The IPv4 (Internet Protocol version 4) firewall rules are defined in a configuration file located at ide0:/Firewall/IPv4_rules.cfg on the memory card of the LMC controller. (IPv6 is not supported by the PacDrive LMC controllers.)
The controller reads the configuration file once during boot and configures the firewall accordingly; changes to the file therefore take effect only after the next restart.
The following diagnostic messages are displayed in the message logger in this (regular) case:
Diagnostic code | Diagnostic message | Diagnostic class
---|---|---
8251 | | Message (1)
8256 | | Message (1)
If the configuration file does not exist, the firewall is configured with the predefined default rules and a configuration file containing these rules is written to the memory card.
In this case, an additional diagnostic message (8257, Firewall configuration file created) is displayed in the message logger:
Diagnostic code | Diagnostic message | Diagnostic class
---|---|---
8251 | | Message (1)
8256 | | Message (1)
8257 | Firewall configuration file created | Message (1)
Also refer to Firewall-Related Diagnostic Messages.
Automatically Generated Configuration File
The following code snippet provides the content of the automatically generated configuration file:
Row | Code
---|---
1 | block in on fei0 all
Also refer to chapter Applications / Ports (Default Firewall Configuration).
- The first two lines block all incoming traffic on the Ethernet port (fei0 = PacDrive LMC Eco and PacDrive LMC Pro, gei0 = PacDrive LMC Pro2).
- The third line enables stateful inspection for all outgoing connections.
- The fourth line allows all incoming ICMP (Internet Control Message Protocol) packets, for example, ping requests.
- The following lines allow incoming TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) traffic for known services on defined ports.
- The last two lines contain deactivated rules for the NAT (Network Address Translation) mechanism to TM5CSLC•00.
You can edit the file on the memory card to permanently allow incoming traffic for additional applications / ports. Apart from the initial generation, the file is never modified automatically by the PacDrive LMC controller firmware. Keep in mind that the reverse also holds: anyone who can write to the memory card can change the firewall rules, so restrict write access to the card and keep a known-good copy of the file so that unwanted changes can be detected and reverted.
For the syntax and the keywords, refer to chapter Firewall Rules.
Stateful Inspection (keep state)
Stateful inspection analyzes the transport layer headers in data packets to track the state of network connections. Using this header information, stateful inspection identifies whether each packet is a new connection request or a packet belonging to a previously established connection. You can write filtering rules to pass or block packets based on the state information. Stateful inspection keeps the state for TCP (Transmission Control Protocol) packets, UDP (User Datagram Protocol) packets and ICMP (Internet Control Message Protocol) echo packets.
Firewall stateful inspection requires a rule with a keep state keyword to create a state tracking entry for incoming or outgoing packets. When a packet matches the rule, the firewall temporarily opens a port for packets arriving in response to such a request.
The firewall then matches packets against active state entries before checking other rules. If there is a matching state entry, the firewall bypasses other rules and accepts the packet. If the state entry has timed out, the packet is tested against the remaining rules in the rule set.
The state tracking entry contains the following information:
- Source and destination IP addresses
- Source and destination ports for TCP and UDP
- ICMP Id and sequence number for ICMP echo
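The following added example (not PacDrive firmware code, and not the controller's rule syntax) models the state tracking just described: rules and packets are Python objects, a rule with keep state creates an entry keyed on the fields listed above, and every packet is checked against live entries before the rule set. The last-match rule order, the refresh-on-match timeout and the default-deny fallback are assumptions of this model; the service port 10000 and all addresses are constructed.

```python
# Added example (not PacDrive firmware): a model of the stateful inspection
# described above. Last-match rule order, refresh-on-match timeout and the
# default-deny fallback are assumptions of this model, not documented behaviour.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", seen from the controller
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0            # TCP/UDP source port
    dport: int = 0            # TCP/UDP destination port
    icmp_echo: bool = False   # True for ICMP echo request / echo reply
    icmp_id: int = 0
    icmp_seq: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    keep_state: bool = False     # "keep state": create a state entry on match

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))

class StatefulFirewall:
    def __init__(self, rules: List[Rule], state_timeout: float = 60.0):
        self.rules = rules
        self.state_timeout = state_timeout
        self.state: Dict[Tuple, float] = {}  # state key -> expiry time (seconds)

    @staticmethod
    def state_key(pkt: Packet) -> Optional[Tuple]:
        # Direction-independent key built from the fields listed above:
        # addresses + ports for TCP/UDP, addresses + id + seq for ICMP echo.
        if pkt.proto in ("tcp", "udp"):
            ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
            return (pkt.proto, ends)
        if pkt.proto == "icmp" and pkt.icmp_echo:
            return ("icmp-echo", tuple(sorted([pkt.src, pkt.dst])), pkt.icmp_id, pkt.icmp_seq)
        return None  # other ICMP is not tracked

    def filter(self, pkt: Packet, now: float) -> str:
        # Returns "pass:state", "pass:rule", "block:rule" or "block:default".
        key = self.state_key(pkt)
        # Active state entries are checked first and bypass the rule set.
        if key is not None and key in self.state:
            if now < self.state[key]:
                self.state[key] = now + self.state_timeout  # refresh on match
                return "pass:state"
            del self.state[key]  # timed out: fall through to the rules
        # The last matching rule decides (fits a file that blocks everything
        # first, then passes specific traffic); "keep state" creates an entry.
        decision = None
        for rule in self.rules:
            if rule.matches(pkt):
                decision = rule
        if decision is None:
            return "block:default"
        if decision.action == "pass" and decision.keep_state and key is not None:
            self.state[key] = now + self.state_timeout
        return decision.action + ":rule"

# Rule set shaped like the generated file: block inbound, stateful outbound,
# inbound ICMP, one inbound service port (placeholder value, not a real port).
SERVICE_PORT = 10000
DEFAULT_RULES = [
    Rule("block", "in"),
    Rule("pass", "out", keep_state=True),
    Rule("pass", "in", proto="icmp"),
    Rule("pass", "in", proto="tcp", dport=SERVICE_PORT, keep_state=True),
]

def demo() -> List[str]:
    # Constructed addresses and traffic; returns the decision for each packet.
    fw = StatefulFirewall(DEFAULT_RULES, state_timeout=60.0)
    ctl, peer, other = "192.168.1.10", "192.168.1.20", "192.168.1.30"
    out_req = Packet("out", "tcp", ctl, peer, sport=40000, dport=80)
    in_reply = Packet("in", "tcp", peer, ctl, sport=80, dport=40000)
    in_unsol = Packet("in", "tcp", other, ctl, sport=5555, dport=80)
    in_svc = Packet("in", "tcp", other, ctl, sport=5556, dport=SERVICE_PORT)
    ping = Packet("out", "icmp", ctl, peer, icmp_echo=True, icmp_id=7, icmp_seq=1)
    pong = Packet("in", "icmp", peer, ctl, icmp_echo=True, icmp_id=7, icmp_seq=1)
    pong9 = Packet("in", "icmp", peer, ctl, icmp_echo=True, icmp_id=7, icmp_seq=9)
    return [
        fw.filter(out_req, now=0.0),    # outbound passes; state entry created
        fw.filter(in_reply, now=1.0),   # reply matches the entry, rules skipped
        fw.filter(in_unsol, now=1.0),   # unsolicited inbound hits "block in"
        fw.filter(in_svc, now=2.0),     # service rule passes it (last match wins)
        fw.filter(ping, now=4.0),       # outbound echo request tracked by id/seq
        fw.filter(pong, now=5.0),       # matching echo reply comes in via state
        fw.filter(pong9, now=5.0),      # other seq: no entry, ICMP rule passes it
        fw.filter(in_reply, now=200.0), # entry expired: back to rules, blocked
    ]
```

The last call in demo() is the case worth remembering when debugging a connection that suddenly drops: once the entry has timed out, the reply is no longer accepted on the strength of the original request and is judged by the rule set alone, where the block in rule wins.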
If the configuration file is invalid or an error is detected while reading it, the predefined default rules are loaded so that the controller still has a basic level of protection. The configuration file on the memory card is left unchanged, so the error recurs at every boot until the file is corrected. Note that the default rules then replace whatever the file was meant to enforce: additional ports you had opened are closed, and any rules stricter than the defaults are not in effect. Check the message logger for the two messages below after every edit of the file.
An error message (8254) and an alert (8255) are written to the message logger:
Diagnostic code | Diagnostic message | Diagnostic class
---|---|---
8251 | | Message (1)
8255 | | Alert (2)
8254 | | Error (3)
Also refer to Firewall-Related Diagnostic Messages.
To reset the firewall configuration to the defaults, either delete the configuration file and restart the logic motion controller, or call FC_LoadDefaultPortRules once. In both cases a new configuration file with the default rules is generated; any rules you had added are lost, so back up the file first if you want to restore them later.