2.5 SpeedTouch™610 Controlled Access, Introduction, Default Firewall configuration vs LAN – Technicolor - Thomson 610v User Manual


2 SpeedTouch™610 Remote Access    Application Note Ed. 01

2.5 SpeedTouch™610 Controlled Access

Introduction

In sections “2.2 Remote SpeedTouch™610 Web Interface Access” on page 8, “2.3 Remote SpeedTouch™610 Telnet Access” on page 9 and “2.4 Remote SpeedTouch™610 FTP Access” on page 10, the methods for allowing remote management of the SpeedTouch™610 by a remote host or network on the WAN are described.

In general, the method consisted of changing or adding the firewall rules against which packets arriving at or leaving the SpeedTouch™610 from/to the WAN are checked.

Regarding the local network, no restrictions exist at all by default. However, in many cases where the SpeedTouch™610 is remotely managed it is useful to restrict access to the device from the local network, to avoid potential misconfiguration and/or interference with remote management tasks. The SpeedTouch™610 firewall provides various means to restrict access from the LAN.

Default Firewall configuration vs LAN

No restrictions apply at all for packets arriving at the SpeedTouch™610 IP host from the local network, due to the following two primary rules in the sink chain:

chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept

Equally, no restrictions apply for packets leaving the SpeedTouch™610 IP host towards the local network, due to the following primary rule in the source chain:

chain=source index=0 srcintfgrp=!wan action=accept

Restricting all SpeedTouch™610 access for the local network

Forbidding all contact between the SpeedTouch™610 IP host and the local network is done simply by deleting these three rules.

Note
Do not perform this operation via a Telnet session or via the SpeedTouch™610 web pages, as deleting the rules takes effect immediately: all direct IP connectivity will be lost. Therefore, make sure to perform this operation only from CLI access via the serial Console port.

Doing so will not affect the forwarding and routing functionality of the SpeedTouch™610, but local hosts will no longer be able to ping, FTP or telnet to the SpeedTouch™610, or browse its web pages.

However, for local users to keep experiencing the same behaviour of the services delivered by the SpeedTouch™610, two internal SpeedTouch™610 services must be made available to the “outside” again:

For the correct operation of the SpeedTouch™610 DNS server towards the local network, the following rule must be added to the source chain:

chain=source index=1 prot=tcp srcport=dns action=accept

This rule makes sure that name resolutions performed by the SpeedTouch™610 can be propagated to the requesting (local) host.
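Added example, not taken from the application note: a small Python model of the first-match sink/source chain evaluation described above, run over the rules quoted on this page, so that the effect of deleting the three default LAN rules and re-adding the DNS rule can be checked before touching a live device. It assumes that a chain with no matching rule implicitly drops the packet and that a `!` prefix on a value means "not equal"; the packet fields are constructed.

```python
import re

# The three default LAN rules and the DNS rule, as quoted in the application note above.
DEFAULT_RULES = [
    'chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop',
    'chain=sink index=1 srcintfgrp=!wan action=accept',
    'chain=source index=0 srcintfgrp=!wan action=accept',
]
DNS_RULE = 'chain=source index=1 prot=tcp srcport=dns action=accept'

# Rule fields that are compared against a packet (chain/index/action are control fields).
MATCH_KEYS = ('srcintf', 'srcbridgeport', 'srcintfgrp', 'prot', 'srcport')


def parse_rule(line):
    """Turn 'key=value' tokens into {key: (negated, value)}; a '!' prefix negates the test."""
    rule = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        value = value.strip('"')
        rule[key] = (value.startswith('!'), value.lstrip('!'))
    return rule


def rule_matches(rule, packet):
    """Every match field present in the rule must agree with the packet (respecting '!')."""
    for key in MATCH_KEYS:
        if key in rule:
            negated, value = rule[key]
            if (packet.get(key) == value) == negated:
                return False
    return True


def evaluate(rules, chain, packet, default='drop'):
    """First matching rule of `chain` (ordered by index) decides; when nothing matches,
    fall back to `default`, assumed here to be an implicit drop (not stated on the page)."""
    parsed = [parse_rule(r) for r in rules]
    chain_rules = sorted((r for r in parsed if r['chain'][1] == chain),
                         key=lambda r: int(r['index'][1]))
    for rule in chain_rules:
        if rule_matches(rule, packet):
            return rule['action'][1]
    return default


if __name__ == '__main__':
    # Constructed packets: a LAN host on bridge port 1 reaching the device, and a DNS reply back.
    lan_in = {'srcintf': 'eth0', 'srcbridgeport': '1', 'srcintfgrp': 'lan'}
    dns_out = {'prot': 'tcp', 'srcport': 'dns'}
    print('default rules, LAN -> device:', evaluate(DEFAULT_RULES, 'sink', lan_in))      # accept
    print('rules deleted, LAN -> device:', evaluate([], 'sink', lan_in))                  # drop
    print('rules deleted + DNS rule, DNS reply:', evaluate([DNS_RULE], 'source', dns_out))  # accept
```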
