Firewall

Application

On the control you can set up a firewall for the primary network interface and, if needed, for a sandbox. You can block incoming network traffic from specific senders and for specific services.

Description of function

The Firewall menu item opens the Firewall settings window. The menu item can be found in the Network/Remote Access group of the Settings application.

If you activate the firewall, the control displays an icon at the bottom right of the taskbar. Depending on the security level, the control displays one of the following icons:

firewall-low
    Firewall protection does not yet exist although it has been activated.
    Example: A dynamic IP address is used in the network interface configuration, but the DHCP server has not yet assigned an IP address.
    See also: DHCP server tab

firewall-medium
    Firewall active with medium security level.

firewall-high
    Firewall active with high security level. All services except SSH are blocked.

Firewall settings

Figure: Firewall settings window

The Firewall settings window contains the following settings:

Active
    Activates or deactivates the firewall.

Interface
    Selects the interface to protect:
      • eth0: X26 of the control
      • eth1: X116 of the control
      • brsb0: Sandbox (optional)
    If a control has two Ethernet interfaces, the DHCP server for the machine network is active on the second interface by default. In that configuration you cannot activate the firewall for eth1, because the firewall and the DHCP server are mutually exclusive.

Report other inhibited packets
    Activates the firewall with a high security level. All services except SSH are blocked.

Inhibit ICMP echo answer
    If this check box is selected, the control does not respond to a ping request.

Service
    Short names of the services covered by the firewall configuration. You can change the settings even if the services are not started.
      • DNC: DNC server using the RPC protocol for external applications developed with the RemoTools SDK (port 19003). For more detailed information, consult the RemoTools SDK manual.
      • LDAPS: Server with user data and configuration of user administration
      • LSV2: Functionality for TNCremo, TeleService, and other HEIDENHAIN PC tools (port 19000)
      • OPC UA: Service provided by the OPC UA NC Server (port 4840)
      • SMB: Only incoming SMB connections are affected, i.e. a Windows share provided by the control. Outgoing SMB connections (a Windows share that the control connects to) are not affected.
      • SSH: SecureShell protocol (port 22) for secure LSV2 handling with active user administration; available starting with HEROS 504
      • VNC: Access to the screen contents. If you block this service, not even TeleService programs from HEIDENHAIN can access the control, and the control displays a warning in the VNC settings window. See also: VNC menu item

Method
    Configures who may access the service:
      • Prohibit all: The service cannot be accessed by anyone
      • Permit all: The service can be accessed by everyone
      • Permit some: The service can be accessed only by specific clients
    With Permit some you must define the permitted computers in the Computer column. If you do not define a computer, the control activates Prohibit all.

Log
    The log shows the following messages for network packets:
      • Red: Network packet blocked
      • Blue: Network packet accepted

Computer
    IP addresses or host names of the computers with access rights, separated by commas if there are multiple computers. Only used with the Permit some method.
    The control converts the host names to IP addresses when it starts. If an IP address changes, you must restart the control or change the setting. The control issues an error message if it cannot convert a host name to an IP address.

Advanced options
    Only for network specialists

Set standard values
    Resets the settings to the default values recommended by HEIDENHAIN
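As an added illustration (not HEIDENHAIN's code and not the control's actual firewall implementation), the following Python model applies the semantics of the Method, Computer, Report other inhibited packets and Inhibit ICMP echo answer settings described above to incoming packets: an empty Computer column falls back to Prohibit all, host names are converted to IP addresses once at start-up and an unconvertible name is reported as an error, the high security level passes only SSH, and each decision is logged in red or blue as in the Log column. The service names and the three methods come from this page; the class and function names, the log message wording, the sample hosts and the name table that stands in for DNS, and the choice to treat a service without a configured method as Prohibit all are assumptions made for this example.

```python
"""Model of the access decisions in the Firewall settings table (added example,
not HEIDENHAIN's firewall code). From the page: the three methods, an empty
Computer column meaning Prohibit all, host names converted to IP addresses once
at start-up (error if that fails), the high security level passing only SSH, and
"Inhibit ICMP echo answer". Assumed: all names here, the log wording, and that a
service without a configured method is treated as Prohibit all."""
import ipaddress
import socket
from dataclasses import dataclass, field

PROHIBIT_ALL, PERMIT_ALL, PERMIT_SOME = "Prohibit all", "Permit all", "Permit some"

@dataclass
class ServiceRule:
    method: str = PROHIBIT_ALL
    computers: str = ""  # Computer column: IPs or host names, comma-separated

@dataclass
class FirewallConfig:
    active: bool = True
    high_security: bool = False      # "Report other inhibited packets" check box
    inhibit_icmp_echo: bool = False  # "Inhibit ICMP echo answer" check box
    rules: dict = field(default_factory=dict)  # service name -> ServiceRule

class Firewall:
    """Evaluates incoming packets against the configured rules."""

    def __init__(self, config, resolver=socket.gethostbyname):
        self.config = config
        self.log = []     # (colour, message) entries, as in the Log column
        self.errors = []  # host names that could not be converted at start-up
        # Names are converted once, at start-up; a later address change needs a
        # restart or a changed setting, as the Computer row says.
        self._allowed = {name: self._resolve(name, rule, resolver)
                         for name, rule in config.rules.items()}

    def _resolve(self, service, rule, resolver):
        allowed = set()
        for entry in (e.strip() for e in rule.computers.split(",")):
            if not entry:
                continue
            try:
                allowed.add(ipaddress.ip_address(entry))
                continue  # literal IP address, nothing to resolve
            except ValueError:
                pass
            try:
                allowed.add(ipaddress.ip_address(resolver(entry)))
            except (OSError, KeyError, ValueError):
                self.errors.append(
                    f"{service}: cannot convert host name {entry!r} to an IP address")
        return allowed

    def _record(self, service, source_ip, accepted):
        colour, verb = ("Blue", "accepted") if accepted else ("Red", "blocked")
        self.log.append((colour, f"Network packet {verb}: {service} from {source_ip}"))
        return accepted

    def decide(self, service, source_ip):
        """True if an incoming packet for `service` from `source_ip` is accepted."""
        if not self.config.active:
            return self._record(service, source_ip, True)   # no filtering at all
        if self.config.high_security and service != "SSH":
            return self._record(service, source_ip, False)  # high level: SSH only
        rule = self.config.rules.get(service, ServiceRule())
        if rule.method == PERMIT_ALL:
            accepted = True
        elif rule.method == PERMIT_SOME:
            allowed = self._allowed.get(service, set())
            # Empty or entirely unresolvable Computer column acts as Prohibit all
            accepted = bool(allowed) and ipaddress.ip_address(source_ip) in allowed
        else:
            accepted = False
        return self._record(service, source_ip, accepted)

    def answers_ping(self):
        """False when 'Inhibit ICMP echo answer' is set on an active firewall."""
        return not (self.config.active and self.config.inhibit_icmp_echo)

# Constructed sample data: a tiny name table stands in for DNS so this runs offline.
SAMPLE_NAMES = {"pc-office": "192.168.1.20"}

def build_sample(high_security=False, inhibit_icmp_echo=False):
    cfg = FirewallConfig(
        high_security=high_security, inhibit_icmp_echo=inhibit_icmp_echo,
        rules={
            "SSH": ServiceRule(PERMIT_ALL),
            "LSV2": ServiceRule(PERMIT_SOME, "192.168.1.10, pc-office"),
            "VNC": ServiceRule(PERMIT_SOME, ""),                 # no computer given
            "OPC UA": ServiceRule(PERMIT_SOME, "no-such-host"),  # unresolvable name
            "DNC": ServiceRule(PROHIBIT_ALL),
        })
    return Firewall(cfg, resolver=SAMPLE_NAMES.__getitem__)
```

Calling `build_sample().decide("LSV2", "192.168.1.20")` returns True because `pc-office` was converted to that address when the `Firewall` object was built, while the same call for VNC returns False since no computer is defined for it; `build_sample().errors` contains the one entry for the unconvertible `no-such-host`, mirroring the error message the control issues. The resolver is injected so that the start-up conversion can be tested offline; in real use the default `socket.gethostbyname` would be consulted.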

Notes

  • Have your network specialist check and, if necessary, change the standard settings.
  • When user administration is active, you can set up only secure network connections via SSH. The control automatically disables the LSV2 connections via the serial interfaces (COM1 and COM2) and the network connections without user identification.
  • The firewall does not protect the second network interface eth1. Connect only trustworthy hardware to this interface, and do not use this interface for Internet connections.