Firewall configuration


Establishing a connection to WBM:

  • Open a web browser on your computer.
  • In the address field, enter the URL https://<IP-address-of-the-controller>/wbm, for example: https://192.168.1.10/wbm.

For further information, see Web-based management (WBM).

The security-related settings for the controller are configured in the Security area of the Web-based Management (WBM).

Use Case

Hazards in public and even private networks are omnipresent, and nowadays no private user would put a computer on a network without a properly configured firewall. Why should it be any different for a PLC?

That's the reason why every PLCnext Control is delivered with a preset firewall.

Concept

PLCnext Technology relies on the proven and widely used Linux® firewall nftables. On the PLCnext Control, you don't need to configure the firewall rules via Linux shell commands: just log on to the Web-based Management and choose from the predefined basic rules, or add your own rules to the set.

How to

You can only open the Firewall page if you are logged into the WBM as an administrator.
For information on user roles, please refer to the User Authentication page of the Security WBM area.

How to work with the WBM user interface

The controller firewall is configured via the Web-based Management. Log in to the WBM as Admin, unfold the Security area and click on Firewall to see the configuration page (PLCnext Control AXC F 2152 as an example):

 

Firewall Basic configuration

Let's walk through all the sections, tabs and menus and look what's in there to configure the firewall on your PLCnext Control to your needs.

Reset and Apply buttons

The buttons in the upper right corner of the page are used after changing settings in the sections below.

  • To reset the firewall to default settings, click Reset.
  • To transfer changed firewall settings to the controller, click Apply.

System Message section

In the System Message section, responses and warnings regarding the transfer of settings to the controller are displayed. The following system messages can occur:

System message Description
Status=Ok The configured firewall settings were successfully transferred to the controller.
Warning A warning from the controller is issued, e.g., if one or several additional filter configurations are present in the system. The warning contains the designations of all additionally loaded filter tables.
Error At least one firewall configuration is faulty.

 

System Status section

If the firewall is active, you can generate an overview of all enabled firewall rules as a *.txt file. This is the quickest way to verify, after clicking Apply, that the rule set actually loaded on the controller is the one you intended.

  1. Click on Show Rules in the System Status section.
    ⇒ The *.txt file with the active firewall rules is generated and opens in a dialog box:
    Firewall Active Rules
  2. To save the active rules to a *.txt file, click Save to file in the dialog box.
    ⇒ The *.txt file is saved to the directory you select in the file dialog.

General Configuration section

In the General Configuration section, you can view the current firewall status (e.g., Current: stopped) and activate or deactivate the firewall either temporarily (until the next restart of the controller) or permanently.

Temporarily activating or deactivating the firewall
  • To temporarily activate the firewall, select the Start or Restart entry from the drop-down list in the Status row.
    To activate the configuration, click Apply in the upper right corner.
    ⇒ The firewall is activated.
    This setting is no longer active after a restart of the controller.
  • To temporarily deactivate the firewall, select the Stop entry from the drop-down list in the Status row.
    To activate the configuration, click Apply in the upper right corner.
    ⇒ The firewall is deactivated.
    This setting is no longer active after a restart of the controller.
Permanently activating or deactivating the firewall
  • To permanently activate the firewall, enable the check box in the Activation row.
    ⇒ The firewall is activated.
    The firewall remains activated even after a restart of the controller.
  • To permanently deactivate the firewall, disable the check box in the Activation row.
    ⇒ The firewall is deactivated.
    The firewall remains deactivated even after a restart of the controller.

Configuring the firewall

Configuration of the firewall rules is divided into Basic Configuration and User Configuration.
The Basic Configuration tab provides predefined firewall rules while you can create your own firewall rules on the User Configuration tab.

Action column

The options for activating and deactivating the filter rules are available in the Action column on the Basic Configuration tab as well as on the User Configuration tab.

Select a setting from the drop-down list in the Action column for each firewall rule:

Option Description
Accept The connection request is accepted and the connection can be established.
Drop The packet is discarded and no response is sent; from the sender's point of view the request simply times out.
Reject The packet is discarded and the sender receives a response indicating that the connection was rejected.
Continue The basic rule is not executed. Choose this option to skip the basic rule for the port and handle the port with a user-specific rule instead. User-specific rules are configured on the User Configuration tab of the Web-based Management.

To activate this configuration, click Apply in the upper right corner.

Basic Configuration tab

On the Basic Configuration tab, the rules that are stored for the firewall upon delivery are displayed. For each rule, you can select how the respective connections are to be treated.

ICMP Configurations

In the ICMP Configurations section, you specify how incoming and outgoing ICMP echo requests are to be treated. Possible settings are:

  • Incoming ICMP requests accepted
    Check box enabled: Incoming ICMP echo requests are accepted.
    Check box disabled: Incoming ICMP echo requests are blocked.
    The controller cannot be reached using a ping command.
  • Outgoing ICMP requests accepted
    Check box enabled: Outgoing ICMP echo requests are accepted.
    Check box disabled: Outgoing ICMP echo requests are blocked.
    Ping commands cannot be issued by the controller.
Basic Rules

The Basic Rules section provides predefined firewall rules for different incoming connections; for each rule, you select in the Action column how the respective connections are treated. The configuration baseline is stored in the /etc/nftables/plcnext-filter file in the controller file system.

The configuration baseline contains the following rules for incoming connections (Direction: Input).

No. Description Protocol Port
1 NTP (Network Time Protocol) UDP Port 123
2 Common remoting, e.g., using PLCnext Engineer TCP Port 41100
3 SSH connections, e.g., for SSH shell connection or SFTP connection TCP Port 22
4 HTTP TCP Port 80
5 HTTPS, Proficloud, eHMI (web server for eHMI and WBM) TCP Port 443
6 OPC UA TCP Port 4840
7 Matlab® Simulink® in External mode TCP Port 17725
8 SNMP (Simple Network Management Protocol) TCP Port 161
9 PROFINET® unicast/multicast ports UDP Ports 34962 - 34964

The rule numbers are the ones referred to in the notes below (e.g., basic rule no. 5). Note that SNMP itself is normally served on UDP port 161; check the protocol shown for this rule in the WBM of your controller.

 

The settings are valid for all Ethernet interfaces. A limitation to certain Ethernet interfaces is specified via a user-specific rule on the User Configuration tab (see below).

With some firewall rules there is the risk that you lock yourself out of the controller because the port you use to access it is blocked. Restoring access can then require a reset to the default settings, and thus the loss of user data.

Therefore, please consider the following notes when configuring basic rules:

Blocking the WBM access:
If you select the Reject or Drop action for basic rule no. 5 (TCP Port 443 - HTTPS, PROFICLOUD, eHMI), you can no longer access the WBM of the controller after activating the rule (Apply). Therefore, you can no longer change the firewall rules via the WBM.

  • In case of a permanently started firewall (enabled Activation check box in the General Configuration section):
    To stop the firewall in this case, you have to reset the controller to the default settings.
    For more detailed information, please refer to the user manual for your controller.
    Note that during a reset to the default settings, user-specific data (applications, configuration, etc.) is deleted.
    Once the firewall is deactivated, you can again access the WBM.
  • In case of a permanently stopped firewall (disabled Activation check box in the General Configuration section):
    The firewall is stopped after restarting the controller. You can again access the WBM.

Observe the following when using a PROFINET controller:
If you use the controller as PROFINET controller, you have to ensure that with an activated firewall, Accept is selected for basic rule no. 9 (UDP ports 34962-34964 - PROFINET unicast/multicast ports).
Otherwise, establishing a connection to certain PROFINET devices is not possible.

User Configuration tab

In addition or as an alternative to the basic rules, you can define and activate your own, user-specific firewall rules for different filter categories in the User Configuration tab. You can create new rules, delete rules or change the order of rules using the buttons at the end of the table.

Adding a new rule

To add a new Input rule, use the Input Rules tab on the User Configuration tab:

new input rule

To add a new Output rule, use the Output Rules tab on the User Configuration tab:

new output rule

When working on a new rule, you will use these buttons:

Button Meaning Function
Plus icon New Rule Adds a new filter rule.
Delete icon Delete Rule Deletes the selected filter rule.
Up/down arrows Move rule up/down Moves the filter rule upwards/downwards. The order determines the priority of the rules.

 

You can define user-specific filter rules for specific ports, protocols and IP addresses for incoming (Input Rules tab) and outgoing (Output Rules tab) connections.

For a user-specific filter rule, define the following parameters:

Column Description
Interface (Input Rules only) From the drop-down list, select the Ethernet interface to which the filter rule is to be applied. Output Rules apply to all interfaces.
Protocol From the drop-down list, select TCP, UDP or UDPLITE, or all of them.
From IP / From Port Source address and source port(s) of the connection, if applicable. The rule applies to packets coming from this address. You can specify all ports, selected ports, or a port range.
To IP / To Port Destination address and destination port(s) of the connection, if applicable. The rule applies to packets going to this address. You can specify all ports, selected ports, or a port range. For an Input rule the destination is the controller itself, so the port of the service you want to filter (e.g., TCP 22 for SSH) belongs in To Port.
Comment Here, enter a description of the filter rule.
Action One of the options described under Action column (Accept, Drop, Reject or Continue).

 

To activate the settings you configured and transmit them to the system, click on the Apply button. If a configuration is already present on the system, it is overwritten during this process.

To discard the current configuration and return to the default settings, click on the Reset button.

Changing a basic rule

To change a basic rule, proceed as follows:

  • In the Basic Configuration area, set the basic rule to Continue in the Action column. This way, the basic rule is skipped for that port.
  • Now create a new rule in the User Configuration → Input Rules area.
  • Configure the rule for the protocol and the port of the basic rule from the Basic Configuration area.
    Example: You can restrict incoming SSH connection requests on TCP port 22 by excluding certain IP addresses or by allowing access only from selected IP addresses. Because the order of the user rules is their priority, place the Accept rule for the allowed addresses above a Drop rule for all other addresses.

 

Blocking the PROFICLOUD access

Access to the PROFICLOUD WBM page is not controlled via user authentication (see User Authentication). Each user with access to WBM can also access the PROFICLOUD page and make settings. To protect the PROFICLOUD configuration against unauthorized access, you can create a user without access permission to WBM.

However, if WBM access is required for each user role, you can also block the connection to PROFICLOUD via a firewall configuration.

For this, create a new rule on the Output Rules tab under User Configuration using the following parameters:

  • Direction: Output
  • Protocol: TCP
  • To Port: 443 (the destination port of the outgoing connection)
  • Action: Drop or Reject

To activate the configuration, click on the Apply button.

Take into consideration that this rule blocks every outgoing connection to TCP port 443, not only the connection to PROFICLOUD: any other HTTPS or HMI connection the controller establishes is blocked as well.

To permanently block PROFICLOUD access for a user, configure that user without security permissions (done on the User Authentication WBM page). Such a user cannot open the Firewall WBM page at all and therefore cannot deactivate or change the firewall rule that blocks access to PROFICLOUD. Changes the user makes on the Proficloud WBM page have no effect, because the corresponding port stays blocked by the firewall settings, so the device cannot establish a connection to PROFICLOUD.

In short: to prevent PROFICLOUD communication for a user, configure the block in the firewall and protect the firewall configuration against unauthorized changes by restricting which users have security permissions.
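The following Python model is added here as an illustration; it is not code from the controller, from Phoenix Contact, or from this page. It replays the two procedures above, the SSH basic rule set to Continue and handled by user-specific Input Rules (Changing a basic rule) and the Output rule that blocks PROFICLOUD, and runs the lockout checks from the notes on basic rules (WBM on TCP 443, PROFINET on UDP 34962-34964) the way a practitioner would before clicking Apply. The evaluation order (basic rule first unless it is Continue, then user rules in table order, first match wins), a Drop policy for packets no rule matches, the interface name eth0, the SNMP protocol as listed in the table, and all IP addresses are assumptions made for the example.

```python
"""Pre-flight check for a PLCnext WBM firewall configuration: an illustrative model added for
this page, not code from the controller or from Phoenix Contact. Assumptions: a matching basic
rule decides unless its Action is Continue; user rules are evaluated in table order, first match
wins; unmatched packets are dropped (DEFAULT_POLICY); all addresses below are made up."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACCEPT, DROP, REJECT, CONTINUE = "Accept", "Drop", "Reject", "Continue"
DEFAULT_POLICY = DROP  # assumption: the page does not state what happens when no rule matches


@dataclass(frozen=True)
class Packet:
    direction: str  # "Input" (to the controller) or "Output" (from it)
    proto: str      # "TCP", "UDP" or "UDPLITE"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str = "eth0"


@dataclass
class BasicRule:  # one row of the Basic Rules table (Direction: Input)
    name: str
    proto: str
    ports: range
    action: str = ACCEPT


@dataclass
class UserRule:  # one row of the User Configuration table
    direction: str
    action: str
    proto: str = "all"
    iface: str = "all"                  # Input Rules only; Output Rules apply to all interfaces
    from_ip: Optional[str] = None       # single address or CIDR; None = any
    from_ports: Optional[range] = None  # None = all ports
    to_ip: Optional[str] = None
    to_ports: Optional[range] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return all((
            p.direction == self.direction and self.proto in ("all", p.proto),
            self.direction == "Output" or self.iface in ("all", p.iface),
            self.from_ip is None or ip_address(p.src_ip) in ip_network(self.from_ip, strict=False),
            self.to_ip is None or ip_address(p.dst_ip) in ip_network(self.to_ip, strict=False),
            self.from_ports is None or p.src_port in self.from_ports,
            self.to_ports is None or p.dst_port in self.to_ports,
        ))


# The nine basic rules of this page in table order (index 4 = rule no. 5, index 8 = rule no. 9).
BASIC_RULES = [
    BasicRule("NTP", "UDP", range(123, 124)),
    BasicRule("Common remoting (PLCnext Engineer)", "TCP", range(41100, 41101)),
    BasicRule("SSH / SFTP", "TCP", range(22, 23)),
    BasicRule("HTTP", "TCP", range(80, 81)),
    BasicRule("HTTPS / Proficloud / eHMI / WBM", "TCP", range(443, 444)),
    BasicRule("OPC UA", "TCP", range(4840, 4841)),
    BasicRule("Matlab Simulink External mode", "TCP", range(17725, 17726)),
    BasicRule("SNMP", "TCP", range(161, 162)),  # protocol as listed on this page
    BasicRule("PROFINET unicast/multicast", "UDP", range(34962, 34965)),
]


def verdict(basic: List[BasicRule], user: List[UserRule], p: Packet) -> str:
    """Basic rule decides unless set to Continue; then user rules in table order, first match wins."""
    if p.direction == "Input":
        for b in basic:
            if b.proto == p.proto and p.dst_port in b.ports and b.action != CONTINUE:
                return b.action
    for u in user:
        if u.matches(p):
            return u.action
    return DEFAULT_POLICY


def preflight(basic, user, admin_ip, ctrl_ip, profinet=False) -> List[str]:
    """The lockout checks this page warns about, run before clicking Apply."""
    findings = []
    if verdict(basic, user, Packet("Input", "TCP", admin_ip, 51515, ctrl_ip, 443)) != ACCEPT:
        findings.append("WBM lockout: TCP 443 from your workstation would not be accepted")
    if profinet:  # the PROFINET device address is assumed
        bad = [p for p in range(34962, 34965)
               if verdict(basic, user, Packet("Input", "UDP", "192.168.1.7", p, ctrl_ip, p)) != ACCEPT]
        if bad:
            findings.append(f"PROFINET: UDP port(s) {bad} not accepted")
    return findings


def example_config(https_action=ACCEPT):
    """'Changing a basic rule' (SSH allowlist) plus 'Blocking the PROFICLOUD access'."""
    basic = [replace(b) for b in BASIC_RULES]
    basic[2].action = CONTINUE      # hand SSH over to the user rules
    basic[4].action = https_action  # pass DROP or REJECT to reproduce the WBM lockout from the notes
    user = [
        UserRule("Input", ACCEPT, proto="TCP", iface="eth0", from_ip="192.168.1.0/24", to_ports=range(22, 23),
                 comment="SSH only from the engineering subnet (assumed)"),
        UserRule("Input", DROP, proto="TCP", to_ports=range(22, 23), comment="SSH from anywhere else"),
        UserRule("Output", DROP, proto="TCP", to_ports=range(443, 444), comment="Block PROFICLOUD (all outbound HTTPS)"),
    ]
    return basic, user
```

Feed example_config() the actions you intend to set in the WBM and call preflight() with your own workstation's address before you click Apply: an empty list means the rule set will not lock you out of the WBM and, if the controller is used as a PROFINET controller, leaves the PROFINET ports accepted. The two Input rules show why order matters (the Accept for the engineering subnet must sit above the catch-all Drop), and the Output rule shows the side effect noted above: it matches every destination on TCP port 443, so outbound HTTPS to an HMI is blocked just like PROFICLOUD.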