Sharing a PLC firewall configuration that denies everything except a small set of ports that are essential. The documentation lacks an example of such a list.
Copy and paste the code into an existing firewall configuration.
Use the following nmap command to test the configuration:
nmap host-ipaddress -p- -sV --stats-every=5s
Denies all ingress/egress traffic by default, but allows the following:
FTP
HTTPS
OPC UA
ANSL (Online monitoring)
PING (ICMP)
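<?xml version="1.0" encoding="utf-8"?>
<?AutomationStudio FileVersion="4.9"?>
<!--
  Default-deny PLC firewall rule set.

  Rule[1] and Rule[2] block all ingress and egress traffic (Quick="other").
  Every later rule is a "pass" with Quick="immediately" that opens exactly
  one direction of one service:
    FTP data      tcp/20    Rule[3]  (in)   Rule[4]  (out)
    FTP control   tcp/21    Rule[5]  (in)   Rule[6]  (out)
    HTTPS         tcp/443   Rule[7]  (in)   Rule[8]  (out)
    OPC UA        tcp/4840  Rule[9]  (in)   Rule[10] (out)
    ANSL          tcp/11169 Rule[11] (in)   Rule[12] (out)
    ICMP                    Rule[13] (in)   Rule[14] (out)

  Ingress rules match on the destination port, egress rules on the source
  port, i.e. the PLC is the server side of every TCP service listed.
  ResponseScheme is "none" on every rule, which appears to be why each
  service needs an explicit rule for both directions - confirm against the
  Automation Studio firewall documentation.

  Review notes (defensive posture of this rule set):
    - FTP (tcp/20, tcp/21) is a clear-text protocol; credentials and file
      contents are visible on the wire. Keep Rule[3]..Rule[6] only if the
      device really needs FTP.
    - SourceAddress is "any" on every pass rule. Restricting it to the
      engineering / SCADA network narrows what an attacker on any other
      segment can reach.
    - Logging is "off" on the two default-deny rules, so blocked connection
      attempts leave no trace. Enabling logging on Rule[1] and Rule[2] is
      the cheapest detection signal this configuration can provide.
    - Rule[13] and Rule[14] pass every ICMP type, not only echo request and
      echo reply.
-->
<Configuration>
  <Element ID="FirewallRules" Type="firewallRules">
    <Property ID="TemplateID" Value="firewallRules" />

    <!-- Default deny: ingress -->
    <Group ID="Rule[1]" Description="Block all ingress traffic except if other rule apply">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="block" />
        <Property ID="Direction" Value="in" />
        <!-- Blocked packets are not logged; see review notes above. -->
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="other" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="none" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- Default deny: egress -->
    <Group ID="Rule[2]" Description="Block all egress traffic except if other rule apply">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="block" />
        <Property ID="Direction" Value="out" />
        <!-- Blocked packets are not logged; see review notes above. -->
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="other" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="none" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- FTP data channel, tcp/20 (clear-text protocol).
         Direction is "in" and the match is on the destination port, so the
         original description "Allow egress FTP Data" was wrong; Rule[4]
         is the egress counterpart. -->
    <Group ID="Rule[3]" Description="Allow ingress FTP Data">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="20" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- FTP data channel, tcp/20, egress: match on source port. -->
    <Group ID="Rule[4]" Description="Allow egress FTP Data">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="20" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- FTP control channel, tcp/21 (clear-text protocol). -->
    <Group ID="Rule[5]" Description="Allow ingress FTP Control">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="21" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <Group ID="Rule[6]" Description="Allow egress FTP Control">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="21" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- HTTPS, tcp/443. -->
    <Group ID="Rule[7]" Description="Allow ingress HTTPS">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="443" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <Group ID="Rule[8]" Description="Allow egress HTTPS">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="443" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- OPC UA, tcp/4840. -->
    <Group ID="Rule[9]" Description="Allow ingress OPC UA">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="4840" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <Group ID="Rule[10]" Description="Allow egress OPC UA">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="4840" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- ANSL (online monitoring from the engineering tool), tcp/11169. -->
    <Group ID="Rule[11]" Description="Allow ingress ANSL">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="11169" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <Group ID="Rule[12]" Description="Allow egress ANSL">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="11169" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <!-- ICMP. No type filter is expressed here, so every ICMP type is
         passed, not only echo request/reply. Ingress is limited to packets
         addressed to the device itself (DestinationAddress="me"). -->
    <Group ID="Rule[13]" Description="Allow ingress ICMP Ping">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="icmp" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="me" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>

    <Group ID="Rule[14]" Description="Allow egress ICMP Ping">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="icmp" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
  </Element>
</Configuration>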
```