This section describes how script files (default script files or dynamic script files) are written so that they can be executed when the controller boots or when a specific command is triggered.
NOTE: The MAC layer rules are managed separately and have more priority over other packet filter rules.
The syntax of script files is described in Script Syntax Guidelines.
The following commands are available to manage the Ethernet firewall of the M241 Logic Controller:
| Command | Description |
|---|---|
| Firewall Enable | Blocks the frames from the Ethernet interfaces. If no specific IP address is authorized, it is not possible to communicate on the Ethernet interfaces. NOTE: By default, when the firewall is enabled, the frames are rejected. |
| Firewall Disable | Firewall rules are not applied. Frames are not blocked. |
| Firewall Ethx Default Allow (1) | Frames are accepted by the controller. |
| Firewall Ethx Default Reject (1) | Frames are rejected by the controller. NOTE: By default, if this line is not present, it corresponds to the command Firewall Eth1 Default Reject. |

(1) Where Ethx is one of:
- Eth1: Ethernet_1
- Eth2: TM4ES4
The following commands are available to configure firewall rules for specific ports and addresses:
| Command | Range | Description |
|---|---|---|
| Firewall Eth1 Allow IP •.•.•.• | • = 0...255 | Frames from the specified IP address are allowed on all port numbers and port types. |
| Firewall Eth1 Reject IP •.•.•.• | • = 0...255 | Frames from the specified IP address are rejected on all port numbers and port types. |
| Firewall Eth1 Allow IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are allowed for all port numbers and port types. |
| Firewall Eth1 Reject IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are rejected for all port numbers and port types. |
| Firewall Eth1 Allow port_type port Y | Y = (destination port numbers) | Frames with the specified destination port number are allowed. |
| Firewall Eth1 Reject port_type port Y | Y = (destination port numbers) | Frames with the specified destination port number are rejected. NOTE: When IP forwarding is activated, Reject port rules only filter frames whose destination is the controller itself; they are not applied to frames routed through the controller. |
| Firewall Eth1 Allow port_type ports Y1 to Y2 | Y = (destination port numbers) | Frames with a destination port number in the specified range are allowed. |
| Firewall Eth1 Reject port_type ports Y1 to Y2 | Y = (destination port numbers) | Frames with a destination port number in the specified range are rejected. |
| Firewall Eth1 Allow IP •.•.•.• on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with the specified destination port number are allowed. |
| Firewall Eth1 Reject IP •.•.•.• on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with the specified destination port number are rejected. |
| Firewall Eth1 Allow IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with a destination port number in the specified range are allowed. |
| Firewall Eth1 Reject IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from the specified IP address and with a destination port number in the specified range are rejected. |
| Firewall Eth1 Allow IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with the specified destination port number are allowed. |
| Firewall Eth1 Reject IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type port Y | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with the specified destination port number are rejected. |
| Firewall Eth1 Allow IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with a destination port number in the specified range are allowed. |
| Firewall Eth1 Reject IPs •1.•1.•1.•1 to •2.•2.•2.•2 on port_type ports Y1 to Y2 | • = 0...255, Y = (destination port numbers) | Frames from an IP address in the specified range and with a destination port number in the specified range are rejected. |
| Firewall Eth1 Allow MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are allowed. NOTE: Once a MAC Allow rule is applied, only the listed MAC addresses can communicate with the controller, even if other Allow rules exist. |
| Firewall Eth1 Reject MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are rejected. |
NOTE: The port_type can be TCP or UDP.
Example script:

```
; Enable FireWall. All frames are rejected;
FireWall Enable;
; Allow frames on Eth1
FireWall Eth1 Default Allow;
; Block all Modbus requests from all IP addresses
Firewall Eth1 Reject tcp port 502;
; Reject frames on Eth2
FireWall Eth2 Default Reject;
; Allow FTP active connection for IP address 85.16.0.17
FireWall Eth2 Allow IP 85.16.0.17 on tcp ports 20 to 21;
```
NOTE: IP address ranges are converted to CIDR format. For example, the command

"FireWall Eth2 Allow IPs 192.168.100.66 to 192.168.100.99 on tcp port 44818;"

is split into 7 CIDR blocks:

- 192.168.100.66/31
- 192.168.100.68/30
- 192.168.100.72/29
- 192.168.100.80/28
- 192.168.100.96/27
- 192.168.100.128/26
- 192.168.100.192/29

To prevent a firewall error, specify address ranges that correspond to whole subnets.

NOTE: Lines are limited to 200 characters, including comments.
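The following linter is an added example and is not Schneider Electric code. It parses the command forms from the tables above, enforces the 200-character line limit, and shows how an IPs range is expanded into CIDR blocks (the same decomposition the note above describes, here done with Python's standard ipaddress module). The function names and the second, deliberately broken script are constructed for illustration; the first script is the example from this page. One check worth noting: the decomposition reproduces the seven blocks listed above when the range runs to 192.168.100.199 (the last block, 192.168.100.192/29, ends at .199), while a range ending at .99 yields five blocks.

```python
"""Lint an M241 firewall script and expand IP ranges to CIDR blocks.

Added example, not Schneider Electric code. Command forms, the
200-character limit and the CIDR expansion come from the documentation
above; function names and the bad-script sample are constructed.
"""
import ipaddress
import re

MAX_LINE_LEN = 200  # documented limit per line, comments included

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"

# One pattern per command family. Matching is case-insensitive because the
# page's own script spells both "FireWall" and "Firewall".
RE_SIMPLE = re.compile(r"^firewall\s+(?P<kw>enable|disable)\s*;$", re.I)
RE_DEFAULT = re.compile(
    r"^firewall\s+(?P<iface>eth[12])\s+default\s+(?P<action>allow|reject)\s*;$", re.I)
RE_RULE = re.compile(
    r"^firewall\s+(?P<iface>eth[12])\s+(?P<action>allow|reject)"
    rf"(?:\s+ip\s+(?P<ip>{_IP})"
    rf"|\s+ips\s+(?P<ip1>{_IP})\s+to\s+(?P<ip2>{_IP})"
    rf"|\s+mac\s+(?P<mac>{_MAC}))?"
    r"(?:\s+(?:on\s+)?(?P<proto>tcp|udp)\s+"
    r"(?:port\s+(?P<port>\d+)|ports\s+(?P<p1>\d+)\s+to\s+(?P<p2>\d+)))?"
    r"\s*;$", re.I)


def cidr_blocks(first, last):
    """CIDR blocks covering the inclusive range first..last, as strings."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]


def is_whole_subnet(first, last):
    """True when the range is exactly one subnet (expands to one block)."""
    return len(cidr_blocks(first, last)) == 1


def parse_command(line):
    """Parse one command line into a dict; raise ValueError if invalid."""
    m = RE_SIMPLE.match(line)
    if m:
        return {"cmd": m["kw"].lower()}
    m = RE_DEFAULT.match(line)
    if m:
        return {"cmd": "default", "iface": m["iface"].lower(),
                "action": m["action"].lower()}
    m = RE_RULE.match(line)
    if not m:
        raise ValueError("unrecognised command")
    if not (m["ip"] or m["ip1"] or m["mac"] or m["proto"]):
        raise ValueError("rule needs an IP, IP range, MAC or port filter")
    if m["mac"] and m["proto"]:
        raise ValueError("MAC rules take no port filter")
    rule = {"cmd": "rule", "iface": m["iface"].lower(),
            "action": m["action"].lower()}
    # IPv4Address() rejects octets above 255, which the regex alone accepts.
    if m["ip"]:
        rule["ip"] = str(ipaddress.IPv4Address(m["ip"]))
    if m["ip1"]:
        lo, hi = ipaddress.IPv4Address(m["ip1"]), ipaddress.IPv4Address(m["ip2"])
        if lo > hi:
            raise ValueError("IP range start is above its end")
        rule["ips"] = (str(lo), str(hi))
        rule["cidr"] = cidr_blocks(str(lo), str(hi))
    if m["mac"]:
        rule["mac"] = m["mac"].upper()
    if m["proto"]:
        rule["proto"] = m["proto"].lower()
        ports = (int(m["port"]),) * 2 if m["port"] else (int(m["p1"]), int(m["p2"]))
        if not 0 <= ports[0] <= ports[1] <= 65535:
            raise ValueError("bad port range")
        rule["ports"] = ports
    return rule


def lint_script(text):
    """Return (commands, issues). Lines starting with ';' are comments,
    blank lines are skipped, issues are (line_number, message) tuples."""
    commands, issues = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE_LEN:
            issues.append((no, f"line exceeds {MAX_LINE_LEN} characters"))
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        try:
            cmd = parse_command(line)
        except ValueError as exc:
            issues.append((no, str(exc)))
            continue
        if len(cmd.get("cidr", ())) > 1:  # range is not one whole subnet
            issues.append((no, f"range expands to {len(cmd['cidr'])} CIDR blocks"))
        commands.append(cmd)
    return commands, issues


# The example script from this page, embedded as input.
SAMPLE_SCRIPT = """\
; Enable FireWall. All frames are rejected;
FireWall Enable;
; Allow frames on Eth1
FireWall Eth1 Default Allow;
; Block all Modbus Requests on all IP address
Firewall Eth1 Reject tcp port 502;
; Reject frames on Eth2
FireWall Eth2 Default Reject;
; Allow FTP active connection for IP address 85.16.0.17
FireWall Eth2 Allow IP 85.16.0.17 on tcp ports 20 to 21;
"""

if __name__ == "__main__":
    cmds, problems = lint_script(SAMPLE_SCRIPT)
    for c in cmds:
        print(c)
    print("issues:", problems)
    print(cidr_blocks("192.168.100.66", "192.168.100.199"))
```

Run the file directly to lint the page's script and print the CIDR expansion. A range that expands to more than one block is reported as an issue so that the subnet advice above can be applied before the script is loaded onto the controller.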
The following table lists the destination port numbers used by the controller's protocols:

| Protocol | Destination port numbers |
|---|---|
| Machine Expert | UDP 1740, 1741, 1742, 1743; TCP 1105 |
| FTP | TCP 21, 20 |
| HTTP | TCP 80 |
| Modbus | TCP 502 (1) |
| Machine Expert Discovery | UDP 27126, 27127 |
| SNMP | UDP 161, 162 |
| NVL | UDP, default value: 1202 |
| EtherNet/IP | UDP 2222; TCP 44818 |
| TFTP | UDP 69 (used for FDR server only) |

(1) The default value can be changed using the change ModbusPort command.