2 SpeedTouch™610 Remote Access
Application Note Ed. 01 11
2.5 SpeedTouch™610 Controlled Access
Introduction
In sections “2.2 Remote SpeedTouch™610 Web Interface Access” on page 8, “2.3 Remote SpeedTouch™610 Telnet Access” on page 9 and “2.4 Remote SpeedTouch™610 FTP Access” on page 10, the methods for allowing remote management of the SpeedTouch™610 by a remote host or network on the WAN are described.
In general, the method consisted of changing or adding the firewall rules against which packets arriving at or leaving the SpeedTouch™610 from/to the WAN are checked.
For the local network, no restrictions exist at all by default.
However, in many cases where the SpeedTouch™610 is remotely managed, it is useful to restrict access to the device from the local network, to avoid potential misconfiguration and/or interference with remote management tasks.
The SpeedTouch™610 firewall provides various means to restrict access from the LAN.
Default Firewall configuration vs LAN
No restrictions apply at all to packets arriving at the SpeedTouch™610 IP host from the local network, due to the following two primary rules in the sink chain:
chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept
Equally, no restrictions apply to packets leaving the SpeedTouch™610 IP host to the local network, due to the following primary rule in the source chain:
chain=source index=0 srcintfgrp=!wan action=accept
Restricting all SpeedTouch™610 access for the local network
Forbidding all contact between the SpeedTouch™610 IP host and the local network can simply be done by deleting these three rules.
Note: Do not perform this operation via a Telnet session or via the SpeedTouch™610 web pages, as deleting the rules takes immediate effect: all direct IP connectivity will be lost. Therefore, make sure to perform this operation only from CLI access via the serial Console port.
Doing so will not affect the forwarding and routing functionality of the SpeedTouch™610, but local hosts will no longer be able to ping, FTP or Telnet to the SpeedTouch™610, or browse its web pages.
However, for local users to keep experiencing the same behaviour from the services delivered by the SpeedTouch™610, two internal SpeedTouch™610 services must be made available to the “outside” again:
For the correct operation of the SpeedTouch™610 DNS server towards the local network, the following rule must be added to the source chain:
chain=source index=1 prot=tcp srcport=dns action=accept
This rule makes sure that name resolutions by the SpeedTouch™610 can be propagated to the requesting (local) host.
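As an added illustration (not part of this application note and not the SpeedTouch™610's own firewall code), the following Python script models first-match evaluation of the sink and source chains using only the rule lines quoted in this section, so the effect of deleting the three primary rules and re-adding the DNS rule can be checked before the change is made from the Console port. It assumes that a chain with no matching rule drops the packet, and the packet field names and the two sample packets are constructed for the example.

```python
import shlex

# Rule lines exactly as quoted in this section: sink = packets arriving at the
# device's own IP host, source = packets leaving it. Lower index is tried first.
DEFAULT_RULES = """
chain=sink index=0 srcintf="eth0" srcbridgeport=!1 action=drop
chain=sink index=1 srcintfgrp=!wan action=accept
chain=source index=0 srcintfgrp=!wan action=accept
"""
DNS_RULE = 'chain=source index=1 prot=tcp srcport=dns action=accept'

def parse_rule(line):
    """Split 'key=value ...' into {key: (value, negated)}; '!' negates a match."""
    rule = {}
    for token in shlex.split(line):          # shlex drops the quotes around "eth0"
        key, value = token.split("=", 1)
        rule[key] = (value.lstrip("!"), value.startswith("!"))
    return rule

def parse_chains(text):
    """Group rule lines per chain and order them by index (first match wins)."""
    chains = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        chains.setdefault(rule["chain"][0], []).append(rule)
    for rules in chains.values():
        rules.sort(key=lambda r: int(r["index"][0]))
    return chains

def evaluate(chains, chain, packet, default="drop"):
    """Return the action of the first rule whose conditions all hold.
    Assumption (not stated on the page): a chain with no matching rule drops."""
    for rule in chains.get(chain, []):
        conds = [(k, v) for k, v in rule.items() if k not in ("chain", "index", "action")]
        if all((packet.get(k) == val) != neg for k, (val, neg) in conds):
            return rule["action"][0]
    return default

# Constructed sample packets (field names mirror the rule keys): a LAN host
# opening Telnet to the device, and the device's DNS answer back to the LAN.
LAN_TELNET = {"srcintf": "eth0", "srcbridgeport": "1", "srcintfgrp": "lan",
              "prot": "tcp", "srcport": "telnet"}
DNS_REPLY = {"srcintfgrp": "local", "prot": "tcp", "srcport": "dns"}

def lan_telnet_allowed(rules):
    return evaluate(parse_chains(rules), "sink", LAN_TELNET) == "accept"

def dns_reply_allowed(rules):
    return evaluate(parse_chains(rules), "source", DNS_REPLY) == "accept"
```

Calling the two check functions with `DEFAULT_RULES`, an empty rule set and `DNS_RULE` shows the three states the text walks through: everything accepted, everything dropped, and only the DNS reply restored.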