1800 557 705
Aaron Bloom | Support Engineer
Red Lion’s FlexEdge has immense capabilities and potential, of which we have only just scratched the surface. Its comprehensive Crimson 3.2 software is easy to use and setup however, to facilitate very specific configuration, we’ll need to investigate it in further detail. In this Tech Tip, we will be looking into FlexEdge’s firewall.
Configuring the firewall can be performed in two ways, through the system Web GUI or directly inside Crimson 3.2. The images displayed throughout this tech tip are from the Crimson software, but the sections and options are the same in the Web GUI.
The firewall is broken down into six groups: Access Lists, Untrusted Traffic, Routing Filters, Port Forwarding, NAT and DMZ and Custom Rules. All these features are displayed inside the Device Configuration section.
The Access Lists enable you to allow (white list) or deny (black list) individual IP addresses or IP ranges. The below example demonstrates adding addresses 192.168.63.100 to 192.168.63.103 to the white list, which would allow all traffic from that range.
Individual interfaces can either be set to trusted or untrusted. The difference between the two is traffic received at a trusted interface will be allowed by default whereas, traffic arriving at an untrusted interface will be denied by default if it's not a response to traffic sent out of the untrusted interface. Thus, the Untrusted Traffic feature sets rules to allow traffic to come in from an untrusted interface, only when it meets the specified rules, with predefined rules for common services and custom for specific ports.
Routing Filters allow or deny traffic based on the destination of that traffic and can specify which interface it is coming in and going out of. In the example below, traffic coming from Ethernet 1, routed to Ethernet 2, with a destination network of 10.30.10.0, will be allowed through.
The Port Forwarding feature allows you to alter traffic that is routed through the FlexEdge unit by changing the destination port or applying what is known as ‘Masquerade’. This changes traffic to appear as if it originated from the FlexEdge unit, which can get around units unable to change their IP settings or set appropriate routing. In the example below, all Modbus traffic to any of the FlexEdge interfaces will be sent to 192.168.0.50 and appear to that device as if it originated from the FlexEdge’s IP address.
NAT and DMZ
Network Address Translation and Demilitarised Zone allow the translation of IP addresses and exposure of devices behind the FlexEdge respectively. The NAT example below, will change the destination IP address of inbound packets from the 192.168.0.0/24 range to 10.99.0.0/24 and masquerade the source’s address to the relevant Flexedge address.
As for the DMZ, the example below demonstrates how all IP traffic coming into the WiFi 1 interface will be forwarded to the device, 172.16.0.5. This would normally be used for servers that you want publicly accessible which are likely isolated from the rest of your trusted interfaces.
The previous sections should cover most usage cases however, occasionally very specific rules are required due to security or network constraints. This is exactly where the Custom Rules feature excels. FlexEdge uses an iptables based firewall, therefore, to introduce a custom rule, creating an iptables command and entering it as a rule following the Crimson format is necessary.
As an example, the following would be executed if we wanted to block DNS UDP Traffic directly to external servers.
1. Iptables entry:
Iptables -I FORWARD 1 -p udp -dport 53 -j DROP
2. Crimson entry:
Displayed below is the rule in action, trying to resolve the URL controllogic.com.au with CloudFlare’s main DNS server (18.104.22.168) on a PC, using the FlexEdge as a gateway.
Before saving the firewall rule:
After applying the rule (we get no response from the server):
The current firewall rules can be inspected on the Crimson 3.2 System Webserver under the Diagnostics > Network Info section.
Under the Firewall Filter Rules table, we can see the custom rule that we added above.
Network security and firewalls can be difficult to implement and will only increase in difficulty as end users demand more data and connectivity. If you are struggling to keep up or, are in need of a second opinion, Control Logic has the resources to assist your industrial applications.