Chapter 10. System Services

Table of Contents

10.1. Protecting the FB9000
10.2. Common settings
10.3. HTTP Server configuration
10.3.1. Access control
10.3.1.1. Trusted addresses
10.3.2. HTTPS access
10.4. Telnet Server configuration
10.4.1. Access control
10.5. DNS configuration
10.5.1. Blocking DNS names
10.5.2. Local DNS responses
10.5.3. Auto DHCP DNS
10.6. NTP configuration
10.7. SNMP configuration

A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling.

Table 10.1 lists the services that the FB9000 can provide :-

Table 10.1. List of system services

ServiceFunction
SNMP serverprovides clients with access to management information using the Simple Network Management Protocol
NTP clientautomatically synchronises the FB9000's clock with an NTP time server (usually using an Internet public NTP server)
Telnet serverprovides an administration command-line interface accessed over a network connection
HTTP serverserves the web user-interface files to a user's browser on a client machine
DNSrelays DNS requests from either the FB9000 itself, or client machines to one or more DNS resolvers

Services are configured under the "Setup" category, under the heading "General system services", where there is a single services object (XML element : <services>). The services object doesn't have any attributes itself, all configuration is done via child objects, one per service. If a service object is not present, the service is disabled. Clicking on the Edit link next to the services object will take you to the list of child objects. Where a service object is not present, the table in that section will contain an "Add" link. A maximum of one instance of each service object type can be present.

10.1. Protecting the FB9000

The FB9000 does not have a firewall as such. However, the design of the FB9000 is that it should be able to protect itself sensibly without the need for a separate firewall.

Each service has specific access control settings, and these default to not allowing external access (i.e. traffic not from locally Ethernet connected devices). You can also lock down access to a specific routing table, and restrict the source IP addresses from which connections are accepted.

In the case of the web interface, you can also define trusted IP addresses which are given priority access to the login page even if there is a denial of service attack against the web interface.