Technicolor - Thomson 610v Network Router User Manual

SpeedTouch™ 610 Remote Access Application Note Ed. 01
Implementation of the default firewall rules

In the following an extract is given of the default firewall rules.

Sink chain firewall rules, applying to traffic destined for the SpeedTouch™ 610 IP host (sink hook):

chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept
chain=sink index=2 prot=udp dstport=dns action=accept
chain=sink index=3 prot=udp dstport=bootpc action=accept
chain=sink index=4 prot=udp dstport=sntp action=accept
chain=sink index=5 prot=udp dstport=snmp log=yes action=count
chain=sink index=6 prot=udp dstport=rip log=yes action=count
chain=sink index=7 action=drop

The first rule instructs the firewall to allow incoming traffic to the SpeedTouch™ 610 IP host from the Ethernet interface only if it does not come from a WAN hardware bridge port. The second rule accepts any traffic coming from any non-WAN interface.
Some specific UDP ports are opened for correct functioning of the SpeedTouch™ 610. SNMP and RIP packets are logged.
All other packets to the SpeedTouch™ 610 IP host are dropped.

Source chain firewall rules, applying to traffic generated by the SpeedTouch™ 610 IP host (source hook):

chain=source index=0 dstintfgrp=!wan action=accept
chain=source index=1 prot=udp dstport=dns action=accept
chain=source index=2 prot=udp dstport=bootps action=accept
chain=source index=3 prot=udp dstport=sntp action=accept
chain=source index=4 prot=udp dstport=syslog action=accept
chain=source index=5 prot=udp dstport=rip log=yes action=count
chain=source index=6 prot=udp dstport=snmptrap log=yes action=count
chain=source index=7 prot=udp srcport=snmp log=yes action=count
chain=source index=8 action=drop

The first rule indicates that there is no restriction for traffic towards the LAN. Again some specific UDP ports are opened for correct functioning. SNMP and RIP packets are logged.
All other packets generated by the SpeedTouch™ 610 IP host are dropped.

When adding rules to the source and sink chains, always make sure to insert the rules before the last rule, as all traffic subjected to this last rule will be dropped.

Firewalling in the scope of remote management

Allowing remote management and monitoring of the SpeedTouch™ 610 from the WAN actually means creating specific holes in the firewall to allow dedicated WAN traffic directly to and from the SpeedTouch™ 610 IP host.
Otherwise stated, if you want to allow remote management and monitoring, the firewall rules applying to source and sink have to be changed in such a way that all traffic (DNS and DHCP not included) to and from the SpeedTouch™ 610 is dropped as before, except traffic specifically belonging to one or more kinds of remote management and monitoring.
In the following, the changes are described per remote access method.

Note: All of the following examples start from the default set of firewall rules.
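As an added example, not code from the application note or from Thomson, the Python below simulates first-match evaluation of the default sink chain: it parses the rule syntax listed above, treats accept and drop as final, and assumes that action=count only counts/logs and falls through to the next rule, and that adding a rule at index N places it before the current rule N. The packets and the telnet remote-access rule in demo() are constructed for illustration; the demo shows why a rule appended after the final drop is never reached while the same rule inserted before it takes effect.

```python
import re

# Default sink chain as listed in this section (these rule lines are the page's own).
DEFAULT_SINK = """\
chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept
chain=sink index=2 prot=udp dstport=dns action=accept
chain=sink index=3 prot=udp dstport=bootpc action=accept
chain=sink index=4 prot=udp dstport=sntp action=accept
chain=sink index=5 prot=udp dstport=snmp log=yes action=count
chain=sink index=6 prot=udp dstport=rip log=yes action=count
chain=sink index=7 action=drop
"""
SELECTORS = ("srcintf", "srcbridgeport", "srcintfgrp", "dstintfgrp", "prot", "dstport", "srcport")

def parse_rule(line):
    # 'chain=sink index=2 prot=udp ...' -> dict of key/value pairs, quotes stripped
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=(\S+)', line)}
# the order the firewall walks the chain: ascending index
DEFAULT_CHAIN = sorted(map(parse_rule, DEFAULT_SINK.splitlines()), key=lambda r: int(r["index"]))

def insert_rule(chain, line):
    # assumed semantics: the new rule takes the given index and later rules shift down by one
    new, out = parse_rule(line), [dict(r) for r in chain]
    out.insert(int(new["index"]), new)
    for i, r in enumerate(out):
        r["index"] = str(i)
    return out
def matches(rule, pkt):
    # every selector in the rule must agree with the packet; '!' negates; a missing attribute never matches
    for key in SELECTORS:
        if key in rule:
            want, have = rule[key], pkt.get(key)
            if have is None or (have == want[1:] if want[0] == "!" else have != want):
                return False
    return True
def verdict(chain, pkt):
    # first-match walk: accept/drop end evaluation; action=count is assumed non-terminating,
    # it only notes log=yes and falls through, so counted packets still reach the final drop
    logged = ""
    for r in chain:
        if matches(r, pkt):
            if r["action"] != "count":
                return f"{r['action']}@{r['index']}{logged}"
            logged = ",logged" if r.get("log") == "yes" else logged
    return "nomatch"
def demo():
    # constructed WAN packets and a constructed remote-access rule (neither is from the note)
    wan = {"srcintf": "ppp0", "srcintfgrp": "wan", "prot": "tcp", "dstport": "telnet"}
    hole = "chain=sink index={} prot=tcp dstport=telnet action=accept"
    return {"wan_snmp": verdict(DEFAULT_CHAIN, dict(wan, prot="udp", dstport="snmp")),
            "wan_mgmt": verdict(DEFAULT_CHAIN, wan),
            "after_drop": verdict(insert_rule(DEFAULT_CHAIN, hole.format(8)), wan),   # rule never reached
            "before_drop": verdict(insert_rule(DEFAULT_CHAIN, hole.format(7)), wan)}  # the intended hole
```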