2 Remote SpeedTouch™ 610 web interface access, Appropriate firewall rules, Refinements of the rules – Technicolor - Thomson 610v User Manual


Application Note Ed. 01

2 SpeedTouch™ 610 Remote Access

2.2 Remote SpeedTouch™ 610 Web Interface Access

Appropriate firewall rules

To allow remote access to the SpeedTouch™ 610 web pages from the WAN, you must add the following rules:

To the sink chain:

[firewall rule]=>create chain=sink index=2 prot=tcp dstport=www-http action=accept

The rule allows incoming traffic from the WAN to the SpeedTouch™ 610 web host.
The rule is inserted after the first two rules (index=0 and index=1) as neither of the two rules applies to traffic coming from any WAN interface. However, make sure (as in the example) to insert the rule before the last rule (which drops all traffic not blocked by any preceding rule).

Note

If you want to allow remote access to the SpeedTouch™ 610 web pages in a Bridged Ethernet Packet Service scenario, you must add the rule mentioned above with index=0 (i.e. the added rule becomes the first one), so that traffic coming from the WAN Bridge port and destined for the SpeedTouch™ 610 web host is not dropped.

To the source chain:

[firewall rule]=>create chain=source index=1 prot=tcp srcport=www-http action=accept

The rule allows outgoing traffic from the SpeedTouch™ 610 web host to the WAN. It is added after the first rule, which concerns all traffic towards the LAN and therefore does not apply to it, but before the last rule (which drops all traffic not blocked by any preceding rule).

The added rules will allow any user on the WAN to contact the SpeedTouch™ 610 web pages and browse them after authentication.

Refinements of the rules

However, if needed, the rules can be fine-tuned to allow only traffic coming from/going to a particular Packet Service interface, or even (additionally) to restrict allowed traffic to a range of IP addresses.
The example below shows the rules to add in case a separate management PVC (called IPoA) is used with the Routed IPoA Packet Service configuration in the 192.6.11.x/24 range of IP addresses. In this setup only remote hosts with an IP address in the range of 192.6.11.1 to 192.6.11.254 with an IP connection to the SpeedTouch™ 610 via the IPoA WAN interface are allowed to contact the SpeedTouch™ 610 web pages.

[firewall rule]=>create chain=sink index=2 srcintf=IPoA src=192.6.11.1/24 prot=tcp dstport=www-http action=accept

[firewall rule]=>create chain=source index=1 dstintf=IPoA dst=192.6.11.1/24 prot=tcp srcport=www-http action=accept

For more information on the complete CLI command parameters, see the SpeedTouch™ 610 CLI Reference Guide.
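The effect of rule position and of the srcintf/src refinement can be checked with a small first-match model of the sink chain. This Python example is added here and is not taken from the manual or the SpeedTouch firmware. It assumes a constructed default chain (two LAN-side rules with hypothetical interface names eth0 and loop, then a final drop), constructed probe packets, a hypothetical second WAN interface PPPoA, and that a field omitted from a rule matches any packet. It also goes one step beyond the text by showing a rule placed after the final drop.

```python
import ipaddress

def parse(text):
    """Split the page's 'key=value ...' rule syntax into a dict."""
    return dict(tok.split("=", 1) for tok in text.split())

def matches(rule, pkt):
    """Assumed semantics: a field the rule omits matches any packet."""
    for key in ("srcintf", "prot", "dstport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "src" in rule:
        # strict=False tolerates host bits, as in src=192.6.11.1/24
        net = ipaddress.ip_network(rule["src"], strict=False)
        return ipaddress.ip_address(pkt["src"]) in net
    return True

def verdict(chain, pkt):
    """First matching rule decides; nothing matching means drop."""
    return next((r["action"] for r in chain if matches(r, pkt)), "drop")

def sink_chain(new_rule):
    # Constructed default chain (two LAN-side rules, final drop); not the device's.
    chain = [parse("srcintf=eth0 action=accept"),
             parse("srcintf=loop action=accept"),
             parse("action=drop")]
    rule = parse(new_rule)
    chain.insert(int(rule["index"]), rule)
    return chain

OPEN = "chain=sink index=2 prot=tcp dstport=www-http action=accept"
REFINED = ("chain=sink index=2 srcintf=IPoA src=192.6.11.1/24 "
           "prot=tcp dstport=www-http action=accept")
MISPLACED = OPEN.replace("index=2", "index=3")  # lands after the final drop
WEB = {"prot": "tcp", "dstport": "www-http"}  # every probe targets the web host
# Constructed probes: (source address, ingress interface); PPPoA is hypothetical
PROBES = {"mgmt range via IPoA": ("192.6.11.20", "IPoA"),
          "other source via IPoA": ("198.51.100.7", "IPoA"),
          "mgmt range via PPPoA": ("192.6.11.20", "PPPoA")}

def exposure(new_rule):
    """Verdict per probe once new_rule is inserted into the sink chain."""
    chain = sink_chain(new_rule)
    return {name: verdict(chain, {"src": src, "srcintf": intf, **WEB})
            for name, (src, intf) in PROBES.items()}

if __name__ == "__main__":
    for rule in (OPEN, REFINED, MISPLACED):
        print(rule, "->", exposure(rule))
```

In this model the unrefined rule accepts all three probes, the refined rule accepts only the management-range host arriving on IPoA, and the rule inserted after the final drop is never reached.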
