Security Firewall management with IP filters
Digi TransPort WR Routers User Guide
blocks direct mail access to servers on the WAN from LAN devices. Examples like this might be used to prevent access to common services that use a lot of bandwidth or are security risks to the LAN:
- Adds an IP filter Reject rule to reject traffic forwarded from any LAN host to any WAN host. The reject rule immediately fails the connection.
- Restricts the rejected traffic to a set of commonly used mail ports.
- Rejects access using multiple protocols (the default). It rejects both TCP and UDP access.
digi.router> ip-filter 4 description Restrict LAN to WAN for various email services
digi.router> ip-filter 4 action reject
digi.router> ip-filter 4 src any-lan
digi.router> ip-filter 4 dst any-wan
digi.router> ip-filter 4 protocol tcp,udp
digi.router> ip-filter 4 dst-ip-port 25,2525,265,587,110,995,143,993
digi.router> ip-filter 4 state on
digi.router> save config
IP filter example: Restrict access to an open service
The following example shows how to turn on SSH access for a WAN and restrict SSH access to only a particular subnet of authorized hosts.
WARNING! The commands in the following example could prevent access to your device if connected from the WAN. To safely modify and test ip filter rules, use a scheduled reboot strategy.
The example demonstrates the following:
- Uses the reboot command to schedule a reboot of the device in case of accidental lockout. A scheduled reboot discards any changes that have not been saved and restores access.
- Adds an IP filter Accept rule (accept is the default action) that allows additional incoming traffic on any WAN network.
- Restricts the accepted network traffic so that only traffic from hosts on the 10.20 network to SSH (port 22) is allowed.
- Turns off the allow-ssh-access option for the two currently configured WAN networks. The allow-ssh-access option allows SSH access unrestricted by source host or network.
# Schedule a reboot in 10 minutes in case we lock ourselves out of the device
reboot in 10
# Add the ip filter rule. Be sure to include src-ip-address of at least your current session (if connected with ssh)
ip-filter 1 description Allow WAN SSH only from 10.20 network
ip-filter 1 action accept
ip-filter 1 src any-wan
ip-filter 1 src-ip-address 10.20.0.0/16
ip-filter 1 dst-ip-port 22
ip-filter 1 state on
# Now turn off allow all ssh access on any WAN where it was turned on previously
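To reason about what the two rule sets above will do before committing them (and before turning off allow-ssh-access), here is an added Python model of the filter keywords used on this page; it is not Digi firmware code. The matching semantics (every keyword set on a rule must match, unset keywords match anything, the lowest-numbered enabled rule decides) and the zone names on the packets are assumptions, and the sample config is the page's own rules re-typed as data.

```python
import ipaddress
# Constructed input: the ip-filter lines from the two examples above, re-typed as data.
SAMPLE_CONFIG = """
ip-filter 1 description Allow WAN SSH only from 10.20 network
ip-filter 1 action accept
ip-filter 1 src any-wan
ip-filter 1 src-ip-address 10.20.0.0/16
ip-filter 1 dst-ip-port 22
ip-filter 1 state on
ip-filter 4 action reject
ip-filter 4 src any-lan
ip-filter 4 dst any-wan
ip-filter 4 protocol tcp,udp
ip-filter 4 dst-ip-port 25,2525,265,587,110,995,143,993
ip-filter 4 state on
"""
def parse_rules(text):
    """Group 'ip-filter <n> <keyword> <value>' lines into one dict per rule number."""
    rules = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "ip-filter":
            rules.setdefault(int(parts[1]), {})[parts[2]] = parts[3]
    return [rules[n] for n in sorted(rules)]

def packet(src_zone, dst_zone, proto, src_ip, dst_port):
    # Minimal packet description; zones are 'lan', 'wan' or 'router' (the device itself).
    return {"src": src_zone, "dst": dst_zone, "proto": proto, "ip": src_ip, "port": dst_port}

def matches(rule, p):
    """Assumed semantics: every keyword set on the rule must match; unset keywords match all."""
    for key in ("src", "dst"):  # any-lan / any-wan zone selectors
        if key in rule and rule[key] != "any-" + p[key]:
            return False
    if p["proto"] not in rule.get("protocol", "tcp,udp").split(","):  # page: both by default
        return False
    if "src-ip-address" in rule and ipaddress.ip_address(p["ip"]) not in \
            ipaddress.ip_network(rule["src-ip-address"], strict=False):
        return False
    return "dst-ip-port" not in rule or str(p["port"]) in rule["dst-ip-port"].split(",")

def decide(rules, p):
    """Assumed order: the lowest-numbered enabled matching rule decides; None if none matched."""
    for rule in rules:
        if rule.get("state") == "on" and matches(rule, p):
            return rule.get("action", "accept")  # page: accept is the default action
    return None

def session_keeps_ssh(rules, session_ip):
    """Lock-out check: is a new WAN SSH session from session_ip accepted by a filter rule?"""
    return decide(rules, packet("wan", "router", "tcp", session_ip, 22)) == "accept"
```

Run session_keeps_ssh with the address of your current session before disabling allow-ssh-access; a False result means the Accept rule would not cover you and the scheduled reboot is your only way back in.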