Technicolor - Thomson 610v Network Router User Manual


 
Application Note Ed. 01
2 SpeedTouch™610 Remote Access
If you use the SpeedTouch™610 DHCP server for automatic IP configuration of the hosts on your local network, DHCP requests from local hosts will no longer be allowed to arrive at the SpeedTouch™610 IP host (i.e. its DHCP server), and equally, DHCP replies will no longer be allowed to leave the SpeedTouch™610 IP host towards the local LAN.
To solve this, you can add the following firewall rules:

chain=sink index=3 srcintfgrp=lan prot=udp dstport=bootps action=accept
chain=source index=3 dstintfgrp=lan prot=udp srcport=bootpc action=accept

The first rule makes sure that DHCP requests are allowed to pass the SpeedTouch™610 DHCP server’s BootP-Server UDP port; the second that DHCP replies in answer to the DHCP requests are allowed to pass the DHCP server’s BootP-Client UDP port.

Of course, if your local network uses fixed IP addresses or a DHCP server other than the SpeedTouch™610’s, there is no need for these rules.

Syslog messages

When restricting access as described in “Restricting all SpeedTouch™610 access for the local network” on page 11, no communication between any host and the SpeedTouch™610 IP host is possible.

However, to provide minimal management, syslog messages are allowed to pass the firewall towards the LAN or WAN via the following rule in the source chain:

chain=source index=4 prot=udp dstport=syslog action=accept

Still, to allow a host’s syslog daemon to receive SpeedTouch™610 syslog messages, a syslog rule for that host must be configured via the SpeedTouch™610 web pages or the CLI.

Allowing restricted access

Once you have denied all access leaving from or arriving at the SpeedTouch™610 IP host, you can allow access to the LAN service by service by adding specific firewall rules for the sink and source chains.

The rules are very similar to the rules added for remote management, except that now the “gate” must be opened for the LAN instead of the WAN.
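To check which traffic the three rules on this page actually let through, the following added example (not part of the original manual and not SpeedTouch firmware code) evaluates them against constructed packets. It assumes first-match evaluation in index order, a default drop standing in for the deny-all rules configured beforehand, and the standard UDP port numbers for bootps, bootpc and syslog; the packet field names are hypothetical and simply mirror the rule keys.

```python
# Added illustration: a simplified model, not the SpeedTouch 610 firewall itself.
PORTS = {"bootps": 67, "bootpc": 68, "syslog": 514}  # standard well-known UDP ports

# Rule parameters copied verbatim from the page.
RULES = [
    "chain=sink index=3 srcintfgrp=lan prot=udp dstport=bootps action=accept",
    "chain=source index=3 dstintfgrp=lan prot=udp srcport=bootpc action=accept",
    "chain=source index=4 prot=udp dstport=syslog action=accept",
]

def parse_rule(line):
    """Turn 'key=value ...' into a dict; service names become port numbers."""
    rule = dict(field.split("=", 1) for field in line.split())
    rule["index"] = int(rule["index"])
    for key in ("srcport", "dstport"):
        if key in rule:
            rule[key] = PORTS.get(rule[key]) or int(rule[key])
    return rule

def evaluate(rules, chain, packet, default="drop"):
    """Assumed semantics: lowest index first, the first full match decides,
    and the default stands in for the deny-all rules set up beforehand."""
    candidates = sorted((r for r in rules if r["chain"] == chain),
                        key=lambda r: r["index"])
    for rule in candidates:
        criteria = {k: v for k, v in rule.items()
                    if k not in ("chain", "index", "action")}
        if all(packet.get(k) == v for k, v in criteria.items()):
            return rule["action"]
    return default

PARSED = [parse_rule(line) for line in RULES]

# Constructed sample packets: (chain, packet fields).
SAMPLES = {
    "dhcp_request_lan": ("sink", {"srcintfgrp": "lan", "prot": "udp", "srcport": 68, "dstport": 67}),
    "dhcp_request_wan": ("sink", {"srcintfgrp": "wan", "prot": "udp", "srcport": 68, "dstport": 67}),
    "http_from_lan": ("sink", {"srcintfgrp": "lan", "prot": "tcp", "srcport": 40000, "dstport": 80}),
    "syslog_to_wan": ("source", {"dstintfgrp": "wan", "prot": "udp", "srcport": 514, "dstport": 514}),
    "telnet_reply_lan": ("source", {"dstintfgrp": "lan", "prot": "tcp", "srcport": 23, "dstport": 50000}),
}

def verdicts():
    """Evaluate every constructed sample against the parsed rules."""
    return {name: evaluate(PARSED, chain, pkt) for name, (chain, pkt) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:18} {verdict}")
```

Under these assumptions only the LAN-side DHCP request and the outgoing syslog message are accepted; the syslog rule names no interface group, so it matches towards both LAN and WAN.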