This chapter lists possible rule settings for the Windows firewall. They can be modified and tightened according to security needs (e.g. by allowing access only from specific IP addresses using the remoteip clause).

Enabling ICMP Ping packets (for diagnostics):

netsh advfirewall firewall add rule name="_Ping" dir=in protocol=ICMPv4 action=allow profile=any

Access of clients to D2000 Server:

netsh advfirewall firewall add rule name="_D2000 Kernel" dir=in protocol=TCP localport=3119 action=allow profile=any

Rules for D2000 SysConsole:

netsh advfirewall firewall add rule name="_D2000 SysConsole64" dir=in program="d:\D2000\D2000_EXE\Bin64\sysconsole.exe" action=allow profile=any

netsh advfirewall firewall add rule name="_D2000 SysConsoleTCP" dir=in protocol=TCP localport=31190-31289 action=allow profile=any

netsh advfirewall firewall add rule name="_D2000 SysConsoleTCP" dir=out protocol=TCP localport=3119,31190-31289 action=allow profile=any

netsh advfirewall firewall add rule name="_D2000 SysConsoleUDP" dir=in protocol=UDP localport=3119,31190-31289 action=allow profile=any

netsh advfirewall firewall add rule name="_D2000 SysConsoleUDP" dir=out protocol=UDP localport=3119,31190-31289 action=allow profile=any

Access to the PostgreSQL database server (for redundant application/archive servers):

netsh advfirewall firewall add rule name="_PostgreSQL" dir=in protocol=TCP localport=5432 action=allow profile=any

Access to the OpenSSH server (for the server that is used by d2u_* utilities to update clients):

netsh advfirewall firewall add rule name="_SFTP" dir=in protocol=TCP localport=22 action=allow profile=any


Additional rules may be necessary depending on the communications in use (e.g. access to the D2000 Gateway server, to the UDP port for the SerialOverUDP Device Redundant communication line, or to the TCP port for server protocols). An example rule for the Modbus Server protocol on a TCP/IP-TCP line (the default Modbus port 502):

netsh advfirewall firewall add rule name="_D2000 Modbus Server" dir=in protocol=TCP localport=502 action=allow profile=any
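
The tightening with the remoteip clause mentioned at the start of this chapter, shown as an added example (not part of the original documentation). It restricts three of the inbound rules created above to known source addresses. The variable names and all IP addresses are assumptions and placeholders to be replaced with real values.

```powershell
# Added example: restrict existing inbound rules to known peers via remoteip.
# Run from an elevated PowerShell prompt, after the rules above have been created.
# Addresses are constructed placeholders from the RFC 5737 documentation range.
$ClientSubnet  = '192.0.2.0/24'   # assumed: subnet of the D2000 client workstations
$PartnerServer = '192.0.2.10'     # assumed: redundant partner application/archive server

# Rule names are the ones used on this page; each is mapped to its allowed sources.
$Restrictions = @(
    @{ Name = '_D2000 Kernel'; RemoteIp = $ClientSubnet  },   # clients -> D2000 Server
    @{ Name = '_PostgreSQL';   RemoteIp = $PartnerServer },   # partner server -> database
    @{ Name = '_SFTP';         RemoteIp = $ClientSubnet  }    # clients updated by d2u_* utilities
)

$failed = @()
foreach ($r in $Restrictions) {
    # "set rule ... new" edits the existing rule in place instead of adding a duplicate;
    # dir=in limits the match to inbound rules with this name.
    netsh advfirewall firewall set rule "name=$($r.Name)" dir=in new "remoteip=$($r.RemoteIp)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        $failed += $r.Name
        continue
    }
    # Print the rule so the new RemoteIP value can be checked by eye.
    netsh advfirewall firewall show rule "name=$($r.Name)"
}

if ($failed.Count -gt 0) {
    Write-Warning ("Not updated (rule missing or prompt not elevated): " + ($failed -join ', '))
    exit 1
}
```

The remoteip value also accepts a comma-separated list of addresses, subnets and ranges, so several clients or servers can be allowed by one rule.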

