Firewall; Example To Only Allow A Specific Ip For Management - Safran WR-Z16 User Manual


6.5  Firewall

The WRZ-OS is shipped with the standard iptables firewall that comes with most
Linux distributions.
The default rules forbid everything on the timing network (the optical fiber
interface named wrX) so that only the necessary services can be accessed.
The table below summarizes the ports that can be accessed:

Table 6-1: Default firewall configuration

Service       Timing (wrX) Port
DNS           53
DHCP/BootP    67-68
NTP           123
NTS-KE        4460
PTP/WR        319-320

If an advanced user needs to customize the access to meet a specific security
policy, he can use the persistent custom files ("Persistent Custom Files" on
page 170) to overwrite the default rules with his own configuration.

6.5.1  Example to only allow a specific IP for management

This is a typical use case where only a single IP (or a subnetwork) should be
allowed to access the management port of the device.

    ## First append the current rule to the existing rules (otherwise flush)
    iptables -A INPUT -i eth0 -s 192.168.7.1 -j ACCEPT
    iptables -A INPUT -i eth0 -j DROP

Caution: When TACACS and RADIUS work and have been configured on the same client
device, be careful with the order of the configuration lines in /etc/pam.d/sshd.
The TACACS configuration line must always be added in first place, followed by
the RADIUS configuration line. This is because when the RADIUS configuration is
the first line, authentication of the first password always goes to the RADIUS
server and, if it is the TACACS password, the authentication will fail. With the
TACACS configuration in first line, the first password is verified with both
TACACS and RADIUS.

106
CHAPTER 6    WR-Z16 User Manual Rev. v5.0
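As an added example (not from the Safran manual), the shell function below generalizes the two-rule pattern of section 6.5.1 to any number of allowed hosts or subnets on a management interface: every source is validated, the ACCEPT lines are emitted before the final DROP (iptables evaluates top to bottom), and the function refuses to emit a DROP with no ACCEPT in front of it, which would lock the administrator out. The interface name eth0 and the address 192.168.7.1 come from the manual's example; 10.0.0.0/24 is a constructed value, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not part of the WR-Z16 manual or WRZ-OS.
# Assumes the management interface is eth0 and that the device's iptables
# accepts "-s host-or-cidr" (true for the stock iptables the manual mentions).

# Return 0 if $1 is a well-formed IPv4 address or CIDR (a.b.c.d[/0-32]).
is_ipv4_or_cidr() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" |
        grep -Eq "^($octet\.){3}$octet(/([0-9]|[12][0-9]|3[0-2]))?\$"
}

# mgmt_rules IFACE SOURCE [SOURCE...]
# Print one ACCEPT rule per allowed source, then a single DROP for everything
# else arriving on IFACE. The ACCEPT rules must precede the DROP because
# iptables stops at the first matching rule in the chain.
mgmt_rules() {
    iface=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "refusing to emit DROP with no allowed source (management lockout)" >&2
        return 1
    fi
    for src in "$@"; do
        if ! is_ipv4_or_cidr "$src"; then
            echo "invalid source: $src" >&2
            return 1
        fi
        printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$src"
    done
    printf 'iptables -A INPUT -i %s -j DROP\n' "$iface"
}

# Demonstration: one host from the manual plus a constructed subnet.
mgmt_rules eth0 192.168.7.1 10.0.0.0/24
```

Review the printed lines before placing them in the persistent custom file, since a mistaken source address would still block legitimate management traffic.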
