Technicolor - Thomson 610 User Manual

Application Note Ed. 01, 2 SpeedTouch™ 610 Remote Access, page 10

2.4 Remote SpeedTouch™ 610 FTP Access

Appropriate firewall rules
To allow remote access to the SpeedTouch™ 610 file system via an FTP session from the WAN to the SpeedTouch™ 610, you must add two rules per chain: one rule for the FTP control channel and one for the FTP data channel:
To the sink chain:
The first rule allows users from the WAN to contact the SpeedTouch™ 610 FTP server. The second rule allows data coming from the WAN to reach the SpeedTouch™ 610 file system.
The rules are both inserted after the first two rules (index=0 and index=1), as neither of those two rules applies to traffic coming from any WAN interface. However, make sure (as in the example) to insert the rules before the last rule (which drops all traffic not accepted by any preceding rule).
Note
If you want to allow remote access to the SpeedTouch™ 610 CLI via Telnet in a Bridged Ethernet Packet Service scenario, you must add the rules with index=0 and index=1 respectively (i.e. they become the first two rules), so that traffic coming from the WAN Bridge port and destined for the SpeedTouch™ 610 FTP server or file system is not dropped.
To the source chain:
The first rule allows control messages generated by the SpeedTouch™ 610 FTP server to pass through to the WAN. The second rule allows data coming from the SpeedTouch™ 610 file system and FTP server to pass through to the WAN. Both rules are added after the first rule, which concerns only traffic towards the LAN and is therefore not relevant here, but before the last rule (which drops all traffic not accepted by any preceding rule).
The added rules will allow any user on the WAN to open an FTP session to the SpeedTouch™ 610 and access the file system after authentication.
Note
The access rights which apply to the SpeedTouch™ 610 file system are not controlled by the firewall. That is, you cannot change the access rights to the file system root directory, nor to the /dl and /active subdirectories.
For more information on the access rights that apply to the SpeedTouch™ 610 file system, see the application note SpeedTouch™ 610 Operation and Maintenance.
[firewall rule]=>create chain=sink index=2 prot=tcp dstport=ftp action=accept
[firewall rule]=>create chain=sink index=3 prot=tcp dstport=ftp-data action=accept
[firewall rule]=>create chain=source index=1 prot=tcp srcport=ftp action=accept
[firewall rule]=>create chain=source index=2 prot=tcp srcport=ftp-data action=accept
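As an added illustration (not part of the SpeedTouch application note), the following Python model parses the `create` commands shown above into a constructed first-match sink chain and checks that the FTP rules only take effect when inserted before the catch-all drop rule. The `srcintf` field, the two LAN-only rules and the default-drop fallback are assumptions made for the model.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str
    srcintf: str = "any"  # arrival interface: assumed field, not a SpeedTouch parameter
    prot: str = "any"
    dstport: str = "any"
    srcport: str = "any"
    def matches(self, pkt):
        # "any" in a rule field matches everything; otherwise the packet value must equal it
        return all(getattr(self, f) in ("any", pkt[f])
                   for f in ("srcintf", "prot", "dstport", "srcport"))

def parse_create(cmd):
    """Parse one 'create chain=... index=... prot=... dstport=|srcport=... action=...' line."""
    kv = dict(re.findall(r"(\w+)=(\S+)", cmd))
    return kv["chain"], int(kv["index"]), Rule(
        action=kv["action"], prot=kv.get("prot", "any"),
        dstport=kv.get("dstport", "any"), srcport=kv.get("srcport", "any"))

def apply_commands(chains, commands):
    """Copy the chains and insert each created rule at its index, in command order."""
    chains = {name: list(rules) for name, rules in chains.items()}
    for cmd in commands:
        name, index, rule = parse_create(cmd)
        chains[name].insert(index, rule)
    return chains

def verdict(chain, pkt):
    """First-match evaluation: the first matching rule decides (assumed drop if none)."""
    return next((r.action for r in chain if r.matches(pkt)), "drop")

# Constructed sink chain mirroring the page: two LAN-only rules, then the catch-all drop.
SINK_BASE = [Rule("accept", srcintf="lan", prot="tcp"),
             Rule("accept", srcintf="lan", prot="udp"),
             Rule("drop")]
FTP_RULES = [  # the two sink-chain commands from this page
    "create chain=sink index=2 prot=tcp dstport=ftp action=accept",
    "create chain=sink index=3 prot=tcp dstport=ftp-data action=accept",
]
WAN_FTP = {"srcintf": "wan", "prot": "tcp", "dstport": "ftp", "srcport": "any"}  # constructed
def check_placement():
    """Verdicts for a WAN FTP control packet: untouched chain, rules before the drop, rules after."""
    before = verdict(SINK_BASE, WAN_FTP)
    good = verdict(apply_commands({"sink": SINK_BASE}, FTP_RULES)["sink"], WAN_FTP)
    late = [re.sub(r"index=\d+", f"index={i}", c) for i, c in enumerate(FTP_RULES, 3)]
    bad = verdict(apply_commands({"sink": SINK_BASE}, late)["sink"], WAN_FTP)
    return before, good, bad  # ("drop", "accept", "drop")
```

The third verdict shows the caveat from the text: the same two rules appended after the final drop rule are never reached, so WAN FTP traffic is still dropped.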