AlterPath OnBoard Administrator’s Guide (page 56)

Firewall/Packet Filtering on the OnBoard
Packet filtering on the OnBoard is controlled by chains and rules that are
configured in iptables. (For more details about the predefined chains and
rules, see “Chains” on page 56 and “Rules” on page 57.)
Both the Web Manager and the cycli utility provide a way for the OnBoard
administrator to add rules and to edit or delete any added rules:
• The Web Manager provides the “Firewall” option under the “Network” menu.
(Because the OnBoard filters packets like a firewall, the Web Manager
menu option under “Network” is titled “Firewall.”)
• The cycli utility provides the iptables command to do the same
tasks. Whichever interface is used, when rules are added, edited, or deleted,
the corresponding iptables rules are updated.
By default, the OnBoard does not forward any traffic between private and
public networks. The administrator might want to add rules to allow some
limited communications between specific devices on the private network and
the public network. For example, the administrator could add rules to allow a
device to send email using an email server on the public network, as shown in
the example in
/usr/share/docs/OnBoard/Application_Notes/Network/priv-to-pub.pdf.
Caution! It is possible for an OnBoard administrator to create rules that
circumvent the access controls on a device. The OnBoard administrator is
responsible for understanding the implications of packet filtering rules that the
administrator may add to the system and making sure that security is not
compromised by the added rules.
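The private-to-public email scenario above, together with the Caution that follows it, as an added example that is not taken from the guide or from the priv-to-pub.pdf application note. It uses ordinary iptables command syntax (the cycli iptables command syntax is not shown on this page). The interface names priv0 (private side) and eth0 (public side) and the addresses 192.168.160.10 and 203.0.113.25 are assumptions constructed for the example; substitute the OnBoard’s actual interface names and addresses. The script echoes the iptables commands by default so it can be reviewed on any host; set IPTABLES=iptables to apply them on the OnBoard as root.

```shell
#!/bin/sh
# Added example (not from the OnBoard guide): iptables FORWARD rules that let
# ONE private-side device reach ONE public-side SMTP server, and nothing else.
# Assumptions (not stated on the page): private interface priv0, public
# interface eth0, and constructed sample addresses (RFC 1918 / RFC 5737).
# The default "no forwarding" policy of the OnBoard is left as it is; these
# two rules are the only traffic permitted through FORWARD.
#
# IPTABLES defaults to "echo iptables" (dry run). On the OnBoard, as root:
#   IPTABLES=iptables sh this_script.sh
IPTABLES="${IPTABLES:-echo iptables}"
PRIV_IF="${PRIV_IF:-priv0}"
PUB_IF="${PUB_IF:-eth0}"

# Guard for the Caution above: refuse a source or destination that is not a
# single host, so a typo cannot silently open a whole network or "anywhere".
# Returns 0 for a single host (a.b.c.d or a.b.c.d/32), 1 otherwise.
is_single_host() {
    case "$1" in
        ""|any|0.0.0.0|*/0) return 1 ;;   # empty, "any" or a /0 wildcard
        */32)              return 0 ;;   # explicit single-host CIDR
        */*)               return 1 ;;   # any other prefix: a network
        *)                 return 0 ;;   # plain address
    esac
}

# smtp_forward_rules PRIVATE_HOST MAIL_SERVER
# Emits (or applies) two rules: client traffic from the private host to TCP
# port 25 on the mail server, and only ESTABLISHED replies coming back.
smtp_forward_rules() {
    priv_host="$1"
    mail_server="$2"
    if ! is_single_host "$priv_host"; then
        echo "refusing broad source: $priv_host" >&2
        return 1
    fi
    if ! is_single_host "$mail_server"; then
        echo "refusing broad destination: $mail_server" >&2
        return 1
    fi
    # Outbound: new and established connections, private -> public, port 25.
    $IPTABLES -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" \
        -s "$priv_host" -d "$mail_server" -p tcp --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Return path: only packets belonging to a connection the private host
    # opened. No NEW here, so the mail server cannot initiate anything inward.
    $IPTABLES -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" \
        -s "$mail_server" -d "$priv_host" -p tcp --sport 25 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Example run with the constructed addresses (dry run prints two commands).
smtp_forward_rules 192.168.160.10 203.0.113.25
```

The `is_single_host` check is the practical form of the Caution: a rule that names a network or `0.0.0.0/0` instead of a specific device bypasses the per-device access controls the OnBoard otherwise enforces, so the script refuses to emit it. Review the echoed commands before re-running with `IPTABLES=iptables`.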
Chains
A chain is a named, ordered list of one or more rules. Each rule defines
the following:
• A set of characteristics to look for in a packet (the match criteria)
• What to do with any packet that has all the defined characteristics (the
target, for example ACCEPT or DROP)