Firewalls & ports (PRO)
Required ports and configuration strategies for transports, ISS and management.
Overview
Most outbound traffic works without custom rules. In stricter environments, define the explicit allow rules listed below.
Core Outbound
| Purpose | Protocol | Port | Direction |
|---|---|---|---|
| ISS supervision | TCP | 22017 | Out |
| ISS fallback | HTTP | 80 | Out |
| Upgrade service | TCP | 9022 | Out |
| RTMP streaming | TCP | 1935 | Out |
| RTMPT fallback | HTTP | 80 | Out |
Video Transports
| Transport | Protocol | Ports | Notes |
|---|---|---|---|
| UDP Unicast / RTP / FEC / Bifrost | UDP | Even start + range (e.g. 6010–6019) | Reserve contiguous block; open both UDP & TCP for flexibility |
| Stream TCP | TCP | Single chosen (e.g. 6010) | Match receiver listen |
| TCP on Request | TCP | Listening port (e.g. 5040) | Receiver connects inbound |
Inbound to Receiver Behind Firewall
| Component | Rule |
|---|---|
| Streams | Allow UDP & TCP port range per input (e.g. 6010–6019 for input 1) |
| Web UI (optional) | TCP 443 in (avoid if ISS remote control available) |
| File downloads (optional) | TCP 80 in |
Multicast Considerations
- Ensure IGMP snooping is configured to prevent flooding.
- Coordinate address allocation (224.0.0.0 – 239.255.255.255) with network admin.
RTMP Troubleshooting
| Symptom | Cause | Action |
|---|---|---|
| Stream blocked | Port 1935 filtered | Switch to RTMPT (HTTP 80) |
| Higher latency | RTMPT encapsulation | Restore 1935 when possible |
Security Tips
- Prefer an outbound-only model (ISS remote control) over exposing the Web UI.
- Limit opened ranges tightly (10-port blocks) and document the allocations.
Cheat Sheets
Receiver (Live Broadcasting)
- ISS: TCP 22017 out
- Upgrade: TCP 9022 out
- Input Streams: TCP & UDP 6010–6019 (input1), 6020–6029 (input2) etc.
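
The receiver cheat sheet above, turned into firewall rules: this added example (not vendor code) prints nftables rules, one commented 10-port block per input, that can be loaded with `nft -f`. It assumes an existing `inet filter` table with `input` and `output` chains, and that input N uses the Nth contiguous 10-port block counted from 6010; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): emit nftables rules for a receiver.
# Assumptions: an existing "inet filter" table with "input" and "output"
# chains, and that input N uses the Nth contiguous 10-port block from 6010.
BASE_PORT=6010   # first port of input 1, from the cheat sheet
BLOCK_SIZE=10    # one 10-port block per input, from Security Tips

# Print "first-last" for input number $1, or fail on a bad number.
input_block() {
    case "$1" in
        ''|*[!0-9]*|0*) echo "input number must be a positive integer" >&2
                        return 1 ;;
    esac
    first=$((BASE_PORT + ($1 - 1) * BLOCK_SIZE))
    last=$((first + BLOCK_SIZE - 1))
    if [ "$last" -gt 65535 ]; then
        echo "block for input $1 exceeds port 65535" >&2
        return 1
    fi
    echo "${first}-${last}"
}

# Print one commented TCP and UDP rule per input, plus the outbound
# ISS and upgrade rules. The Web UI (TCP 443) is deliberately not opened.
receiver_rules() {
    input_block "$1" >/dev/null || return 1   # validates the input count
    i=1
    while [ "$i" -le "$1" ]; do
        block=$(input_block "$i")
        for proto in tcp udp; do
            echo "add rule inet filter input $proto dport $block accept comment \"input$i streams\""
        done
        i=$((i + 1))
    done
    echo 'add rule inet filter output tcp dport 22017 accept comment "ISS supervision"'
    echo 'add rule inet filter output tcp dport 9022 accept comment "upgrade service"'
}

# Show the rules for a two-input receiver when run directly.
receiver_rules 2
```

The per-rule comments double as the documented allocation: `nft list ruleset` shows which input owns each block.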
Sender (Direkt link) Strict Firewall
- ISS: TCP 22017 out
- Streams: TCP & UDP 6010–6019 (encoder1), 6020–6029 (encoder2) etc.
- RTMP: TCP 1935 (or 80 for RTMPT)