4 The SpeedTouch™ 610 SNMP
Application Note Ed. 01

SNMP and the default SpeedTouch™ 610 Firewall

Towards the local network, the firewall rules impose no restrictions.
However, regarding the WAN, any traffic on destination UDP ports 161 (SNMP) and
162 (SNMP-trap) generated by the SpeedTouch™ 610 will be counted and logged to
Syslog:

    :firewall rule create chain=source index=6 prot=udp dstport=snmp log=yes action=count
    :firewall rule create chain=source index=7 prot=udp dstport=snmptrap log=yes action=count

Any traffic arriving from the WAN sourced on UDP port 162 towards the
SpeedTouch™ 610 is counted and logged as well:

    :firewall rule create chain=sink index=6 prot=udp dstport=snmp log=yes action=count

Subsequently the SNMP packets are dropped by the drop-all rules of the firewall:

    :firewall rule create chain=source index=8 action=drop
    :firewall rule create chain=sink index=7 action=drop

Allowing remote SNMP

To allow a remote SNMP manager to monitor the SpeedTouch™ 610 you must add the
following firewall rules:

    :firewall rule create chain=source index=7 prot=udp dstport=snmp action=accept
    :firewall rule create chain=sink index=7 prot=udp dstport=snmp action=accept

To allow the remote SNMP manager to receive SNMP traps generated by the
SpeedTouch™ 610, an additional firewall rule must be added (next to enabling traps for the
remote manager via a “:snmp trapadd”), assuming the default SNMP trap UDP port (162)
is used:

    :firewall rule create chain=source index=9 prot=udp dstport=snmptrap action=accept

As a result, any WAN traffic coming from or going to the SpeedTouch™ 610 SNMP
agent will still be counted and logged to Syslog, but will be accepted.

Note
As for all remote management methods, the possibility exists to refine the
firewall rules to restrict access to a certain range of, or a single, IP address -
optionally over a specific WAN interface.
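
The effect of the default rules and of the three added accept rules can be checked with a small model, added here as an illustration; it is not part of the application note or of the SpeedTouch firmware. It assumes that rules are evaluated in index order, that a count rule does not stop evaluation, and that creating a rule at an occupied index shifts later rules down; the function names build and evaluate are hypothetical.

```python
# Added model of the rule lists in this note; not SpeedTouch firmware code.
# Assumed semantics: rules run in index order, "count" does not stop
# evaluation, and creating a rule at an occupied index shifts later rules down.
PORTS = {"snmp": 161, "snmptrap": 162}  # port numbers as stated in the note

DEFAULT_RULES = """
:firewall rule create chain=source index=6 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=source index=7 prot=udp dstport=snmptrap log=yes action=count
:firewall rule create chain=sink index=6 prot=udp dstport=snmp log=yes action=count
:firewall rule create chain=source index=8 action=drop
:firewall rule create chain=sink index=7 action=drop
"""
ALLOW_RULES = """
:firewall rule create chain=source index=7 prot=udp dstport=snmp action=accept
:firewall rule create chain=sink index=7 prot=udp dstport=snmp action=accept
:firewall rule create chain=source index=9 prot=udp dstport=snmptrap action=accept
"""

def build(*scripts):
    """Apply ':firewall rule create' lines in order; return {chain: [rules]}."""
    chains = {}
    for line in "\n".join(scripts).splitlines():
        if not line.strip():
            continue
        rule = dict(tok.split("=", 1) for tok in line.split()[3:])
        rule["index"] = int(rule["index"])
        rules = chains.setdefault(rule["chain"], [])
        for existing in rules:  # assumed insert behaviour: shift down
            if existing["index"] >= rule["index"]:
                existing["index"] += 1
        rules.append(rule)
        rules.sort(key=lambda r: r["index"])
    return chains

def evaluate(chains, chain, prot, dstport):
    """Return (verdict, counted) for one packet traversing the given chain."""
    counted = False
    for rule in chains[chain]:
        # A rule without prot/dstport matches any protocol/port.
        if rule.get("prot", prot) != prot or PORTS.get(rule.get("dstport"), dstport) != dstport:
            continue
        if rule["action"] == "count":
            counted = True  # counted and logged, evaluation continues
            continue
        return rule["action"], counted
    return "no-match", counted

if __name__ == "__main__":
    for scripts in ((DEFAULT_RULES,), (DEFAULT_RULES, ALLOW_RULES)):
        print(evaluate(build(*scripts), "sink", "udp", 161))
```

In this model, inbound UDP 162 and non-SNMP packets still reach the drop-all rule after the accept rules are added, which is the property to re-check whenever the rules are refined.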