Prior to SmartServer 4.2, the SmartServer Configuration page Firewall tab was called the Features tab.
...
For SmartServer 4.1 and prior, see Managing Ports and Services (Release 4.1 and Prior).
This section consists of the following topics:
...
The table below lists the incoming and/or outgoing service ports that are open to the outside world by default. The default is set when re-imaging the system and when transitioning the Enable Enhanced Security option from disabled to enabled. You can sort the table by clicking on the column header.
When the Enable Enhanced Security option is checked (enabled), all of the ports listed in the table are opened, except for the ports that are marked with asterisks (**). These ports are only open by default if the service is enabled in the SmartServer Configuration pages. The consequence of closing these ports is described in the column labeled Consequence of Closing.
Other services can be managed from the command line using ufw
firewall rules. See the Disabling / Re-enabling Other Ports section below for more information. You can optionally create a backup of the following files in case you want to undo any changes to the firewall rules:
/etc/ufw/user.rules
/etc/ufw/user6.rules
Info | ||
---|---|---|
| ||
Enhanced security is disabled by default on a SmartServer that is updated to 3.5 or higher from a release prior to 3.5. Enhanced security disables IP-852 routing. To use IP-852 routing you will need to disable Enhanced security. |
Port | Service | Protocol | Enhanced In/Out | Standard In/Out | Comment |
---|---|---|---|---|---|
BAC0-BACF, C000-FFFF ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This port is user-configurable. |
22 | SSH (sshd) | TCP | Allowed/Blocked | Allowed/Allowed | See the Disabling SSH / Port 22 section below for more information. |
25 | SMTP | TCP | Blocked/Allowed | Blocked/Allowed | Email alarm notifications and password notifications will not be sent. |
53 | DNS | TCP/UDP | Blocked/Allowed | Blocked/Allowed | This port is required for DNS resolution. |
67 | DHCP client (dnsmasq) | UDP | Allowed/Blocked | Allowed/Allowed | You can set static IP addresses using the System Configuration page. Setting static IPs does not disable the service.
Update: |
80 | SmartServer CMS Update | TCP | Blocked/Allowed | Blocked/Allowed | Default HTTP port. |
123 | NTP | UDP | Blocked/Allowed | Blocked/Allowed | This port is required for system time synchronization. |
502 | Modbus TCP | TCP | Blocked/Allowed | Blocked/Allowed | This is the conventional port used for Modbus TCP for clients and simulators. |
443 | Signed Certificates Licensing | TCP | Blocked/Allowed | Blocked/Allowed | |
443 | Web/Proxy Server (nginx) | TCP | Allowed/Blocked | Allowed/Allowed | Default HTTPS port. |
1628 – 1645 (typical default range) ** | LON (echlte) | TCP | Allowed/Blocked | Allowed/Allowed | Optional LON functionality: IP-852, RNI, Protocol Analyzer port. You can enable/disable these services using the LON Configuration page. 1628 and 1629 are IANA assigned ports for LON communications over IP supporting IP-852, RNI. This port is user-configurable. |
1883 ** | MQTT (mosquitto) | TCP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this port using the Firewall Configuration page. This feature will need to be re-enabled after enabling enhanced security. |
2541 | LON (echlte) | TCP | Allowed/Blocked | Allowed/Allowed | External IP-70 This port is always open. |
5353 | mDNS (avahi-daemon) | UDP | Allowed/Blocked | Allowed/Allowed | mDNS/ ZeroConf/Bonjour DNS service will not find the SmartServer (e.g., hostname.local). You will need to use an IP address or some other DNS service. |
8883 ** | MQTT (mosquitto) | TCP | Allowed/Blocked | Allowed/Allowed | INE requires a certificate and credentials to be configured in order to connect. You can enable/disable this port using the Firewall Configuration page. This feature will need to be re-enabled after enabling enhanced security. |
8883 ** | MQTT (mosquitto) | TCP | Blocked/Allowed | Blocked/Allowed | You can enable/disable this port using the System Configuration page → Enable Remote CMS. |
41797 ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This feature will need to be re-enabled after enabling enhanced security. |
47808 ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This feature will need to be re-enabled after enabling enhanced security. |
49152 – 65535 ** | IANA ephemeral UDP port range | UDP | Blocked/Allowed | Blocked/Allowed | These ports are used dynamically by clients such as YABE (Yet Another BACnet Explorer) for BACnet as their source port while they have an established connection to the SmartServer. You can configure these ports using the BACnet Configuration page. |
55000 (default) ** | OPC UA Server (echopcua) | TCP | Allowed/Blocked | Allowed/Allowed | You can disable this service using the OPC UA Configuration page. OPC UA can be configured to require authentication. This port is user-configurable. |
All other ports | Multiple | TCP/UDP | Blocked/Blocked | Blocked/Allowed |
...
The table below lists internal services/ports. There are no firewall rules exposing these internal services/ports to external interfaces. You can sort the table by clicking on the column header.
Warning | ||
---|---|---|
| ||
Attempting to modify or restrict these ports may compromise the functionality of the SmartServer applications. |
...
- Open the SmartServer Configuration page as described in Accessing the SmartServer IoT Configuration Page. The Network tab appears as the default SmartServer Configuration page. Once the network settings are configured for the SmartServer system, then the System tab will appear as the default as shown in the next step.
- Click the System tab.
Click the Firewall tab.
The Firewall tab appears.- Select the check boxes for the ports you want to enable; clear the checkboxes for the ports you want to disable.
- Click Update to save the port settings.
...
To disable SSH port 22, perform the following steps:
- Log into the SmartServer console using USB or SSH.
- Enter the following command to view current firewall rules:
sudo ufw status numbered - Take note of the rule number for SSH port 22.
Delete the rule for SSH port 22 using the following command (may require sudo password):
The following confirmation prompt appears:
sudo ufw delete <rule number for port 22>
Proceed with operation (y|n)?- Enter y and press RETURN.
Once the rule number for port 22 is deleted, SSH connection attempts will timeout and fail to connect.
Example: disables the SSH port 22Info title Disabling SSH service You can also disable the SSH service; however, this service will be re-enabled after upgrading or re-imaging the SmartServer. To disable the SSH service, enter the following commands:
sudo systemctl disable ssh
sudo systemctl stop ssh
...
To disable a port by deleting a firewall rule, perform the following steps:
- Log into the SmartServer console using USB or SSH.
- Enter the following command to view current firewall rules:
sudo ufw status numbered Take note of the current settings and only remove specific rules by entering the following command (may require sudo password):
sudo ufw delete <rule number>For example:
sudo ufw delete 24
This example disables the outbound ephemeral UDP port range.Note title Note the syntax for enabling the rule Take note of the response to the delete command (i.e.,
allow out 49152:65535/udp
in the example below) as shown in the highlighted area of the following screen capture. You will need this syntax if you later want to re-enable the port.
The following confirmation prompt appears:Proceed with operation (y|n)?
- Enter y and press RETURN.
The rule is deleted.
To re-enable a port by adding a firewall rule, perform the following steps:
- Log into the SmartServer console using USB or SSH.
- Enter the following command to add a rule:
sudo ufw <allow syntax that was noted above>
For example:sudo ufw allow out 49152:65535/udp
The rule is added.
...