Digi suggests setting up a scheduled TransPort reboot, to give the user a fixed number of minutes to test the updated firewall rules: to confirm not only that they work as expected, but also that the TransPort itself can still be accessed (that the updated rules do not inadvertently "lock out" access to the TransPort).
The steps below outline this process. The updated firewall rules will be uploaded to the TransPort and remain there, but the firewall will only be actually enabled during the scheduled testing period. After the timer expires and the unit is automatically rebooted, the unit will boot up with the updated firewall rules still on the TransPort file system, but the firewall will be disabled.
The user should only commit to the changes (via a "Save All") after the updated rules have been fully tested and it's ensured that the updated rules will not "lock out" the user from the TransPort.

Assumptions
The "fw.txt" file is updated on a computer and then uploaded to the TransPort (via FTP for example), as opposed to the firewall rules being updated through the web interface.
The TransPort is being accessed via the unit's web interface.

Testing steps
1. Disable the firewall on ALL interfaces, in Configuration - Security > Firewall. Specifically, scroll down past the firewall rules and uncheck any checked checkboxes (ETH x and PPP x).
2. Click the Apply button, click the "click here" link and then click the Save All button.
3. Upload the updated fw.txt to the TransPort (FTP is recommended and commonly used), overwriting the existing file.
4. In the TransPort web interface, navigate to Administration - Execute a Command. Issue the "fw" command (without quotes). Make sure there are no errors! The output should say something similar to "x lines compiled, 0 error(s)" where x is the number of lines/rules, then "OK" on a new line.
5. Navigate to Administration - Reboot, change the radio button to "In" and input "5" (without quotes) in the mins field. This will provide a specified amount of time to ensure you don't accidentally lock yourself out, and to verify that the firewall rules are working as expected, while the firewall is temporarily enabled.
6. Click the Reboot button. The 5 minute (or however many minutes you set) countdown will begin immediately, meaning the unit will automatically reboot in that many minutes, and the firewall will be disabled on all interfaces at that time.
7. Go back to Configuration - Security > Firewall and turn on the firewall for the interfaces that it should be enabled on.
NOTE: The old rules may still appear here, at the top. If so, please disregard this, as it’s likely a known browser caching issue.
8. Click the Apply button to enable the firewall on the selected interface(s).
9. Immediately ensure that you can still access the TransPort web interface, in other words, that you haven't locked yourself out. To be diligent, close the web browser and re-open it. If it appears that you're locked out, wait 5 (or however many) minutes for the unit to automatically reboot, then re-start this process and adjust the firewall rules as needed to attempt to address the lock out issue.
10. After you have confidence that the updated firewall rules aren't locking you out of the TransPort, consider doing a "Save All" at this point, so that if the unit is rebooted or power cycled, you'll still be able to access it.
11. Adjust the updated firewall rules as needed and follow the logic above (overwrite the existing fw.txt file; schedule a reboot before enabling/Applying the firewall) to ensure that whatever changes were made work as they should, and that you don't lock yourself out of the unit's web interface.
12. If the updated firewall rules work as expected and you can still access the TransPort web interface, perform a "Save All" to commit the changes. Once the "Save All" has been performed, navigate back to Administration - Reboot and cancel the reboot timer.
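An added helper (written for this article, not part of Digi's documentation or the TransPort firmware) that automates the two checks in the procedure above: reading the output of the "fw" compile command from step 4, and polling the TransPort web interface during the reboot window from steps 6 to 9 so that a lock-out is noticed promptly rather than by waiting for the reboot. The address 192.0.2.1 and the "/" URL path are placeholders for your unit; the sample "fw" output is constructed.

```python
"""Automate the two checks from the scheduled-reboot test procedure:
step 4 ("fw" compile output) and steps 6-9 (web interface still reachable)."""
import re
import time
import urllib.error
import urllib.request

# Matches the success line the article describes, e.g. "12 lines compiled, 0 error(s)".
_COMPILE_RE = re.compile(r"(\d+)\s+lines?\s+compiled,\s*(\d+)\s+error\(s\)", re.IGNORECASE)


def fw_compile_ok(output: str) -> bool:
    """True only if the "fw" output reports zero errors AND ends with "OK"."""
    match = _COMPILE_RE.search(output)
    if match is None:
        return False
    errors = int(match.group(2))
    lines = output.strip().splitlines()
    return errors == 0 and bool(lines) and lines[-1].strip().upper() == "OK"


def http_probe(url: str, timeout: float = 5.0) -> bool:
    """One reachability check. Any HTTP reply (even 401) means the rules let us through."""
    try:
        urllib.request.urlopen(url, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True   # the TransPort answered, so the firewall did not block us
    except (urllib.error.URLError, OSError):
        return False  # no answer within the timeout: possible lock-out


def monitor_access(probe, window_s: float, interval_s: float = 10.0,
                   sleep=time.sleep, clock=time.monotonic) -> dict:
    """Poll probe() until the reboot window closes; stop at the first failed check.

    sleep/clock are injectable so the loop can be exercised without waiting."""
    start = clock()
    deadline = start + window_s
    checks = 0
    while clock() < deadline:
        checks += 1
        if not probe():
            return {"checks": checks, "locked_out": True, "elapsed_s": clock() - start}
        sleep(interval_s)
    return {"checks": checks, "locked_out": False, "elapsed_s": clock() - start}


if __name__ == "__main__":
    print(fw_compile_ok("14 lines compiled, 0 error(s)\nOK\n"))  # constructed sample
    # Watch the unit for the 5-minute window (placeholder address; change to your TransPort).
    print(monitor_access(lambda: http_probe("http://192.0.2.1/"), window_s=300))
```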
Mar 19, 2019