Altering the zgate static configuration settings – Zilog EZ80F91GA User Manual

The ZGATE Embedded Security Development Kit

UM024502-1012

ZGATE Embedded Security Development Kit
User Manual

C, 7, ICMP_TYPE_FILTER, NONE
R, 1, WHITELIST, ENABLED, TCP_PORT, {1,7,20,21,22,23,25,37,42,43,57,80,88,107,115}
R, 2, WHITELIST, ENABLED, TCP_PORT, {162,179,264,443,546,547,992,8081}
R, 3, WHITELIST, ENABLED, UDP_PORT, {1,7,22,37,42,53,67,68,69,80,88,123,161,162}
R, 4, WHITELIST, ENABLED, UDP_PORT, {179,264,514,520,546,547,992}
R, 5, WHITELIST, ENABLED, IP_PROT, {1,2,3,4,6,8,9,17}

In the above configuration settings, observe that in the tcp_port list, both FTP ports 20 and 21 are listed, even though these ports were removed from the (run-time or dynamic) TCP Port configuration page. This example should explain why FTP access is reenabled each time the system is restarted.

To cause the changes made to the run-time TCP Port configuration to be persistent (i.e., used each time the system is restarted), click the Use Dynamic button.

As a result of this procedure, the next time ZGATE restarts, FTP access will not be allowed until it is explicitly added back to the white list, either through the web interface or by using the zg_config add tcp_port 20 21 shell command.
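The check below is an added example, not code from the manual or from ZGATE: it parses the static rule lines printed above and reports which entries of a filter list would come back, or be lost, at the next restart if Use Dynamic has not been clicked. The field interpretation (rule index, mode, state, filter name, value set) and the function names are assumptions inferred from the listing.

```python
import re

# Constructed sample: the static rule lines as printed in the listing above.
STATIC_RULES = """\
C, 7, ICMP_TYPE_FILTER, NONE
R, 1, WHITELIST, ENABLED, TCP_PORT, {1,7,20,21,22,23,25,37,42,43,57,80,88,107,115}
R, 2, WHITELIST, ENABLED, TCP_PORT, {162,179,264,443,546,547,992,8081}
R, 3, WHITELIST, ENABLED, UDP_PORT, {1,7,22,37,42,53,67,68,69,80,88,123,161,162}
R, 4, WHITELIST, ENABLED, UDP_PORT, {179,264,514,520,546,547,992}
R, 5, WHITELIST, ENABLED, IP_PROT, {1,2,3,4,6,8,9,17}
"""

# Assumed layout of an R record: R, index, mode, state, filter name, {values}.
RULE_RE = re.compile(
    r"^\s*R\s*,\s*(\d+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*,\s*\{([^}]*)\}\s*$"
)

def parse_static_rules(text):
    """Return {filter_name: {"mode": str, "values": set}} for ENABLED R records."""
    filters = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # C records, blank lines and anything else are skipped
        _idx, mode, state, name, body = m.groups()
        if state.upper() != "ENABLED":
            continue
        values = {int(v) for v in body.split(",") if v.strip()}
        # A filter list can span several R records; merge them into one set.
        entry = filters.setdefault(name.upper(), {"mode": mode.upper(), "values": set()})
        entry["values"] |= values
    return filters

def static_drift(text, name, runtime_values):
    """Compare one filter's static list with the intended run-time list."""
    static = parse_static_rules(text).get(name.upper(), {"values": set()})["values"]
    runtime = set(runtime_values)
    return {
        "restored_on_restart": sorted(static - runtime),  # removed at run time only
        "lost_on_restart": sorted(runtime - static),       # added at run time only
    }

if __name__ == "__main__":
    tcp_static = parse_static_rules(STATIC_RULES)["TCP_PORT"]["values"]
    runtime_tcp = tcp_static - {20, 21}  # operator removed FTP on the run-time page
    print(static_drift(STATIC_RULES, "TCP_PORT", runtime_tcp))
```

A non-empty `restored_on_restart` list for a whitelist means the device will re-open those ports after a reboot, which is the FTP behaviour described above.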

Altering the ZGATE Static Configuration Settings

Browsing through the Eth Address, Eth Frame Type and IP Address pages of the ZTP Demo program shows that the filtering mode of each of these pages is set to Disabled. As a result, ZGATE will not examine these parameters when determining whether to forward or block packets from ZTP. Furthermore, none of the ZGATE shell commands or web pages can be used to dynamically enable these filtering options at run time. The filtering mode for these parameters is set at the moment the system is started, and can only be modified by either of the following two methods:

• Modify the settings in the ZGATE_Conf.c file that is linked to the ZGATE Demo project and rebuild the project. (To learn more, please refer to the Restoring the ZGATE Default Static Configuration section on page 19.)

• Modify the zg_rules.usr configuration file resident in the file system using FTP (described below).

Consider a scenario in which it might be necessary to alter ZGATE’s persistent configuration settings to prevent untrusted PCs from accessing ZTP. Such a situation could arise if there is a guest machine on the local network that should not be allowed to access a ZGATE-protected ZTP device. This situation requires blacklist filtering, which causes ZGATE to discard packets that originate from untrusted (blacklisted) sources.