Caution: When TACACS and RADIUS work and have been configured on
the same client device, be careful with the order of the configuration lines
in /etc/pam.d/sshd. The TACACS configuration line must be added always
in first place and after it, the RADIUS configuration line. This is because
when the RADIUS configuration is the first line, authentication of the first
password always goes to the RADIUS server and, if is the password of
TACACS, the authentication will fail. With TACACS configuration in first
line, the first password is verified with both TACACS and RADIUS.
6.5 Firewall
The WRZ-OS is shipped with the standard iptable firewall that came in most of the Linux
distribution.
The default rules applied is to forbid everything in the timing network (the optical fiber
interface named wrX) so that only the necessary services can be accessed. The table
below resume the port that can be accessed:
Table 6-1:
Default firewall configuration
Timing (wrX)
Service Port
DNS 53
DHCP/BootP 67-68
NTP 123
PTP/WR 319-320
If an advanced user needs to customize the access to meet a specific security policy, he
can use the persistent custom files ("Persistent Custom Files" on page147) to overwrite
the default rules with its own configuration.
6.5.1 Example to only allow a specific IP for management
This is a typical use case where only a single IP (or a subnetwork) should be allowed to
access to the management port of the device.
##First append the current rule to existing rule (overwise flush)
iptables - A INPUT - i eth0 - s 192.168.7.1 - j ACCEPT
iptables - A INPUT - i eth0 - j DROP
iptables - A INPUT - i eth1 - s 192.168.7.1 - j ACCEPT
iptables -A INPUT -i eth1 -j DROP
92
CHAPTER 6 • WR-Z16 User Manual Rev. v3.4
6.5 Firewall
To Next Page
Loading...