This section describes how script files (default script files or dynamic script files) are written so that they can be executed when the controller boots or when a specific command triggers them.
The following commands are available to manage the Ethernet firewall of the M262 Logic/Motion Controller. In the commands, Ethx is the Ethernet interface name (1).

Command | Description
---|---
Firewall Enable | Blocks the frames from the Ethernet interfaces. If no specific IP address or port is authorized, it is not possible to communicate on the Ethernet interfaces. NOTE: By default, when the firewall is enabled, frames are rejected.
Firewall Disable | Firewall rules are not applied. Frames are not blocked.
Firewall Ethx Default Allow | Frames are accepted by the controller on interface Ethx.
Firewall Ethx Default Reject | Frames are rejected by the controller on interface Ethx. NOTE: If no Default line is present for an interface, the interface behaves as if Firewall Ethx Default Reject had been specified.

(1) Where Ethx is the interface name: Eth1, Eth2, or TMSES4 in the examples on this page.
The following commands are available to configure firewall rules for specific ports and addresses. In the commands, Ethx is the Ethernet interface name (1), port_type is tcp or udp, and Y is a destination port number.

Command | Range | Description
---|---|---
Firewall Ethx Allow IP •.•.•.• | • = 0...255 | Frames from the specified IP address are allowed on all port numbers and port types.
Firewall Ethx Reject IP •.•.•.• | • = 0...255 | Frames from the specified IP address are rejected on all port numbers and port types.
Firewall Ethx Allow IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are allowed for all port numbers and port types. NOTE: A rule with an IP address range is converted into CIDR blocks when it is established in the controller, and each block consumes one rule entry. Example: "Firewall Eth2 Allow IPs 192.168.100.66 to 192.168.100.199 on tcp port 44818" is separated into 7 rules (listed below the tables). Using ranges that correspond to whole subnets avoids saturating the firewall rule table.
Firewall Ethx Reject IPs •.•.•.• to •.•.•.• | • = 0...255 | Frames from the IP addresses in the specified range are rejected for all port numbers and port types.
Firewall Ethx Allow port_type port Y | Y = destination port number | Frames with the specified destination port number are allowed.
Firewall Ethx Reject port_type port Y | Y = destination port number | Frames with the specified destination port number are rejected. NOTE: When IP forwarding is activated, Reject port rules only filter frames whose destination is the controller itself. They are not applied to frames that the controller routes to another network, so a Reject port rule does not protect devices behind the controller.
Firewall Ethx Allow port_type ports Y1 to Y2 | Y1, Y2 = destination port numbers | Frames with a destination port number in the specified range are allowed.
Firewall Ethx Reject port_type ports Y1 to Y2 | Y1, Y2 = destination port numbers | Frames with a destination port number in the specified range are rejected.
Firewall Ethx Allow IP •.•.•.• on port_type port Y | • = 0...255, Y = destination port number | Frames from the specified IP address and with the specified destination port number are allowed.
Firewall Ethx Reject IP •.•.•.• on port_type port Y | • = 0...255, Y = destination port number | Frames from the specified IP address and with the specified destination port number are rejected.
Firewall Ethx Allow IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y1, Y2 = destination port numbers | Frames from the specified IP address and with a destination port number in the specified range are allowed.
Firewall Ethx Reject IP •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y1, Y2 = destination port numbers | Frames from the specified IP address and with a destination port number in the specified range are rejected.
Firewall Ethx Allow IPs •.•.•.• to •.•.•.• on port_type port Y | • = 0...255, Y = destination port number | Frames from an IP address in the specified range and with the specified destination port number are allowed.
Firewall Ethx Reject IPs •.•.•.• to •.•.•.• on port_type port Y | • = 0...255, Y = destination port number | Frames from an IP address in the specified range and with the specified destination port number are rejected.
Firewall Ethx Allow IPs •.•.•.• to •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y1, Y2 = destination port numbers | Frames from an IP address in the specified range and with a destination port number in the specified range are allowed.
Firewall Ethx Reject IPs •.•.•.• to •.•.•.• on port_type ports Y1 to Y2 | • = 0...255, Y1, Y2 = destination port numbers | Frames from an IP address in the specified range and with a destination port number in the specified range are rejected.
Firewall Ethx Allow MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address are allowed. NOTE: As soon as an Allow MAC rule is applied, only the listed MAC addresses can communicate with the controller, regardless of any other Allow rules.
Firewall Ethx Reject MAC ••:••:••:••:••:•• | • = 0...F | Frames from the specified MAC address are rejected.
Firewall Ethx Established to port Y | Y = 0...65535 | Reply frames of TCP/UDP exchanges that the controller itself initiated toward the specified destination port are allowed (the controller acting as client).

(1) Where Ethx is the interface name: Eth1, Eth2, or TMSES4 in the examples on this page.
; Enable the firewall. All frames are rejected until a rule allows them;
FireWall Enable;
; Accept frames on Eth1 by default
FireWall Eth1 Default Allow;
; Block Modbus TCP requests from any IP address on Eth1
Firewall Eth1 Reject tcp port 502;
; Reject frames on Eth2 by default
FireWall Eth2 Default Reject;
; Allow FTP in active mode (ports 20 and 21) from IP address 85.16.0.17 on Eth2
FireWall Eth2 Allow IP 85.16.0.17 on tcp ports 20 to 21;
For example, the rule

"FireWall Eth2 Allow IPs 192.168.100.66 to 192.168.100.199 on tcp port 44818;"

is separated into 7 CIDR rules:
192.168.100.66/31
192.168.100.68/30
192.168.100.72/29
192.168.100.80/28
192.168.100.96/27
192.168.100.128/26
192.168.100.192/29
Each CIDR block consumes one rule entry, so an arbitrary address range can saturate the rule table. To prevent a firewall error, specify whole subnets (for example 192.168.100.0 to 192.168.100.255, which becomes the single rule 192.168.100.0/24) rather than arbitrary ranges.
The following is an example of a firewall in white list mode: all communication is blocked by default and only the necessary services are allowed. The comments below describe each command of the script, interface by interface.

; Enable the firewall.

Eth1 Configuration
; Reject all frames on interface ETH1 by default. In this example, ETH1 is connected to the Industrial Ethernet devices network and can therefore be relatively trusted.
; Allow the Modbus TCP server on interface ETH1. Modbus has no authentication, so this should be allowed only on trusted networks.
; Allow replies to communication established by the controller to TCP port 502. This is necessary when using the PlcCommunication library to communicate with the Modbus TCP protocol.
; Allow replies to the EtherNet/IP scanner's implicit exchanges on UDP port 2222 on interface ETH1.
; Allow replies to communication established by the controller to TCP port 44818 (EtherNet/IP) on interface ETH1. The last two commands allow the EtherNet/IP scanner to communicate with the industrial Ethernet devices.

Eth2 Configuration
; Reject all frames on interface ETH2 by default. This interface is connected to a network used mainly for commissioning.
; Allow the OPC UA server on interface ETH2.
; Allow the web server (HTTPS) on interface ETH2.
; Allow WebVisualisation (HTTPS) on interface ETH2.
; Allow FTP in active mode on interface ETH2.
; Allow the IP address of the commissioning PC to discover and configure the IP address of the controller. This should be allowed only on a trusted network, because the IP address can be changed even when User Rights are configured.
; Allow the IP addresses of the commissioning PC and of an HMI to communicate with the controller using the Machine Expert protocol.
; Allow Fast TCP on interface ETH2. This allows connecting to the controller over TCP.
; Allow implicit communication on UDP port 2222 (EtherNet/IP) on interface ETH2.
; Allow explicit communication to TCP port 44818 (EtherNet/IP) on interface ETH2. The last two commands allow the controller to be used as an EtherNet/IP adapter.
; Allow the MAC address of the HMI.
; Allow the MAC address of the commissioning PC. Once MAC addresses are allowed, only the allowed MAC addresses can communicate with the controller.

Eth3 Configuration (TMSES4)
; Reject all frames on TMSES4 by default. This interface is connected to the plant network and can reach the web, so it should be considered untrusted.
; Allow an HTTP client (for example to connect to Machine Advisor) on interface TMSES4.
; Allow Fast TCP on interface TMSES4. This allows connecting to the controller remotely. It must not be allowed unless User Rights are activated on the controller.
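The rule tables and the white-list comments above describe how rules are written and how an address range is expanded into CIDR rules. The following Python script is an added example, not code from the Schneider documentation or from the controller. It parses script lines in the syntax shown on this page (RULE_RE and CTRL_RE are a grammar inferred from the page's own examples; the MAC and Established keywords are assumed to follow the same form), expands an Allow IPs range into the CIDR entries the controller creates so the rule cost is visible before a script is loaded, and flags three of the pitfalls the page notes: a script that never enables the firewall, an interface with no Default line, and an Allow MAC rule. SAMPLE_SCRIPT is constructed here following the white-list comments; its 10.0.0.x addresses and its MAC address are placeholders, not documented values.

```python
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List

# Rule grammar inferred from this page's examples:
#   Firewall <iface> Allow|Reject [IP a | IPs a to b | MAC m] [on] [tcp|udp port n | ports n to m]
RULE_RE = re.compile(
    r"^firewall\s+(?P<iface>\w+)\s+(?P<action>allow|reject)"
    r"(?:\s+ip\s+(?P<ip>[\d.]+)|\s+ips\s+(?P<lo>[\d.]+)\s+to\s+(?P<hi>[\d.]+)"
    r"|\s+mac\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?"
    r"(?:\s+(?:on\s+)?(?P<proto>tcp|udp)\s+"
    r"(?:port\s+(?P<port>\d+)|ports\s+(?P<plo>\d+)\s+to\s+(?P<phi>\d+)))?$",
    re.IGNORECASE)
# Control statements: Enable/Disable, <iface> Default Allow|Reject, <iface> Established to port n
CTRL_RE = re.compile(
    r"^firewall\s+(?:(?P<global>enable|disable)|(?P<iface>\w+)\s+"
    r"(?:default\s+(?P<default>allow|reject)|established\s+to\s+port\s+(?P<est>\d+)))$",
    re.IGNORECASE)

# One stored rule entry; cidr/mac/proto are None when the rule has no such condition.
Entry = namedtuple("Entry", "iface action cidr mac proto port_lo port_hi")


def _statement(line: str) -> str:
    """Strip whitespace and the trailing ';'; a leading ';' marks a comment line."""
    s = line.strip()
    return "" if s.startswith(";") else s.rstrip(";").strip()


def expand_rule(line: str) -> List[Entry]:
    """Parse one Allow/Reject rule; an IP range becomes one entry per CIDR block."""
    m = RULE_RE.match(_statement(line))
    if not m or not (m["ip"] or m["lo"] or m["mac"] or m["proto"]):
        raise ValueError(f"unrecognised rule: {line!r}")
    plo = phi = None
    if m["port"]:
        plo = phi = int(m["port"])
    elif m["plo"]:
        plo, phi = int(m["plo"]), int(m["phi"])
    if m["ip"]:
        cidrs = [str(ipaddress.IPv4Network(m["ip"]))]  # single host -> /32
    elif m["lo"]:
        lo, hi = ipaddress.IPv4Address(m["lo"]), ipaddress.IPv4Address(m["hi"])
        if hi < lo:
            raise ValueError(f"range end precedes start: {line!r}")
        # Minimal CIDR cover of the inclusive range, as the controller does.
        cidrs = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    else:
        cidrs = [None]
    proto = m["proto"].lower() if m["proto"] else None
    mac = m["mac"].lower() if m["mac"] else None
    return [Entry(m["iface"], m["action"].lower(), c, mac, proto, plo, phi) for c in cidrs]


def check_script(text: str) -> Dict[str, object]:
    """Walk a whole script; return expanded entries, per-interface defaults and warnings."""
    entries: List[Entry] = []
    defaults: Dict[str, str] = {}
    established = []
    enabled = False
    for raw in text.splitlines():
        s = _statement(raw)
        if not s:
            continue
        c = CTRL_RE.match(s)
        if c is None:
            entries.extend(expand_rule(s))
        elif c["global"]:
            enabled = c["global"].lower() == "enable"
        elif c["default"]:
            defaults[c["iface"]] = c["default"].lower()
        else:
            established.append((c["iface"], int(c["est"])))
    warnings: List[str] = []
    if not enabled:
        warnings.append("no 'Firewall Enable': rules are not applied")
    used = {e.iface for e in entries} | {i for i, _ in established}
    for iface in sorted(used - set(defaults)):
        warnings.append(f"{iface}: no Default line, behaves as Default Reject")
    for iface in sorted({e.iface for e in entries if e.mac and e.action == "allow"}):
        warnings.append(f"{iface}: Allow MAC present, only listed MACs reach the controller")
    return {"enabled": enabled, "defaults": defaults, "established": established,
            "entries": entries, "warnings": warnings}


# Constructed sample following the white-list comments above; the 10.0.0.x
# addresses and the MAC are placeholders, not values from the documentation.
SAMPLE_SCRIPT = """\
FireWall Enable;
FireWall Eth1 Default Reject;
FireWall Eth1 Allow tcp port 502;
FireWall Eth1 Established to port 502;
FireWall Eth2 Default Reject;
FireWall Eth2 Allow tcp port 4840;
FireWall Eth2 Allow IP 10.0.0.20 on udp ports 27126 to 27127;
FireWall Eth2 Allow IPs 10.0.0.20 to 10.0.0.21 on udp ports 1740 to 1743;
FireWall Eth2 Allow MAC 00:11:22:33:44:55;
; TMSES4: no Default line and a non-aligned range, to show the warnings and the rule cost.
FireWall TMSES4 Allow IPs 192.168.100.66 to 192.168.100.199 on tcp port 44818;
"""
```

Running check_script(SAMPLE_SCRIPT) reports 12 rule entries, of which the single non-aligned TMSES4 range accounts for 7; specifying the whole 192.168.100.0 to 192.168.100.255 subnet instead costs one entry. The report also warns that TMSES4 has no Default line and that the Allow MAC rule on Eth2 restricts the controller to the listed MAC addresses.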
Destination port numbers of the services referenced in the examples:

Protocol | Destination Port Numbers
---|---
Machine Expert | UDP 1740, 1741, 1742, 1743; TCP 11740
FTP | TCP 21, 20
HTTP | TCP 80
HTTPS | TCP 443
Modbus | TCP 502
OPC UA | TCP 4840
Machine Expert Discovery | UDP 27126, 27127
Bonjour Discovery Protocol | UDP 5353
Web Services Dynamic Discovery | UDP 3702; TCP 5357
SNMP | UDP 161, 162
NVL | UDP (default value: 1202)
EtherNet/IP | UDP 2222; TCP 44818
WebVisualisation | HTTP 8080; HTTPS 8089
TFTP | UDP 69 (used for FDR server only)
 | UDP 35021, 45000
 | UDP 45001...45004