This section describes how script files (default script files or dynamic script files) are written so that they can be executed when the controller boots or when a specific command is triggered.
The following commands are available to manage the Ethernet firewall of the M251 Logic Controller:
Command | Description
---|---
Firewall Enable | Blocks the frames from the Ethernet interfaces. If no specific IP address is authorized, it is not possible to communicate on the Ethernet interfaces. NOTE: By default, when the firewall is enabled, the frames are rejected.
Firewall Disable | Firewall rules are not applied. Frames are not blocked.
Firewall Ethx Default Allow (1) | Frames are accepted by the controller.
Firewall Ethx Default Reject (1) | Frames are rejected by the controller. NOTE: If this line is absent for an interface, the interface behaves as if Firewall Ethx Default Reject were present.
(1) Where Ethx = For TM251MESC:
For TM251MESE:
The following commands are available to configure firewall rules for specific ports and addresses:
Command | Range | Description
---|---|---
Firewall Ethx Allow IP •.•.•.• | • = 0...255 | Frames from the specified IP address are allowed on all port numbers and port types.
Firewall Ethx Reject IP •.•.•.• | • = 0...255 | Frames from the specified IP address are rejected on all port numbers and port types.
Firewall Ethx Allow IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are allowed on all port numbers and port types.
Firewall Ethx Reject IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are rejected on all port numbers and port types.
Firewall Ethx Allow port_type port Y | Y = destination port number | Frames with the specified destination port number are allowed.
Firewall Ethx Reject port_type port Y | Y = destination port number | Frames with the specified destination port number are rejected. NOTE: When IP forwarding is activated, Reject port rules only filter frames whose destination is the controller itself. They are not applied to frames the controller routes, so such a rule does not protect devices behind the controller.
Firewall Ethx Allow port_type ports Y1 to Y2 | Y = destination port number | Frames with a destination port number in the specified range are allowed.
Firewall Ethx Reject port_type ports Y1 to Y2 | Y = destination port number | Frames with a destination port number in the specified range are rejected.
Firewall Ethx Allow IP •.•.•.• on port_type port Y | • = 0...255; Y = destination port number | Frames from the specified IP address and with the specified destination port number are allowed.
Firewall Ethx Reject IP •.•.•.• on port_type port Y | • = 0...255; Y = destination port number | Frames from the specified IP address and with the specified destination port number are rejected.
Firewall Ethx Allow IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255; Y = destination port number | Frames from the specified IP address and with a destination port number in the specified range are allowed.
Firewall Ethx Reject IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255; Y = destination port number | Frames from the specified IP address and with a destination port number in the specified range are rejected.
Firewall Ethx Allow IPs •.•.•.• to •.•.•.• on port_type port Y | • = 0...255; Y = destination port number | Frames from an IP address in the specified range and with the specified destination port number are allowed.
Firewall Ethx Reject IPs •.•.•.• to •.•.•.• on port_type port Y | • = 0...255; Y = destination port number | Frames from an IP address in the specified range and with the specified destination port number are rejected.
Firewall Ethx Allow IPs •.•.•.• to •.•.•.• on port_type ports Y1 to Y2 | • = 0...255; Y = destination port number | Frames from an IP address in the specified range and with a destination port number in the specified range are allowed.
Firewall Ethx Reject IPs •.•.•.• to •.•.•.• on port_type ports Y1 to Y2 | • = 0...255; Y = destination port number | Frames from an IP address in the specified range and with a destination port number in the specified range are rejected.
Firewall Ethx Allow MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are allowed. NOTE: Once any Allow MAC rule is present, only the listed MAC addresses can communicate with the controller, even if other Allow rules exist.
Firewall Ethx Reject MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address ••:••:••:••:••:•• are rejected.
Ethx is the Ethernet interface (see note (1) above); port_type is tcp or udp, and keywords are accepted in either case, as the example script shows.
Example firewall script:

```text
; Enable the firewall. All frames are rejected until a rule allows them
FireWall Enable;
; Allow frames on Eth1
FireWall Eth1 Default Allow;
; Block all Modbus requests from all IP addresses
Firewall Eth1 Reject tcp port 502;
; Reject frames on Eth2
FireWall Eth2 Default Reject;
; Allow Fast TCP on interface Eth1. This allows connecting to the controller over TCP
Firewall Eth1 Allow TCP port 1105;
; Allow FTP active connection for IP address 85.16.0.17
FireWall Eth2 Allow IP 85.16.0.17 on tcp ports 20 to 21;
```
An IP address range given with IPs a to b is applied as the set of subnets (CIDR blocks) that exactly covers it. For example:
"FireWall Eth2 Allow IPs 192.168.100.66 to 192.168.100.199 on tcp port 44818;"
is separated into 7 subnets:
192.168.100.66/31
192.168.100.68/30
192.168.100.72/29
192.168.100.80/28
192.168.100.96/27
192.168.100.128/26
192.168.100.192/29
To prevent a firewall error, use ranges that correspond to entire subnets.
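The split above can be reproduced and checked before a script is loaded. The following Python block is an added example, not code from this page or from Schneider: it uses the standard library's ipaddress module to compute the minimal exact cover of a range (which yields exactly the seven subnets the page lists), extracts the range from a command line, and also shows what the "entire subnet" alternative costs, since the smallest single subnet that contains a misaligned range admits addresses the range did not ask for. The function names and the covering-subnet helper are this example's own.

```python
"""Expand an 'IPs a to b' range into the subnets the firewall applies.

Added example; relies on Python's ipaddress module, not Schneider's code,
but the page's worked example comes out identical.
"""
import ipaddress
import re

# Picks the range out of a command such as
# "FireWall Eth2 Allow IPs 192.168.100.66 to 192.168.100.199 on tcp port 44818;"
RANGE_RE = re.compile(r"\bIPs\s+([\d.]+)\s+to\s+([\d.]+)", re.IGNORECASE)


def split_range(first: str, last: str) -> list[str]:
    """Minimal set of CIDR blocks that exactly covers first..last (inclusive)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} lies above range end {hi}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def subnets_for_command(command: str) -> list[str]:
    """Subnets derived from one 'Firewall Ethx Allow|Reject IPs a to b ...' command."""
    m = RANGE_RE.search(command)
    if m is None:
        raise ValueError("command carries no 'IPs a to b' range")
    return split_range(m[1], m[2])


def covering_subnet(first: str, last: str) -> str:
    """Smallest single subnet containing the whole range: the aligned
    alternative the page recommends, which may admit extra addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(lo.max_prefixlen, -1, -1):       # /32 down to /0
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return str(net)
    raise AssertionError("unreachable: /0 contains every address")


def extra_addresses(first: str, last: str) -> int:
    """How many addresses the covering subnet admits beyond the requested range."""
    net = ipaddress.ip_network(covering_subnet(first, last))
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return net.num_addresses - wanted


if __name__ == "__main__":
    cmd = "FireWall Eth2 Allow IPs 192.168.100.66 to 192.168.100.199 on tcp port 44818;"
    for net in subnets_for_command(cmd):
        print(net)
    print("single covering subnet:", covering_subnet("192.168.100.66", "192.168.100.199"),
          "admits", extra_addresses("192.168.100.66", "192.168.100.199"), "extra addresses")
```

For the page's range the single covering subnet is 192.168.100.0/24, which admits 122 addresses beyond the 134 requested; an aligned range such as 192.168.100.64 to 192.168.100.127 needs one subnet and admits nothing extra. When widening a range to avoid the firewall error, compare the two outputs and decide whether the extra hosts may really reach the port in question.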
Destination port numbers used by the protocols the controller supports, for use in port rules:

Protocol | Destination port numbers
---|---
Machine Expert | UDP 1740, 1741, 1742, 1743; TCP 1105
FTP | TCP 21
HTTP / HTTPS | TCP 80, 443 (web server); TCP 8080 (web visualization)
Modbus | TCP 502 (1)
OPC UA | TCP 4840
Machine Expert Discovery | UDP 27126, 27127
SNMP | UDP 161, 162
NVL | UDP, default value 1202
EtherNet/IP | UDP 2222; TCP 44818
TFTP | UDP 69 (used for FDR server only)
(1) The default value can be changed using the change ModbusPort command.
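The default policies, rules and precedence described in the tables above can be checked offline before a script is loaded on a controller. The following Python evaluator is an added example, not Schneider's code: it parses the command forms shown on this page (Enable and Disable, Ethx Default, Allow and Reject by IP, IP range, port, port range and MAC), then decides per inbound frame. Where the page is silent it assumes that a matching rule overrides the interface default, that Reject wins when an Allow and a Reject rule both match the same frame, that a MAC allow-list is scoped to the interface it is declared on, and that Firewall Disable is the counterpart of Firewall Enable. PAGE_SCRIPT is the example script from this page; MAC_RULE, the Frame and Rule types and the sample addresses are constructed for the example.

```python
"""Offline evaluator for M251 firewall script lines (added example, not
Schneider's code). Assumed where the page is silent: a matching rule overrides
the interface default, Reject wins when Allow and Reject both match, a MAC
allow-list is scoped to its interface, and Firewall Disable mirrors Enable."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    iface: str                            # "eth1" or "eth2"
    src_ip: str
    proto: str                            # "tcp" or "udp"
    dport: int                            # destination port
    src_mac: str = "02:00:00:00:00:01"    # constructed, locally administered


@dataclass
class Rule:
    iface: str
    action: str                           # "allow" or "reject"
    ip_lo: Optional[ipaddress.IPv4Address]
    ip_hi: Optional[ipaddress.IPv4Address]
    proto: Optional[str]
    port_lo: Optional[int]
    port_hi: Optional[int]
    mac: Optional[str]

    def matches(self, f: Frame) -> bool:
        """A rule matches when every criterion it carries fits the frame."""
        ip_ok = self.ip_lo is None or self.ip_lo <= ipaddress.ip_address(f.src_ip) <= self.ip_hi
        port_ok = self.proto is None or (f.proto == self.proto and self.port_lo <= f.dport <= self.port_hi)
        mac_ok = self.mac is None or f.src_mac.lower() == self.mac
        return self.iface == f.iface and ip_ok and port_ok and mac_ok


# Grammar as shown by the commands on the page; keywords are matched case-insensitively.
DEFAULT_RE = re.compile(r"^firewall\s+(eth\d)\s+default\s+(allow|reject)$")
RULE_RE = re.compile(
    r"^firewall\s+(eth\d)\s+(allow|reject)"
    r"(?:\s+ips?\s+([\d.]+)(?:\s+to\s+([\d.]+))?)?"
    r"(?:\s+(?:on\s+)?(tcp|udp)\s+ports?\s+(\d+)(?:\s+to\s+(\d+))?)?"
    r"(?:\s+mac\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5}))?$")


class Firewall:
    def __init__(self) -> None:
        self.enabled = False
        self.default: dict[str, str] = {}          # iface -> "allow" | "reject"
        self.rules: list[Rule] = []

    def load(self, script: str) -> None:
        for raw in script.splitlines():
            text = raw.strip()
            if not text or text.startswith(";"):          # ';' opens a comment line
                continue
            line = text.split(";", 1)[0].strip().lower()  # ';' also ends a command
            if line == "firewall enable":
                self.enabled = True
            elif line == "firewall disable":              # assumed counterpart of Enable
                self.enabled = False
            elif m := DEFAULT_RE.match(line):
                self.default[m[1]] = m[2]
            elif (m := RULE_RE.match(line)) and any(m.groups()[2:]):
                iface, action, ip_lo, ip_hi, proto, p_lo, p_hi, mac = m.groups()
                self.rules.append(Rule(
                    iface, action,
                    ipaddress.ip_address(ip_lo) if ip_lo else None,
                    ipaddress.ip_address(ip_hi or ip_lo) if ip_lo else None,
                    proto, int(p_lo) if p_lo else None, int(p_hi or p_lo) if p_lo else None, mac))
            else:
                raise ValueError(f"unrecognised firewall command: {raw!r}")

    def decide(self, f: Frame) -> str:
        if not self.enabled:
            return "allow"                                 # page: rules not applied
        mac_list = [r.mac for r in self.rules if r.iface == f.iface and r.mac and r.action == "allow"]
        if mac_list and f.src_mac.lower() not in mac_list:
            return "reject"                                # page: only listed MACs may talk
        hits = {r.action for r in self.rules if r.matches(f)}
        if "reject" in hits:
            return "reject"                                # assumption: reject wins
        if "allow" in hits:
            return "allow"
        return self.default.get(f.iface, "reject")         # page: no Default line means Reject


# The page's own example script; MAC_RULE is a constructed addition.
PAGE_SCRIPT = """\
FireWall Enable;
FireWall Eth1 Default Allow;
Firewall Eth1 Reject tcp port 502;
FireWall Eth2 Default Reject;
Firewall Eth1 Allow TCP port 1105;
FireWall Eth2 Allow IP 85.16.0.17 on tcp ports 20 to 21;
"""
MAC_RULE = "FireWall Eth2 Allow MAC 02:00:00:AA:BB:CC;\n"
```

Loading PAGE_SCRIPT and calling decide() reproduces the page's intent: Modbus (TCP 502) on Eth1 is rejected while Machine Expert (TCP 1105) and anything else on Eth1 is allowed by the interface default, and on Eth2 only 85.16.0.17 on TCP 20 to 21 gets through. Appending MAC_RULE shows the allow-list behaviour: the same FTP frame from 85.16.0.17 is now rejected unless it carries the listed MAC. The evaluator does not model the IP-forwarding exception for Reject port rules, and any decision that matters should be confirmed on the controller itself.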