Like, I hear all the time that you shouldn’t open any ports on your network’s firewall for security reasons this and security reasons that. But what are the actual security implications/risks of forwarding a port for something like Jellyfin or a Minecraft server or something like that? Explain like I’m 16 (or something)

  • boblin@infosec.pub
    10 months ago

    An open port is like a door on a building. It allows people from outside (the Internet) to go to the attached room on the inside (the service you’re exposing).

    Now if that’s the only room in the building (the computer is not used for anything else), and the building is alone in the middle of an island with no land access (the computer is separated from the network, like in a DMZ), then the second worst thing an attacker can do is squat in it and rifle through your papers (the configuration files). The worst thing they can do, however, is start using your address and the utilities you paid for to start some unsavoury business (make it part of a botnet).

    But if the server is not segregated from the rest of your network, they’ll start running into other rooms/buildings, getting their hands at anything they can. Your accounts, your identity, etc. You’ll be living in a really bad neighborhood, being shaken down for everything you have at every corner.

    Now for the type of door you’re putting on a building: if you just port forward it’ll be like a screen door. It keeps the bugs out, but any person can open it with ease or crash through it, and they can see what’s inside by just standing in front of it (server fingerprinting). If the services you run have a vulnerability it will be exploited. If you don’t have a firewall or intrusion detection it’ll be like putting a combination lock on the door and never checking if someone is trying all the numbers. The attackers WILL just keep trying until they succeed, and they’re really fast at it.

    So it’s not like you should never put a door on a building, but the door should be reasonably secure, with the appropriate strength, deadbolt, and depending on what you run a receptionist (reverse proxy) and security guard.

  • Bulky_Construction51@alien.topB
    10 months ago

    Also be aware that an exposed port that has an application responding to requests can give information that might reveal weaknesses (for example old versions with available exploits).

    I know Minecraft was very exploitable earlier, I guess with that specific version an attacker would still be able to get access to your machine in some cases.

    So port forwarding is like unlocking a door. As long as the stuff inside the door knows how to handle unwanted guests then no problem. But the challenge, as others have mentioned, is to make sure you actually know everything is secure.
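The "standing in front of the door and seeing what's inside" that boblin mentions, and the version disclosure Bulky_Construction51 warns about, are concrete for a Minecraft server: the Server List Ping status query needs no account and returns the exact version string. Below is an added example written for this thread (not code from any poster or from Mojang) that builds the two client packets and parses a server reply offline, following the public Java Edition protocol layout (VarInt-length-prefixed packets; handshake with next state 1, then an empty status request, then a JSON status response). The `PROTOCOL_VERSION` value, the host `example.org`, the `probe()` helper and the `SAMPLE_*` reply are constructed for the example; `probe()` is defined for use against a real server but is not executed here.

```python
import json
import socket
import struct

# Protocol number the client claims in the handshake. The server answers a status
# query with its own version regardless, so any recent value works (constructed choice).
PROTOCOL_VERSION = 754

def encode_varint(value: int) -> bytes:
    """Encode a non-negative int as a VarInt: 7 data bits per byte, MSB set = more follows."""
    if value < 0:
        raise ValueError("negative VarInts are not needed for a status query")
    out = bytearray()
    while True:
        low, value = value & 0x7F, value >> 7
        out.append(low | 0x80 if value else low)
        if not value:
            return bytes(out)

def decode_varint(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode a VarInt at offset -> (value, next_offset). Rejects truncation and >5 bytes."""
    result = 0
    for i in range(5):
        if offset + i >= len(buf):
            raise ValueError("truncated VarInt")
        byte = buf[offset + i]
        result |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return result, offset + i + 1
    raise ValueError("VarInt longer than 5 bytes")

def encode_string(text: str) -> bytes:
    """Protocol string: VarInt byte length followed by UTF-8."""
    data = text.encode("utf-8")
    return encode_varint(len(data)) + data

def frame(packet_id: int, payload: bytes) -> bytes:
    """Every uncompressed packet is VarInt(length) + VarInt(id) + payload."""
    body = encode_varint(packet_id) + payload
    return encode_varint(len(body)) + body

def build_handshake(host: str, port: int) -> bytes:
    """Handshake (id 0x00): protocol version, address, port, next state 1 = status."""
    payload = (encode_varint(PROTOCOL_VERSION) + encode_string(host)
               + struct.pack(">H", port) + encode_varint(1))
    return frame(0x00, payload)

def build_status_request() -> bytes:
    """Status request is an empty packet with id 0x00."""
    return frame(0x00, b"")

def parse_status_response(buf: bytes) -> dict:
    """Parse a status response: length, id 0x00, then the JSON string the server hands out."""
    length, off = decode_varint(buf)
    if len(buf) - off < length:
        raise ValueError("truncated packet")
    packet_id, off = decode_varint(buf, off)
    if packet_id != 0x00:
        raise ValueError(f"unexpected packet id {packet_id:#x}")
    text_len, off = decode_varint(buf, off)
    payload = buf[off:off + text_len]
    if len(payload) != text_len:
        raise ValueError("truncated JSON payload")
    return json.loads(payload.decode("utf-8"))

def fingerprint(status: dict) -> dict:
    """Reduce the status JSON to what a scanner records: version, protocol, player counts."""
    version, players = status.get("version", {}), status.get("players", {})
    return {"version": version.get("name"), "protocol": version.get("protocol"),
            "online": players.get("online"), "max": players.get("max")}

def probe(host: str, port: int = 25565, timeout: float = 3.0) -> dict:
    """Live query against a reachable server. Not executed here; the offline sample below is."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake(host, port) + build_status_request())
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
            try:
                length, off = decode_varint(buf)
            except ValueError:
                continue  # length prefix incomplete; the socket timeout bounds the wait
            if len(buf) >= off + length:
                return fingerprint(parse_status_response(buf))

# Constructed reply standing in for what a real server sends back to the status request.
SAMPLE_STATUS = {"version": {"name": "1.16.5", "protocol": 754},
                 "players": {"max": 20, "online": 3},
                 "description": {"text": "A Minecraft Server"}}
SAMPLE_RESPONSE = frame(0x00, encode_string(json.dumps(SAMPLE_STATUS)))

if __name__ == "__main__":
    print("handshake     :", build_handshake("example.org", 25565).hex())
    print("status request:", build_status_request().hex())
    print("fingerprint   :", fingerprint(parse_status_response(SAMPLE_RESPONSE)))
```

The point of the example is the last line: three tiny packets, no credentials, and the scanner has the version string to look up against known issues. Internet-wide scanners do exactly this against every host that answers on the default port, which is why a forwarded service should be kept patched rather than relying on nobody noticing it.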

  • rayjaymor85@alien.topB
    10 months ago

    Port forwarding itself is not inherently dangerous; in much the same way that jumping out of a window is not inherently dangerous. But obviously it is risky.

    If you know what you’re doing and mitigate the risk, jumping out of a window onto say a soft landing or a ground floor window is not a problem.

    Anyone hosting websites or services, either at home or in a datacenter, does it all the time.

    The dangerous part is what someone can do with that forwarded port if the service it’s attached to can be used to gain access to something else on the network.

    Usually done by figuring out what you are running, and then exploiting a CVE to get in and then get access to the rest of your network that way.

    So as an example I have a VM with Google Cloud that is running my website. If someone does manage to hack it, well, who cares - it’s just a VM running that simple LAMP stack.

    If I had that same website on my home network, and it can access my home NAS, well if it turns out there’s a vulnerability I didn’t account for then technically someone can take over that VM and hop into my NAS and do damage there.

  • bufandatl@alien.topB
    10 months ago

    The problem is a lot of people here are beginners and have no real clue about network security. And opening a port is opening a door. If you have a bouncer that clears people beforehand then you can keep the door open. But you will still need to keep your bouncer trained so he can take care of people you don’t want. Same with software. Keep it updated and have security enhancements in place like 2FA and analysis tools like crowdsec or fail2ban. And the open port might not be an issue at all.

    But if you open a device like a NAS (cough QNAP cough) then you have a higher security risk.

    TL;DR: if you know what you are doing it might not have implications.
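boblin's "combination lock that nobody checks" and bufandatl's pointer to fail2ban or crowdsec describe the same control: watch the authentication log for one source trying many combinations, and shut the door on it. The example below is added for this thread (my own code, not fail2ban's or crowdsec's implementation) and shows the core of that logic, a per-source sliding window over sshd "Failed password" lines with fail2ban-style `maxretry` and `findtime` parameters. The log lines, host name `gw`, IP addresses and the allowlist are constructed; the iptables rules are returned as strings and never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd "Failed password" lines in syslog format (no year); the user may be prefixed with "invalid user".
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failure(line: str):
    """Return (timestamp, ip, user) for a failed-login line, or None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog carries no year; strptime defaults to 1900, which is fine for ordering within one log.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def detect_bruteforce(lines, maxretry: int = 5, findtime: int = 600, allowlist=()):
    """fail2ban-style sliding window: ban an IP at its maxretry-th failure within findtime seconds.

    Returns {ip: timestamp_of_ban}. Sources whose attempts are spaced wider than the window
    never accumulate enough failures; that blind spot is why findtime is worth tuning.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        event = parse_failure(line)
        if event is None:
            continue
        ts, ip, _user = event
        if ip in allowlist or ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

def ban_commands(bans: dict) -> list[str]:
    """Render bans as iptables drop rules (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]

# Constructed log: a fast brute-forcer, a slow one, an allowlisted LAN host, and unrelated noise.
SAMPLE_LOG = """\
Nov  3 10:00:01 gw sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Nov  3 10:00:04 gw sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Nov  3 10:00:05 gw sshd[1003]: Failed password for root from 203.0.113.7 port 51141 ssh2
Nov  3 10:00:06 gw sshd[1004]: Failed password for root from 203.0.113.7 port 51150 ssh2
Nov  3 10:00:09 gw sshd[1005]: Failed password for invalid user pi from 203.0.113.7 port 51162 ssh2
Nov  3 10:00:10 gw sshd[1006]: Failed password for invalid user pi from 203.0.113.7 port 51170 ssh2
Nov  3 10:05:00 gw sshd[1010]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Nov  3 10:20:00 gw sshd[1011]: Failed password for alice from 198.51.100.23 port 40002 ssh2
Nov  3 10:35:00 gw sshd[1012]: Failed password for alice from 198.51.100.23 port 40003 ssh2
Nov  3 10:50:00 gw sshd[1013]: Failed password for alice from 198.51.100.23 port 40004 ssh2
Nov  3 11:05:00 gw sshd[1014]: Failed password for alice from 198.51.100.23 port 40005 ssh2
Nov  3 11:06:00 gw sshd[1020]: Accepted publickey for alice from 198.51.100.23 port 40010 ssh2
Nov  3 11:06:30 gw sshd[1020]: Connection closed by 198.51.100.23 port 40010 [preauth]
Nov  3 11:10:00 gw sshd[1030]: Failed password for bob from 192.168.1.10 port 50001 ssh2
Nov  3 11:10:05 gw sshd[1031]: Failed password for bob from 192.168.1.10 port 50002 ssh2
Nov  3 11:10:10 gw sshd[1032]: Failed password for bob from 192.168.1.10 port 50003 ssh2
Nov  3 11:10:15 gw sshd[1033]: Failed password for bob from 192.168.1.10 port 50004 ssh2
Nov  3 11:10:20 gw sshd[1034]: Failed password for bob from 192.168.1.10 port 50005 ssh2
"""
LAN_ALLOWLIST = {"192.168.1.10"}  # constructed: never auto-ban your own LAN host

if __name__ == "__main__":
    bans = detect_bruteforce(SAMPLE_LOG.splitlines(), allowlist=LAN_ALLOWLIST)
    for ip, when in bans.items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("\n".join(ban_commands(bans)))
```

With the defaults, only 203.0.113.7 is banned: five failures inside nine seconds. The slow source spacing its guesses fifteen minutes apart is never caught by a ten-minute window, which is the trade-off behind the `findtime` knob, and the allowlist keeps a mistyped password on your own LAN from locking you out. Real deployments also need a ban expiry and a reload-safe way to apply rules, which this sketch leaves out.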

  • Mephidia@alien.topB
    10 months ago

    You’re allowing random people to access those services. Jellyfin almost definitely has a 0 day exploit so anyone who has access would potentially be able to use that on you. I would wager burning a 0 day on a random is probably not gonna be happening but also the odds of a random realizing they’ve been hacked is pretty low too so you never really know.

  • billiarddaddy@alien.topB
    10 months ago

    That depends on the port/service you’re forwarding.

    It also depends on your ISP if they filter some standard ports.

    Non-standard ports can obfuscate your service, preventing it from being detected by crawlers and bots.

    Start small and don’t ignore security standards.

    Patch your stuff. Use common sense.

  • winston198451@alien.topB
    10 months ago

    A lot of great and valuable replies here so far. I’ll add my comments anyway.

    I have learned over the years of selfhosting/homelabbing and being an IT professional that as u/emprahsFury stated,

    Oftentimes though people don’t know what they don’t know, and we only find out that we don’t know after we’ve moved from the prevention phase to the remediation phase.

    I have seen this for years professionally. Unless you think like the bad guy, you don’t know what the bad guy is thinking. Not knowing what the bad guy is thinking does not mean that the techniques and possibilities do not exist.

    Taking some time to learn what the bad guys can do can be very helpful to the self-hoster in general.