##############################################################################################
# TRS-NBTEVO-SYS-427
#
# A firewall shall be implemented on the OBD connection that blocks all incoming and
# outgoing traffic except on the ports listed below. The listed ports shall be open;
# all other ports shall be closed.
#
# * Telnet (port 23/tcp) server on the HU/RSE (Development) - see TRS-NBTEVO-SYS-426
# * SSH (port 22/tcp) server on the HU/RSE (Development) - see TRS-NBTEVO-SYS-426
# * qconnd (port 8000/tcp) server on the HU/RSE (Development) - see TRS-NBTEVO-SYS-426
# * HTTP (port 80/tcp) server on the HU/RSE (TraceServer)
# * HTTP (port 80/tcp, 81/tcp) client on the HU/RSE (HTTP update Navi Database)
# * Diagnostics (port 6801/tcp, 6811/tcp) server on the HU/RSE
# * NetBIOS SMB (port 137/udp, 138/udp, 139/tcp, 445/tcp) server on the HU/RSE
# * BOOTP/DHCP (port 67/udp, 68/udp as defined for NBT) client on the HU/RSE
# * GnLogger (port 851/tcp/udp) server on the HU/RSE
# * HiQNet (port 3804/tcp/udp) server on the HU/RSE
#
# In addition, ICMP is passed through to allow for PING requests for the factory.
##############################################################################################
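# definition of ext obd interface
# The OBD (diagnostics connector) interface is the untrusted side of this
# ruleset: it is default-deny and only the ports listed in the
# TRS-NBTEVO-SYS-427 header are opened below.
obd_if = "dwc0"

# Internal VLAN interfaces. The hex suffix of each macro name is the VLAN ID
# in hex (0x49 = 73, 0x4D = 77, 0x50 = 80, 0x56 = 86).
vlan_ifx49 = "vlan73"
vlan_ifx4D = "vlan77"
vlan_ifx50 = "vlan80"
vlan_ifx56 = "vlan86"

# pf semantics reminder: the LAST matching rule wins, unless a rule carries
# "quick", in which case evaluation stops at that rule.

# Default deny on the OBD interface. Not "quick", so the "pass quick" rules
# below and the closing "block quick" decide; kept as a safety net in case the
# closing rule is ever removed.
block on $obd_if all

# Leftover debug override. With no filter terms it matches everything, so
# uncommenting it disables the whole OBD firewall. Keep it commented out.
#pass quick on $obd_if

# Internal VLANs: IPv4 passes, IPv6 is blocked (last-match semantics).
block on $vlan_ifx49 inet6 all
pass on $vlan_ifx49 inet all

# NOTE(review): unlike the other three VLANs, this one has no inet6 block and
# passes both address families -- confirm that is intentional.
pass on $vlan_ifx4D

block on $vlan_ifx50 inet6 all
pass quick on $vlan_ifx50 inet all

block on $vlan_ifx56 inet6 all
pass quick on $vlan_ifx56 inet all

# ---- OBD allow list -------------------------------------------------------
# Every rule below is "quick" (first match wins) and precedes the closing
# "block quick". A rule without "in"/"out" matches both directions, i.e. it
# also lets the HU/RSE open outbound connections to that port on any host.

# * Telnet (port 23/tcp) server on the HU/RSE (Development) - see TRS-NBTEVO-SYS-426
# * SSH (port 22/tcp) server on the HU/RSE (Development) - see TRS-NBTEVO-SYS-426
# * qconnd (port 8000/tcp) server on the HU/RSE (Development) - see TRS-NBTEVO-SYS-426
# Development-only per the header: these expose a shell and the qconnd target
# agent on the diagnostics connector. NOTE(review): confirm these rules (and
# the services) are dropped in production builds; since the header lists them
# as servers only, "pass in" would also be sufficient.
pass quick on $obd_if proto tcp from any to any port 23 keep state
pass quick on $obd_if proto tcp from any to any port 22 keep state
pass quick on $obd_if proto tcp from any to any port 8000 keep state

# * HTTP (port 80/tcp) server on the HU/RSE (TraceServer)
# * HTTP (port 80/tcp, 81/tcp) client on the HU/RSE (HTTP update Navi Database)
# Port 80 is both served (TraceServer) and used as a client (Navi DB update),
# so it is deliberately undirected.
pass quick on $obd_if proto tcp from any to any port 80 keep state
# Port 81 is client-only (update NaviDB over http): outbound only.
pass out quick on $obd_if proto tcp from any to any port 81 keep state

# * Diagnostics (port 6801/tcp, 6811/tcp) server on the HU/RSE
pass quick on $obd_if proto tcp from any to any port 6801 keep state
pass quick on $obd_if proto tcp from any to any port 6811 keep state

# * NetBIOS SMB (port 137/udp, 138/udp, 139/tcp, 445/tcp) server on the HU/RSE
# NetBIOS name (137) and datagram (138) service: both directions, no state.
pass quick on $obd_if proto udp from any to any port 137
pass quick on $obd_if proto udp from any to any port 138
# NetBIOS session (139) and SMB over TCP (445): outbound only, i.e. the HU/RSE
# connects to a remote share. NOTE(review): the header calls this a server on
# the HU/RSE, but "pass out" only allows the HU/RSE to act as a client --
# confirm which direction is actually required.
pass out quick on $obd_if proto tcp from any to any port 139 keep state
# 445/tcp is SMB direct hosting (CIFS); it is not specific to Active Directory.
pass out quick on $obd_if proto tcp from any to any port 445 keep state

# * BOOTP/DHCP (port 67/udp, 68/udp as defined for NBT) client on the HU/RSE
# BOOTP/DHCP is UDP only (RFC 951 / RFC 2131); the earlier "proto {tcp,udp}"
# also opened 67/68 over TCP, which nothing uses.
# DISCOVER/REQUEST from an unconfigured (0.0.0.0) or configured host to the
# broadcast address ...
pass quick on $obd_if proto udp from {0.0.0.0,(self)} port 68 to 255.255.255.255 port 67 keep state
# ... and OFFER/ACK from any server to the broadcast address or to ourselves.
pass quick on $obd_if proto udp from any port 67 to {255.255.255.255,(self)} port 68 keep state
# NOTE(review): a lease renewal is unicast from port 68 to the server's own
# address, which the first rule does not match (it requires the broadcast
# destination); confirm renewals are not needed on this link.

# * GnLogger (port 851/tcp/udp) server on the HU/RSE
pass quick on $obd_if proto {tcp,udp} from any to any port 851 keep state

# * HiQNet (port 3804/tcp/udp) server on the HU/RSE
pass quick on $obd_if proto {tcp,udp} from any to any port 3804 keep state

# In addition, ICMP is passed through to allow for PING requests for the factory.
# Only echo requests are needed for ping; "keep state" lets the matching echo
# reply back through (pf also admits ICMP errors that refer to an existing
# state). The earlier bare "proto icmp" passed every ICMP type, including
# redirect and timestamp, in both directions.
pass quick on $obd_if inet proto icmp icmp-type echoreq keep state

# Everything else on the OBD interface is dropped. "quick" so that no later
# rule can override it.
block quick on $obd_if all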
# end