port mapping, so potentially the router may remove that entry. Although, as we know chia has problems with clean shutdowns, so that part of the code (deleteportmap) may not be executed. It also could be that the router will linger a bit before it will release it / update UI after it gets that request.

2 Likes
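Added example, not written by anyone in this thread and not Chia's or any router vendor's code: the UPnP IGD `AddPortMapping` SOAP body a LAN application sends, and the rule row a router UI could build from it. It shows that the request carries a free-text description and no router credentials, and that a lease of 0 stays until deleted. The LAN address `192.168.1.50`, the function names and the lease value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"

def build_add_port_mapping(port, lan_ip, description, lease=0, proto="TCP"):
    """Client side: SOAP body POSTed to the router's IGD control URL.
    Every argument of the action is listed here; none is a login or password."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    action = ET.SubElement(body, f"{{{SVC}}}AddPortMapping")
    args = [
        ("NewRemoteHost", ""),            # empty = any WAN source
        ("NewExternalPort", port),
        ("NewProtocol", proto),
        ("NewInternalPort", port),
        ("NewInternalClient", lan_ip),    # LAN host that receives the traffic
        ("NewEnabled", 1),
        ("NewPortMappingDescription", description),  # the "friendly name"
        ("NewLeaseDuration", lease),      # seconds; 0 = no expiry in IGD v1
    ]
    for name, value in args:
        ET.SubElement(action, name).text = str(value)
    return ET.tostring(env, encoding="unicode")

def router_rule_row(soap_xml):
    """Router side (hypothetical UI): build a display row from the request."""
    root = ET.fromstring(soap_xml)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{SVC}}}AddPortMapping")
    f = {child.tag: (child.text or "") for child in action}
    return {
        "name": f["NewPortMappingDescription"] or "(unnamed)",
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "forward_to": f"{f['NewInternalClient']}:{f['NewInternalPort']}",
        # With lease 0 the rule stays until the client sends DeletePortMapping
        # or the router clears its dynamic table (for example on reboot).
        "persists_until_deleted": int(f["NewLeaseDuration"]) == 0,
    }

if __name__ == "__main__":
    # Constructed sample: port 8444 and the name "chia" are from the thread.
    request = build_add_port_mapping(8444, "192.168.1.50", "chia")
    print(router_rule_row(request))
```

A router that lists such rows next to manually entered rules would produce exactly the kind of entry the original question describes; disabling UPnP on the router stops these requests from being honoured.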

What I might also try is the following:
When I do my next Chia upgrade (currently on 1.3.3), I will:

– Shut down the GUI and ensure that all related processes have shut down.
– Delete the port forwarding entry in my router.
– Install the new Chia version.
– Check to see if the port forwarding entry returns in my router.

By the way…
How do you include text file attachments that include scroll bars?
When I try to include an attachment, the only file types this site offers are jpg, png, gif, and other graphic type files. I am unable to load a text file (like a chia log file).

1 Like

@Voodoo Man, I gave you a like, and I am not sure anymore whether for what you wrote, or rather that you pulled it down :slight_smile:

Much better test!

You don’t include text as an attachment, rather you copy it in, and (as @Voodoo wrote) highlight that part, and hit “Preformatted text - Ctrl+E” button (6th from the left).

Although, the text in my previous post was a link to github, and was automatically formatted like that (when you put it on a new line).

1 Like

I thought when you use the inline code button you could make that scroll he was asking about.
But couldn’t check it on my phone there so I deleted it :sweat_smile:

Dude don’t you remember we were texting each other at night drinking beers and you said I have to log into my router to make some changes, I said sounds good I need another beer I’ll be right back :woozy_face: :dizzy_face: :face_with_spiral_eyes:

That entry in his router was made by him. And I don’t dance. Router manufacturers would be sued if they let software breach their security.

Nice. At this point I am feeling like I was wrong, but figured the only way to get to the bottom of this is to test it. Here is what I did.

My firewall/gateway is a Ubiquiti UDM-Pro. This was my manual Port Forwarding I have set up.

Located the UPnP setting under Settings → Internet → Default WAN → Advanced Section. It was currently disabled.

To test, I disabled the manual port forwarding rule and enabled the UPnP service for the WAN interface. Then I closed the Chia GUI and started it back up. Watched the chia log for “upnp” and saw the following:

Looked at the firewall again but could not find any entry called “chia” or any reference to port 8444. Pulled the logs and still didn’t find anything. Enabled the highest level of logging and did it all over again and still didn’t find any reference. Chia appears to be working properly. Most likely, my device just doesn’t list out UPnP connections.

My conclusion is that @Jacek is correct and I was incorrect in my belief that the entry was not automatically created. But my test was kind of inconclusive in proving this. To be 100% positive, the OP would need to do a test.

  1. Shut down Chia. (If it was an automatically created rule, doing this should have removed the rule from your firewall, you can check now to see. If it is gone, restart chia and see if it comes back. If it is still there, continue to next steps)
  2. Reboot your firewall/router.
  3. Confirm that the entry in your firewall rules is now gone. If it isn’t, document its configuration and delete it.
  4. Start Chia.
  5. Check your firewall for the entry. Did it come back? If it did or didn’t we have an answer for sure. If it did, no other action needed, it is obviously automatically created. Your firewall just lists them as rules as they get generated. If it didn’t come back, go ahead and manually put it back.

If it is an automatic entry, I guess my biggest complaint would be the way that router shows it. It should not be under the rules section. If it is to be there, it should be clearly indicated that it was dynamically created via a service on the router. And maybe it is and the OP just didn’t notice.

I don’t support or use NordVPN. And I pointed out that the title was clearly BS (so most likely any opinion in the article is too). But the base description of UPnP provided is correct and why I pointed to the specific paragraph. It was worded in clearer terms than the standard UPnP Protocol wikis and such. I was just trying to be helpful.

For one, even though my ISP provides a cable modem/router, I have my own router that I place my static IP of my router into the DMZ of the provided modem/router. This way you are in control of what gets onto your network. And you can configure your port forwarding to your nodes etc.

Not sure why you replied to me with that information. What’s your point?