Digi TransPort LR54 - Page 86
Security Firewall management with IP filters
Digi TransPort WR Routers User Guide
86
wan 1 allow-ssh-access off
wan 2 allow-ssh-access off
# Test the configuration. If all is good, save the configuration and cancel the reboot before 10 minutes
save config
reboot cancel
IP filter example: Restrict access to a router service from LAN devices
The following example shows how to remove HTTP, HTTPS, SSH, and SNMP access from a LAN. Note that by default, LAN traffic is allowed.
WARNING! The commands in the following example could prevent access to your device if you are connected from the LAN. To safely modify and test IP filter rules, use a scheduled reboot strategy.
The example demonstrates the following:
- IP filter rules have a higher precedence (priority) than many system firewall rules. By default, for LANs, traffic into the TransPort router is allowed by built-in system firewall rules. This example changes that default, restricting LAN devices from access.
- Uses the reboot command to schedule a reboot of the device in case of accidental lockout. A scheduled reboot discards any changes that have not been saved and restores access.
- Adds an IP filter drop rule to drop incoming traffic on any LAN network, thereby restricting additional access. A drop rule silently discards traffic, giving no indication to the connecting host.
- Restricts multiple protocols (the default) and multiple services (ports) in a single rule to simplify rule creation. It blocks both TCP and UDP access for all listed services even though only the SNMP service (ports 161 and 162) uses UDP.
# Schedule a reboot in 10 minutes in case we lock ourselves out of the device
reboot in 10
# Add the ip filter rule. If you are connected from the LAN using SSH this will remove your access.
ip-filter 2 description Restrict LAN from HTTP,HTTPS,SSH,SNMP
ip-filter 2 action drop
ip-filter 2 src any-lan
ip-filter 2 protocol tcp,udp
ip-filter 2 dst-ip-port 80,443,22,161,162
ip-filter 2 state on
# Test the configuration. If all is good, save the configuration and cancel the reboot before 10 minutes
save config
reboot cancel
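The following Python script is an added example and not part of the Digi guide or its firmware: it parses the `ip-filter 2 ...` lines from the example above into a rule table and evaluates sample packets against it, so you can see before applying the rule which LAN traffic it will drop (including UDP on ports 80, 443 and 22, which the TCP-only services never use) and which traffic still falls through to the default LAN allow. The evaluator is a simplified model: it only understands the keywords that appear on this page (description, action, src, protocol, dst-ip-port, state), it treats `any-lan` as "arrived on a LAN interface", and for non-LAN traffic it reports only that no IP filter rule matched, since the system firewall's WAN defaults are not covered here.

```python
"""Offline evaluator for the TransPort-style IP filter rule shown above.

Constructed example, not Digi code. It parses `ip-filter N <key> <value>`
lines into rules and decides, for a sample packet, whether the rule drops
it or whether the built-in default for LAN traffic (allow) applies.
"""
from dataclasses import dataclass, field

# Rule lines copied from the example on this page.
RULE_CONFIG = """\
ip-filter 2 description Restrict LAN from HTTP,HTTPS,SSH,SNMP
ip-filter 2 action drop
ip-filter 2 src any-lan
ip-filter 2 protocol tcp,udp
ip-filter 2 dst-ip-port 80,443,22,161,162
ip-filter 2 state on
"""


@dataclass
class IpFilterRule:
    number: int
    description: str = ""
    action: str = "allow"
    src: str = "any"
    protocols: set = field(default_factory=set)   # empty set = any protocol
    dst_ports: set = field(default_factory=set)   # empty set = any port
    enabled: bool = False                         # `state on` turns the rule on


def parse_ip_filters(text):
    """Build {rule_number: IpFilterRule} from the CLI lines; keywords are
    limited to the ones that appear on the page (assumption)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)   # ip-filter, N, key, rest of line
        if len(parts) < 4 or parts[0] != "ip-filter":
            raise ValueError(f"not an ip-filter line: {raw!r}")
        number, key, value = int(parts[1]), parts[2], parts[3]
        rule = rules.setdefault(number, IpFilterRule(number))
        if key == "description":
            rule.description = value            # free text, may contain spaces
        elif key == "action":
            rule.action = value
        elif key == "src":
            rule.src = value
        elif key == "protocol":
            rule.protocols = set(value.split(","))
        elif key == "dst-ip-port":
            rule.dst_ports = {int(p) for p in value.split(",")}
        elif key == "state":
            rule.enabled = (value == "on")
        else:
            raise ValueError(f"keyword {key!r} not modelled (not on the page)")
    return rules


@dataclass(frozen=True)
class Packet:
    from_lan: bool      # True if the packet arrived on a LAN interface
    protocol: str       # "tcp" or "udp"
    dst_port: int


def rule_matches(rule, pkt):
    """A rule matches only when it is enabled and every configured field agrees."""
    if not rule.enabled:
        return False
    if rule.src == "any-lan" and not pkt.from_lan:
        return False
    if rule.protocols and pkt.protocol not in rule.protocols:
        return False
    if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
        return False
    return True


def decide(rules, pkt):
    """IP filter rules are checked first, in rule order, because they take
    precedence over the system firewall defaults. LAN traffic that matches no
    rule is allowed (the page's stated default); non-LAN traffic is left to
    the system firewall, whose defaults this model does not cover."""
    for number in sorted(rules):
        if rule_matches(rules[number], pkt):
            return rules[number].action
    return "allow" if pkt.from_lan else "system-firewall"


RULES = parse_ip_filters(RULE_CONFIG)

if __name__ == "__main__":
    samples = [
        Packet(True, "tcp", 443),   # LAN host -> HTTPS: dropped
        Packet(True, "udp", 161),   # LAN host -> SNMP: dropped
        Packet(True, "udp", 443),   # UDP/443 also dropped: rule covers both protocols
        Packet(True, "tcp", 8080),  # LAN host -> unlisted port: default allow
        Packet(False, "tcp", 22),   # non-LAN source: rule does not apply (src any-lan)
    ]
    for pkt in samples:
        print(f"{pkt} -> {decide(RULES, pkt)}")
```

Run it as-is to list the decisions for the constructed sample packets; to preview a different rule, replace the lines in RULE_CONFIG with your own `ip-filter` lines before applying them on the router, while the scheduled reboot from the example is still your safety net.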
IP filter example: Restrict LAN-to-LAN for all but one service
The following example shows how to restrict devices on LAN 1 (perhaps a public LAN) from communicating with devices on any other LAN (perhaps internal LANs) except for certain services. By default, LAN devices can communicate with other LANs.