Security notes

LogicMachine security notes #

General information #

Please follow these points to make your installation secure.

  1. Do not expose the LM to the Internet with port forwarding on your router. Use OpenVPN or ZeroTier for commissioning and LM cloud for remote control.

  2. Do not enable services you do not need (FTP, Remote Diagnostics, Remote services, etc.).

  3. Disable KNX/IP features (System config > Network > KNX connection) if:

  • You have finished programming your KNX devices from ETS and the interface is not needed anymore.
  • KNX/IP routing is not needed for this project.

  4. Use HTTPS where possible. Install the SSL certificate app on your LM to get a valid SSL certificate.

  5. If FTP is used, enable SSL/TLS so that credentials and files are not transferred in clear text.

  6. If communication between several LMs is required in one building:

  • Provide a KNX Backbone key and set the "Enable only secure communication" option, so that only KNX IP Secure telegrams are accepted on the backbone.
  • Enable TOS (type of service) if your switch/router supports it. This lets you prioritize KNX telegrams (7 - highest priority, 0 - lowest): switches that honour the field forward KNX telegrams ahead of other IP packets. Note that this is a quality-of-service setting, not a security one, and it only helps end to end if every switch on the path honours it.
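The following script is an added example for checking point 3 from the LAN; it is not part of the LogicMachine documentation or firmware. It sends a standard KNXnet/IP SEARCH_REQUEST to the discovery multicast group 224.0.23.12:3671 and parses the SEARCH_RESPONSE frames that come back. Any device that answers still has its KNX/IP interface enabled, and a response whose supported-service-families DIB lists family 0x05 (Routing) still has KNX/IP routing switched on. The frame layout follows the KNXnet/IP core specification; the local IP address used when run without arguments is an assumption and must be replaced with the address of the machine you run it from.

```python
"""KNXnet/IP discovery probe: does a LogicMachine still answer SEARCH_REQUEST?

Added example, not LogicMachine code. Frame layout per the KNXnet/IP core
specification (header 06 10 <service> <total length>, then HPAI and DIBs).
"""
import socket
import struct
import sys

KNX_MCAST = "224.0.23.12"      # standard KNXnet/IP discovery multicast group
KNX_PORT = 3671                # standard KNXnet/IP UDP port
SEARCH_REQUEST = 0x0201
SEARCH_RESPONSE = 0x0202
DIB_DEVICE_INFO = 0x01
DIB_SUPP_SVC_FAMILIES = 0x02
SERVICE_FAMILIES = {           # service family ids from the KNXnet/IP spec
    0x02: "Core", 0x03: "Device Management", 0x04: "Tunnelling",
    0x05: "Routing", 0x06: "Remote Logging", 0x07: "Remote Configuration",
    0x08: "Object Server",
}


def build_search_request(local_ip: str, local_port: int) -> bytes:
    """KNXnet/IP header plus the HPAI telling devices where to send the answer."""
    hpai = struct.pack("!BB4sH", 8, 0x01, socket.inet_aton(local_ip), local_port)
    header = struct.pack("!BBHH", 6, 0x10, SEARCH_REQUEST, 6 + len(hpai))
    return header + hpai


def parse_search_response(frame: bytes) -> dict:
    """Extract control endpoint, individual address, name and service families."""
    if len(frame) < 14:
        raise ValueError("frame too short for a KNXnet/IP SEARCH_RESPONSE")
    hdr_len, version, service, total_len = struct.unpack("!BBHH", frame[:6])
    if (hdr_len, version, service) != (6, 0x10, SEARCH_RESPONSE) or total_len != len(frame):
        raise ValueError("not a KNXnet/IP SEARCH_RESPONSE")
    # Bytes 6..13: HPAI of the device's control endpoint (len, proto, ip, port).
    ctrl_ip = socket.inet_ntoa(frame[8:12])
    ctrl_port = struct.unpack("!H", frame[12:14])[0]
    info = {"endpoint": f"{ctrl_ip}:{ctrl_port}", "families": {}}
    pos = 14
    while pos + 2 <= len(frame):          # walk the DIBs that follow the HPAI
        dib_len, dib_type = frame[pos], frame[pos + 1]
        if dib_len < 2 or pos + dib_len > len(frame):
            raise ValueError("malformed DIB")
        body = frame[pos + 2:pos + dib_len]
        if dib_type == DIB_DEVICE_INFO and len(body) >= 52:
            # medium(1) status(1) individual address(2) project id(2) serial(6)
            # multicast addr(4) MAC(6) friendly name(30)
            ia = struct.unpack("!H", body[2:4])[0]
            info["individual_address"] = f"{ia >> 12}.{(ia >> 8) & 0xF}.{ia & 0xFF}"
            info["name"] = body[22:52].split(b"\x00", 1)[0].decode("latin-1")
        elif dib_type == DIB_SUPP_SVC_FAMILIES:
            for i in range(0, len(body) - 1, 2):   # (family id, version) pairs
                fam, ver = body[i], body[i + 1]
                info["families"][SERVICE_FAMILIES.get(fam, f"0x{fam:02x}")] = ver
        pos += dib_len
    info["routing_enabled"] = "Routing" in info["families"]
    return info


def discover(local_ip: str, timeout: float = 2.0) -> list:
    """Send one SEARCH_REQUEST and collect every valid SEARCH_RESPONSE in time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(local_ip))
    sock.bind((local_ip, 0))
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_search_request(local_ip, sock.getsockname()[1]), (KNX_MCAST, KNX_PORT))
        while True:
            data, _ = sock.recvfrom(1024)
            try:
                found.append(parse_search_response(data))
            except ValueError:
                continue                  # ignore frames that are not a SEARCH_RESPONSE
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    # Assumption: 192.168.1.50 stands in for the address of the machine running this.
    local = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    devices = discover(local)
    if not devices:
        print("no KNXnet/IP device answered (KNX/IP interface disabled or filtered)")
    for dev in devices:
        print(f"{dev['endpoint']} {dev.get('individual_address')} {dev.get('name')!r} "
              f"families={sorted(dev['families'])} routing_enabled={dev['routing_enabled']}")
```

Run it from a host on the same LAN segment as the LM; an empty result after the KNX/IP connection has been disabled confirms the setting took effect, while a device that still answers with Routing in its family list has KNX/IP routing enabled even if tunnelling is what you meant to keep.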

Used ports #

The LM makes outgoing connections on the following ports. An egress firewall only needs to permit these; no inbound rule from the Internet is required (see point 1 above):

  • UDP 53 - DNS (if external DNS server is set)
  • UDP 123 - NTP client (time synchronization)
  • UDP 9993 - ZeroTier (only if enabled)
  • TCP 443 - application store, LM cloud (only if enabled) and other applications
  • TCP 8883 - LM cloud (only if enabled)