Hello,
I have firewall at home, an I like to know what kind of ports the nuki bridge use for communication.
And what kind of server names. In the logs I found port and *.nuki.io
Does Nuki use some AWS Services?
Best regards
Tristan
Hello,
I have firewall at home, an I like to know what kind of ports the nuki bridge use for communication.
And what kind of server names. In the logs I found port and *.nuki.io
Does Nuki use some AWS Services?
Best regards
Tristan
Hi @tkoridass!
You need to keep outbound port 443 open for the Nuki Bridge if you want to use the remote access features.
@MatthiasK some additional question.
I think I understood that the bridge only establishes outgoing communication with your servers. So the commands from the server to the bridge then take place securely via a kind of polling or websockets. So it is not necessary to open an incoming port on the router for the brigde, right? I even think it would not be really desirable to open the only port (for the api) externally. if necessary you should make calls safely via the nuki web api, because the connection is ssl. am I right there?
thank you and regards, Alex
Correct, outgoing port 443 is sufficient.
Hello and sorry to re-open this older topic.
I am new with Nuki but very interested in Security / Firewall …
As the Nuki-Bride has to use HTTPS / 443 I understand as standard - otherwise there would be some “plain-text” communication.
So my (pfSense) FW-rule is: PASS, IPv4, TCP, Nuki-IP, any Port to any IP, Port 443 (HTTPS)
As Nuki-Bridge do not need to communicate to the world … so, what is the server-name the Bridge must connect to, please (the Bridge has - of course - some address coded, otherwise the bridge would not know to whom to contact) ?
I hope I was understandable with my question
Have a nice day !
Dariusz
Hello Dariusz,
you like to know what IP Adress Nuki use for communication?
In my firewall I could use wildcard fqdn like .nuki.io fpr destination, so my firewall is searching the IP address(es) behind this fqdn, and if Nuki change this adresses, I did‘nt change anything.
I dont‘t know if pfsense could do this also.
Best regards
… you like to know what IP Adress Nuki use for communication?
In my firewall I could use wildcard fqdn like .nuki.io …
Thank you tkoridass,
sorry, I used IP as synonyme … but - of course - I am looking for FQDN (IP-addresses can change)
Do you mean .nuki.io is enough or *.nuki.io ? I have to check with pfSense …
I would expect to get some official feedback from NUKI as Nuki is always underlaining the security topic of Nuki
Somethin like xyz.nuki.io
Thank you once again - I will check with pfSense by Nuki oficially inform the needed FQDN to use in PASS FW-Rule !
It’s not documented because we do not commit do a certain domain/IP, range of domains/IPs. Things might change over time. However allowing *.nuki.io is a good advise and should not restrict the bridge for the time being.
Thanks Jürgen !
Please allow to me to point out … Security is not an option, security is a must - a professional company (not a hobby anymore) need some standards as well as a recommendation to set up a firewall, otherwise I need to allow Nuki to contact the whole world (and also maybe some suspect sites what I cannot judge if there is no formal rule how to setup a FW).
I setup my FW to allow the bridge to contact nuki.io via 443.
Today I found some bloking log of 212.227.198.151:443 … is it NUKI’s IP or is NUKI-bridge contacting some “third pary” IP (as it seems, that this IP is not included in nuki.io in case it is Nuki’s IP) ?
I personally am not able to find out the asked qeustion - thank you in advance.
Yes.
Nukis Servers are hosted at 1&1 in Germany to which the IP belongs. https://whois.domaintools.com/212.227.198.151
Thank you Jürgen for your feedback, I appreciaty it always very much.
On the ohter hand, this is not that perfect from efficience / effort as well as from security point of view
I can add this IP to the firewall - of course - but next time therer will be other or additional IP, etc., etc., etc.
And - if Nuki will not use the IP anymore (from theoritical point of view) and this IP will be sold to third party, then I have a not perfect secured fire-wall-rule …
There should be some FQDN, e.g. fw.nuki.io what includes all relevant and or changed IPs - this is a part of professional security as other companies provides.
Here some example of APC / Schneider Electric … https://smartconnect-support.apc.com/help/EN/#page/EcoStruxure%2520Ready%2520Smart-UPS%2520Help%2520Center%2FMN01.2.5.html%23ww1146370