...

  • Terminal Server (TCP) or UDP Server - port number defined in ACE
  • Modbus or DNP3 Network Slave - TCP port number defined in ACE
  • HCP/HCP2 - TCP port number defined in ACE
  • TLS Tunnels (typically a local listener for client mode, or public server in server mode) - TCP port number defined in ACE
  • DHCP Server (child of object under Ethernet) - UDP port 67
  • BACnet Network Slave - UDP port number defined in ACE
  • BACnet IP Discovery - UDP and TCP port numbers defined in ACE
  • SNMP - port number defined in ACE

...

  • MQTT Client (also Sparkplug B) - TCP port number defined in ACE
  • Modbus, DNP3, DF1/PCCC, Ethernet/IP, CSP, or most other Field Units under the Network Circuit - TCP port number defined in ACE
  • DF1/PCCC - TCP port 44818
  • BACnet master field unit - UDP port number defined in ACE
  • TLS Tunnels (typically connect to local port in server mode or remote port in client mode) - TCP port number defined in ACE
  • NTP Client - UDP port 123
  • Terminal Client (TCP) or UDP Client - port number defined in ACE
  • OpenVPN (typically configured through POD and VPN config files) - typically TCP port 443 and UDP port 1194
  • DHCP Client - UDP port 67
  • DNS Client - UDP port 53
  • Syslog Client - UDP port 514

Block Access to Specific Ports

...

Warning

NOTE: This process may cause you to lose remote TCP connectivity to the RediGate. Make sure that you follow the instructions exactly, including the firewall rule for the new port.

You should test this procedure in a lab environment, with a backup connection over the local console serial port, before trying it remotely on a field-installed unit, to ensure you are not locked out.

  1. Log in to the RediGate with the 'root' account.
  2. Enter the following command, substituting the intended port number for "2222":
    P=2222 ; sed -i 's/[#]*Port[ ]*[0-9][0-9]*/Port '$P'/' /etc/sshd_config
  3. Check the change made to the configuration by entering the following command:
    grep 2222 /etc/sshd_config
  4. Add one or more new temporary firewall rules with the following command, substituting your port number for "2222" and the correct interface for "ppp0":
    iptables -A INPUT -p tcp -i ppp0 --dport 2222 -j ACCEPT

    In addition, or instead, you will ultimately need to configure a permanent firewall rule that ACCEPTs the new port number using the ACE Firewall object (see above); the iptables rule above does not survive a restart.

  5. Restart sshd with the following command (make sure to include the & at the end):
    /etc/init.d/S50sshd restart &

    All existing SSH sessions will be closed. Log back in using the new port number. 
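The config rewrite and check steps above, as an added example that is not part of the RediGate documentation. It works on a copy of the config rather than the live /etc/sshd_config, validates the port first, anchors the sed pattern to the line start so that a stray "Port 22" inside a comment is not rewritten (the unanchored expression on the page would change it), and only prints the matching iptables rule for review. It assumes a POSIX/busybox sh; the sample config content is constructed.

```shell
#!/bin/sh
# Added example, not RediGate code: stage the sshd port change on a copy of the
# config and verify it before the service is restarted.

# Validate that the requested port is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rewrite 'Port N' or '#Port N' at the start of a line to 'Port <port>'.
# The leading ^ (not present in the page's command) keeps comments such as
# '# Port 22 was the default' and directives like 'GatewayPorts' untouched.
set_sshd_port() {
  cfg="$1"; port="$2"
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  cp "$cfg" "$cfg.bak" || return 1
  sed -i 's/^[#]*Port[ ]*[0-9][0-9]*/Port '"$port"'/' "$cfg"
}

# Count active (uncommented) Port lines carrying the expected port; expect 1.
active_port_lines() {
  grep -c "^Port $2\$" "$1"
}

# The temporary firewall rule from step 4, printed for review rather than run.
firewall_rule() {
  echo "iptables -A INPUT -p tcp -i $1 --dport $2 -j ACCEPT"
}

# Constructed stand-in for /etc/sshd_config: commented default plus a comment
# that mentions the old port in prose.
demo() {
  tmp=$(mktemp) || return 1
  printf '#Port 22\nGatewayPorts no\n# Port 22 was the factory default\n' > "$tmp"
  set_sshd_port "$tmp" 2222 || return 1
  echo "active Port 2222 lines: $(active_port_lines "$tmp" 2222)"
  firewall_rule ppp0 2222
  rm -f "$tmp" "$tmp.bak"
}

demo
```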

...