This section describes how script files (the default script file or a dynamic script file) are written so that they can be executed while the controller boots or when a specific command is triggered.
NOTE: The MAC layer rules are managed separately and have higher priority over other packet filter rules.
The syntax of script files is described in Script Syntax Guidelines.
The following commands are available to manage the Ethernet firewall of the M241 Logic Controller:
Command | Description
---|---
FireWall Enable | Blocks the frames from the Ethernet interfaces. If no specific IP address is authorized, it is not possible to communicate on the Ethernet interfaces. NOTE: By default, when the firewall is enabled, the frames are rejected.
FireWall Disable | IP addresses are allowed access to the controller on the Ethernet interfaces.
FireWall Ethx Default Allow (1) | Frames are accepted by the controller.
FireWall Ethx Default Reject (1) | Frames are rejected by the controller. NOTE: By default, if this line is not present, it corresponds to the command FireWall Eth1 Default Reject.

(1) Where Ethx is:
- Eth1: Ethernet_1
- Eth2: TM4ES4
The following commands are available to configure firewall rules for specific ports and addresses:
Command | Range | Description
---|---|---
Firewall Eth1 Allow IP •.•.•.• | • = 0...255 | Frames from the specified IP address are allowed on all port numbers and port types.
Firewall Eth1 Reject IP •.•.•.• | • = 0...255 | Frames from the specified IP address are rejected on all port numbers and port types.
Firewall Eth1 Allow IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are allowed for all port numbers and port types.
Firewall Eth1 Reject IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are rejected for all port numbers and port types.
Firewall Eth1 Allow port_type port Y | Y = (destination port numbers) | Frames with the specified destination port number are allowed.
Firewall Eth1 Reject port_type port Y | Y = (destination port numbers) | Frames with the specified destination port number are rejected. NOTE: When IP forwarding is activated, rules with reject port only filter frames with the current controller as destination. They are not applied to the frames routed by the current controller.
Firewall Eth1 Allow port_type ports Y1 to Y2 | Y = (destination port numbers) | Frames with a destination port number in the specified range are allowed.
Firewall Eth1 Reject port_type ports Y1 to Y2 | Y = (destination port numbers) | Frames with a destination port number in the specified range are rejected.
Firewall Eth1 Allow IP •.•.•.• on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with the specified destination port number are allowed.
Firewall Eth1 Reject IP •.•.•.• on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with the specified destination port number are rejected.
Firewall Eth1 Allow IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with a destination port number in the specified range are allowed.
Firewall Eth1 Reject IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with a destination port number in the specified range are rejected.
Firewall Eth1 Allow IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with the specified destination port number are allowed.
Firewall Eth1 Reject IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with the specified destination port number are rejected.
Firewall Eth1 Allow IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with a destination port number in the specified range are allowed.
Firewall Eth1 Reject IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with a destination port number in the specified range are rejected.
Firewall Eth1 Allow MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are allowed. NOTE: When allow MAC address rules are used, only the listed MAC addresses can communicate with the controller, even if other allow rules are applied.
Firewall Eth1 Reject MAC ••:••:••:••:••:•• | • = 0...F | Frames with the specified MAC address ••:••:••:••:••:•• are rejected.
NOTE: The port_type can be TCP or UDP.
Example of a firewall script:

```
; Enable firewall on Ethernet 1. All frames are rejected;
FireWall Enable;
; Block all Modbus requests from all IP addresses
Firewall Eth1 Reject tcp port 502;
; Allow FTP active connection for IP address 85.16.0.17
Firewall Eth1 Allow IP 85.16.0.17 on tcp ports 20 to 21;
```
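As an added example that is not part of the M241 documentation or firmware, the following Python script parses commands written in the syntax above and reports the verdict for a given inbound frame, so a rule set can be checked offline before it is deployed on a controller. The sample script, the frame fields (eth, mac, ip, proto, dport) and the first-match ordering among IP/port rules are assumptions; the MAC-first priority and the default reject come from the notes above.

```python
import re
from ipaddress import ip_address
# Constructed sample script in the syntax of the tables above (not from a real controller).
SCRIPT = """FireWall Enable;
Firewall Eth1 Reject tcp port 502;
Firewall Eth1 Allow IP 85.16.0.17 on tcp ports 20 to 21;
Firewall Eth1 Allow IPs 192.168.1.10 to 192.168.1.20 on udp port 1740;
Firewall Eth1 Reject MAC 00:11:22:33:44:55;"""
RULE = re.compile(  # MAC x | [IP(s) a [to b]] [[on] tcp|udp port(s) p1 [to p2]]
    r"^firewall\s+eth(?P<eth>\d)\s+(?P<verdict>allow|reject)\s+(?:"
    r"mac\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"|(?:ips?\s+(?P<ip1>[\d.]+)(?:\s+to\s+(?P<ip2>[\d.]+))?)?"
    r"(?:\s*(?:on\s+)?(?P<proto>tcp|udp)\s+ports?\s+(?P<p1>\d+)(?:\s+to\s+(?P<p2>\d+))?)?"
    r")$", re.I)

def parse_script(text):
    """Parse firewall commands into {'enabled', 'default': {eth: verdict}, 'rules': [...]}."""
    cfg = {"enabled": False, "default": {}, "rules": []}
    cmds = (l.split(";", 1)[0].strip().lower() for l in text.splitlines())  # ';' = comment/end
    for cmd in filter(None, cmds):
        if cmd in ("firewall enable", "firewall disable"):
            cfg["enabled"] = cmd.endswith("enable")
        elif (m := re.fullmatch(r"firewall\s+eth(\d)\s+default\s+(allow|reject)", cmd)):
            cfg["default"][int(m[1])] = m[2]
        elif (m := RULE.match(cmd)) and (m["mac"] or m["ip1"] or m["proto"]):
            cfg["rules"].append(m.groupdict())
        else:
            raise ValueError(f"unparsable firewall command: {cmd!r}")
    return cfg

def _match(r, f):   # does rule r apply to frame f = {eth, mac, ip, proto, dport}?
    if r["mac"]:
        return f["mac"].lower() == r["mac"]
    lo, hi = r["ip1"], r["ip2"] or r["ip1"]      # single address or inclusive range
    ip_ok = not lo or ip_address(lo) <= ip_address(f["ip"]) <= ip_address(hi)
    port_ok = not r["proto"] or (f["proto"].lower() == r["proto"]
                                 and int(r["p1"]) <= f["dport"] <= int(r["p2"] or r["p1"]))
    return ip_ok and port_ok

def verdict(cfg, f):   # 'allow' or 'reject' for one inbound frame f on interface f['eth']
    if not cfg["enabled"]:
        return "allow"
    rules = [r for r in cfg["rules"] if int(r["eth"]) == f["eth"]]
    macs = [r for r in rules if r["mac"]]            # evaluated first: highest priority
    hit = next((r["verdict"] for r in macs if _match(r, f)), None)
    if hit is None and any(r["verdict"] == "allow" for r in macs):
        hit = "reject"                               # Allow MAC present: unlisted MACs cut off
    if hit is None:                                  # assumption: first matching rule decides
        hit = next((r["verdict"] for r in rules if not r["mac"] and _match(r, f)), None)
    return hit or cfg["default"].get(f["eth"], "reject")   # default reject when not stated
```

Run `verdict(parse_script(SCRIPT), frame)` with a frame dict for each host and port you expect to need; a frame that comes back `reject` unexpectedly points at a missing allow rule or at the MAC rules cutting it off.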
Destination port numbers used by the controller protocols (for writing port rules):

Protocol | Destination Port Numbers
---|---
Machine Expert | UDP 1740, 1741, 1742, 1743; TCP 1105
FTP | TCP 21, 20
HTTP | TCP 80
Modbus | TCP 502 (1)
Discovery | UDP 27126, 27127
SNMP | UDP 161, 162
NVL | UDP (default value: 1202)
EtherNet/IP | UDP 2222; TCP 44818
TFTP | UDP 69 (used for FDR server only)

(1) The default value can be changed using the changeModbusPort command.