Technicolor - Thomson 610v Network Router User Manual


2 SpeedTouch™610 Remote Access
Application Note Ed. 01
11
2.5 SpeedTouch™610 Controlled Access

Introduction
In sections “2.2 Remote SpeedTouch™610 Web Interface Access” on page 8, “2.3 Remote SpeedTouch™610 Telnet Access” on page 9 and “2.4 Remote SpeedTouch™610 FTP Access” on page 10 the methods for allowing remote management of the SpeedTouch™610 by a remote host or network on the WAN are described.
Generally the method consisted of changing or adding firewall rules against which the packets arriving at or leaving from the SpeedTouch™610 from/to the WAN are checked.
Regarding the local network, no restrictions exist at all by default.
However, in many cases where the SpeedTouch™610 is remotely managed it is useful to restrict access to the device from the local network, to avoid potential mis-configuration and/or interference with remote management tasks.
The SpeedTouch™610 firewall provides various means to restrict access from the LAN.
Default Firewall configuration vs LAN
No restrictions apply at all for packets arriving at the SpeedTouch™610 IP host from the local network, due to the following two primary rules in the sink chain:

chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept

Equally, no restrictions apply for packets leaving the SpeedTouch™610 IP host to the local network, due to the following primary rule in the source chain:

chain=source index=0 srcintfgrp=!wan action=accept

Restricting all SpeedTouch™610 access for the local network
Forbidding all contact between the SpeedTouch™610 IP host and the local network can simply be done by deleting these three rules.

Note Do not perform this operation via a Telnet session, or via the SpeedTouch™610 web pages, as deleting the rules will have immediate effect: all direct IP connectivity will be lost. Therefore, make sure to perform this operation only from CLI access via the serial Console port.

Doing so will not affect the forwarding and routing functionality of the SpeedTouch™610, but local hosts will no longer be able to ping, ftp and telnet the SpeedTouch™610 or browse its web pages.

However, before the local users will experience the same behaviour of the services delivered by the SpeedTouch™610, two internal SpeedTouch™610 services should be made available for the “outside” again:

For the good operation of the SpeedTouch™610 DNS server towards the local network, the following rule must be added to the source chain:

chain=source index=1 prot=tcp srcport=dns action=accept

This rule makes sure that name resolutions by the SpeedTouch™610 can be propagated to the requesting (local) host.
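As an added illustration (not SpeedTouch code), the following Python model parses rule listings in the format shown above and evaluates packets against the sink and source chains with first-match semantics, so the effect of deleting the three default rules and adding the DNS rule can be checked on constructed sample packets. It assumes that a packet matching no rule in a chain is dropped, and that `srcport=dns` means TCP port 53.

```python
# Added model of first-match chain evaluation for the listings above
# (not SpeedTouch code). Assumption: a packet matching no rule is dropped.
PORT_NAMES = {"dns": 53}             # symbolic port names used in the listing
META = ("chain", "index", "action")  # bookkeeping fields, not match conditions
# Constructed copy of the three default rules quoted in this section.
DEFAULT_RULES = """
chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept
chain=source index=0 srcintfgrp=!wan action=accept
"""
# The rule the note says to add so DNS answers still reach local hosts.
DNS_RULE = 'chain=source index=1 prot=tcp srcport=dns action=accept'

def parse_rules(listing):
    """Turn key=value listing lines into dicts, dropping quotes around values."""
    rules = []
    for line in listing.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        rules.append({k: v.strip('"') for k, v in fields.items()})
    return rules

def condition_matches(cond, value):
    """Compare one packet field with a rule condition; a '!' prefix negates it."""
    negate = cond.startswith("!")
    want = cond.lstrip("!")
    want = PORT_NAMES.get(want, want)
    return (str(value) == str(want)) != negate

def evaluate(rules, chain, packet):
    """First matching rule (by index) in the chain decides; no match -> drop."""
    for rule in sorted((r for r in rules if r["chain"] == chain),
                       key=lambda r: int(r["index"])):
        conds = {k: v for k, v in rule.items() if k not in META}
        if all(condition_matches(c, packet.get(k)) for k, c in conds.items()):
            return rule["action"]
    return "drop"
# Constructed sample packets, described by the fields the rules inspect.
LAN_TO_DEVICE = {"srcintf": "eth0", "srcbridgeport": 1, "srcintfgrp": "lan", "prot": "tcp"}
DNS_REPLY = {"srcintfgrp": "lan", "prot": "tcp", "srcport": 53}
WEB_REPLY = {"srcintfgrp": "lan", "prot": "tcp", "srcport": 80}

def compare_policies():
    """Verdicts with the default rules vs. after deleting them and adding DNS_RULE."""
    before, after = parse_rules(DEFAULT_RULES), parse_rules(DNS_RULE)
    return {"lan->device before": evaluate(before, "sink", LAN_TO_DEVICE),
            "lan->device after": evaluate(after, "sink", LAN_TO_DEVICE),
            "dns reply before": evaluate(before, "source", DNS_REPLY),
            "dns reply after": evaluate(after, "source", DNS_REPLY),
            "web reply after": evaluate(after, "source", WEB_REPLY)}
```

The "after" verdicts show why the note insists on the serial console: once the three rules are gone, every LAN packet to the device and every reply except DNS answers is dropped.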