SNMP and the default SpeedTouch™610 firewall, Allowing remote SNMP – Technicolor - Thomson 610v User Manual


4 The SpeedTouch™610 SNMP

Application Note Ed. 01

SNMP and the default SpeedTouch™610 Firewall

Towards the local network, the firewall rules impose no restrictions.
However, regarding the WAN, any traffic on destination UDP ports 161 (SNMP) and
162 (SNMP-trap) generated by the SpeedTouch™610 will be counted and logged to
Syslog:

:firewall rule create chain=source index=6 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=source index=7 prot=udp dstport=snmptrap log=yes action=count

Any traffic arriving from the WAN sourced on UDP port 162 towards the
SpeedTouch™610 is counted and logged as well:

:firewall rule create chain=sink index=6 prot=udp dstport=snmp log=yes action=count

Subsequently the SNMP packets are dropped by the drop-all rules of the firewall:

:firewall rule create chain=source index=8 action=drop
:firewall rule create chain=sink index=7 action=drop

Allowing remote SNMP

To allow a remote SNMP manager to monitor the SpeedTouch™610 you must add the
following firewall rules:

:firewall rule create chain=source index=7 prot=udp dstport=snmp action=accept
:firewall rule create chain=sink index=7 prot=udp dstport=snmp action=accept

To allow the remote SNMP manager to receive SNMP traps generated by the
SpeedTouch™610, an additional firewall rule must be added (next to enabling
traps for the remote manager via a “:snmp trapadd”), assuming the default SNMP
trap UDP port (162) is used:

:firewall rule create chain=source index=9 prot=udp dstport=snmptrap action=accept

As a result, any WAN traffic coming from or going to the SpeedTouch™610 SNMP
agent will still be counted and logged to Syslog, but will be accepted.

Note

As for all remote management methods, the possibility exists to refine the
firewall rules to restrict access to a certain range of IP addresses, or to a
single IP address, optionally over a specific WAN interface.
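The effect of the rule sets above can be checked offline with a small first-match model of the source and sink chains. This is an added example, not part of the Thomson manual or the SpeedTouch firmware; the function names load and evaluate are its own. It assumes that "create index=N" inserts before the rule currently at N (which is what the page's index numbers imply), that action=count logs and continues, and it ignores rules below index 6, which the page does not show.

```python
# Added example: first-match model of the source/sink chains on this page.
# Assumed: create index=N inserts before rule N; count continues; accept/drop end.
PORTS = {"snmp": 161, "snmptrap": 162}  # port names as given on the page

DEFAULT_RULES = """\
:firewall rule create chain=source index=6 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=source index=7 prot=udp dstport=snmptrap log=yes action=count
:firewall rule create chain=sink index=6 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=source index=8 action=drop
:firewall rule create chain=sink index=7 action=drop
"""
ALLOW_RULES = """\
:firewall rule create chain=source index=7 prot=udp dstport=snmp action=accept
:firewall rule create chain=sink index=7 prot=udp dstport=snmp action=accept
:firewall rule create chain=source index=9 prot=udp dstport=snmptrap action=accept
"""

def load(text, chains=None):
    """Apply ':firewall rule create' lines to {chain: {index: rule}}."""
    chains = {} if chains is None else chains
    for line in text.splitlines():
        if not line.startswith(":firewall rule create"):
            continue
        rule = dict(kv.split("=", 1) for kv in line.split()[3:])
        chain = chains.setdefault(rule.pop("chain"), {})
        idx = int(rule.pop("index"))
        # Shift rules at or after idx down by one to make room (assumed insert).
        for i in sorted((i for i in chain if i >= idx), reverse=True):
            chain[i + 1] = chain.pop(i)
        chain[idx] = rule
    return chains

def evaluate(chains, chain, prot, dstport):
    """Return (verdict, logged_indices) for one packet."""
    logged = []
    for idx in sorted(chains.get(chain, {})):
        r = chains[chain][idx]
        if "prot" in r and r["prot"] != prot:
            continue
        if "dstport" in r and PORTS[r["dstport"]] != dstport:
            continue
        if r.get("log") == "yes":
            logged.append(idx)
        if r["action"] in ("accept", "drop"):
            return r["action"], logged
    return "no-match", logged

if __name__ == "__main__":
    print(evaluate(load(ALLOW_RULES, load(DEFAULT_RULES)), "sink", "udp", 161))
```

In this model the accept rules match any WAN source address, which is the exposure the Note's per-address refinement is meant to narrow.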
