PLC Firewall - How to create a deny-list

Sharing a PLC Firewall configuration that denies everything except a small set of essential ports. The documentation lacks an example of such a list.
Copy and paste the code into an existing firewall configuration.

Use the following nmap command to test the configuration:

nmap host-ipaddress -p- -sV --stats-every=5s

Denies all ingress and egress traffic by default, but allows the following:
FTP
HTTPS
OPC UA
ANSL (Online monitoring)
PING (ICMP)

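<?xml version="1.0" encoding="utf-8"?>
<?AutomationStudio FileVersion="4.9"?>
<!--
  PLC firewall rule set: deny-by-default in both directions, with explicit
  pass rules for FTP (TCP 20/21), HTTPS (TCP 443), OPC UA (TCP 4840),
  ANSL (TCP 11169) and ICMP.

  Rule layout as written in this file:
    - Rule[1] / Rule[2] block all ingress / egress traffic and use Quick="other".
    - Every pass rule uses Quick="immediately". The evaluation order these two
      values imply is not visible here; confirm against the Automation Studio
      firewall documentation before relying on it.
    - Each ingress pass rule matches on the destination port (DPortOperator);
      its egress twin matches the same number as source port (SPortOperator),
      presumably to let replies leave the PLC's listening port.

  Review notes (no rule behaviour changed here):
    - Logging is "off" on the two block rules, so dropped connections leave no
      trace. Enabling logging on Rule[1] / Rule[2] makes scans and
      misconfigured peers visible, at the cost of log volume.
    - All pass rules use SourceAddress="any". Restricting them to the
      engineering workstation / SCADA hosts that actually need each service
      would tighten the list further.
    - FTP transfers credentials and data in clear text; keep it only where the
      PLC offers no secure file-transfer alternative.
    - Only TCP 20/21 are opened for FTP. Passive-mode data connections use
      ephemeral ports and would be blocked by Rule[1] / Rule[2]; TODO confirm
      which mode the PLC's FTP server uses.
-->
<Configuration>
  <Element ID="FirewallRules" Type="firewallRules">
    <Property ID="TemplateID" Value="firewallRules" />
    <!-- Default deny, ingress. Consider Logging="on" here for detection. -->
    <Group ID="Rule[1]" Description="Block all ingress traffic except if other rule apply">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="block" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="other" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="none" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- Default deny, egress. Consider Logging="on" here for detection. -->
    <Group ID="Rule[2]" Description="Block all egress traffic except if other rule apply">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="block" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="other" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="none" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- FTP data channel, TCP 20. Direction="in" with DPortNumber=20 makes this
         the ingress half of the pair; the description previously said "egress". -->
    <Group ID="Rule[3]" Description="Allow ingress FTP Data">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="20" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- FTP data channel, TCP 20, egress half (source port 20). -->
    <Group ID="Rule[4]" Description="Allow egress FTP Data">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="20" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- FTP control channel, TCP 21, ingress half. -->
    <Group ID="Rule[5]" Description="Allow ingress FTP Control">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="21" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- FTP control channel, TCP 21, egress half. -->
    <Group ID="Rule[6]" Description="Allow egress FTP Control">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="21" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- HTTPS, TCP 443, ingress half. -->
    <Group ID="Rule[7]" Description="Allow ingress HTTPS">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="443" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- HTTPS, TCP 443, egress half. -->
    <Group ID="Rule[8]" Description="Allow egress HTTPS">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="443" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- OPC UA, TCP 4840, ingress half. -->
    <Group ID="Rule[9]" Description="Allow ingress OPC UA">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="4840" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- OPC UA, TCP 4840, egress half. -->
    <Group ID="Rule[10]" Description="Allow egress OPC UA">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="4840" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- ANSL (online monitoring), TCP 11169, ingress half. -->
    <Group ID="Rule[11]" Description="Allow ingress ANSL">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="all" />
          <Selector ID="DPortOperator" Value="equal">
            <Property ID="DPortNumber" Value="11169" />
          </Selector>
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- ANSL (online monitoring), TCP 11169, egress half. -->
    <Group ID="Rule[12]" Description="Allow egress ANSL">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="tcp">
          <Selector ID="SPortOperator" Value="equal">
            <Property ID="SPortNumber" Value="11169" />
          </Selector>
          <Selector ID="DPortOperator" Value="all" />
        </Selector>
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- ICMP ingress. DestinationAddress="me" limits this to packets addressed
         to the PLC itself; no ICMP type filter is expressed here. -->
    <Group ID="Rule[13]" Description="Allow ingress ICMP Ping">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="in" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="icmp" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="me" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
    <!-- ICMP egress, any destination. -->
    <Group ID="Rule[14]" Description="Allow egress ICMP Ping">
      <Selector ID="RuleMode">
        <Property ID="Action" Value="pass" />
        <Property ID="Direction" Value="out" />
        <Property ID="Logging" Value="off" />
        <Property ID="Quick" Value="immediately" />
        <Selector ID="Interface" Value="none" />
        <Selector ID="Protocol" Value="icmp" />
        <Selector ID="ResponseScheme" Value="none" />
        <Selector ID="SourceAddress" Value="any" />
        <Selector ID="DestinationAddress" Value="any" />
        <Selector ID="Group" Value="none" />
      </Selector>
    </Group>
  </Element>
</Configuration>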