Technicolor - Thomson 610 User Manual

2 SpeedTouch™ 610 Remote Access
Application Note Ed. 01
2.3 Remote SpeedTouch™ 610 Telnet Access
Appropriate firewall rules
To allow remote access to the SpeedTouch™ 610 Command Line Interface (CLI) via a Telnet session from the WAN to the SpeedTouch™ 610, you must add the following rules:
To the sink chain:
The rule allows incoming traffic from the WAN to the SpeedTouch™ 610 Telnet server.
The rule is inserted after the first two rules (index=0 and index=1) because neither of them applies to traffic coming from any WAN interface. However, make sure (as in the example) to insert the rule before the last rule (which drops all traffic not blocked by any preceding rule).
Note
If you want to allow remote access to the SpeedTouch™ 610 CLI via Telnet in a Bridged Ethernet Packet Service scenario, you must add the rule with index=0 (i.e. the added rule becomes the first one) to prevent traffic coming from the WAN Bridge port and destined for the SpeedTouch™ 610 Telnet server from being dropped.
To the source chain:
The rule allows outgoing traffic from the SpeedTouch™ 610 Telnet server to the WAN. It is added after the first rule, which concerns all traffic towards the LAN and is unrelated to it, but before the last rule (which drops all traffic not blocked by any preceding rule).
The added rules will allow any user on the WAN to open a Telnet session to the SpeedTouch™ 610 and access the CLI after authentication.
Refinements of the rules
However, if needed, the rules can be fine-tuned to allow only traffic coming from/going 
to a particular Packet Service interface, or even (additionally) restrict allowed traffic to 
a range of IP addresses.
The example below shows the rules to add in case the same management setup as in  is applied. Again, in this setup only remote hosts with an IP address in the range of 192.6.11.1 to 192.6.11.254 with an IP connection to the SpeedTouch™ 610 via the IPoA WAN interface are allowed to contact the SpeedTouch™ 610 Telnet server.
For more information on the complete CLI command parameters, see the SpeedTouch™ 610 CLI Reference Guide.
[firewall rule]=>create chain=sink index=2 prot=tcp dstport=telnet action=accept
[firewall rule]=>create chain=source index=1 prot=tcp srcport=telnet action=accept
[firewall rule]=>create chain=sink index=2 srcintf=IPoA src=192.6.11.1/24 prot=tcp dstport=telnet action=accept
[firewall rule]=>create chain=source index=1 dstintf=IPoA dst=192.6.11.1/24 prot=tcp srcport=telnet action=accept
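The effect of the index position and of the source restriction in the sink-chain rules above can be checked with a simplified first-match model. This Python sketch is an added example, not code from the application note or the SpeedTouch™ 610 firmware. It assumes first-match evaluation (as the ordering advice implies); the default rules, the LAN interface name eth0 and the host 203.0.113.7 are constructed.

```python
import ipaddress

def parse_create(cmd):
    """Parse a 'create key=value ...' rule line as printed on this page."""
    return dict(tok.split("=", 1) for tok in cmd.split()[1:])

def baseline():
    """Constructed stand-ins for the unlisted default rules; eth0 is assumed."""
    return {"sink": [{"srcintf": "eth0", "prot": "tcp", "action": "accept"},
                     {"srcintf": "eth0", "prot": "udp", "action": "accept"},
                     {"action": "drop"}],
            "source": [{"dstintf": "eth0", "action": "accept"},
                       {"action": "drop"}]}

def matches(rule, pkt):
    """A field absent from the rule is a wildcard; src/dst are prefixes."""
    for key in ("srcintf", "dstintf", "prot", "srcport", "dstport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule:
            # strict=False: the page writes the prefix as 192.6.11.1/24
            net = ipaddress.ip_network(rule[key], strict=False)
            if key not in pkt or ipaddress.ip_address(pkt[key]) not in net:
                return False
    return True

def sink_verdict(cmd, pkt):
    """Insert cmd at its index= in a fresh baseline; the first match decides."""
    chains = baseline()
    rule = parse_create(cmd)
    chains[rule["chain"]].insert(int(rule["index"]), rule)
    for r in chains["sink"]:
        if matches(r, pkt):
            return r["action"]
    return "drop"

OPEN = "create chain=sink index=2 prot=tcp dstport=telnet action=accept"
REFINED = ("create chain=sink index=2 srcintf=IPoA src=192.6.11.1/24 "
           "prot=tcp dstport=telnet action=accept")
LATE = OPEN.replace("index=2", "index=3")  # lands after the final drop rule

def telnet_from(src, intf="IPoA"):
    return {"srcintf": intf, "src": src, "prot": "tcp", "dstport": "telnet"}

if __name__ == "__main__":
    for name, cmd in (("open", OPEN), ("refined", REFINED), ("late", LATE)):
        for src in ("192.6.11.50", "203.0.113.7"):
            print(name, src, sink_verdict(cmd, telnet_from(src)))
```

In this model the unrestricted rule accepts Telnet from any WAN address, the refined rule accepts it only from 192.6.11.x arriving on IPoA, and a rule placed after the final drop rule never takes effect.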