ctrlX OS - Firewall

Valid for basic license, version 3.6.2 and greater:

The ctrlX OS Firewall Basic web interface has 3 sections:

• Filter

• Routing

• Directional interfaces

Which are working in parallel to the "Advanced" view that is the old web interface available by clicking in the top right over the word "Advanced".

Modern networks require internet access, directional connections, filtering, routing,
and even more:

• Directional interfaces, internet connection, LANs segmentation: it is important that the device can be easily connected to internet and, that the interface connected to internet is then protected against incoming connections.

• Routing: many times, like in the remote access usage, it is important to use the core to implement the DNAT, SNAT and Masquerade functions in order to be able to remote access the devices in the LAN.

• Filtering: probably the most basic of the operations: allow or deny the use of a certain port/service.

Valid for advanced license, version 2.6 and greater:

The Firewall app advanced gives the user full access to Nftables.

Nftables uses tables (IP, IP6, Inet), chains (Input, Output, Forward) and rules that are hierarchy levels at the same time. Tables include chains that include the actual firewall rules. The app provides a graphic interface of the Nftables functionality. This allows to comfortably create, edit and manage rules for network traffic/ packet filtering.

The firewall app offers Network Address Translation (NAT). NAT makes it possible to replace the destination or source IP address of a data packet with another address in the data packet. Both destination and source NAT are supported. Using source NAT of the firewall app, several devices (IP addresses) of the machine from the machine network can communicate with the production network via the ctrlX CORE using a single IP address (masquerading), which has security advantages. In contrast, Destination NAT enables the firewall app to address different services on different devices (IP addresses) in the machine network via one IP address of the ctrlX CORE from the production network (port forwarding).

Features

• Firewall based on Nftables.

• Network tables for IPv4, IPv6 and Inet (IPv4 + IPv6) network traffic.

• Chains for Input (packets received by device), Output (packets leaving the device) and Forward (packets passing the device).

• Rules support simple and advanced expressions to accept, drop or reject network packets.

• Chain Management - managing of network rules (Create, edit, delete).

• Rule Management - managing of expressions (Create, edit, delete, change of sequence).

• Monitoring of rule(s) configuration via network packet counter.

• Source NAT to adapt the source address of the data packet.

• Destination NAT to adapt the destination address of the data packet.
  

Firewall configuration

Support

• Forum ctrlX IOT

Related Links

• Documentation ctrlX OS - Firewall

• Basic guide for 3.6 version and greater: Firewall basic a Practical guide

• Routing guide for 2.6 and greater, firewall advanced, the same result can be achieved more easily with the previous guide and firewall basic license:

  • How to use ctrlX CORE as a “router” using the Firewall App

  • Cybersecurity: Device selective connectivity using DNAT and MASQUERADE

• Read more about Cybersecurity: Security is a priority for industrial automation.

Curious?

You can test many apps free of charge with a virtual control system provided by ctrlX WORKS.
Just download ctrlX WORKS and follow this How-to

[link-button type="light" text="TRY IT NOW" target="_blank" href="https://community.boschrexroth.com/ctrlx-os-store-apps-oc2pqqwn/post/ctrlx-works-xOJLFLUiK4NGm5H"]