Configuration File

Overview

The IPv4 (Internet Protocol version 4) firewall rules are defined in a configuration file which is located in: ide0:/Firewall/IPv4_rules.cfg on the memory card of the LMC controller. (IPv6 is not supported by the PacDrive LMC controllers).

The controller reads the configuration file during boot and configures the firewall accordingly.

The following diagnostic messages are displayed in the message logger in this (regular) case:

Diagnostic code	Diagnostic message	Diagnostic class
8251	Firewall activated	Message (1)
8256	Firewall configuration file loaded	Message (1)

If the configuration file does not exist, the firewall is generated with predefined default rules.

In this case, an additional diagnostic message (Firewall configuration file created) is displayed in the message logger:

Diagnostic code	Diagnostic message	Diagnostic class
8251	Firewall activated	Message (1)
8256	Firewall configuration file loaded	Message (1)
8257	Firewall configuration file created	Message (1)

Also refer to Firewall-Related Diagnostic Messages.

Automatically Generated Configuration File

The following code snippet provides the content of the automatically generated configuration file:

Row	Code
`1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21`	block in on fei0 all block in on gei0 all block in on nei0 all pass out quick from any to any keep state pass in quick proto icmp from any to me keep state pass in quick proto tcp from any to me port = 21 keep state pass in quick proto tcp from any to me port = 1105 keep state pass in quick proto tcp from any to me port = 4840 keep state pass in quick proto tcp from any to me port = 5000 keep state pass in quick proto tcp from any to me port = 8080 keep state pass in quick proto tcp from any to me port = 11740 keep state pass in quick proto udp from any to me port = 1202 keep state pass in quick proto udp from any to me port = 1203 keep state pass in quick proto udp from any to me port = 1740 keep state pass in quick proto udp from any to me port = 1741 keep state pass in quick proto udp from any to me port = 1742 keep state pass in quick proto udp from any to me port = 1743 keep state pass in quick proto udp from any to me port = 27127 keep state pass in quick proto tcp from any to me port >= 65000 keep state # pass in quick proto tcp from any to any port = 50000 keep state # pass in quick proto udp from any to any port = 35021 keep state

Row

Code

block in on fei0 all
block in on gei0 all
block in on nei0 all
pass out quick from any to any keep state
pass in quick proto icmp from any to me keep state
pass in quick proto tcp from any to me port = 21 keep state
pass in quick proto tcp from any to me port = 1105 keep state
pass in quick proto tcp from any to me port = 4840 keep state
pass in quick proto tcp from any to me port = 5000 keep state
pass in quick proto tcp from any to me port = 8080 keep state
pass in quick proto tcp from any to me port = 11740 keep state
pass in quick proto udp from any to me port = 1202 keep state
pass in quick proto udp from any to me port = 1203 keep state
pass in quick proto udp from any to me port = 1740 keep state
pass in quick proto udp from any to me port = 1741 keep state
pass in quick proto udp from any to me port = 1742 keep state
pass in quick proto udp from any to me port = 1743 keep state
pass in quick proto udp from any to me port = 27127 keep state
pass in quick proto tcp from any to me port >= 65000 keep state
# pass in quick proto tcp from any to any port = 50000 keep state
# pass in quick proto udp from any to any port = 35021 keep state

Also refer to Applications / Ports (Default Firewall Configuration).

The first line blocks the incoming traffic on the Ethernet interface fei0 (PacDrive LMC Eco and PacDrive LMC Pro).
The second line blocks the incoming traffic on the Ethernet interface gei0 (PacDrive LMC Pro2).
The third line blocks the incoming traffic on the additional standard Ethernet interface nei0 (PacDrive LMC Eco, PacDrive LMC Pro and PacDrive LMC Pro2).
The fourth line enables stateful inspection for outgoing connections.
The fifth line allows incoming ICMP (Internet Control Message Protocol) packets, for example, ping requests.
The following lines allow incoming TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) traffic for known services on defined ports.
The last two lines contain deactivated rules for the NAT (Network Address Translation) mechanism to TM5CSLC•00.

You can edit the file on the memory card to permanently allow incoming traffic for additional applications / ports. Except while the initial generation process, the file is not automatically modified by the PacDrive LMC controller firmware.

Firewall Rules

For the syntax and the keywords, refer to Firewall Rules.

Stateful Inspection (keep state)

Stateful inspection analyzes the transport layer headers in data packets to track the state of network connections. Using this header information, stateful inspection identifies whether each packet is a new connection request or a packet belonging to a previously established connection. You can write filtering rules to pass or block packets based on the state information. Stateful inspection keeps the state for TCP (Transmission Control Protocol) packets, UDP (User Datagram Protocol) packets and ICMP (Internet Control Message Protocol) echo packets.

Firewall stateful inspection requires a rule with a keep state keyword to create a state tracking entry for incoming or outgoing packets. When a packet matches the rule, the firewall temporarily opens a port for packets arriving in response to such a request.

The firewall then matches packets against active state entries before checking other rules. If there is a matching state entry, the firewall bypasses other rules and accepts the packet. If the state entry has timed out, the packet is tested against the remaining rules in the rule set.

The state tracking entry contains the following information:

Source and destination IP addresses
Source and destination ports for TCP and UDP
ICMP Id and sequence number for ICMP echo

Error Handling

If the configuration file is invalid or an error is detected while reading, the default rules are loaded to provide a certain security level. The configuration file on the memory card is not modified.

An error message (8254) and an advisory message (8255) are written to the message logger:

Diagnostic code	Diagnostic message	Diagnostic class
8251	Firewall activated	Message (1)
8255	Firewall applied default rules	Alert (2)
8254	Firewall configuration file error detected	Error (3)

Also refer to Firewall-Related Diagnostic Messages.

Reset Configuration

To reset the firewall configuration, delete the configuration file and restart the logic motion controller or call FC_LoadDefaultPortRules once. After that, a new firewall configuration file with default rules is generated.