Firewall ports not documented or known #270

Open
opened 2026-02-20 08:21:38 -05:00 by deekerman · 6 comments

Originally created by @discotimetraveler on GitHub (May 15, 2025).

Originally assigned to: @ym on GitHub.

When attempting to isolate JetKVM to a management network/VLAN, the ports to connect to JetKVM are unknown and not documented. This is not related to public internet connectivity.

There is some discussion of this in issue #84 that is linked from the Troubleshooting documentation. But that thread is full of browser issues, OS issues, Internet issues, etc.

This issue is very simple. What ports are required to connect from the browser to the JetKVM and get video working locally? 80/443 are not enough. 80/443 & STUN (3478) are not enough. 80/443 and a huge block of 49152-65535 (as mentioned in issue #84) is almost enough but not quite right, and having a huge dynamic port range is very security-unfriendly.

If this device requires a massive dynamic port range, and that is seemingly solved "publicly" with Cloudflare and whatever is happening with STUN/TURN as documented here https://jetkvm.com/docs/networking/remote-access, this is not helpful on a local network with firewall segmentation. Not only is this common in Home Lab setups, it's in every Enterprise network everywhere. Having clearly defined and ideally minimal port range known and documented is mandatory.


@sint-sol2023 commented on GitHub (May 19, 2025):

A bump for this issue. I received two JetKVMs last week and must say that the product has a very slick look, is easy to set up, and quite user friendly. However, this device must be isolated from the client network and made accessible on an isolated VLAN which can be reached only via a VPN. This VLAN is not per se a secure place and is set up to allow only a minimum range of ports to reach the machines there. My first idea was to allow only the HTTP port 80, but no, as it only allows one to see and pass the login page, while the whole feature set of the KVM is then not working: USB, video, web console, virtual media are all grayed out.

A solution for now will have to be to remove all restrictions for these devices or to move them to yet another VLAN, both of which are not exactly optimal. When I check open sockets I get the following output:

```
# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3893          0.0.0.0:*               LISTEN      267/jetkvm_native
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      192/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      178/jetkvm_app
tcp        0      0 :::22                   :::*                    LISTEN      192/dropbear
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           178/jetkvm_app
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           178/jetkvm_app
udp        0      0 0.0.0.0:56313           0.0.0.0:*                           178/jetkvm_app
udp        0      0 0.0.0.0:36417           0.0.0.0:*                           178/jetkvm_app
udp        0      0 192.168.100.15:42114    0.0.0.0:*                           178/jetkvm_app
udp        0      0 :::5353                 :::*                                178/jetkvm_app
udp        0      0 :::5353                 :::*                                178/jetkvm_app
udp        0      0 :::37885                :::*                                178/jetkvm_app
udp        0      0 :::33143                :::*                                178/jetkvm_app
udp        0      0 fe80::3252:53ff:fe00:a667:56716 :::*                        178/jetkvm_app
```

If we ignore dropbear, then there are still quite a few TCP and UDP ports, and port 80 is just the tip of an iceberg. Current documentation has no information yet on isolating and securing a JetKVM device on a network. I understand that the product is still fairly new, wildly popular among home labbers, but it starts to spill over to SMEs. Therefore, quite a few people would appreciate more documentation/information on this topic.

Thank you once again for a great product and software stack, and looking forward to more info.


@maxmeyer commented on GitHub (May 19, 2025):

I second the request for a more complete documentation about firewall ports.


@baarcher commented on GitHub (May 19, 2025):

Bump - Until this is published for me JetKVM is a just a (very cool) paperweight. In a Zero trust environment knowing what flows are required is critical and should be published as a matter of course.


@ym commented on GitHub (Jul 11, 2025):

Currently, Pion uses the [full range of ephemeral UDP ports](https://github.com/pion/webrtc/blob/4c1af4c3e6cbc596fe75329bbcc3a802a2a19453/settingengine.go#L202C28-L202C49) (1024–65535), covering nearly all available UDP ports. We’re planning to introduce a feature that allows users to override this setting and specify a smaller port range.

In the meantime, it may be advisable to permit all outgoing UDP ports to ensure full functionality.

Additionally, many cloud-based features rely on dynamic IP ranges. To ensure proper operation, such as with STUN or JetKVM Cloud, you may need to allow all IP ranges from Cloudflare.

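Added example, not JetKVM project code and not posted by anyone in this thread: it ties together the question in the issue body, the `netstat -tulpen` inventory @sint-sol2023 posted, and the Pion 1024–65535 range @ym states, by parsing the netstat output and deriving the smallest set of router rules a client VLAN needs to reach the JetKVM. The VLAN addresses (192.168.10.0/24, 192.168.20.15, an admin host 192.168.10.5), the nftables rule wording and the service labels are assumptions made for illustration; the port facts come from this thread only.

```python
"""Added example, not JetKVM project code: build a listening-socket inventory from
`netstat -tulpen` output (the format posted in this thread) and derive the minimal
router rules a management-VLAN firewall needs, using only port facts stated here."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the netstat output posted in this thread, lightly trimmed.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3893          0.0.0.0:*               LISTEN      267/jetkvm_native
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      192/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      178/jetkvm_app
tcp        0      0 :::22                   :::*                    LISTEN      192/dropbear
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           178/jetkvm_app
udp        0      0 0.0.0.0:56313           0.0.0.0:*                           178/jetkvm_app
udp        0      0 192.168.100.15:42114    0.0.0.0:*                           178/jetkvm_app
udp        0      0 :::5353                 :::*                                178/jetkvm_app
udp        0      0 :::37885                :::*                                178/jetkvm_app
udp        0      0 fe80::3252:53ff:fe00:a667:56716 :::*                        178/jetkvm_app
"""

# Default ephemeral UDP range Pion draws ICE ports from, as stated by @ym above.
PION_UDP_RANGE = (1024, 65535)

# Fixed-port services visible in the inventory; labels are this example's assumptions.
FIXED_SERVICES = {
    ("tcp", 80): "web UI and WebRTC signalling",
    ("tcp", 22): "SSH (dropbear)",
    ("udp", 5353): "mDNS discovery",
}


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    program: str


def parse_netstat(text: str) -> list:
    """Parse tcp/udp rows of `netstat -tulpen`; the header and other rows are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # Local address is column 4; split on the last ':' so IPv6 literals survive.
        addr, _, port = parts[3].rpartition(":")
        sockets.append(Socket(parts[0].rstrip("6"), addr, int(port), parts[-1]))
    return sockets


def classify(sock: Socket) -> str:
    """Bucket a socket by what a firewall between VLANs has to do about it."""
    if sock.addr in ("127.0.0.1", "::1"):
        return "local-only"            # never reachable from another VLAN
    if (sock.proto, sock.port) in FIXED_SERVICES:
        return "fixed"
    lo, hi = PION_UDP_RANGE
    if sock.proto == "udp" and lo <= sock.port <= hi:
        return "webrtc-ephemeral"      # random per session; cannot be pinned individually
    return "unknown"


def allow_rules(sockets, client_net: str, kvm_ip: str,
                ssh_admin: Optional[str] = None) -> list:
    """Derive nftables forward rules (client VLAN -> JetKVM) from the inventory.

    Addresses are parameters because they are site-specific assumptions. Ephemeral
    UDP listeners collapse into one range rule; narrow it once the port-range
    override the maintainers mention becomes available."""
    rules, seen, need_udp_range = [], set(), False
    for s in sockets:
        kind = classify(s)
        if kind == "local-only" or s.addr.startswith("fe80:"):
            continue                   # loopback / link-local: not routed, no rule needed
        if kind == "webrtc-ephemeral":
            need_udp_range = True
            continue
        key = (s.proto, s.port)
        if key in seen:
            continue                   # same port on the IPv4 and IPv6 wildcard
        seen.add(key)
        if key == ("udp", 5353):
            continue                   # link-local multicast; does not cross the router
        if key == ("tcp", 22):
            if ssh_admin:
                rules.append(f"ip saddr {ssh_admin} ip daddr {kvm_ip} tcp dport 22 accept  # SSH, admin host only")
            continue
        if kind == "fixed":
            rules.append(f"ip saddr {client_net} ip daddr {kvm_ip} {s.proto} dport {s.port} accept  # {FIXED_SERVICES[key]}")
        else:
            rules.append(f"# REVIEW: unexpected listener {s.proto}/{s.port} ({s.program}) left blocked")
    if need_udp_range:
        lo, hi = PION_UDP_RANGE
        rules.append(f"ip saddr {client_net} ip daddr {kvm_ip} udp dport {lo}-{hi} accept  # WebRTC media, Pion default range")
    return rules


if __name__ == "__main__":
    # Hypothetical addressing: clients on 192.168.10.0/24, JetKVM at 192.168.20.15.
    for rule in allow_rules(parse_netstat(NETSTAT_SAMPLE), "192.168.10.0/24", "192.168.20.15"):
        print(rule)
```

The point the script makes is the one the thread circles around: the high UDP ports in the inventory are not a fixed set to enumerate but per-session ICE candidates, so a rule written from one snapshot (for example the 49152–65535 block tried in the issue body) will miss sessions that land lower in Pion's range. Re-running the inventory after a firmware update, or after the announced port-range override ships, is how you find out when the range rule can be tightened. Outbound rules for STUN and JetKVM Cloud are deliberately absent, since they concern remote access rather than the local case this issue is about.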

@J0E6469 commented on GitHub (Nov 3, 2025):

Any update on this?


@purepani commented on GitHub (Dec 26, 2025):

This is important to me as well.
