TwinCAT/BSD provides a complete and fully-featured firewall within the package filter (PF). The firewall is factory-set to be restrictive and allows only a few incoming and outgoing connections. The rules for the firewall are stored in a configuration file. You can open the configuration file using the command doas ee /etc/pf.conf.

The rules for ports used by Beckhoff services are included through "anchor bhf" in the file pf.conf and are created dynamically for TwinCAT Functions. Custom rules for the firewall should still be added to the pf.conf file.

Note that the unencrypted ADS port 48898 is disabled by default. Use Secure ADS instead or enable ADS port 48898 with the following entry in the firewall:

Firewall rule for unencrypted ADS communication.



pass in quick proto tcp to port 48898 synproxy state

TCP connections on ADS port 48898 (ADS/TCP), disabled by default.