Westermo RedFox Series User Manual

Page 233


Westermo OS Management Guide

Version 4.17.0-0

As interface pppoe0 is typically used as the upstream interface, the NAT
settings should be adapted accordingly; see Routing, Firewall and NAT below.

LAN interface: The LAN interface vlan1 is by default assigned IP address
192.168.2.200. All management services are enabled on the LAN interface.

Example

    iface vlan1 inet static
        distance 16
        management ssh http https ipconfig snmp
        address 192.168.2.200/24
    end

Routing, Firewall and NAT: Falcon by default has IP forwarding (routing)
and NAT enabled. Thereby Falcon can route packets between a private
network on its LAN interface (vlan1) and the public Internet on its WAN
interface.

The default firewall and NAT rules block all incoming traffic on the WAN
interface, except for packets belonging to established connections. (Such
connections are in turn initiated from the private network, i.e., from the LAN
side.) These settings are chosen to limit the risk of attacks when
connecting the Falcon to a public network such as the Internet.

Special firewall deny rules are set up for TCP and UDP port 53 (DNS). These
prevent the Falcon from becoming an open DNS relay on the WAN side.

An open DNS relay is considered a security problem, since it can be used in
remote attacks on the ISP's DNS server. DNS relay is enabled on all interfaces
and should therefore be filtered on every interface facing a public network.
Normal DNS traffic originating from the inside (from the LAN) works as
expected and is not affected by these rules.

Example

    ip
        forwarding
        firewall
            policy input DROP
            policy forward DROP
            filter allow in vlan1 proto icmp
            filter deny in vlan1006 dport 53 proto udp
            filter deny in vlan1006 dport 53 proto tcp
            nat type napt out vlan1006 addfilter
            enable
    end
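The following is an added example, not part of the Westermo guide: a small Python checker that parses a firewall block written in the syntax shown above and reports whether the WAN-facing interfaces carry the two port 53 deny rules, the NAPT out rule and DROP policies the text describes. The sample configuration is constructed for illustration, and the name vlan1006 for the WAN interface is taken from the example above.

```python
"""Audit a WeOS-style firewall block for the open-DNS-relay protections."""
import re

# Constructed sample in the manual's syntax (not a dump from a real device).
SAMPLE_CONFIG = """\
ip
    forwarding
    firewall
        policy input DROP
        policy forward DROP
        filter allow in vlan1 proto icmp
        filter deny in vlan1006 dport 53 proto udp
        filter deny in vlan1006 dport 53 proto tcp
        nat type napt out vlan1006 addfilter
        enable
end
"""

FILTER_RE = re.compile(r"^filter (allow|deny) in (\S+)(?: dport (\d+))?(?: proto (\S+))?$")
NAT_RE = re.compile(r"^nat type napt out (\S+)")
POLICY_RE = re.compile(r"^policy (input|forward) (\S+)$")


def parse_firewall(text):
    """Collect chain policies, filter rules, NAPT out interfaces and enable state."""
    state = {"policies": {}, "filters": [], "nat_out": set(), "enabled": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            state["policies"][m.group(1)] = m.group(2)
        elif m := FILTER_RE.match(line):
            action, iface, dport, proto = m.groups()
            state["filters"].append((action, iface, int(dport) if dport else None, proto))
        elif m := NAT_RE.match(line):
            state["nat_out"].add(m.group(1))
        elif line == "enable":
            state["enabled"] = True
    return state


def audit(text, wan_ifaces):
    """Return a list of findings; an empty list means the block matches the defaults."""
    fw = parse_firewall(text)
    findings = []
    if not fw["enabled"]:
        findings.append("firewall not enabled")
    for chain in ("input", "forward"):
        if fw["policies"].get(chain) != "DROP":
            findings.append(f"policy {chain} is not DROP")
    for wan in wan_ifaces:
        for proto in ("udp", "tcp"):  # both DNS transports must be denied on WAN
            if ("deny", wan, 53, proto) not in fw["filters"]:
                findings.append(f"{wan}: missing deny dport 53 proto {proto} (open DNS relay risk)")
        if wan not in fw["nat_out"]:
            findings.append(f"{wan}: no NAPT out rule")
    return findings
```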

© 2015 Westermo Teleindustri AB
