ApplicationNote Ed. 01
2 SpeedTouch™610 Remote Access
If you use the SpeedTouch™610 DHCP server for automatic IP configuration of the hosts on your local network, DHCP requests from local hosts will no longer be allowed to reach the SpeedTouch™610 IP host (i.e. its DHCP server), and likewise DHCP replies will no longer be allowed to leave the SpeedTouch™610 IP host towards the local LAN.
To solve this, add the following two firewall rules (listed at the end of this section):
The first rule ensures that DHCP requests are accepted on the SpeedTouch™610 DHCP server's BootP-Server UDP port (bootps); the second ensures that the DHCP replies to those requests are accepted to pass the DHCP server's BootP-Client UDP port (bootpc).
Of course, if your local network uses fixed IP addresses or a DHCP server other than the SpeedTouch™610's, these rules are not needed.
Syslog messages
When restricting access as described in “Restricting all SpeedTouch™610 access for the local network” on page 11, no communication between any host and the SpeedTouch™610 IP host is possible.
However, to provide minimal management, syslog messages are allowed to pass the firewall towards the LAN or WAN via the following rule in the source chain (listed at the end of this section):
Still, to allow a host's syslog daemon to receive SpeedTouch™610 syslog messages, a syslog rule for that host must be configured via the SpeedTouch™610 web pages or the CLI.
Allowing restricted access
Once you have denied all access leaving from or arriving at the SpeedTouch™610 IP host, you can allow access service by service for the LAN by adding specific firewall rules to the sink and source chains.
The rules are very similar to the rules added for remote management, except that now the “gate” must be opened for the LAN instead of the WAN.
Firewall rules referenced in this section:

DHCP rules (sink and source chains):
    chain=sink index=3 srcintfgrp=lan prot=udp dstport=bootps action=accept
    chain=source index=3 dstintfgrp=lan prot=udp srcport=bootpc action=accept

Syslog rule (source chain):
    chain=source index=4 prot=udp dstport=syslog action=accept
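To verify what such a rule set actually permits before loading it, the following added example (not part of the application note or the SpeedTouch firmware) parses the three rules above in their key=value form and evaluates constructed packets against the sink and source chains. It assumes first-match-wins in ascending index order, a default deny for anything unmatched (the deny-all policy the note refers to), and the standard port numbers for the bootps, bootpc and syslog service names.

```python
# Added example: minimal evaluator for SpeedTouch-style firewall rules.
# Assumptions (not from the note): rules in a chain are tried in ascending
# index order, first match wins, unmatched traffic is denied (deny-all policy).
SERVICE_PORTS = {"bootps": 67, "bootpc": 68, "syslog": 514}  # assumed IANA names

# The three rules quoted in this note, copied verbatim.
RULES_TEXT = """
chain=sink index=3 srcintfgrp=lan prot=udp dstport=bootps action=accept
chain=source index=3 dstintfgrp=lan prot=udp srcport=bootpc action=accept
chain=source index=4 prot=udp dstport=syslog action=accept
"""

def parse_rules(text):
    """Turn key=value lines into dicts; index and ports become integers."""
    rules = []
    for line in text.strip().splitlines():
        rule = dict(field.split("=", 1) for field in line.split())
        rule["index"] = int(rule["index"])
        for key in ("srcport", "dstport"):
            if key in rule:
                rule[key] = int(SERVICE_PORTS.get(rule[key], rule[key]))
        rules.append(rule)
    return rules

def evaluate(rules, chain, packet):
    """Action of the first matching rule in `chain`, or 'deny' (assumed default)."""
    selectors = ("srcintfgrp", "dstintfgrp", "prot", "srcport", "dstport")
    in_chain = sorted((r for r in rules if r["chain"] == chain), key=lambda r: r["index"])
    for rule in in_chain:
        # Every selector the rule specifies must equal the packet's value;
        # selectors the rule omits act as wildcards.
        if all(packet.get(k) == rule[k] for k in selectors if k in rule):
            return rule["action"]
    return "deny"

def check_policy(rules):
    """Constructed packets covering the cases the note describes."""
    return {
        # DHCP request from a LAN host arriving at the SpeedTouch DHCP server
        "lan_dhcp_request": evaluate(rules, "sink",
            {"srcintfgrp": "lan", "prot": "udp", "srcport": 68, "dstport": 67}),
        # Same request from the WAN side: no rule opens bootps there
        "wan_dhcp_request": evaluate(rules, "sink",
            {"srcintfgrp": "wan", "prot": "udp", "srcport": 68, "dstport": 67}),
        # Syslog leaving the SpeedTouch towards a WAN host
        "syslog_to_wan": evaluate(rules, "source",
            {"dstintfgrp": "wan", "prot": "udp", "srcport": 514, "dstport": 514}),
        # HTTP to the SpeedTouch from the LAN stays blocked (no rule for it)
        "lan_http": evaluate(rules, "sink",
            {"srcintfgrp": "lan", "prot": "tcp", "dstport": 80}),
    }

RULES = parse_rules(RULES_TEXT)
```

Calling `check_policy(RULES)` shows that only the LAN DHCP request and the outgoing syslog message are accepted; everything else falls through to the assumed default deny.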