ARCHITECTURE TECHNOLOGY CORPORATION CRR-1000 Краткое руководство по эксплуатации - Страница 7
Просмотреть онлайн или скачать pdf Краткое руководство по эксплуатации для Беспроводной маршрутизатор ARCHITECTURE TECHNOLOGY CORPORATION CRR-1000. ARCHITECTURE TECHNOLOGY CORPORATION CRR-1000 18 страниц.
CRR-1000 Quick Start Guide
Important Note:
The default firewall policy is configured to make it easy for users to access the router
over SSH, test its features, and experiment with configuration when used for the first time. For
deployment scenarios, we highly recommend changing the filter policies to DENY for all chains and
allowing network traffic to/from known destination/sources only if possible for maximum security. The
suitable configuration for a specific scenario depends on the use case.
4.1 Viewing the Firewall Policy (show filter policy)
The current firewall policy can be viewed by entering the following CLI command:
admin@CRR> show filter policy
Firewall Mode: Router
Current Policy Settings
INPUT -
OUTPUT -
FORWARD – ALLOW
4.2 Setting the Firewall Policy (set filter policy)
To change the firewall policy, use the "set filter policy" command, e.g.,
crr@CRR> set filter policy <input/output/forward> <allow/deny>
Example:
crr@CRR> set filter policy forward deny
User root attempting to restart service firewall-post
firewall-post restart successful
4.3 Advanced Firewall Rules
Best security practices dictate that firewalls only allow input, output and forward traffic that is explicitly
defined and to deny all other traffic. The following CLI command is used to specifically configure the
firewall rules:
admin@CRR> configure filter
A text editor will open and the firewall rules can be modified. The firewall is implemented through the
use of IPtables and follows the standard rule specification format where all firewall rules are saved into
the file. Refer to the user guide for more information.
5 Network and Routing Protocol Configuration Examples
CRR supports many standards routing protocols as well as numerous proprietary protocols and network
functions. There are two services running on CRR that responsible for configuring such protocols and
functions. The first is FRR service which supports the standard routing protocols such as OSPF, PIM,
BGP, RIP, NHRP, etc. The second is ARES service which supports OSPF and PIM protocols as well as
proprietary protocols such ATCorp's link sensing, automatic tunneling, and Cut-through routing. The
VPN configuration is also handled by ARES using the VPN Gateway plugin, refer to CRR user guide for
information about the VPN configuration.
It is important to note that in general you have to pick FRR or ARES to configure a certain link and not
configure the same link using both services. Otherwise there is a risk of creating link configuration
conflicts resulting in undesirable behavior. The default CRR configuration is all done using the ARES
service. If you wish to use FRR for configuration instead, please remove all link configuration from
ARES first.
DENY
ALLOW
5