Firewall Service

The Firewall service is implemented using Uncomplicated Firewall (UFW), which provides a user-friendly way to manage netfilter, the default firewall configuration tool in Linux. A good introduction to UFW and its usage on Ubuntu is documented here.

By default, the Firewall service is disabled in the distribution, ensuring that new users building applications on the platform don't inadvertently block their network traffic. However, we strongly recommend updating, enabling and using the firewall service once the set of ports to be opened for your application traffic is finalized.

Note that the various containers in the reference application docker compose deployment run in host networking mode by default; hence, without the firewall, these APIs can be freely invoked over the network, which poses a security risk.

Enable/Disable - Firewall

Use the following command to start the firewall service:

sudo systemctl start jetson-firewall

Use the following command to stop the firewall service:

sudo systemctl stop jetson-firewall

Note

The default rules in the firewall service are provided only as a reference. Users are strongly recommended to closely review the rules and only open the firewall ports that are relevant to the application they are building on top of Jetson Platform Services.

AI NVR application - Firewall

To enhance the security and functionality of NVIDIA's AI NVR (Artificial Intelligence Network Video Recorder) reference application on Jetson devices, a specific set of firewall rules can be used. These rules are designed to work within the framework of the Jetson Platform Services and application stack.

Below are sample firewall rules that can be used while deploying AI NVR applications on the Jetson device. The set of UFW rules outlined below has been tailored specifically for the AI NVR applications, taking into account the specific ports, protocols, and services that these applications utilize. These rules ensure that only necessary network traffic is allowed, significantly reducing the risk of unauthorized access to, or data breaches of, your applications.

To implement these rules, users should replace the existing UFW rules in the jetson-firewall.sh file with the following configuration. This involves editing the script file (/opt/nvidia/jetson/services/firewall/bin/jetson-firewall.sh) to replace the UFW rules with the rules below, ensuring that they are correctly formatted and placed within the appropriate sections of the script:

## SSH port
ufw allow 22

## DNS
ufw allow 53

## External look-up
ufw allow out https
ufw allow out http

## For TCP mux client
ufw allow out 30099/tcp

## For ONVIF probe
ufw allow 3702

## Redis ports for VST
ufw allow in 8000/tcp
ufw allow out 8000/tcp
ufw allow out 6379/tcp

## VST RTSP traffic
ufw allow in 554/tcp
ufw allow out 554/tcp

## For VST GUI
ufw allow in 30000:32767/tcp
ufw allow out 30000:32767/tcp

### Interface specific rules
ufw allow in on lo
ufw allow out on lo

ufw allow eth1
ufw route allow in on eth1 out on eth0
ufw route allow in on eth0 out on eth1
ufw route allow in on eth0 out on eth0

# IGMP multicasting
ufw allow in on eth0 to 224.0.0.1 proto igmp

## WebRTC TURN connections
ufw allow out 3478/udp
ufw allow in 3478/udp
ufw allow out 5349/tcp

## WebRTC media traffic
ufw allow in on eth0 to any port 25000:65535 proto udp

## Deny all other traffic
ufw deny out 1:65535/tcp
ufw default deny incoming

It is important to note that modifying firewall settings should be done with caution. Incorrect settings can lead to network vulnerabilities or, conversely, can block legitimate traffic, hindering the functionality of the AI NVR applications. Users are advised to thoroughly test the new firewall settings in a controlled environment before applying them to active Jetson devices.
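As an aid to the review recommended above, the following added example (not part of Jetson Platform Services or the jetson-firewall.sh script) parses a rule list in the same UFW syntax and reports every allow rule that exposes a listener on a non-loopback interface, so the reviewer can see the effective inbound attack surface before enabling the service. The SAMPLE_RULES text is a constructed subset of the rules shown above; note that a bare rule such as "ufw allow 22" opens the port in both directions and on every interface.

```python
# Constructed sample drawn from the rule set above, not the shipped jetson-firewall.sh.
SAMPLE_RULES = """\
## SSH port
ufw allow 22
ufw allow out https
ufw allow 3702
ufw allow in 8000/tcp
ufw allow out 6379/tcp
ufw allow in on lo
ufw route allow in on eth1 out on eth0
ufw allow in on eth0 to 224.0.0.1 proto igmp
ufw allow in on eth0 to any port 25000:65535 proto udp
ufw deny out 1:65535/tcp
ufw default deny incoming
"""

ACTIONS = {"allow", "deny", "reject", "limit"}

def parse_rule(line):
    """Return (action, direction, iface, port, proto), or None for non-rule lines."""
    tok = line.split()
    # Comments, 'ufw default' policies and 'ufw route' forwarding rules are skipped.
    if len(tok) < 2 or tok[0] != "ufw" or tok[1] not in ACTIONS:
        return None
    action, rest = tok[1], tok[2:]
    direction = "both"                       # 'ufw allow 22' opens in AND out
    if rest and rest[0] in ("in", "out"):
        direction = rest.pop(0)
    iface = "any"
    if len(rest) >= 2 and rest[0] == "on":
        iface, rest = rest[1], rest[2:]
    port = proto = "any"
    if "port" in rest:                       # full syntax: ... port N proto P
        port = rest[rest.index("port") + 1]
    elif rest and rest[0] not in ("to", "from"):
        port, _, p = rest[0].partition("/")  # simple syntax: N, N/proto or name
        proto = p or "any"
    if "proto" in rest:
        proto = rest[rest.index("proto") + 1]
    return action, direction, iface, port, proto

def inbound_exposure(text):
    """Allow rules that accept traffic arriving on a non-loopback interface."""
    return [r for r in map(parse_rule, text.splitlines())
            if r and r[0] in ("allow", "limit") and r[1] != "out" and r[2] != "lo"]

if __name__ == "__main__":
    for action, direction, iface, port, proto in inbound_exposure(SAMPLE_RULES):
        print(f"{direction:<4} on {iface:<4} port {port:<12} proto {proto}")
```

Point the function at the rule section of your edited script to list the inbound openings; anything listed that your application does not need is a candidate for removal.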

By following these guidelines, users can enhance the security of their AI NVR applications on Jetson devices, ensuring that their systems are protected against unauthorized access while maintaining optimal functionality.