disable_access_to_admin_access_ssh:gui_for_guest_v:wlan

Differences

This shows you the differences between two versions of the page.

disable_access_to_admin_access_ssh:gui_for_guest_v:wlan [2021/02/09 23:06] hogwild
disable_access_to_admin_access_ssh:gui_for_guest_v:wlan [2024/03/02 17:01] (current) hogwild
Line 1: Line 1:
-===== Disable administrative access (SSH/GUI) for guest V/WLAN =====+====== Disable Administrative Access (SSH/GUI) to Guest VLAN/WLAN ======
  
-The default settings make Tomato's administration ports (SSH and HTTP/S) reachable from all VLANs/WLANs configured on the router.+The default settings allow access to the router's administration ports (SSH and HTTP/S) from all configured VLANs/WLANs.
  
-If you don't want communication to be available on a certain VLAN or WLAN, you can filter out access to those ports by using the following script in the Administration/Scripts/Firewall page:+If you don't want communication on a certain VLAN or WLAN, you can filter out access to its ports using the following script in the //Firewall// field of the [[https://wiki.freshtomato.org/doku.php/admin-scripts|Scripts]] menu \\  \\
  
-<code>+<code ->
 iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,23,80,443 -j REJECT
- 
 </code> </code>
  
-Your bridge number will reflect the interface on which you which to disable the above protocols.+\\ 
 + 
 +The bridge number ("br1" in the example) represents the interface on which you want access disabled. Double check the [[basic-network|Network]] menu to be certain. **Avoid filtering on bridge "br0"** to avoid locking out access to the router.
  
-If you're using non-standard port numbers, You can change the ports used above (22,80,443). You can also add additional lines changing br1 if you have multiple bridges/guest VLAN+If you use non-standard port numbers, you can change the port numbers used above (22,80,443).
  
-To ensure you don't lock yourself out of having access to the routeravoid filtering on bridge br0.+If you have multiple bridges or guest VLANsyou can add additional lines and change the relevant bridge interface names. The command will take effect as soon as the next run of the firewall script.
  
-This will take effect as soon as the firewall script is called next. You can force this manually with either a **service firewall restart** or rebooting the device.+You can force the command(s) to take effect manually by logging on to the router and typing the command: "//service firewall restart" //or by rebooting the device.
  
  
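Review bot: The port list in the new sentence "you can change the port numbers used above (22,80,443)" does not match the rule, which filters `--dport 22,23,80,443`; port 23 is missing from the prose in both the old and new revision, so a reader adapting the rule from the text alone could leave Telnet reachable from the guest bridge. Suggest writing "(22,23,80,443)" there. Two wording points in the same revision: "filter out access to its ports" now reads as the VLAN's ports rather than the router's administration ports named in the previous sentence, and the new title "Administrative Access (SSH/GUI) to Guest VLAN/WLAN" reads as access to the guest network rather than from it, so "from Guest VLAN/WLAN" would match what the rule does with `-i br1` on the INPUT chain. Finally, the markup in `"//service firewall restart" //` closes the italics after the quote and a space, which will render unevenly; the old revision's `**service firewall restart**` was cleaner. The rule is also TCP-only and IPv4-only as written, which is worth a sentence in the text if the guest bridge carries IPv6.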
disable_access_to_admin_access_ssh/gui_for_guest_v/wlan.1612912009.txt.gz · Last modified: 2021/02/09 23:06 by hogwild