Re: [Vyatta-users] Vyatta-users Digest, Vol 23, Issue 32
Thank you all. I actually installed the Vyatta router on my PC. I did check the Linux shell and I confirmed that my router running config was there. I may be missing something on Vyatta 3, because I never encountered such a problem with Vyatta version 1.0.3. I encountered a similar problem with Vyatta VC2, but no such problem with Vyatta version 1.0.3, and that is the reason I keep on with Vyatta 1.0.3. I think the Vyatta technical team should work on this issue. Probably the config directory should be left in the root directory like in Vyatta version 1.0.3.

[EMAIL PROTECTED] wrote:

Today's Topics:

1. Re: Vyatta Stateful Firewall Issue (Komal Shah)
2. can't find my running config (Isiak Solih Sadik)
3. Re: can't find my running config (Justin Fletcher)
4. Re: can't find my running config (James A. Shigley)
5. Re: can't find my running config (Dave Roberts)

--
Message: 1
Date: Thu, 15 Nov 2007 17:35:04 +0530
From: Komal Shah
Subject: Re: [Vyatta-users] Vyatta Stateful Firewall Issue

Excellent! Please consider adding this information to the documentation.

Komal

Robyn Orosz wrote:

Hi Adrian,

First off, I apologize for the long delay in getting back to you, but I think I have an answer for you. On the Vyatta router, try the following:

echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

Then try running the nmap ACK scan again. The RST packet, which is what nmap is expecting in return, should not even get sent by the host, since the ACK packet should be blocked by the firewall this time.

What was happening is that a state of NEW in iptables means exactly that: any new TCP packet. It does not mean a new TCP packet with the SYN flag set. The 'nf_conntrack_tcp_loose' option can be modified, however, to enforce a more stringent set of checks on incoming TCP packets. With this option set to 0, the firewall will compare the packet against the existing conntrack entries and drop it, because it is not a valid packet for establishing a new connection and it is not part of an existing established connection.

The benefit of having this value set to 3 (the default) is that it will try to pick up any existing connections that were terminated as a result of a system reload or other unexpected failure. So it assumes that the new ACK packet was part of a previous connection that got dropped and cleared from the conntrack table when the system went down. If this is not a concern of yours, then I'd say setting it to 0 would not cause any other problems. An enhancement request has actually already been opened to allow the nf_conntrack_tcp_loose value to be modified via the CLI: https://bugzilla.vyatta.com/show_bug.cgi?id=2122

Another option is to add a rule directly in iptables that drops any NEW packets that don't have the SYN flag set. For example:

iptables -I FORWARD 1 -p tcp ! --syn -m state --state NEW -j DROP

This rule gets added to the beginning of the iptables FORWARD chain and drops any new packets that don't have the SYN flag set. The problem with this workaround is that you have to be careful when running firewall rules in the CLI and in iptables, as their order of entry is very important and can cause problems or confusion if it gets out of sync. You'll also have to script any rules that you add directly into iptables, and also the echo into nf_conntrack_tcp_loose, so that your changes will still exist after a reboot.

I also opened an enhancement request to add TCP flag match criteria to the Vyatta firewall. So, in the future, the rule above should be configurable via the CLI: https://bugzilla.vyatta.com/show_bug.cgi?id=2474

Thank you and let me know if this works for you.

-Robyn

--
Message: 2
Date: Thu, 15 Nov 2007 23:09:57 +0530
From: Isiak Solih Sadik
Subject: [Vyatta-users] can't find my running config

Please help! I installed Vyatta router 3 on my PC and it worked perfectly. I actually saved the running config in the default file opt/vyatta/etc/config/config.boot, but when I reboot my Vyatta can't route anything. I found out that my saved running config is no longer in
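One way to script Robyn's two workarounds from message 1 above so they survive a reboot, as an added example that is not from the original thread: it accepts only the nf_conntrack_tcp_loose values the post discusses, and inserts the NEW-without-SYN drop rule only when an iptables-save dump does not already carry it. The boot hook it is launched from (rc.local or similar) and the availability of iptables-save are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the two conntrack
# workarounds at boot so they survive a reboot. Assumptions: run as root
# from the box's boot hook (e.g. rc.local), and iptables-save is available.

SYSCTL_PATH=/proc/sys/net/netfilter/nf_conntrack_tcp_loose
RULE_SPEC='-p tcp ! --syn -m state --state NEW -j DROP'

# Only 0 (strict: a bare ACK is never NEW) and 3 (the default named in the
# post: pick up connections that predate a reload) are accepted.
valid_tcp_loose() {
    case "$1" in
        0|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read an iptables-save dump on stdin; succeed if FORWARD already carries the
# NEW-without-SYN drop, so a re-run never stacks duplicate rules. Newer
# iptables prints "-m state" rules as "--ctstate", hence the alternation.
rule_present() {
    grep -E '^-A FORWARD .*! --syn .*--(ct)?state NEW .*-j DROP' >/dev/null
}

# Apply both settings. $1 is the desired nf_conntrack_tcp_loose value.
apply() {
    valid_tcp_loose "$1" || { echo "refusing nf_conntrack_tcp_loose=$1" >&2; return 2; }
    echo "$1" > "$SYSCTL_PATH"
    if ! iptables-save | rule_present; then
        # RULE_SPEC is deliberately unquoted so it word-splits into arguments
        iptables -I FORWARD 1 $RULE_SPEC
    fi
}

# Invoked as "conntrack-hardening.sh apply 0" from the boot hook; when the
# file is merely sourced, nothing runs.
case "${1:-}" in
    apply) apply "${2:-0}" ;;
esac
```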
Re: [Vyatta-users] Problem with gateway, and vyatta internet update
Two things.

1) Your DHCP config should be handing out the inside IP of the Vyatta box as the default gateway to clients, in this case 10.0.0.1, not the default gateway of the Vyatta box itself.

2) You need to give the Vyatta box a name server so it can resolve addresses to get to the apt repository for updates. Do this:

set system name-server 192.168.0.2
commit
save

And that will allow the Vyatta router to look up host names to get on the internet.

--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
www.sheltonjohns.com

On Nov 16, 2007, at 9:40 AM, GVerris wrote:

Hi, my name is Giannis and I am a new user of Vyatta and I have some problems. I use the VC3. [...]

Here are the problems:

1. I can't see the internet. The DHCP works fine, and the firewall and DNS I suppose.
2. The Vyatta does not connect to the internet to make updates.

Please help, I don't know what is wrong.
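A check for the misconfiguration Aubrey points out, added here as an example rather than anything from the thread: it reads a config.boot and flags every DHCP subnet whose default-router is not inside that subnet (Giannis's 10.0.0.0/24 hands out 192.168.0.2). It assumes one statement per line, as config.boot is normally written, and a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Added example (not from the original thread): flag DHCP subnets whose
# default-router is not inside the subnet, the fault Aubrey points out.
# Assumes one statement per line (normal config.boot) and 64-bit shell math.

ip2int() {
    # dotted quad -> 32-bit integer (IFS=. splits the address on the dots)
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {
    # $1 = address, $2 = network/prefix; succeed if the address lies inside
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

check_dhcp_gateways() {
    # config.boot on stdin; one OK/BAD line per subnet that sets a default-router
    awk '
        /subnet [0-9.]+\/[0-9]+/ { for (i = 1; i <= NF; i++) if ($i == "subnet") net = $(i + 1) }
        /default-router:/ { for (i = 1; i <= NF; i++) if ($i == "default-router:" && net != "") print net, $(i + 1) }
    ' | while read -r net gw; do
        if in_subnet "$gw" "$net"; then
            echo "OK $net default-router $gw"
        else
            echo "BAD $net default-router $gw is not inside the subnet"
        fi
    done
}

# Usage on the router: check_dhcp_gateways < /opt/vyatta/etc/config/config.boot
```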
[Vyatta-users] Problem with gateway, and vyatta internet update
Hi, my name is Giannis and I am a new user of Vyatta and I have some problems. I use the VC3.

This is my network:

PC1 (IP A)
PC2 (IP B)
PC3 (IP C)
SERVER (IP D)
ROUTER (NOT VYATTA) (IP E) (DNS and DHCP are disabled; I want to use it as gateway only)

And the role of firewall, DHCP, DNS, router etc. I want the Vyatta to have.

Here is my config.boot:

/*XORP Configuration File, v1.0*/
protocols {
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: 192.168.0.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description:
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: Office Lan
        hw-id: 00:50:bf:6b:0d:ce
        duplex: auto
        speed: auto
        address 10.0.0.1 {
            prefix-length: 24
            disable: false
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: Internet Wan
        hw-id: 00:50:22:82:ef:63
        duplex: auto
        speed: auto
        address 192.168.0.2 {
            prefix-length: 24
            disable: false
        }
        firewall {
            local {
                name: FWTELNET
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name OfficeLAN {
            subnet 10.0.0.0/24 {
                start 10.0.0.50 {
                    stop: 10.0.0.150
                }
                dns-server 192.168.0.20
                default-router: 192.168.0.2
                lease: 86400
                domain-name: test.router
                authoritative: disable
            }
        }
    }
    nat {
        rule 1 {
            type: masquerade
            outbound-interface: eth1
            protocols: all
            source {
                network: 10.0.0.0/24
            }
            destination {
                network: 0.0.0.0/0
            }
        }
        rule 2 {
            type: destination
            inbound-interface: eth1
            protocols: tcp
            source {
                network: 0.0.0.0/0
            }
            destination {
                address: 192.168.0.1
                port-name http
            }
            inside-address {
                address: 10.0.0.30
            }
        }
    }
    telnet {
        port: 23
    }
    webgui {
        http-port: 80
        https-port: 443
    }
}
firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name FWTELNET {
        rule 1 {
            protocol: tcp
            action: reject
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-name telnet
            }
        }
        rule 2 {
            protocol: all
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                network: 0.0.0.0/0
            }
        }
    }
}
system {
    host-name: vyatta
    domain-name:
    time-zone: GMT
    ntp-server 69.59.150.135
    login {
        user root {
            full-name:
            authentication {
                encrypted-password: x
            }
        }
        user vyatta {
            full-name:
            authentication {
                encrypted-password: x
            }
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: main
            url: http://archive.vyatta.com/vyatta;
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: [EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED] === */

Here are the problems:

1. I can't see the internet. The DHCP works fine, and the firewall and DNS I suppose.
2. The Vyatta does not connect to the internet to make updates.

Please help, I don't know what is wrong.

Thanks

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] DHCP relay in vif interfaces (vc3)
Thanks Marat, I will try it ASAP.

Marat Nepomnyashy wrote:

Hi Sergio,

There is a limitation in the VC3 release in that only 'ethX' values can be specified for DHCP relay interfaces. This is due to overly stringent validation checks. I just opened a new bug on this: https://bugzilla.vyatta.com/show_bug.cgi?id=2473

A temporary work-around can be implemented using the attachments just added to Bug 2473. There is attachment id 238, which should be copied over the runtime file '/opt/vyatta/share/xorp/templates/rl_dhcp.tp' on your router. You will also need to apply the patch in attachment id 239 to the runtime script file '/opt/vyatta/sbin/dhcrelay-starter.pl' to disable another validation check. You will have to reboot the router for the validation check removals to take effect, so make sure you're running off a disk rather than CD-ROM, or the changes will be lost.

Hope this works for now,

-- Marat

----- Original Message -----
From: Sergio Garcia
To: [EMAIL PROTECTED]
Sent: Wednesday, November 14, 2007 4:34 AM
Subject: [Vyatta-users] DHCP relay in vif interfaces (vc3)

Hi all. I hope you can help me with this doubt :)

I want to relay DHCP requests incoming from three eth1 vifs to a DHCP server, but Vyatta VC3 only allows me to select ethX interfaces (X goes from 0 to 23). Is it possible to do this? Launching dhcrelay manually is not a good solution, but if it is the only way I will accept it.

Thanks in advance
Re: [Vyatta-users] Digest versus Non-Digest Mail
For the sake of those of us who subscribe to the Vyatta-users mail in digest form (the once-a-day compilation), please try only to quote the pertinent part of your reply to a poster. Leaving the whole of the original post, when only a small portion is needed to clarify your reply, makes the messages needlessly long. And for the sake of whatever deity you hold sacred, don't send confidentiality notices or 10-line pithy sayings in your signature. This litters the ether with needless bits of crap we just don't need when discussing open-source routing. Thanks,

ROFL! Amen! Yes!

Seriously, good advice. The world is becoming more electronically connected. Mailing list hygiene is just as important as personal hygiene in this day and age. Trim where you can. ;-)

-- Dave

Something pithy would go here, but I trimmed it... This message is not confidential and in fact should be shared with everyone, unless of course by the act of receiving this message your company has now deemed it a company confidential secret. In which case, you should not share it with anybody before asking your company attorneys whether you can do so. Your mileage may vary. Employees of Vyatta and their immediate families are not eligible to win.