From 5a21f026f23bbbb73efc59a685030083b98213a8 Mon Sep 17 00:00:00 2001
From: Steve-Mcl <sdmclaughlin@gmail.com>
Date: Wed, 26 Oct 2022 08:59:36 +0100
Subject: [PATCH 1/6] Add setting to disable tcp/udp server (inbound)

---
 .../nodes/core/network/31-tcpin.html          |  22 ++-
 .../@node-red/nodes/core/network/31-tcpin.js  |  22 ++-
 .../@node-red/nodes/core/network/32-udp.html  |  13 +-
 .../@node-red/nodes/core/network/32-udp.js    | 187 ++++++++++--------
 .../nodes/locales/en-US/messages.json         |   2 +
 5 files changed, 150 insertions(+), 96 deletions(-)

diff --git a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html
index cd85a655b..2138c48c4 100644
--- a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html
+++ b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html
@@ -70,7 +70,16 @@
         color: "Silver",
         defaults: {
             name: {value:""},
-            server: {value:"server", required:true},
+            server: {
+                value: RED.settings.tcpInAllowInboundConnections === false ? "client" : "server", 
+                validate: function(v, opt) {
+                    console.log("validating client/server mode")
+                    if (v === 'server' && RED.settings.tcpInAllowInboundConnections === false) {
+                        return RED._("node-red:tcpin.errors.inbound-disabled");
+                    }
+                    return ["client", "server"].indexOf(v) >= 0
+                }
+            },
             host: {
                 value:"",
                 validate:function(v, opt) {
@@ -218,7 +227,16 @@
                     return RED._("node-red:tcpin.errors.invalid-port");
                 }
             },
-            beserver: {value:"client", required:true},
+            beserver: {
+                value: "client", 
+                validate: function(v, opt) {
+                    console.log("validating client/server mode")
+                    if (v === 'server' && RED.settings.tcpInAllowInboundConnections === false) {
+                        return RED._("node-red:tcpin.errors.inbound-disabled");
+                    }
+                    return ["client", "server", "reply"].indexOf(v) >= 0
+                }
+            },
             base64: {value:false, required:true},
             end: {value:false, required:true},
             tls: {type:"tls-config", value:'', required:false,
diff --git a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js
index d2de33522..605023938 100644
--- a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js
+++ b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js
@@ -19,6 +19,7 @@ module.exports = function(RED) {
     let reconnectTime = RED.settings.socketReconnectTime || 10000;
     let socketTimeout = RED.settings.socketTimeout || null;
     const msgQueueSize = RED.settings.tcpMsgQueueSize || 1000;
+    const allowInbound = RED.settings.tcpInAllowInboundConnections === false ? false : true
     const Denque = require('denque');
     const net = require('net');
     const tls = require('tls');
@@ -196,8 +197,7 @@ module.exports = function(RED) {
                 clearTimeout(reconnectTimeout);
                 if (!node.connected) { done(); }
             });
-        }
-        else {
+        } else if (allowInbound) {
             let srv = net;
             let connOpts;
             if (n.tls) {
@@ -308,9 +308,19 @@ module.exports = function(RED) {
                     });
                 }
             });
+        } else {
+            node.warn(RED._("tcpin.errors.inbound-disabled",{host:node.host,port:node.port}));
+            node.status({fill:"red",shape:"dot",text:"tcpin.errors.inbound-disabled"});
         }
     }
-    RED.nodes.registerType("tcp in",TcpIn);
+    RED.nodes.registerType("tcp in",TcpIn, {
+        settings: {
+            tcpInAllowInboundConnections: {
+                value: true,
+                exportable: true
+            }
+        }
+    });
 
 
     function TcpOut(n) {
@@ -434,7 +444,7 @@ module.exports = function(RED) {
                 nodeDone();
             });
         }
-        else {
+        else if (allowInbound)  {
             const connectedSockets = new Set();
             node.status({text:RED._("tcpin.status.connections",{count:0})});
             let srv = net;
@@ -507,11 +517,13 @@ module.exports = function(RED) {
                     });
                 }
             });
+        } else {
+            node.warn(RED._("tcpin.errors.inbound-disabled",{host:node.host,port:node.port}));
+            node.status({fill:"red",shape:"dot",text:"tcpin.errors.inbound-disabled"});
         }
     }
     RED.nodes.registerType("tcp out",TcpOut);
 
-
     function TcpGet(n) {
         RED.nodes.createNode(this,n);
         this.server = n.server;
diff --git a/packages/node_modules/@node-red/nodes/core/network/32-udp.html b/packages/node_modules/@node-red/nodes/core/network/32-udp.html
index 4d5eeb23e..8ab527df5 100644
--- a/packages/node_modules/@node-red/nodes/core/network/32-udp.html
+++ b/packages/node_modules/@node-red/nodes/core/network/32-udp.html
@@ -18,7 +18,7 @@
 <script type="text/html" data-template-name="udp in">
     <div class="form-row">
         <label for="node-input-port"><i class="fa fa-sign-in"></i> <span data-i18n="udp.label.listen"></span></label>
-        <select id="node-input-multicast" style='width:70%'>
+        <select id="node-input-multicast" style="width:70%">
           <option value="false" data-i18n="udp.udpmsgs"></option>
           <option value="true" data-i18n="udp.mcmsgs"></option>
         </select>
@@ -68,7 +68,16 @@
                 validate:RED.validators.number(false)
             },
             ipv: {value:"udp4"},
-            multicast: {value:"false"},
+            multicast: {
+                value:"false",
+                validate: function(v, opt) {
+                    console.log("validating client/server mode")
+                    if (RED.settings.udpInAllowInboundConnections === false) {
+                        return RED._("node-red:udp.errors.inbound-disabled");
+                    }
+                    return true
+                }
+            },
             group: {
                 value:"",
                 validate:function(v,opt) {
diff --git a/packages/node_modules/@node-red/nodes/core/network/32-udp.js b/packages/node_modules/@node-red/nodes/core/network/32-udp.js
index d42d3a7c3..2d6b3718a 100644
--- a/packages/node_modules/@node-red/nodes/core/network/32-udp.js
+++ b/packages/node_modules/@node-red/nodes/core/network/32-udp.js
@@ -16,9 +16,10 @@
 
 module.exports = function(RED) {
     "use strict";
-    var os = require('os');
-    var dgram = require('dgram');
-    var udpInputPortsInUse = {};
+    const os = require('os');
+    const dgram = require('dgram');
+    const udpInputPortsInUse = {};
+    const allowInbound = RED.settings.udpInAllowInboundConnections === false ? false : true
 
     // The Input Node
     function UDPin(n) {
@@ -29,97 +30,102 @@ module.exports = function(RED) {
         this.iface = n.iface || null;
         this.multicast = n.multicast;
         this.ipv = n.ipv || "udp4";
-        var node = this;
-
-        if (node.iface && node.iface.indexOf(".") === -1) {
-            try {
-                if ((os.networkInterfaces())[node.iface][0].hasOwnProperty("scopeid")) {
-                    if (node.ipv === "udp4") {
-                        node.iface = (os.networkInterfaces())[node.iface][1].address;
-                    } else {
-                        node.iface = (os.networkInterfaces())[node.iface][0].address;
-                    }
-                }
-                else {
-                    if (node.ipv === "udp4") {
-                        node.iface = (os.networkInterfaces())[node.iface][0].address;
-                    } else {
-                        node.iface = (os.networkInterfaces())[node.iface][1].address;
-                    }
-                }
-            }
-            catch(e) {
-                node.warn(RED._("udp.errors.ifnotfound",{iface:node.iface}));
-                node.iface = null;
-            }
-        }
-
-        var opts = {type:node.ipv, reuseAddr:true};
-        if (process.version.indexOf("v0.10") === 0) { opts = node.ipv; }
-        var server;
-
-        if (!udpInputPortsInUse.hasOwnProperty(node.port)) {
-            server = dgram.createSocket(opts);  // default to udp4
-            server.bind(node.port, function() {
-                if (node.multicast == "true") {
-                    server.setBroadcast(true);
-                    server.setMulticastLoopback(false);
-                    try {
-                        server.setMulticastTTL(128);
-                        server.addMembership(node.group,node.iface);
-                        if (node.iface) { node.status({text:n.iface+" : "+node.iface}); }
-                        node.log(RED._("udp.status.mc-group",{group:node.group}));
-                    } catch (e) {
-                        if (e.errno == "EINVAL") {
-                            node.error(RED._("udp.errors.bad-mcaddress"));
-                        } else if (e.errno == "ENODEV") {
-                            node.error(RED._("udp.errors.interface"));
+        const node = this;
+        let server;
+        if (allowInbound) {
+            if (node.iface && node.iface.indexOf(".") === -1) {
+                try {
+                    if ((os.networkInterfaces())[node.iface][0].hasOwnProperty("scopeid")) {
+                        if (node.ipv === "udp4") {
+                            node.iface = (os.networkInterfaces())[node.iface][1].address;
                         } else {
-                            node.error(RED._("udp.errors.error",{error:e.errno}));
+                            node.iface = (os.networkInterfaces())[node.iface][0].address;
+                        }
+                    }
+                    else {
+                        if (node.ipv === "udp4") {
+                            node.iface = (os.networkInterfaces())[node.iface][0].address;
+                        } else {
+                            node.iface = (os.networkInterfaces())[node.iface][1].address;
                         }
                     }
                 }
+                catch(e) {
+                    node.warn(RED._("udp.errors.ifnotfound",{iface:node.iface}));
+                    node.iface = null;
+                }
+            }
+
+            let opts = {type:node.ipv, reuseAddr:true};
+            if (process.version.indexOf("v0.10") === 0) { opts = node.ipv; }
+
+            if (!udpInputPortsInUse.hasOwnProperty(node.port)) {
+                server = dgram.createSocket(opts);  // default to udp4
+                server.bind(node.port, function() {
+                    if (node.multicast == "true") {
+                        server.setBroadcast(true);
+                        server.setMulticastLoopback(false);
+                        try {
+                            server.setMulticastTTL(128);
+                            server.addMembership(node.group,node.iface);
+                            if (node.iface) { node.status({text:n.iface+" : "+node.iface}); }
+                            node.log(RED._("udp.status.mc-group",{group:node.group}));
+                        } catch (e) {
+                            if (e.errno == "EINVAL") {
+                                node.error(RED._("udp.errors.bad-mcaddress"));
+                            } else if (e.errno == "ENODEV") {
+                                node.error(RED._("udp.errors.interface"));
+                            } else {
+                                node.error(RED._("udp.errors.error",{error:e.errno}));
+                            }
+                        }
+                    }
+                });
+                udpInputPortsInUse[node.port] = server;
+            }
+            else {
+                node.log(RED._("udp.errors.alreadyused",{port:node.port}));
+                server = udpInputPortsInUse[node.port];  // re-use existing
+                if (node.iface) { node.status({text:n.iface+" : "+node.iface}); }
+            }
+
+            server.on("error", function (err) {
+                if ((err.code == "EACCES") && (node.port < 1024)) {
+                    node.error(RED._("udp.errors.access-error"));
+                } else {
+                    node.error(RED._("udp.errors.error",{error:err.code}));
+                }
+                server.close();
             });
-            udpInputPortsInUse[node.port] = server;
+
+            server.on('message', function (message, remote) {
+                let msg;
+                if (node.datatype =="base64") {
+                    msg = { payload:message.toString('base64'), fromip:remote.address+':'+remote.port, ip:remote.address, port:remote.port };
+                } else if (node.datatype =="utf8") {
+                    msg = { payload:message.toString('utf8'), fromip:remote.address+':'+remote.port, ip:remote.address, port:remote.port };
+                } else {
+                    msg = { payload:message, fromip:remote.address+':'+remote.port, ip:remote.address, port:remote.port };
+                }
+                node.send(msg);
+            });
+
+            server.on('listening', function () {
+                const address = server.address();
+                node.log(RED._("udp.status.listener-at",{host:node.iface||address.address,port:address.port}));
+
+            });
+        } else {
+            node.warn(RED._("udp.errors.inbound-disabled",{host:node.host,port:node.port}));
+            node.status({fill:"red",shape:"dot",text:"udp.errors.inbound-disabled"});
         }
-        else {
-            node.log(RED._("udp.errors.alreadyused",{port:node.port}));
-            server = udpInputPortsInUse[node.port];  // re-use existing
-            if (node.iface) { node.status({text:n.iface+" : "+node.iface}); }
-        }
-
-        server.on("error", function (err) {
-            if ((err.code == "EACCES") && (node.port < 1024)) {
-                node.error(RED._("udp.errors.access-error"));
-            } else {
-                node.error(RED._("udp.errors.error",{error:err.code}));
-            }
-            server.close();
-        });
-
-        server.on('message', function (message, remote) {
-            var msg;
-            if (node.datatype =="base64") {
-                msg = { payload:message.toString('base64'), fromip:remote.address+':'+remote.port, ip:remote.address, port:remote.port };
-            } else if (node.datatype =="utf8") {
-                msg = { payload:message.toString('utf8'), fromip:remote.address+':'+remote.port, ip:remote.address, port:remote.port };
-            } else {
-                msg = { payload:message, fromip:remote.address+':'+remote.port, ip:remote.address, port:remote.port };
-            }
-            node.send(msg);
-        });
-
-        server.on('listening', function () {
-            var address = server.address();
-            node.log(RED._("udp.status.listener-at",{host:node.iface||address.address,port:address.port}));
-
-        });
-
         node.on("close", function() {
             try {
-                if (node.multicast == "true") { server.dropMembership(node.group); }
-                server.close();
-                node.log(RED._("udp.status.listener-stopped"));
+                if (server) {
+                    if (node.multicast == "true") { server.dropMembership(node.group); }
+                    server.close();
+                    node.log(RED._("udp.status.listener-stopped"));
+                }
             } catch (err) {
                 //node.error(err);
             }
@@ -133,7 +139,14 @@ module.exports = function(RED) {
     RED.httpAdmin.get('/udp-ports/:id', RED.auth.needsPermission('udp-ports.read'), function(req,res) {
         res.json(Object.keys(udpInputPortsInUse));
     });
-    RED.nodes.registerType("udp in",UDPin);
+    RED.nodes.registerType("udp in",UDPin, {
+        settings: {
+            udpInAllowInboundConnections: {
+                value: true,
+                exportable: true
+            }
+        }
+    });
 
 
 
diff --git a/packages/node_modules/@node-red/nodes/locales/en-US/messages.json b/packages/node_modules/@node-red/nodes/locales/en-US/messages.json
index 62d5f351f..a781e4330 100644
--- a/packages/node_modules/@node-red/nodes/locales/en-US/messages.json
+++ b/packages/node_modules/@node-red/nodes/locales/en-US/messages.json
@@ -647,6 +647,7 @@
             "connections_plural": "__count__ connections"
         },
         "errors": {
+            "inbound-disabled": "inbound connections are disabled",
             "connection-lost": "connection lost to __host__:__port__",
             "timeout": "timeout closed socket port __port__",
             "cannot-listen": "unable to listen on port __port__, error: __error__",
@@ -711,6 +712,7 @@
             "re-use": "udp re-use socket: __outport__ -> __host__:__port__"
         },
         "errors": {
+            "inbound-disabled": "inbound connections are disabled",
             "access-error": "UDP access error, you may need root access for ports below 1024",
             "error": "error: __error__",
             "bad-mcaddress": "Bad Multicast Address",

From bdff1e48836911d0bb131385c097bb5948990622 Mon Sep 17 00:00:00 2001
From: Steve-Mcl <sdmclaughlin@gmail.com>
Date: Tue, 1 Nov 2022 13:43:56 +0000
Subject: [PATCH 2/6] remove client side validation & tidy up

---
 .../nodes/core/network/31-tcpin.html          | 52 ++++++++++++-------
 .../@node-red/nodes/core/network/31-tcpin.js  |  8 +--
 .../@node-red/nodes/core/network/32-udp.html  | 25 +++++----
 .../@node-red/nodes/core/network/32-udp.js    |  4 +-
 .../nodes/locales/en-US/messages.json         | 14 +++--
 5 files changed, 64 insertions(+), 39 deletions(-)

diff --git a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html
index 2138c48c4..9ed317fd3 100644
--- a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html
+++ b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.html
@@ -23,6 +23,12 @@
         </select>
         <span data-i18n="tcpin.label.port"></span> <input type="text" id="node-input-port" style="width:65px">
     </div>
+
+    <div class="form-row inbound-disabled-tip">
+        <label> &nbsp; </label>
+        <div class="form-tips" data-i18n="tcpin.tip.inbound-disabled"></div>
+    </div>
+
     <div class="form-row hidden" id="node-input-host-row" style="padding-left:110px;">
         <span data-i18n="tcpin.label.host"></span> <input type="text" id="node-input-host" placeholder="localhost" style="width: 60%;">
     </div>
@@ -72,13 +78,6 @@
             name: {value:""},
             server: {
                 value: RED.settings.tcpInAllowInboundConnections === false ? "client" : "server", 
-                validate: function(v, opt) {
-                    console.log("validating client/server mode")
-                    if (v === 'server' && RED.settings.tcpInAllowInboundConnections === false) {
-                        return RED._("node-red:tcpin.errors.inbound-disabled");
-                    }
-                    return ["client", "server"].indexOf(v) >= 0
-                }
             },
             host: {
                 value:"",
@@ -116,8 +115,14 @@
                 var sockettype = $("#node-input-server").val();
                 if (sockettype == "client") {
                     $("#node-input-host-row").show();
+                    $(".form-row.inbound-disabled-tip").addClass("hide")
                 } else {
                     $("#node-input-host-row").hide();
+                    if(RED.settings.tcpInAllowInboundConnections === false) {
+                        $(".form-row.inbound-disabled-tip").removeClass("hide")
+                    } else {
+                        $(".form-row.inbound-disabled-tip").addClass("hide")
+                    }
                 }
                 var datamode = $("#node-input-datamode").val();
                 var datatype = $("#node-input-datatype").val();
@@ -151,6 +156,11 @@
             $("#node-input-usetls").on("click",function() {
                 updateTLSOptions();
             });
+            setTimeout(function() {
+                // form tips have a max-width to prevent the initial edit form size calc making it overly large.
+                // once the form is built and displayed, remove the size limit so that it sizes with the other elements.
+                $('.form-tips').css({"max-width": "unset"})
+            }, 500)
         },
         oneditsave: function() {
             if (!$("#node-input-usetls").is(':checked')) {
@@ -171,7 +181,10 @@
         </select>
         <span id="node-input-port-row"><span data-i18n="tcpin.label.port"></span> <input type="text" id="node-input-port" style="width: 65px"></span>
     </div>
-
+    <div class="form-row inbound-disabled-tip">
+        <label> &nbsp; </label>
+        <div class="form-tips" data-i18n="tcpin.tip.inbound-disabled"></div>
+    </div>
     <div class="form-row hidden" id="node-input-host-row" style="padding-left: 110px;">
         <span data-i18n="tcpin.label.host"></span> <input type="text" id="node-input-host" style="width: 60%;">
     </div>
@@ -227,16 +240,7 @@
                     return RED._("node-red:tcpin.errors.invalid-port");
                 }
             },
-            beserver: {
-                value: "client", 
-                validate: function(v, opt) {
-                    console.log("validating client/server mode")
-                    if (v === 'server' && RED.settings.tcpInAllowInboundConnections === false) {
-                        return RED._("node-red:tcpin.errors.inbound-disabled");
-                    }
-                    return ["client", "server", "reply"].indexOf(v) >= 0
-                }
-            },
+            beserver: {value:"client", required:true},
             base64: {value:false, required:true},
             end: {value:false, required:true},
             tls: {type:"tls-config", value:'', required:false,
@@ -260,16 +264,23 @@
                     $("#node-input-host-row").hide();
                     $("#node-input-end-row").hide();
                     $("#node-input-tls-enable").hide();
+                    $(".form-row.inbound-disabled-tip").addClass("hide")
                 } else if (sockettype == "client"){
                     $("#node-input-port-row").show();
                     $("#node-input-host-row").show();
                     $("#node-input-end-row").show();
                     $("#node-input-tls-enable").show();
+                    $(".form-row.inbound-disabled-tip").addClass("hide")
                 } else {
                     $("#node-input-port-row").show();
                     $("#node-input-host-row").hide();
                     $("#node-input-end-row").show();
                     $("#node-input-tls-enable").show();
+                    if(RED.settings.tcpInAllowInboundConnections === false) {
+                        $(".form-row.inbound-disabled-tip").removeClass("hide")
+                    } else {
+                        $(".form-row.inbound-disabled-tip").addClass("hide")
+                    }
                 }
             };
             updateOptions();
@@ -290,6 +301,11 @@
             $("#node-input-usetls").on("click",function() {
                 updateTLSOptions();
             });
+            setTimeout(function() {
+                // form tips have a max-width to prevent the initial edit form size calc making it overly large.
+                // once the form is built and displayed, remove the size limit so that it sizes with the other elements.
+                $('.form-tips').css({"max-width": "unset"})
+            }, 500)
         },
         oneditsave: function() {
             if (!$("#node-input-usetls").is(':checked')) {
diff --git a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js
index 605023938..42b47609c 100644
--- a/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js
+++ b/packages/node_modules/@node-red/nodes/core/network/31-tcpin.js
@@ -309,8 +309,8 @@ module.exports = function(RED) {
                 }
             });
         } else {
-            node.warn(RED._("tcpin.errors.inbound-disabled",{host:node.host,port:node.port}));
-            node.status({fill:"red",shape:"dot",text:"tcpin.errors.inbound-disabled"});
+            node.warn(RED._("tcpin.status.inbound-disabled",{host:node.host,port:node.port}));
+            node.status({fill:"gray",shape:"circle",text:"tcpin.status.inbound-disabled"});
         }
     }
     RED.nodes.registerType("tcp in",TcpIn, {
@@ -518,8 +518,8 @@ module.exports = function(RED) {
                 }
             });
         } else {
-            node.warn(RED._("tcpin.errors.inbound-disabled",{host:node.host,port:node.port}));
-            node.status({fill:"red",shape:"dot",text:"tcpin.errors.inbound-disabled"});
+            node.warn(RED._("tcpin.status.inbound-disabled",{host:node.host,port:node.port}));
+            node.status({fill:"gray",shape:"circle",text:"tcpin.status.inbound-disabled"});
         }
     }
     RED.nodes.registerType("tcp out",TcpOut);
diff --git a/packages/node_modules/@node-red/nodes/core/network/32-udp.html b/packages/node_modules/@node-red/nodes/core/network/32-udp.html
index 8ab527df5..f70cf973d 100644
--- a/packages/node_modules/@node-red/nodes/core/network/32-udp.html
+++ b/packages/node_modules/@node-red/nodes/core/network/32-udp.html
@@ -23,6 +23,10 @@
           <option value="true" data-i18n="udp.mcmsgs"></option>
         </select>
     </div>
+    <div class="form-row inbound-disabled-tip">
+        <label> &nbsp; </label>
+        <div class="form-tips" data-i18n="udp.tip.inbound-disabled"></div>
+    </div>
     <div class="form-row node-input-group">
         <label for="node-input-group"><i class="fa fa-list"></i> <span data-i18n="udp.label.group"></span></label>
         <input type="text" id="node-input-group" placeholder="225.0.18.83">
@@ -68,16 +72,7 @@
                 validate:RED.validators.number(false)
             },
             ipv: {value:"udp4"},
-            multicast: {
-                value:"false",
-                validate: function(v, opt) {
-                    console.log("validating client/server mode")
-                    if (RED.settings.udpInAllowInboundConnections === false) {
-                        return RED._("node-red:udp.errors.inbound-disabled");
-                    }
-                    return true
-                }
-            },
+            multicast: {value:"false"},
             group: {
                 value:"",
                 validate:function(v,opt) {
@@ -104,6 +99,11 @@
             return this.name?"node_label_italic":"";
         },
         oneditprepare: function() {
+            if(RED.settings.udpInAllowInboundConnections === false) {
+                $(".form-row.inbound-disabled-tip").removeClass("hide")
+            } else {
+                $(".form-row.inbound-disabled-tip").addClass("hide")
+            }
             $("#node-input-multicast").on("change", function() {
                 var id = $("#node-input-multicast").val();
                 if (id == "false") {
@@ -130,6 +130,11 @@
                     RED.notify(alreadyused+" "+$("#node-input-port").val(),"warn");
                 }
             });
+            setTimeout(function() {
+                // form tips have a max-width to prevent the initial edit form size calc making it overly large.
+                // once the form is built and displayed, remove the size limit so that it sizes with the other elements.
+                $('.form-tips').css({"max-width": "unset"})
+            }, 500)
         }
     });
 </script>
diff --git a/packages/node_modules/@node-red/nodes/core/network/32-udp.js b/packages/node_modules/@node-red/nodes/core/network/32-udp.js
index 2d6b3718a..e3b202182 100644
--- a/packages/node_modules/@node-red/nodes/core/network/32-udp.js
+++ b/packages/node_modules/@node-red/nodes/core/network/32-udp.js
@@ -116,8 +116,8 @@ module.exports = function(RED) {
 
             });
         } else {
-            node.warn(RED._("udp.errors.inbound-disabled",{host:node.host,port:node.port}));
-            node.status({fill:"red",shape:"dot",text:"udp.errors.inbound-disabled"});
+            node.warn(RED._("udp.status.inbound-disabled",{host:node.host,port:node.port}));
+            node.status({fill:"gray",shape:"circle",text:"udp.status.inbound-disabled"});
         }
         node.on("close", function() {
             try {
diff --git a/packages/node_modules/@node-red/nodes/locales/en-US/messages.json b/packages/node_modules/@node-red/nodes/locales/en-US/messages.json
index a781e4330..7a9f37811 100644
--- a/packages/node_modules/@node-red/nodes/locales/en-US/messages.json
+++ b/packages/node_modules/@node-red/nodes/locales/en-US/messages.json
@@ -636,6 +636,9 @@
             "never": "never - keep connection open",
             "immed": "immediately - don't wait for reply"
         },
+        "tip": {
+            "inbound-disabled": "inbound connections are disabled for this Node-RED instance"
+        },
         "status": {
             "connecting": "connecting to __host__:__port__",
             "connected": "connected to __host__:__port__",
@@ -644,10 +647,10 @@
             "connection-from": "connection from __host__:__port__",
             "connection-closed": "connection closed from __host__:__port__",
             "connections": "__count__ connection",
-            "connections_plural": "__count__ connections"
+            "connections_plural": "__count__ connections",
+            "inbound-disabled": "inbound connections are disabled"
         },
         "errors": {
-            "inbound-disabled": "inbound connections are disabled",
             "connection-lost": "connection lost to __host__:__port__",
             "timeout": "timeout closed socket port __port__",
             "cannot-listen": "unable to listen on port __port__, error: __error__",
@@ -698,7 +701,8 @@
         "tip": {
             "in": "Tip: Make sure your firewall will allow the data in.",
             "out": "Tip: leave address and port blank if you want to set using <code>msg.ip</code> and <code>msg.port</code>.",
-            "port": "Ports already in use: "
+            "port": "Ports already in use: ",
+            "inbound-disabled": "inbound connections are disabled for this Node-RED instance"
         },
         "status": {
             "listener-at": "udp listener at __host__:__port__",
@@ -709,10 +713,10 @@
             "bc-ready": "udp broadcast ready: __outport__ -> __host__:__port__",
             "ready": "udp ready: __outport__ -> __host__:__port__",
             "ready-nolocal": "udp ready: __host__:__port__",
-            "re-use": "udp re-use socket: __outport__ -> __host__:__port__"
+            "re-use": "udp re-use socket: __outport__ -> __host__:__port__",
+            "inbound-disabled": "inbound connections are disabled"
         },
         "errors": {
-            "inbound-disabled": "inbound connections are disabled",
             "access-error": "UDP access error, you may need root access for ports below 1024",
             "error": "error: __error__",
             "bad-mcaddress": "Bad Multicast Address",

From 24b1c42820b546e83378f628ba4ee814d068d9ca Mon Sep 17 00:00:00 2001
From: Steve-Mcl <sdmclaughlin@gmail.com>
Date: Tue, 1 Nov 2022 13:44:23 +0000
Subject: [PATCH 3/6] improve tip layout when nested in a form row

---
 .../@node-red/editor-client/src/sass/editor.scss            | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/packages/node_modules/@node-red/editor-client/src/sass/editor.scss b/packages/node_modules/@node-red/editor-client/src/sass/editor.scss
index 1730b9e35..9c1f0d60e 100644
--- a/packages/node_modules/@node-red/editor-client/src/sass/editor.scss
+++ b/packages/node_modules/@node-red/editor-client/src/sass/editor.scss
@@ -229,6 +229,12 @@ button.red-ui-tray-resize-button {
         border: 1px solid var(--red-ui-secondary-border-color);
         max-width: 450px;
     }
+    .form-row > div.form-tips {
+        width: 70%;
+        display: inline-block;
+        box-sizing: border-box;
+        max-width: 350px; // 100 less for label width
+    }
     .form-tips code {
         border: none;
         padding: auto;

From 7c5d8b60ba5e31c1b0f5a78f14b3600b4371f37f Mon Sep 17 00:00:00 2001
From: Steve-Mcl <sdmclaughlin@gmail.com>
Date: Tue, 1 Nov 2022 13:47:20 +0000
Subject: [PATCH 4/6] correct duplicate test IDs (copy+paste error)

---
 test/nodes/core/network/31-tcpin_spec.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/nodes/core/network/31-tcpin_spec.js b/test/nodes/core/network/31-tcpin_spec.js
index 3644a0ba1..8bf16147d 100644
--- a/test/nodes/core/network/31-tcpin_spec.js
+++ b/test/nodes/core/network/31-tcpin_spec.js
@@ -157,7 +157,7 @@ describe('TCP in Node', function() {
         testTCP0(flow, ["foo\nbar\nbaz"], ["foo\nbar\nbaz"], done);
     });
 
-    it('should recv data (Stream/Base64)', function(done) {
+    it('should recv data (Single/Base64)', function(done) {
         var flow = [{id:"n1", type:"tcp in", server:"server", host:"localhost", port:port, datamode:"single", datatype:"base64", newline:"", topic:"", base64:false, wires:[["n2"]] },
                     {id:"n2", type:"helper"}];
         testTCP0(flow, ["foo"], [Buffer("foo").toString('base64')], done);
@@ -227,7 +227,7 @@ describe('TCP in Node', function() {
         testTCP1(flow, ["foo\nbar\nbaz"], ["foo\nbar\nbaz"], done);
     });
 
-    it('should connect & recv data (Stream/Base64)', function(done) {
+    it('should connect & recv data (Single/Base64)', function(done) {
         var flow = [{id:"n1", type:"tcp in", server:"client", host:"localhost", port:server_port, datamode:"single", datatype:"base64", newline:"", topic:"", base64:false, wires:[["n2"]] },
                     {id:"n2", type:"helper"}];
         testTCP1(flow, ["foo"], [Buffer("foo").toString('base64')], done);

From d66828aaf17d14acebf59faacf75f872e38531d6 Mon Sep 17 00:00:00 2001
From: Steve-Mcl <sdmclaughlin@gmail.com>
Date: Sun, 4 Dec 2022 11:07:52 +0000
Subject: [PATCH 5/6] add note to built-in help RE: "inbound disabled"

---
 .../@node-red/nodes/locales/en-US/network/31-tcpin.html     | 4 +++-
 .../@node-red/nodes/locales/en-US/network/32-udp.html       | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/node_modules/@node-red/nodes/locales/en-US/network/31-tcpin.html b/packages/node_modules/@node-red/nodes/locales/en-US/network/31-tcpin.html
index 173f003f7..e788decca 100644
--- a/packages/node_modules/@node-red/nodes/locales/en-US/network/31-tcpin.html
+++ b/packages/node_modules/@node-red/nodes/locales/en-US/network/31-tcpin.html
@@ -16,9 +16,11 @@
 
 <script type="text/html" data-help-name="tcp in">
     <p>Provides a choice of TCP inputs. Can either connect to a remote TCP port,
-       or accept incoming connections.</p>
+        or accept incoming connections.</p>
     <p><b>Note: </b>On some systems you may need root or administrator access
     to access ports below 1024.</p>
+    <p><b>Note: </b>If your node shows "inbound connections are disabled", then 
+        it has been disabled in the Node-RED settings file.</p>
 </script>
 
 <script type="text/html" data-help-name="tcp out">
diff --git a/packages/node_modules/@node-red/nodes/locales/en-US/network/32-udp.html b/packages/node_modules/@node-red/nodes/locales/en-US/network/32-udp.html
index 666889be6..4dd57d6c0 100644
--- a/packages/node_modules/@node-red/nodes/locales/en-US/network/32-udp.html
+++ b/packages/node_modules/@node-red/nodes/locales/en-US/network/32-udp.html
@@ -19,8 +19,10 @@
     Buffer, string, or base64 encoded string. Supports multicast.</p>
     <p>It also provides <code>msg.ip</code> and <code>msg.port</code> set to the
     ip address and port from which the message was received.</p>
-    <p><b>Note</b>: On some systems you may need root or administrator access to use
-    ports below 1024 and/or broadcast.</p>
+    <p><b>Note: </b>On some systems you may need root or administrator access
+      to access ports below 1024.</p>
+    <p><b>Note: </b>If your node shows "inbound connections are disabled", then 
+      it has been disabled in the Node-RED settings file.</p>
 </script>
 
 <script type="text/html" data-help-name="udp out">

From b5fae8bb733d43faa7804168c950918cfddb1827 Mon Sep 17 00:00:00 2001
From: Steve-Mcl <sdmclaughlin@gmail.com>
Date: Sun, 4 Dec 2022 11:09:15 +0000
Subject: [PATCH 6/6] add settings to default settings.js file

---
 packages/node_modules/node-red/settings.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/packages/node_modules/node-red/settings.js b/packages/node_modules/node-red/settings.js
index ec247a672..5b4cb429e 100644
--- a/packages/node_modules/node-red/settings.js
+++ b/packages/node_modules/node-red/settings.js
@@ -441,6 +441,8 @@ module.exports = {
  *  - socketReconnectTime
  *  - socketTimeout
  *  - tcpMsgQueueSize
+ *  - tcpInAllowInboundConnections
+ *  - udpInAllowInboundConnections
  *  - inboundWebSocketTimeout
  *  - tlsConfigDisableLocalFiles
  *  - webSocketNodeVerifyClient
@@ -509,6 +511,16 @@ module.exports = {
      */
     //tcpMsgQueueSize: 2000,
 
+    /** Permit TCP nodes to expose inbound connections. Set value to `false` to disable the inbound modes.
+     * defaults to true
+     */
+    //tcpInAllowInboundConnections: true,
+
+    /** Permit UDP nodes to expose inbound connections. Set value to `false` to disable the inbound modes.
+     * defaults to true
+     */
+    //udpInAllowInboundConnections: true,
+
     /** Timeout in milliseconds for inbound WebSocket connections that do not
      * match any configured node. Defaults to 5000
      */