Firewall
Application
The control provides a firewall to allow or reject incoming network traffic, depending on the sender and service.
Related topics
- Existing network connection
- SELinux security software
- Comparison of the transmission duration of different protocols
Example: Transmission duration of different transmission types
Description of function
To navigate to this function:
Settings > Network/Remote Access > Firewall
- Overview of zones
The hefwconfig window always shows the OT Net zone after opening. If you select Zones in the breadcrumb navigation, the control opens an overview of the zones.
Five zones are displayed on the default overview screen. The overview shows which interfaces and sources have been added to the respective zones.
Each zone has its own default configuration.
You can edit the configuration of the zones.
For example, network specialists can make the following changes:
- Add and remove zones
- Rename zones
- Edit the zone description
- Edit the default target of the zone
If a network specialist has made changes to the firewall, the firewall of your machine might differ from the default configuration.
Icons and buttons
The hefwconfig window provides the following icons and buttons:
Icon or button | Meaning |
---|---|
Maximize | Open the selected zone |
Reduce | Close the open zone and return to the overview screen |
Add | |
Clear | |
Edit | Edit rich rule |
OK | Save the changes and close the window |
Apply | Save the changes |
Import the configuration | Import a configuration and overwrite the present configuration |
Export configuration | Export the configuration of all zones |
HEIDENHAIN default | Reset the settings to their default values |
Advanced | Open the Firewall Configuration window. Available only to network specialists |
Cancel | Discard the changes that have not been saved and close the window |
Default targets
Each zone has a default target. The default target defines how the firewall will handle incoming network connections. The firewall provides the following default targets:
Default target | Meaning |
---|---|
ACCEPT | Accept all incoming network connections. This corresponds to deactivating the firewall for that zone. |
DROP | Discard incoming network connections silently; the sender receives no reply and only sees a timeout. You can add or remove exceptions. |
REJECT | Refuse incoming network connections and send an error reply (for example, ICMP unreachable) to the sender. You can add or remove exceptions. |
Zones
The following table shows the available zones and the default configuration:
Zone | Meaning |
---|---|
Block | Default target: REJECT. This zone rejects all incoming connections. |
Drop | Default target: DROP. This zone discards all incoming connections. |
Machine Net | Default target: REJECT with exceptions. This zone accepts all the services needed for connections between the control and an additional ITC operating station (e.g., VNC or DNS). The eth1 interface is assigned to this zone. |
OT Net | This zone is the default zone. Default target: REJECT with exceptions. This zone accepts the SSH service. The eth0 interface is assigned to this zone. |
Trusted | Default target: ACCEPT. This zone accepts all incoming connections. |
On programming stations, the eth1 interface is assigned to the additional zone Programmingstation Network by default.
Settings of the zones
- OT Net zone with description of the DNS service
When you open a zone, the control displays the following settings:
Setting | Meaning |
---|---|
Default zone | In this area, the control shows whether the zone is the default zone. If the zone is not the default zone, you can define it as the default zone by selecting the check box. The control automatically assigns all unassigned interfaces and sources to the default zone. |
Source assignment | In this area, the control shows the interfaces and sources assigned to this zone. You can add or delete interfaces and sources. |
Allowed services | On the Allowed services tab, the control displays all available services and the related ports. Use the check boxes to allow or reject services. If the check box is selected, the service is allowed. When you select a service, the control displays the appropriate description. Tip: HEIDENHAIN recommends that you add or delete exceptions only in the OT Net zone. |
Allowed ports | On the Allowed ports tab, you can allow individual TCP or UDP ports. When you select the Add button, the control displays a window. Select TCP or UDP and define the port or the range of ports. |
Rich rules | On the Rich rules tab, you can define the exceptions for sources, services, and ports in more detail. When you create a rich rule, the control provides the following selection options: |
Notes
- When user administration is active, you can set up only secure network connections via SSH or OPC UA (#56-61 / #3-02-1*). If non-secure network connections exist, you must set them up again as secure connections.
- You must save all changes with the Apply button (or with OK, which also closes the window); if you close the window with Cancel, the control discards the changes that have not been saved.
- You can also open a zone by double-tapping or double-clicking the zone.
- You can assign the interfaces or sources to different zones. A zone will be active once an interface or a source has been assigned to it.
- You can also add or delete interfaces and sources on the overview screen of the zones.
- If you delete an interface or source from a zone, the control will always assign this interface or source to the default zone. You cannot delete any interfaces or sources from the default zone.
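The following Python model is added here as an illustration of the zone logic described in the Default targets and Zones tables, the Allowed services, Allowed ports and Rich rules tabs, and the notes on interface assignment above. It is not HEIDENHAIN code and does not talk to the control. Zone names, default targets, interface bindings and the service names follow this page; the port numbers for ssh, dns and vnc, the shape of a rich rule, the lookup order (source binding before interface binding, rich rules before allowed services, then the default target) and the names `Firewall`, `Zone`, `RichRule` and `heidenhain_default` are assumptions made for the example.

```python
"""Added example: a runnable model of the zone-based firewall this page describes.
Not HEIDENHAIN code. Ports, rich-rule shape and evaluation order are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# What the sender experiences for each default target:
#   ACCEPT - the connection is let through (same as having no firewall)
#   DROP   - the packet is discarded silently; the sender only sees a timeout
#   REJECT - the packet is refused with an error reply (e.g. ICMP unreachable)
TARGETS = ("ACCEPT", "DROP", "REJECT")

# Service -> (port, protocol). Assumed standard ports for the services the page names.
SERVICES = {"ssh": (22, "tcp"), "dns": (53, "udp"), "vnc": (5900, "tcp")}


@dataclass
class RichRule:
    """Assumed shape of a rich rule: optional source network, optional port, action."""
    action: str                        # ACCEPT, DROP or REJECT
    source: Optional[str] = None       # CIDR, e.g. "192.168.10.0/24"
    port: Optional[tuple] = None       # (port, proto), e.g. (5900, "tcp")

    def matches(self, src_ip: str, port: int, proto: str) -> bool:
        if self.source and ip_address(src_ip) not in ip_network(self.source):
            return False
        return self.port is None or self.port == (port, proto)


@dataclass
class Zone:
    name: str
    target: str                                  # default target of the zone
    interfaces: set = field(default_factory=set)
    sources: set = field(default_factory=set)    # CIDR networks bound to the zone
    services: set = field(default_factory=set)   # Allowed services tab
    ports: set = field(default_factory=set)      # Allowed ports tab: (port, proto)
    rich_rules: list = field(default_factory=list)

    def allows(self, port: int, proto: str) -> bool:
        return (port, proto) in self.ports or any(
            SERVICES[s] == (port, proto) for s in self.services)


class Firewall:
    def __init__(self, zones, default_zone):
        for z in zones:
            assert z.target in TARGETS, z.target
        self.zones = {z.name: z for z in zones}
        self.default = self.zones[default_zone]

    def zone_for(self, iface: str, src_ip: str) -> Zone:
        """Assumed lookup order: a matching source binding wins over the interface
        binding; anything unassigned lands in the default zone."""
        for z in self.zones.values():
            if any(ip_address(src_ip) in ip_network(n) for n in z.sources):
                return z
        for z in self.zones.values():
            if iface in z.interfaces:
                return z
        return self.default

    def evaluate(self, iface: str, src_ip: str, port: int, proto: str) -> str:
        """Verdict for one incoming connection: rich rules first, then the
        allowed services/ports, then the zone's default target (assumed order)."""
        z = self.zone_for(iface, src_ip)
        for rule in z.rich_rules:
            if rule.matches(src_ip, port, proto):
                return rule.action
        if z.allows(port, proto):
            return "ACCEPT"
        return z.target

    def remove_interface(self, zone_name: str, iface: str) -> None:
        """Deleting an interface from a zone moves it to the default zone; the
        default zone's own interfaces cannot be deleted (see the notes above)."""
        z = self.zones[zone_name]
        if z is self.default:
            raise ValueError("cannot delete interfaces from the default zone")
        z.interfaces.discard(iface)
        self.default.interfaces.add(iface)


def heidenhain_default() -> Firewall:
    """The default zone configuration from the Zones table on this page."""
    return Firewall(
        [
            Zone("Block", "REJECT"),
            Zone("Drop", "DROP"),
            Zone("Machine Net", "REJECT", interfaces={"eth1"}, services={"vnc", "dns"}),
            Zone("OT Net", "REJECT", interfaces={"eth0"}, services={"ssh"}),
            Zone("Trusted", "ACCEPT"),
        ],
        default_zone="OT Net",
    )


if __name__ == "__main__":
    fw = heidenhain_default()
    print(fw.evaluate("eth0", "10.0.0.5", 22, "tcp"))    # ACCEPT: SSH is an OT Net exception
    print(fw.evaluate("eth0", "10.0.0.5", 5900, "tcp"))  # REJECT: VNC is not allowed on eth0
    print(fw.evaluate("eth9", "10.0.0.5", 80, "tcp"))    # REJECT: unassigned eth9 falls into OT Net
```

The model makes the practical consequences of the tables visible: a service ticked in one zone does nothing for interfaces bound to another zone, an interface nobody assigned is silently governed by the default zone, and a rich rule is the only way to open a port for a specific source network rather than for everyone reaching the interface.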