Managing SmartServer IoT Ports and Services

Prior to SmartServer 4.2, the SmartServer Configuration page Firewall tab was called the Features tab.
For SmartServer 4.1 and prior, see Managing Ports and Services (Release 4.1 and Prior).

Identifying Outgoing Internet Requests

The following functions may attempt outgoing Internet requests while using the SmartServer:

  • NTP – SmartServer synchronizes time using http://ntp.pool.org/.

  • Certificates – if you are using signed certificates, then the SmartServer will periodically renew certificates by going to Let's Encrypt.

  • DDNS – the public IP address of the SmartServer's private network is registered so that outside users can contact the SmartServer by its hostname. This operation entails going to AWS (the location of the DDNS service).

  • Google Maps and Open Street Maps – the Locations widget accesses external mapping APIs.

  • wget – SmartServer accesses the SmartServer download server when you update the SmartServer using the Internet method for the update source.

  • Node-RED – if you are using Node-RED (Sequencing widget), then some functions may try to access the Node-RED server.

Identifying External Ports

The table below lists the incoming and/or outgoing service ports that are open to the outside world by default. The default is set when re-imaging the system and when transitioning the Enable Enhanced Security option from disabled to enabled. You can sort the table by clicking on the column header.

When the Enable Enhanced Security option is checked (enabled), all of the ports listed in the table are opened, except for the ports marked with asterisks (**). These ports are only open by default if the service is enabled in the SmartServer Configuration pages. The consequence of closing each port is described in the column labeled Consequence of Closing.

Other services can be managed from the command line using ufw firewall rules. See the Disabling / Re-enabling Other Ports section below for more information. You can optionally create a backup of the following files in case you want to undo any changes to the firewall rules:

/etc/ufw/user.rules
/etc/ufw/user6.rules

Enhanced Security is available with SmartServer 3.5 and higher.

Enhanced security (the Enable Enhanced Security option on the System Configuration page) is enabled by default on:

  • a factory-configured SmartServer that is shipped with 3.5 or higher

  • a SmartServer with 3.5 or higher after a factory reset

  • a SmartServer that is re-imaged with 3.5 or higher

Enhanced security is disabled by default on a SmartServer that is updated to 3.5 or higher from a release prior to 3.5.

Enhanced security disables IP-852 routing. To use IP-852 routing you will need to disable Enhanced security.

 

Port | Service | Protocol | Enhanced In/Out | Standard In/Out | Comment
---- | ------- | -------- | --------------- | --------------- | -------
BAC0-BACF, C000-FFFF ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This port is user-configurable.
22 | SSH (sshd) | TCP | Allowed/Blocked | Allowed/Allowed | See the Disabling SSH / Port 22 section below for more information.
25 | SMTP | TCP | Blocked/Allowed | Blocked/Allowed | Email alarm notifications and password notifications will not be sent.
53 | DNS | TCP/UDP | Blocked/Allowed | Blocked/Allowed | This port is required for DNS resolution.
67 | DHCP client (dnsmasq) | UDP | Allowed/Blocked | Allowed/Allowed | You can set static IP addresses using the System Configuration page; setting static IPs does not disable the service. This port cannot be blocked with ufw/iptables; update /etc/ufw/before.rules instead.
80 | SmartServer CMS Update | TCP | Blocked/Allowed | Blocked/Allowed | Default HTTP port.
123 | NTP | UDP | Blocked/Allowed | Blocked/Allowed | This port is required for system time synchronization.
502 | Modbus TCP | TCP | Blocked/Allowed | Blocked/Allowed | This is the conventional port used for Modbus TCP for clients and simulators.
443 | Signed Certificates, Licensing | TCP | Blocked/Allowed | Blocked/Allowed |
443 | Web/Proxy Server (nginx) | TCP | Allowed/Blocked | Allowed/Allowed | Default HTTPS port. This port is required for the SmartServer Configuration page, Local CMS, custom web pages, and custom applications using IAP/REST.
1628 – 1645 (typical default range) ** | LON (echlte) | TCP | Allowed/Blocked | Allowed/Allowed | Optional LON functionality: IP-852, RNI, Protocol Analyzer port. You can enable/disable these services using the LON Configuration page. 1628 and 1629 are IANA-assigned ports for LON communications over IP supporting IP-852 and RNI. This port is user-configurable.
1883 ** | MQTT (mosquitto) | TCP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this port using the Firewall Configuration page. This feature will need to be re-enabled after enabling enhanced security.
2541 | LON (echlte) | TCP | Allowed/Blocked | Allowed/Allowed | External IP-70. This port is always open.
5353 | mDNS (avahi-daemon) | UDP | Allowed/Blocked | Allowed/Allowed | mDNS/ZeroConf/Bonjour DNS service will not find the SmartServer (e.g., hostname.local). You will need to use an IP address or some other DNS service.
8883 ** | MQTT (mosquitto) | TCP | Allowed/Blocked | Allowed/Allowed | INE requires a certificate and credentials to be configured in order to connect. You can enable/disable this port using the Firewall Configuration page. This feature will need to be re-enabled after enabling enhanced security.
8883 ** | MQTT (mosquitto) | TCP | Blocked/Allowed | Blocked/Allowed | You can enable/disable this port using the System Configuration page → Enable SmartSupervisor (Remote CMS).
41797 ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This feature will need to be re-enabled after enabling enhanced security.
47808 ** | BACnet Server (echbacnet) | UDP | Allowed/Blocked | Allowed/Allowed | You can enable/disable this service using the BACnet Configuration page. This feature will need to be re-enabled after enabling enhanced security.
49152 – 65535 ** | IANA ephemeral UDP port range | UDP | Blocked/Allowed | Blocked/Allowed | These ports are used dynamically by clients such as YABE (Yet Another BACnet Explorer) for BACnet as their source port while they have an established connection to the SmartServer. You can configure these ports using the BACnet Configuration page.
55000 (default) ** | OPC UA Server (echopcua) | TCP | Allowed/Blocked | Allowed/Allowed | You can disable this service using the OPC UA Configuration page. OPC UA can be configured to require authentication. This port is user-configurable.
All other ports | Multiple | TCP/UDP | Blocked/Blocked | Blocked/Allowed |

By default, there is no rule for port 80/TCP. Nginx redirects HTTP requests to HTTPS (443/TCP), so there is no HTTP service even when 80/TCP is open.

Identifying Internal Ports

The table below lists internal services/ports. There are no firewall rules exposing these internal services/ports to external interfaces. You can sort the table by clicking on the column header.

Managing internal ports

Attempting to modify or restrict these ports may compromise the functionality of the SmartServer applications.

Port | Service | Protocol | Enhanced In/Out | Standard In/Out
---- | ------- | -------- | --------------- | ---------------
53 | DNS (dnsmasq) | TCP | Allowed/Blocked | Allowed/Allowed
53 | DNS (dnsmasq) | UDP | Allowed/Blocked | Allowed/Allowed
1099 | Local CMS if active (jmx) | TCP | Allowed/Blocked | Allowed/Allowed
1629 (IP-70) | LON (echlte) | UDP | Allowed/Blocked | Allowed/Allowed
1880 | Node-Red (node-red) | TCP | Allowed/Blocked | Allowed/Allowed
3200 | Local CMS if active (mqtt) | TCP | Allowed/Blocked | Allowed/Allowed
5432 | Local CMS if active (pgsql) | TCP | Allowed/Blocked | Allowed/Allowed
6379 | Local CMS if active (redis) | TCP | Allowed/Blocked | Allowed/Allowed
8101 | Local CMS if active (cms for SmartServer 4.4 and higher, karaf for SmartServer 4.3 and prior) | TCP | Allowed/Blocked | Allowed/Allowed
8181 | Local CMS if active (jetty) | TCP | Allowed/Blocked | Allowed/Allowed
9001 | Supervisor (python) | TCP | Allowed/Blocked | Allowed/Allowed
9090 | Reboot Manager (python3) | TCP | Allowed/Blocked | Allowed/Allowed
44444 | Local CMS if active (jmx) | TCP | Allowed/Blocked | Allowed/Allowed
dynamic (see note below) | Reboot Manager (python3) | TCP | Allowed/Blocked | Allowed/Allowed
dynamic (see note below) | Local CMS if active (jmx) | TCP | Allowed/Blocked | Allowed/Allowed
dynamic (see note below) | Local CMS if active (pgsql) | UDP | Allowed/Blocked | Allowed/Allowed

Dynamic ports

Dynamic ports are determined at runtime.

Enabling / Disabling MQTT Ports

Starting with SmartServer 2.7 Update 1, you can enable and disable the MQTT ports on the LAN (eth0) and WAN (eth1) interfaces from the SmartServer Configuration page. These ports provide external access to the IAP/MQ message bus used internally by the SmartServer. The MQTT ports are 1883 for unsecured communication and 8883 for TLS-encrypted secure communication.

To enable or disable either of these ports, perform the following steps:

  1. Open the SmartServer Configuration page as described in Accessing the SmartServer IoT Configuration Page. The Network tab appears as the default SmartServer Configuration page. Once the network settings are configured for the SmartServer system, the System tab appears instead.

    SmartServer IoT Network Tab

    SmartServer IoT System Tab

  2. Click the Firewall tab.

    The Firewall tab appears.

  3. Select the check boxes for the ports you want to enable; clear the check boxes for the ports you want to disable.

  4. Click Update to save the port settings.

Disabling SSH / Port 22

To disable SSH port 22, perform the following steps:

  1. Log into the SmartServer console using USB or SSH.

  2. Enter the following command to view current firewall rules:

    sudo ufw status numbered

  3. Take note of the rule number for SSH port 22.

  4. Delete the rule for SSH port 22 using the following command (may require sudo password):

    sudo ufw delete <rule number for port 22>

    The following confirmation prompt appears:

    Proceed with operation (y|n)?

  5. Enter y and press RETURN.

    Once the rule for port 22 is deleted, SSH connection attempts will time out and fail to connect.

    Example: disabling SSH port 22

Disabling SSH service

You can also disable the SSH service; however, this service will be re-enabled after upgrading or re-imaging the SmartServer. To disable the SSH service, enter the following commands (use systemctl instead of smartserverctl for SmartServer 3.6 and prior):

sudo smartserverctl disable ssh
sudo smartserverctl stop ssh

Disabling / Re-enabling Other Ports

Starting with SmartServer 3.5, the default for all outgoing and incoming ports is set to deny. In order to enable a port through the firewall, a rule needs to be created, and to disable a port through the firewall, a rule needs to be deleted.

To disable a port by deleting a firewall rule, perform the following steps:

  1. Log into the SmartServer console using USB or SSH.

  2. Enter the following command to view current firewall rules:

    sudo ufw status numbered

  3. Take note of the current settings and only remove specific rules by entering the following command (may require sudo password):

    sudo ufw delete <rule number>

    Example

    sudo ufw delete 24

    This example disables the outbound ephemeral UDP port range.

    Note the syntax for enabling the rule

    Take note of the response to the delete command (i.e., allow out 49152:65535/udp in this example), shown in the highlighted area of the screen capture. You will need this syntax if you later want to re-enable the port.

    The following confirmation prompt appears:

    Proceed with operation (y|n)?

  4. Enter y and press RETURN.

    The rule is deleted.

To re-enable a port by adding a firewall rule, perform the following steps:

  1. Log into the SmartServer console using USB or SSH.

  2. Enter the following command to add a rule:

    sudo ufw <allow syntax that was noted above>

    Example

    sudo ufw allow out 49152:65535/udp

    The rule is added.
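Because the effective rule set is whatever ufw currently holds, it is worth checking it against the external ports table after any delete/allow cycle. The following POSIX shell script is an added example, not part of the SmartServer documentation: it audits a ufw status listing against the inbound ports the table lists as open with Enhanced Security enabled and confirms that the outbound 80/tcp and 443/tcp rules the internal applications need still exist. The port list and the sample listing are assumptions constructed from this page.

```shell
#!/bin/sh
# Added example, not part of the SmartServer documentation: audit the output of
# "sudo ufw status numbered" against the inbound ports that the external ports
# table lists as open under Enhanced Security, plus the required outbound rules.

# Inbound ports open by default under Enhanced Security (from the table; ports
# marked ** only exist when their service is enabled). Port numbers only,
# because ufw prints some rules with "/tcp", "/udp" or "on eth0" suffixes.
ENHANCED_IN_PORTS="22 443 1628 1629 1883 2541 5353 8883 41797 47808 55000"

# audit_ufw STATUS_TEXT ALLOWED_PORTS
# Prints one line per unexpected inbound ALLOW rule and per missing outbound
# rule; prints nothing when the rule set matches the expectation.
audit_ufw() {
    printf '%s\n' "$1" | sed 's/^\[ *[0-9]*\] *//' | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /ALLOW IN/ && $1 != "Anywhere" {          # "To" column is field 1 here
            split($1, p, "/"); port = p[1]          # drop a /tcp or /udp suffix
            if (!(port in ok) && !(port in seen)) {
                seen[port] = 1
                print "unexpected inbound port: " port
            }
        }
        /ALLOW OUT/ { out[$1] = 1 }
        END {
            if (!("80/tcp" in out))  print "missing outbound rule: 80/tcp"
            if (!("443/tcp" in out)) print "missing outbound rule: 443/tcp"
        }'
}

# Constructed sample in the format ufw prints, abridged from the listing in the
# "Changing the HTTP and HTTPS Ports" section after the move to 1780/1443.
SAMPLE_STATUS=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 5353/udp                   ALLOW IN    Anywhere
[ 3] 2541/udp                   ALLOW IN    Anywhere
[ 4] Anywhere                   DENY IN     127.0.0.0/8
[ 5] 80/tcp                     ALLOW OUT   Anywhere (out)
[ 6] 443/tcp                    ALLOW OUT   Anywhere (out)
[ 7] 1443                       ALLOW IN    Anywhere
[ 8] 1883 on eth0               ALLOW IN    Anywhere
[ 9] 1780/tcp                   ALLOW IN    Anywhere
[10] 1780                       ALLOW IN    Anywhere
EOF
)

# On a SmartServer, pass "$(sudo ufw status numbered)" instead of the sample.
audit_ufw "$SAMPLE_STATUS" "$ENHANCED_IN_PORTS"
```

With the sample above the script reports 1443 and 1780 as unexpected inbound ports, which is exactly what you would expect after the HTTP/HTTPS port change described later on this page.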

Changing the HTTP and HTTPS Ports

The SmartServer defaults to using port 80 for HTTP and 443 for HTTPS. In some cases you may want to change these ports to make HTTP and HTTPS access more secure. The instructions below show how to change the HTTP port from 80 to 1780 and the HTTPS port from 443 to 1443.

The CMS Export using the Import/Export button may not use the new HTTPS port. In this case, once the export times out, add the HTTPS port to the URL. 

After you change the HTTP and HTTPS ports, a restore to factory settings changes the ufw ports back to the defaults but does not change the apollo.conf file. Therefore, even though you can ping the SmartServer, you will not be able to access the SmartServer Configuration page or CMS until you change the apollo.conf file back to the default settings (see step 2 below).

To change both of these ports you have to do the following:

  1. Back up /etc/nginx/sites-available/apollo.conf. Use ssh/console (use apollo login) or SFTP (requires root login).

    Making a copy of apollo.conf using console/ssh

    ls -l /etc/nginx/sites-available/
    sudo cp /etc/nginx/sites-available/apollo.conf /etc/nginx/sites-available/apollo.conf.old
    ls -l /etc/nginx/sites-available/


  2. Change three lines in the apollo.conf file.

    Console/SSH using nano

    sudo nano /etc/nginx/sites-available/apollo.conf

    1. The default settings are as follows:

      apollo.conf default settings for the HTTP (80) ports

      listen 80 default_server;
      listen [::]:80 default_server ipv6only=on;

      apollo.conf default setting for the HTTPS (443) port

      listen 443 ssl;

    2. The settings after the HTTP port is changed from 80 to 1780 and the HTTPS port from 443 to 1443:

      apollo.conf settings for the HTTP (1780) ports

      listen 1780 default_server;
      listen [::]:1780 default_server ipv6only=on;

      apollo.conf setting for the HTTPS (1443) port

      listen 1443 ssl;

    3. Save the file.

    4. Verify the changes.

      Verify that the changes were made

      cat /etc/nginx/sites-available/apollo.conf
      :
      server {
          # listen on HTTP port(s) (this is the default server)
          # NOTE: Only use non-SSL ports for debugging!
          listen 1680 default_server;
          listen [::]:1680 default_server ipv6only=on;
          server_name "";
          return 301 https://$host$request_uri;
      }
      server {
          # listen on IPv4 HTTPS port (using a self-signed certificate)
          # DOC: <http://nginx.org/en/docs/http/configuring_https_servers.html>
          # DOC: <http://www.akadia.com/services/ssh_test_certificate.html>
          listen 1443 ssl;
      :


  3. Determine what ports are open.

    1. Enter the following command:

      sudo ufw status numbered

      Each port number can have multiple entries, for input and for output.

  4. Open new ports for HTTP (1780) and HTTPS (1443). Remove the port 80 and 443 IN rules, but keep the port 80 and 443 OUT rules. The port 80 and 443 output entries are used by the SmartServer internal applications to access external servers and should not be changed.

    Close some port 80 and 443 entries, and add new 1780 and 1443 port entries

    sudo ufw allow 1780
    sudo ufw allow 1780/tcp
    sudo ufw allow out 1780/tcp
    sudo ufw allow 1443/tcp
    sudo ufw allow 1443
    sudo ufw allow out 1443/tcp
    sudo ufw delete allow 80/tcp
    sudo ufw delete allow 443
    sudo ufw delete allow 443/tcp

  5. Verify that the port settings are correct. Make sure that 80/tcp ALLOW OUT and 443/tcp ALLOW OUT are still allowed.

    Ports open after changes

    $ sudo ufw status numbered
    Status: active

         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere
    [ 2] 5353/udp                   ALLOW IN    Anywhere
    [ 3] 2541/udp                   ALLOW IN    Anywhere
    [ 4] 2541/udp                   ALLOW OUT   Anywhere (out)
    [ 5] Anywhere on lo             ALLOW IN    Anywhere
    [ 6] Anywhere                   ALLOW OUT   Anywhere on lo (out)
    [ 7] Anywhere                   DENY IN     127.0.0.0/8
    [ 8] 53/udp                     ALLOW OUT   Anywhere (out)
    [ 9] 5353/udp                   ALLOW OUT   Anywhere (out)
    [10] 80/tcp                     ALLOW OUT   Anywhere (out)
    [11] 443/tcp                    ALLOW OUT   Anywhere (out)
    [12] Anywhere                   ALLOW OUT   Anywhere on ip70 (out)
    [13] 123/udp                    ALLOW OUT   Anywhere (out)
    [14] 25/tcp                     ALLOW OUT   Anywhere (out)
    [15] 502/tcp                    ALLOW OUT   Anywhere (out)
    [26] 1443                       ALLOW IN    Anywhere
    [17] 1628/udp                   ALLOW IN    Anywhere
    [18] 1628/udp                   ALLOW OUT   Anywhere (out)
    [19] 1883 on eth0               ALLOW IN    Anywhere
    [20] 8883 on eth0               ALLOW IN    Anywhere
    [21] 1780/tcp                   ALLOW IN    Anywhere
    [22] 1780/tcp                   ALLOW OUT   Anywhere (out)
    [23] 1780                       ALLOW IN    Anywhere
    [24] 1443/tcp                   ALLOW IN    Anywhere
    [25] 1443/tcp                   ALLOW OUT   Anywhere (out)


  6. Reboot the SmartServer.

 
