This section describes how script files (default script files or dynamic script files) are written so that they can be executed while the controller boots or when a specific command is triggered.
NOTE: The MAC layer rules are managed separately and have priority over the other packet filter rules.
The syntax of script files is described in Creating a Script.
The following commands are available to manage the Ethernet firewall of the M262 Logic/Motion Controller:
Command | Description
---|---
Firewall Enable | Blocks the frames from the Ethernet interfaces. If no specific IP address or port is authorized, it is not possible to communicate on the Ethernet interfaces. NOTE: By default, when the firewall is enabled, the frames are rejected.
Firewall Disable | IP addresses can access the controller on the Ethernet interfaces.
Firewall Ethx Default Allow (1) | Frames are accepted by the controller on interface Ethx.
Firewall Ethx Default Reject (1) | Frames are rejected by the controller on interface Ethx. NOTE: By default, if this line is not present, it corresponds to the command Firewall Eth1 Default Reject.

(1) Where Ethx is one of: Eth0: USB port; Eth1: Ethernet_1; Eth2: Ethernet_2; Eth3: TMSES4.
The following commands are available to configure firewall rules for specific ports and addresses:
Command | Range | Description
---|---|---
Firewall Eth1 Allow IP •.•.•.• | • = 0...255 | Frames from the specified IP address are allowed on all port numbers and port types.
Firewall Eth1 Reject IP •.•.•.• | • = 0...255 | Frames from the specified IP address are rejected on all port numbers and port types.
Firewall Eth1 Allow IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are allowed for all port numbers and port types. NOTE: Rules with a specific IP address range are converted to CIDR format in the controller when they are established. Example: "Firewall Eth2 Allow IPs 192.168.100.66 to 192.168.100.99 on TCP port 44818" is separated into 7 rules: 192.168.100.66/31, 192.168.100.68/30, 192.168.100.72/29, 192.168.100.80/28, 192.168.100.96/27, 192.168.100.128/26, 192.168.100.192/29. Using entire subnet IP ranges avoids firewall rule saturation.
Firewall Eth1 Reject IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are rejected for all port numbers and port types.
Firewall Eth1 Allow port_type port Y | Y = (destination port numbers) | Frames with the specified destination port number are allowed.
Firewall Eth1 Reject port_type port Y | Y = (destination port numbers) | Frames with the specified destination port number are rejected.
Firewall Eth1 Allow port_type ports Y1 to Y2 | Y = (destination port numbers) | Frames with a destination port number in the specified range are allowed.
Firewall Eth1 Reject port_type ports Y1 to Y2 | Y = (destination port numbers) | Frames with a destination port number in the specified range are rejected.
Firewall Eth1 Allow IP •.•.•.• on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with the specified destination port number are allowed.
Firewall Eth1 Reject IP •.•.•.• on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with the specified destination port number are rejected.
Firewall Eth1 Allow IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with a destination port number in the specified range are allowed.
Firewall Eth1 Reject IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with a destination port number in the specified range are rejected.
Firewall Eth1 Allow IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with the specified destination port number are allowed.
Firewall Eth1 Reject IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with the specified destination port number are rejected.
Firewall Eth1 Allow IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with a destination port number in the specified range are allowed.
Firewall Eth1 Reject IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with a destination port number in the specified range are rejected.
Firewall Eth1 Allow MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are allowed. NOTE: When rules allowing MAC addresses are applied, only the listed MAC addresses can communicate with the controller, even if other Allow rules exist.
Firewall Eth1 Reject MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are rejected.
Firewall Ethx (1) Established to port_type port Y | Y = 0...65535 | Frames of connections established from the controller with the TCP/UDP protocols to the specified destination port number are allowed.

(1) Where x = 0: USB port; x = 1: Ethernet 1 port; x = 2: Ethernet 2 port; x = 3: Ethernet port of the TMSES4.
NOTE: When IP Forwarding is activated, rules with Reject port only filter frames whose destination is the current controller. They are not applied to the frames routed by the current controller.

Example of a firewall script:

```
; Enable FireWall. All frames are rejected;
FireWall Enable;
; Allow frames on Eth1
FireWall Eth1 Default Allow;
; Block all Modbus requests from all IP addresses
Firewall Eth1 Reject tcp port 502;
; Reject frames on Eth2
FireWall Eth2 Default Reject;
; Allow FTP active connection for IP address 85.16.0.17
FireWall Eth2 Allow IP 85.16.0.17 on tcp ports 20 to 21;
```
The following is an example of a firewall in whitelist mode: all communication is blocked by default and only the necessary services are allowed.
NOTE: This example is designed to show most of the commands available with the firewall. It should be adapted to your configuration and tested before implementation.
Commands | Comments
---|---
Firewall Enable | ; Enable the firewall.
Eth1 Configuration |
Firewall Eth1 Default Reject | ; Reject all frames on interface ETH1. In this example, ETH1 is connected to the Industrial Ethernet devices network and therefore can be relatively trusted.
Firewall Eth1 Allow TCP port 502 | ; Allow the Modbus TCP server on interface ETH1. There is no authentication on Modbus, so this should be allowed only on trusted networks.
Firewall Eth1 Established to TCP port 502 | ; Allow replies to communication established by the controller to TCP port 502. This is necessary when using the PlcCommunication library to communicate with the Modbus TCP protocol.
Firewall Eth1 Allow UDP port 2222 | ; Allow EtherNet/IP scanner implicit exchange replies to UDP port 2222 (ETHIP) on interface ETH1.
Firewall Eth1 Established to TCP port 44818 | ; Allow replies to communication established by the controller to TCP port 44818 (ETHIP) on interface ETH1. The last 2 commands allow the EtherNet/IP Scanner to communicate with the industrial Ethernet devices.
Eth2 Configuration |
Firewall Eth2 Default Reject | ; Reject all frames on interface ETH2. This interface is connected to a network used mainly for commissioning.
Firewall Eth2 Allow TCP port 4840 | ; Allow the OPC UA server on interface ETH2.
Firewall Eth2 Allow TCP port 443 | ; Allow the web server (HTTPS) on interface ETH2.
Firewall Eth2 Allow TCP port 8089 | ; Allow the web visualization (HTTPS) on interface ETH2.
Firewall Eth2 Allow TCP ports 20 to 21 | ; Allow FTP in active mode on interface ETH2.
Firewall Eth2 Allow IP 192.168.1.1 on UDP ports 27126 to 27127 | ; Allow the IP address of the commissioning PC to discover and configure the IP address of the controller. This should be allowed only on a trusted network, as the IP address can be changed even if User Rights are configured.
Firewall Eth2 Allow IPs 192.168.1.1 to 192.168.1.2 on UDP port 1740 | ; Allow the IP addresses of the commissioning PC and of an HMI to communicate with the controller using the Machine Expert protocol.
Firewall Eth2 Allow TCP port 11740 | ; Allow Fast TCP on interface ETH2. This allows connecting to the controller using TCP.
Firewall Eth2 Allow UDP port 2222 | ; Allow implicit communication with UDP port 2222 (ETHIP) on interface ETH2.
Firewall Eth2 Allow TCP port 44818 | ; Allow explicit communication to TCP port 44818 (ETHIP) on interface ETH2. The last 2 commands allow the controller to be used as an EtherNet/IP Adapter.
Firewall Eth2 Allow MAC 4C:CC:6A:A1:09:C8 | ; Allow the MAC address of the HMI.
Firewall Eth2 Allow MAC 00:0C:29:92:43:A8 | ; Allow the MAC address of the commissioning PC. Only the allowed MAC addresses can communicate with the controller.
Eth3 Configuration (TMSES4) |
Firewall Eth3 Default Reject | ; Reject frames on TMSES4. This interface is connected to the plant network and can access the web. It should be considered untrusted.
Firewall Eth3 Established to TCP port 443 | ; Allow the HTTP client (for example, to connect to Machine Advisor) on interface TMSES4.
Firewall Eth3 Allow TCP port 11740 | ; Allow Fast TCP on interface TMSES4. This allows connecting to the controller remotely. It must not be allowed unless User Rights are activated on the controller.
NOTE: Characters are limited to 200 per line, including comments.
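Before loading a script on the controller, it helps to lint it against the command syntax above, the 200-character line limit, the CIDR expansion of IP ranges (rule saturation) and the MAC allow caveat. The checker below is an added example, not Schneider Electric code; it assumes keywords are case-insensitive (the page's scripts mix "FireWall" and "Firewall") and uses a constructed sample script. Computed for 192.168.100.66 to 192.168.100.199, `cidr_split` yields the seven prefixes listed in the table note.

```python
import ipaddress
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PORTS = r"(?:tcp|udp)\s+(?:port\s+\d+|ports\s+\d+\s+to\s+\d+)"
# Grammar of the command tables above; keywords assumed case-insensitive (the page mixes "FireWall"/"Firewall").
RULE_RE = re.compile(
    r"^firewall\s+(?:enable|disable"
    r"|eth[0-3]\s+default\s+(?:allow|reject)"
    r"|eth[0-3]\s+established\s+to\s+(?:tcp|udp)\s+port\s+\d+"
    r"|eth[0-3]\s+(?:allow|reject)\s+(?:mac\s+(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
    rf"|(?:ip\s+{IP}|ips\s+(?P<lo>{IP})\s+to\s+(?P<hi>{IP}))(?:\s+on\s+{PORTS})?"
    rf"|{PORTS}))$",
    re.IGNORECASE,
)
MAX_LINE = 200  # documented per-line limit, comments included

def cidr_split(first: str, last: str) -> list[str]:
    """Prefixes the controller installs for one 'Allow/Reject IPs first to last' rule."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]

def check_script(text: str) -> dict:
    """Syntax errors, advisory warnings and the rule count after CIDR expansion."""
    errors, warnings, rules, mac_allow = [], [], 0, False
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            errors.append(f"line {n}: {len(line)} chars, limit is {MAX_LINE}")
        cmd = line.split(";", 1)[0].strip()  # text before ';' is the command, the rest is comment
        if not cmd:
            continue
        m = RULE_RE.match(cmd)
        if not m:
            errors.append(f"line {n}: unrecognised command {cmd!r}")
        elif m.group("lo"):  # one address range expands to several CIDR rules
            rules += len(cidr_split(m.group("lo"), m.group("hi")))
        elif "default" not in cmd.lower() and re.search(r"\b(?:allow|reject|established)\b", cmd, re.I):
            rules += 1
        mac_allow |= bool(re.search(r"\ballow\s+mac\b", cmd, re.I))
    if mac_allow:
        warnings.append("Allow MAC present: only the listed MAC addresses can reach the controller")
    return {"errors": errors, "warnings": warnings, "rules": rules}

SAMPLE = """; constructed sample script (not from the page); line 6 carries a 'port ... to' typo
Firewall Enable;
Firewall Eth1 Default Reject;
Firewall Eth1 Allow IPs 192.168.100.66 to 192.168.100.199 on TCP port 44818;
Firewall Eth2 Allow MAC 02:00:00:00:00:01;
Firewall Eth2 Allow TCP port 20 to 21;
"""
```

Running `check_script(SAMPLE)` reports the line 6 syntax error, the MAC warning, and 8 installed rules (7 CIDR prefixes plus the MAC rule).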
Destination port numbers used by the controller protocols:

Protocol | Destination Port Numbers
---|---
Machine Expert | UDP 1740, 1741, 1742, 1743; TCP 11740
FTP | TCP 21, 20
HTTP | TCP 80
HTTPS | TCP 443
Modbus | TCP 502
Machine Expert Discovery | UDP 27126, 27127
Web Services Dynamic Discovery | UDP 3702; TCP 5357
SNMP | UDP 161, 162
NVL | UDP 1202 (default value)
EtherNet/IP | UDP 2222; TCP 44818
Webvisualization | HTTP 8080; HTTPS 8089
TFTP | UDP 69 (used for the FDR server only)
SafeLogger | UDP 35021, 45000
Machine Assistant | UDP 45001...45004