Westermo RedFox Series User Manual

Page 691

Westermo OS Management Guide

Version 4.17.0-0

3. VPN Rules: If the WeOS unit is configured as VPN gateway, rules to accept

IKE and ESP traffic are implicitly inserted here (UDP port 500 and 4500, and
IP protocol 50).

4. Configured Packet Filter Rules: Then the configured packet filter rules are in-

serted, i.e., the configurable allow/deny rules described here in

section 31.1.2

The relative order of these packet filter rules is configurable.

As all packet rules are configured before the rules for ”Enabled Services”
and ”Management Interfaces” (see below), the packet filter rules can be
used to override those rules. E.g., if the management interface configura-
tion has disabled SNMP management via interface vlan1 (”no management
snmp”, see

section 19.6.6

), a packet filtering rule allowing host 192.168.3.1

SNMP access (”filter allow src 192.168.3.1 proto udp dport 161”,
see

section 31.3.3

) will have precedence, and thus allow SNMP manage-

ment from that particular host even if the SNMP traffic enters via interface
vlan1.

5. Enabled Services: Depending on what additional services are enabled in the

configuration, additional allow rules will be inserted to enable those services
to operate correctly. As of WeOS v4.17.0, this includes

❼ DHCP Server: UDP port 67 is allowed for appropriate interfaces if a DHCP

server is configured (see

chapter 22

❼ OSPF: IP protocol 89 is allowed if the unit is configured to run OSPF for