Digi TransPort LR54 - IP Filter Examples

Security Firewall management with IP filters
Digi TransPort WR Routers User Guide
IP filter examples
The following examples show typical ways to use IP filters to control network traffic:
- IP filter example: Allow additional traffic into the device
- IP filter example: Restrict access by rejecting traffic from a LAN to a WAN
- IP filter example: Restrict access to an open service
- IP filter example: Restrict access to a router service from LAN devices
- IP filter example: Restrict LAN-to-LAN for all but one service
IP filter example: Allow additional traffic into the device
The following example shows how to allow SNMP access from a particular subnet on the WAN. Note
that, by default, SNMP access is not allowed from the WAN.
WARNING! The commands in the following example open up SNMP access to your device.
SNMP can be used to configure your device. Before allowing SNMP access, make sure you
first secure your SNMP configuration using the snmp, snmp-user and snmp-community
commands.
The example demonstrates that IP filter rules can override the default behavior for the firewall. By
default, WAN traffic into the TransPort router is dropped if no other configuration or rules explicitly
allow traffic in. That is, the default policy for the input chain in the firewall is to DROP traffic.
- Adds an IP filter Accept rule (the default) to allow additional incoming access from any WAN
network.
- Restricts the accepted network traffic so that only traffic from hosts on the 10.20 network to
SNMP (ports 161 and 162) is allowed.
- Allows access to multiple protocols (the default). It allows both TCP and UDP access for the
SNMP service.
digi.router> ip-filter 3 description Allow WAN SNMP only from 10.20 network
digi.router> ip-filter 3 action accept
digi.router> ip-filter 3 src any-wan
digi.router> ip-filter 3 protocol tcp,udp
digi.router> ip-filter 3 src-ip-address 10.20.0.0/16
digi.router> ip-filter 3 dst-ip-port 161,162
digi.router> ip-filter 3 state on
digi.router> save config
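To check that a rule like the one above is as narrow as intended before saving it, the following added example (not part of the Digi manual and not Digi code) parses the ip-filter lines and evaluates constructed sample packets against them. It is a simplified model that assumes rules are tried in numeric order with the first match winning, that a rule is active only when its state is on, and that a packet's zone is given as the same any-wan label the rule uses; parse_filters, rule_matches and input_verdict are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# The rule from the example above, as typed at the digi.router> prompt.
CONFIG = """\
digi.router> ip-filter 3 description Allow WAN SNMP only from 10.20 network
digi.router> ip-filter 3 action accept
digi.router> ip-filter 3 src any-wan
digi.router> ip-filter 3 protocol tcp,udp
digi.router> ip-filter 3 src-ip-address 10.20.0.0/16
digi.router> ip-filter 3 dst-ip-port 161,162
digi.router> ip-filter 3 state on
"""

def parse_filters(text):
    """Collect 'ip-filter <n> <param> <value>' lines into {n: {param: value}}."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        parts = line.replace("digi.router>", "").split(None, 3)
        if len(parts) == 4 and parts[0] == "ip-filter" and parts[1].isdigit():
            rules[int(parts[1])][parts[2]] = parts[3].strip()
    return dict(rules)

def rule_matches(rule, pkt):
    """True if an enabled rule matches a packet dict (zone, proto, src, dport)."""
    if rule.get("state") != "on" or rule.get("src") != pkt["zone"]:
        return False  # assumption: anything other than 'state on' is inactive
    if pkt["proto"] not in rule.get("protocol", "tcp,udp").split(","):
        return False
    net = ipaddress.ip_network(rule.get("src-ip-address", "0.0.0.0/0"))
    if ipaddress.ip_address(pkt["src"]) not in net:
        return False
    ports = rule.get("dst-ip-port")
    return ports is None or str(pkt["dport"]) in ports.split(",")

def input_verdict(rules, pkt, default="drop"):
    """First matching rule's action, else the input chain default (DROP)."""
    for n in sorted(rules):  # assumption: lowest rule number is tried first
        if rule_matches(rules[n], pkt):
            return rules[n].get("action", "accept")
    return default

if __name__ == "__main__":
    rules = parse_filters(CONFIG)
    # Constructed sample packets: (protocol, source address, destination port).
    for proto, src, dport in [("udp", "10.20.5.9", 161), ("udp", "10.21.0.1", 161),
                              ("tcp", "10.20.5.9", 22)]:
        pkt = {"zone": "any-wan", "proto": proto, "src": src, "dport": dport}
        print(proto, src, dport, "->", input_verdict(rules, pkt))
```

Only the first sample packet is accepted; the other two fall through to the default DROP policy because the source is outside 10.20.0.0/16 or the port is not 161 or 162.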
IP filter example: Restrict access by rejecting traffic from a LAN to a WAN
The following example shows how to restrict LAN devices from accessing services on the WAN
(possibly the internet).
WARNING! The commands in the following example could remove your access to the
Internet. If you or your users connect through the LAN to the WAN, for example to use email, the
example rule prevents that access.
The example demonstrates blocking access from a LAN device to a WAN network. By default, LAN
devices are allowed access via the WAN and traffic is forwarded through the router. The example
