Firewall configuration

The security-related settings for the controller are configured in the Security area of the Web-based Management (WBM).

Accessibility

This WBM page is accessible with user role:

  • Admin
  • SecurityAdmin (from firmware 2022.0 LTS)
 

This WBM page is not accessible if this System Service has been disabled:

  • Firewall Manager

How to get into the WBM

Establishing a connection to the Web-based Management (WBM):

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
    for example: https://192.168.1.10/wbm.

For further information, see WBM.

Use Case

The hazards in public and even private networks are omnipresent, and nowadays no private user would put a computer on a network without a proper firewall configuration. So why should that be any different when working with a PLC?

That's the reason why every PLCnext Control is delivered with a preset firewall.

Concept

PLCnext Technology relies on the proven and widely used Linux® firewall nftables. On a PLCnext Control you do not need to configure the firewall rules via cryptic Linux shell commands: just log on to the Web-based Management and choose from the predefined basic rules, or add your own rules to the set.

How to

Note: You can only open the Firewall page if you are logged into the WBM as an administrator.
For information on user roles, please refer to the User Authentication page of the Security WBM area.

How to work with the WBM user interface

The controller firewall is configured via the Web-based Management. Log in to the WBM as Admin, unfold the Security area and click on Firewall to see the configuration page (PLCnext Control AXC F 2152 as an example):

Screenshot: Firewall Basic configuration (firmware 2023.6)

Screenshot up to firmware version 2023.3: Firewall Basic configuration

Let's walk through all the sections, tabs and menus and look what's in there to configure the firewall on your PLCnext Control to your needs.

Reset and Apply buttons

The buttons in the upper right corner of the page are used after changing settings in the sections below.

  • To reset the firewall to default settings, click Reset.
  • To transfer changed firewall settings to the controller, click Apply.

System Message section

In the System Message section, responses and warnings regarding the transfer of settings to the controller are displayed. The following system messages can occur:

  • Status=Ok: The configured firewall settings were successfully transferred to the controller.
  • Warning: A warning from the controller is issued, e.g., if one or several additional filter configurations are present in the system. The warning contains the designations of all additionally loaded filter tables.
  • Error: At least one firewall configuration is faulty.

System Status section

If the firewall is active, you can generate an overview of all enabled firewall rules in a *.txt file. 

  • Click on Show Rules in the System Status section.
    ↪ The *.txt file with the activated firewall rules is being generated and opens in a dialog box:
    Screenshot: Firewall Active Rules
  • To save the active rules to a *.txt file, click Save to file in the dialog box.
    ↪ The *.txt file is saved to the directory selected in the next step.

General Configuration section

In the General Configuration area, you can view the current firewall status (e.g., Current: stopped), temporarily activate or deactivate the firewall or permanently activate or deactivate the firewall.

Temporarily activating or deactivating the firewall
  • To temporarily activate the firewall, select the Start or Restart entry from the drop-down list in the Status row.
    To activate the configuration, click Apply in the upper right corner.
    ↪ The firewall is activated.
    This setting is no longer active after a restart of the controller.
  • To temporarily deactivate the firewall, select the Stop entry from the drop-down list in the Status row.
    To activate the configuration, click Apply in the upper right corner.
    ↪ The firewall is deactivated.
    This setting is no longer active after a restart of the controller.
Permanently activating or deactivating the firewall
  • To permanently activate the firewall, enable the checkbox in the Activation row.
    ↪ The firewall is activated.
    The firewall remains activated even after a restart of the controller.
  • To permanently deactivate the firewall, disable the checkbox in the Activation row.
    ↪ The firewall is deactivated.
    The firewall remains deactivated even after a restart of the controller.

Configuring the firewall

Configuration of the firewall rules is divided into Basic Configuration and User Configuration.
The Basic Configuration tab provides predefined firewall rules while you can create your own firewall rules on the User Configuration tab.

Action column

The options for activating and deactivating the filter rules are available in the Action column on the Basic Configuration tab as well as on the User Configuration tab.

Select a setting from the drop-down list in the Action column for each firewall rule:

  • Accept: Connections are accepted. The connection request is accepted and the connection can be established.
  • Drop: Connections are dropped. There is no response to the request; the packet is discarded silently.
  • Reject: Connections are rejected. The sender receives a response telling it that the connection was rejected.
  • Continue: The rule is not executed. Choose this option to skip the basic rule and instead use a user-specific rule for the port. User-specific rules are configured in the User Configuration area of the Web-based Management.

To activate this configuration, click Apply in the upper right corner.

Basic Configuration tab

On the Basic Configuration tab, the rules that are stored for the firewall upon delivery are displayed. For each rule, you can select how the respective connections are to be treated.

ICMP Configurations

In the ICMP Configurations section, you specify how incoming and outgoing ICMP echo requests are to be treated. Possible settings are:

  • Incoming ICMP requests accepted
    checkbox enabled: Incoming ICMP echo requests are accepted.
    checkbox disabled: Incoming ICMP echo requests are blocked.
    The controller cannot be reached using a ping command.
  • Outgoing ICMP requests accepted
    checkbox enabled: Outgoing ICMP echo requests are accepted.
    checkbox disabled: Outgoing ICMP echo requests are blocked.
    Ping commands cannot be issued by the controller.
Basic Rules

The Basic Rules section provides predefined firewall rules for different incoming connections, which you can enable or disable in the Action column. The configuration baseline is stored in the /etc/nftables/plcnext-filter file in the controller file system.

The configuration baseline contains the following rules for incoming connections (Direction: Input).

  No.  Description                                                         Protocol  Port
  1    NTP (Network Time Protocol)                                         UDP       Port 123
  2    Common remoting, e.g., using PLCnext Engineer                       TCP       Port 41100
  3    SSH connections, e.g., for SSH shell connection or SFTP connection  TCP       Port 22
  4    HTTP                                                                TCP       Port 80
  5    HTTPS, Proficloud, web server for eHMI and WBM                      TCP       Port 443
  6    OPC UA®                                                             TCP       Port 4840
  7    Matlab® Simulink® in External mode                                  TCP       Port 17725
  8    SNMP (Simple Network Management Protocol)                           TCP       Port 161
  9    PROFINET unicast/multicast ports                                    UDP       Ports 34962 - 34964

Basic rules no. 8 (SNMP) and no. 9 (PROFINET) are only available up to firmware version 2023.3.

The settings are valid for all Ethernet interfaces. A limitation to certain Ethernet interfaces is specified via a user-specific rule on the User Configuration tab (see the User Configuration tab section below).

With some activated firewall rules there is the risk that accessing the controller becomes difficult for you due to blocked ports. Restoring access permissions can result in the loss of user data.

Therefore, please consider the following notes when configuring basic rules:

Blocking the WBM access:
If you select the Reject or Drop action for basic rule no. 5 (TCP Port 443 - HTTPS, PROFICLOUD, eHMI), you can no longer access the WBM of the controller after activating the rule (Apply). Therefore, you can no longer change the firewall rules via the WBM.

  • In case of a permanently started firewall (enabled Activation checkbox in the General Configuration section):
    To stop the firewall in this case, you have to reset the controller to the default settings.
    For more detailed information, please refer to the user manual for your controller.
    Note that during a reset to the default settings, user-specific data (applications, configuration, etc.) is deleted.
    Once the firewall is deactivated, you can again access the WBM.
  • In case of a permanently stopped firewall (disabled Activation checkbox in the General Configuration section):
    The firewall is stopped after restarting the controller. You can again access the WBM.

Observe the following when using a PROFINET controller:

Up to firmware version 2023.3:

If you use the controller as PROFINET controller, you have to ensure that with an activated firewall, Accept is selected for basic rule no. 9 (UDP ports 34962-34964 - PROFINET unicast/multicast ports).
Otherwise, establishing a connection to certain PROFINET devices is not possible.

From firmware version 2023.6:

The firewall rules no. 8 (SNMP) and no. 9 (PROFINET unicast/multicast ports) were removed from the default rules because, with the firewall activated and the default PLCnext rules in place, PROFINET could hardly be used at all. The rules could give the false impression that PROFINET communication is possible even with the firewall activated. At PLCnext Security Info Center - Activating PROFINET you can find information on how to configure the firewall to enable PROFINET communication.

Changing a basic rule

To change a basic rule, proceed as follows:

  • In the Basic Configuration area, set the basic rule to Continue in the Action column. This way, this rule is skipped.
  • Create a new rule in the User Configuration → Input Rules area.
  • Configure the rule for the protocol and the port of the basic rule from the Basic Configuration area.
    Example: You can restrict incoming SSH connection requests via TCP port 22 in more detail, for instance by excluding certain IP addresses or by permitting access only from selected IP addresses.
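The Action semantics described above (Continue skips a basic rule so that a user rule for the same port takes over), the hyphenated range syntax of the User Configuration columns, and the "Changing a basic rule" procedure, modelled in Python as an added example. This is not code from the PLCnext firmware or from its /etc/nftables/plcnext-filter file. The evaluation order (basic rules before user rules, user rules in table order), the drop-by-default behaviour for packets matching no rule, the interface name eth0 and the sample source addresses are assumptions of the example. The as_nft method renders one table row as an nftables-style rule so you can see how a WBM row corresponds to the nftables syntax mentioned in the Concept section; it is an illustration, not the controller's generated ruleset.

```python
# Added example: models the WBM firewall rule semantics described on this page.
# Not code from the PLCnext firmware or its /etc/nftables/plcnext-filter file.
# Assumed, not stated on the page: basic rules are checked before user rules,
# user rules in table order, and a packet that matches no rule is dropped.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def parse_ip_range(text: str) -> Optional[Tuple[IPv4Address, IPv4Address]]:
    """'' or '0.0.0.0' = any; otherwise 'a.b.c.d' or 'a.b.c.d-e.f.g.h' (hyphen, no spaces)."""
    text = text.strip()
    if text in ("", "0.0.0.0"):
        return None
    lo, _, hi = text.partition("-")
    return IPv4Address(lo), IPv4Address(hi or lo)


def parse_port_range(text: str) -> Optional[Tuple[int, int]]:
    """'' or 'any' = any; otherwise '22' or '22-30' (hyphen, no spaces)."""
    text = text.strip()
    if text in ("", "any"):
        return None
    lo, _, hi = text.partition("-")
    lo_p, hi_p = int(lo), int(hi or lo)
    if not 1 <= lo_p <= hi_p <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return lo_p, hi_p


@dataclass
class Packet:
    protocol: str      # "TCP", "UDP" or "UDPLITE"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str     # interface the packet arrived on (constructed names below)


@dataclass
class Rule:
    """One row of the Basic Rules table or of the User Configuration tab."""
    protocol: str = "all"     # TCP / UDP / UDPLITE / all
    to_port: str = ""         # "" = any
    action: str = "Accept"    # Accept / Drop / Reject / Continue
    from_ip: str = ""
    from_port: str = ""
    to_ip: str = ""
    interface: str = ""       # "" = all interfaces (Output rules are always "")
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.action == "Continue":      # Continue: this rule is skipped entirely
            return False
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        if self.interface and self.interface != pkt.interface:
            return False
        for spec, addr in ((self.from_ip, pkt.src_ip), (self.to_ip, pkt.dst_ip)):
            rng = parse_ip_range(spec)
            if rng and not rng[0] <= IPv4Address(addr) <= rng[1]:
                return False
        for spec, port in ((self.from_port, pkt.src_port), (self.to_port, pkt.dst_port)):
            rng = parse_port_range(spec)
            if rng and not rng[0] <= port <= rng[1]:
                return False
        return True

    def as_nft(self) -> str:
        """Illustrative nftables-style rendering of the row ('th' = any transport header)."""
        l4 = "th" if self.protocol == "all" else self.protocol.lower()
        parts: List[str] = [f'iifname "{self.interface}"'] if self.interface else []
        for spec, key in ((self.from_ip, "ip saddr"), (self.to_ip, "ip daddr")):
            if parse_ip_range(spec):
                parts.append(f"{key} {spec}")
        for spec, key in ((self.from_port, "sport"), (self.to_port, "dport")):
            if parse_port_range(spec):
                parts.append(f"{l4} {key} {spec}")
        parts.append(self.action.lower())
        if self.comment:
            parts.append(f'comment "{self.comment}"')
        return " ".join(parts)


def evaluate(basic: List[Rule], user: List[Rule], pkt: Packet, default: str = "Drop") -> str:
    """First matching rule decides: basic table first, then user table in order."""
    for rule in basic + user:
        if rule.matches(pkt):
            return rule.action
    return default


# Basic rules from the page's table; SSH (basic rule no. 3) is set to Continue as in
# the "Changing a basic rule" procedure, HTTP is set to Drop for illustration.
BASIC_RULES = [
    Rule("UDP", "123", "Accept", comment="NTP"),
    Rule("TCP", "22", "Continue", comment="SSH, delegated to user rules"),
    Rule("TCP", "80", "Drop", comment="HTTP"),
    Rule("TCP", "443", "Accept", comment="HTTPS, WBM"),
]
# User Input Rules: SSH only from one address range on one interface ("eth0" is a
# constructed interface name); SSH from any other source is dropped.
USER_INPUT_RULES = [
    Rule("TCP", "22", "Accept", from_ip="192.168.1.10-192.168.1.20", interface="eth0",
         comment="SSH from engineering range only"),
    Rule("TCP", "22", "Drop", comment="SSH from all other sources"),
]
```

Because the two user rules are evaluated in table order, the Accept rule must stay above the Drop rule; moving it below with the Move rule down button would make every SSH request hit the Drop rule first, which is exactly why the page notes that the order determines the priority of the rules.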

User Configuration tab

In addition or as an alternative to the basic rules, you can define and activate your own, user-specific firewall rules for different filter categories in the User Configuration tab. You can create new rules, delete rules or change the order of rules using the buttons at the end of the table.

Adding a new rule

To add a new Input rule, use the Input Rules tab on the User Configuration tab:

Screenshot: new input rule

To add a new Output rule, use the Output Rules tab on the User Configuration tab:

Screenshot: new output rule

When working on a new rule, you will use these buttons:

  • New Rule (plus icon): Adds a new filter rule.
  • Delete Rule (delete icon): Deletes the selected filter rule.
  • Move rule up/down (arrow icons): Moves the filter rule upwards/downwards. The order determines the priority of the rules.

You can define user-specific filter rules for specific ports, protocols and IP addresses for incoming (Input Rules tab) and outgoing (Output Rules tab) connections.

For a user-specific filter rule, define the following parameters:

  • Interface (Input Rules only): You can configure Input Rules specifically for an interface. From the drop-down list, select the Ethernet interface to which the filter rule is to be applied. Output Rules apply to all interfaces.
  • Protocol: From the drop-down list, select the TCP, UDP or UDPLITE protocol, or all of them.
  • From IP: Enter the source IP address, if applicable. You can specify all IP addresses, a single IP address or a range. An IP address range is written with a hyphen (-) and no spaces between the IP addresses, for example 192.168.1.10-192.168.1.20. If you leave the field empty (0.0.0.0), all IP addresses are selected.
  • From Port: Enter the source port(s), if applicable. The rule applies to connections coming in from this address and port. You can specify all ports, a single port or a range. A port range is written with a hyphen (-) and no spaces between the port numbers, for example 22-30. If you leave the field empty (any), all ports are selected.
  • To IP: Enter the destination IP address, if applicable. You can specify all IP addresses, a single IP address or a range. An IP address range is written with a hyphen (-) and no spaces between the IP addresses, for example 192.168.1.10-192.168.1.20. If you leave the field empty (0.0.0.0), all IP addresses are selected.
  • To Port: Enter the destination port(s), if applicable. The rule applies to connections going out to this address and port. You can specify all ports, a single port or a range. A port range is written with a hyphen (-) and no spaces between the port numbers, for example 22-30. If you leave the field empty (any), all ports are selected.
  • Comment: Enter a description of the filter rule.
  • Action: The options described under Action column above are available as actions for the filter rules.

Note: If you want to specify several different IP addresses or ports, you currently have to define each of them in a separate filter rule.

To activate the settings you configured and transmit them to the system, click on the Apply button. If a configuration is already present on the system, it is overwritten during this process.

To drop the current configuration and call the basic settings, click on the Reset button.

Published/reviewed: 2024-05-06, Revision 068