NCOS: SDK Enabling TCP/UDP Server Access Through the Firewall


You can easily create IP servers in SDK code; for example, the standard Python module "http.server" can be used: https://docs.python.org/3.3/library/http.server.html

However, by default the Cradlepoint router's firewall blocks all unexpected incoming traffic, so while your server can bind on a local router port and wait for incoming clients, none will appear. Therefore, you need to create the appropriate firewall rules to allow incoming IP traffic to reach your SDK code.

Create a custom Filter Policy

  • First, we'll create a custom filter policy, which defines the general type of traffic we'll allow. Go to "Security" > "Filter Policy" and click "Add".
  • Next, in the policy editor, name and add a new policy defining some allowed traffic. Since this is for a custom SDK web server, we'll call it "My Web Server".
  • Within this policy, we'll have a single rule that accepts any client, so leave the "Source" as "None assigned". Note that limiting access to local clients versus WAN clients is done later, in Zone Forwarding. See the Cradlepoint documentation for more advanced, flexible rules.
  • For the destination, define the TCP or UDP port on which your SDK code will bind. Because your SDK code runs as a non-privileged user, you cannot use ports 0 to 1023. Also avoid the port numbers of common servers: if the router's NCOS uses a common port, your code will start too late and find the port unavailable for binding. For security purposes it is also advisable to use an unexpected port number, which gives attackers fewer clues. In this example, our web server will listen on TCP port 9001.
  • Finally, enable this policy for UDP (IP protocol 6) or TCP (IP protocol 17). Note that SSH, SSL, and TLS all arrive as TCP, so IP protocol 17.
  • Press "Save" to save this policy. Make sure the action is green, for allow.
  • You are returned to the list of Filter Policies. Click the "+" to see the details and, once again, confirm it looks as expected.
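The SDK-side server these rules are written for, as an added example (not code from this article or from Cradlepoint's SDK): a small http.server listener on TCP port 9001 that first applies the port caveats from the Filter Policy steps, refusing privileged ports 0 to 1023 and reporting a port that NCOS (or an earlier instance) already holds instead of failing inside HTTPServer. The port number, the 0.0.0.0 bind address, the handler body and the helper names are assumptions; the Filter Policy and Zone Forwarding rules still decide which clients can reach it.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Port from the article's example; any port from 1024 upward that NCOS does
# not already use will do. Assumption: the SDK app binds on all interfaces
# (0.0.0.0) and relies on the router's Filter Policy / Zone Forwarding rules
# to decide which clients may reach it.
SERVER_PORT = 9001
BIND_ADDR = "0.0.0.0"


def check_bind_port(port, bind_addr=BIND_ADDR):
    """Return (ok, reason) for a port before the server tries to use it.

    Two caveats from the article are checked here: the SDK runs as a
    non-privileged user, so ports 0-1023 are refused up front, and a port
    already taken (by NCOS or a previous instance) is reported instead of
    crashing the app later inside HTTPServer().
    """
    if not 1024 <= port <= 65535:
        return False, "port %d is privileged or out of range; use 1024-65535" % port
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((bind_addr, port))  # no SO_REUSEADDR: a listener here must fail
    except OSError as exc:
        return False, "port %d is unavailable: %s" % (port, exc.strerror)
    finally:
        probe.close()
    return True, "port %d is free" % port


def pick_free_port():
    """Ask the OS for an unused ephemeral port (handy for local testing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class HelloHandler(BaseHTTPRequestHandler):
    """Minimal GET handler standing in for the SDK app's real web UI (assumed)."""

    BODY = b"hello from the SDK app\n"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()
        self.wfile.write(self.BODY)

    def log_message(self, fmt, *args):
        # Keep the demo quiet; a real SDK app would use its own logger.
        pass


def start_server(port=SERVER_PORT, bind_addr=BIND_ADDR, background=True):
    """Validate the port, then serve; returns the HTTPServer instance.

    With background=True the server runs in a daemon thread (used by the
    test below); with background=False this call blocks until shutdown().
    """
    ok, reason = check_bind_port(port, bind_addr)
    if not ok:
        raise RuntimeError(reason)
    httpd = HTTPServer((bind_addr, port), HelloHandler)
    if background:
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
    else:
        httpd.serve_forever()
    return httpd


def fetch(port, host="127.0.0.1"):
    """Act as a client on the router itself: GET / and return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print("listening on %s:%d" % (BIND_ADDR, SERVER_PORT))
    try:
        start_server(background=False)
    except KeyboardInterrupt:
        pass
```

Run it on the router after the Filter Policy and Zone Forwarding rules are in place; a LAN client that still gets no answer while `fetch(9001)` from the router itself succeeds points at the firewall rules, not the server.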
Attach Your New Policy to Zone Forwarding

  • Next, create a new Zone Forwarding rule. Go to "Security" > "Zone Forwarding" and click "Add".
  • In the rule editor, select the appropriate source and destination zones, then attach your new policy. In this example, we are limiting access to our custom web server to clients on the primary local LAN.
  • After you click "Save", confirm the details are as expected.


Dangerous "Allow All" for testing

  • If you are having trouble testing, you might wish to create a "Zone Forwarding" rule that in effect disables your firewall! This is less risky during local SDK development, but should not be used if your router has a publicly exposed, routable IP address. Use it for quick testing, then delete it.