Re: [Vyatta-users] Vyatta-users Digest, Vol 23, Issue 32

2007-11-16 Thread Isiak Solih Sadik
Thank you all.
I actually installed the Vyatta router on my PC. I did check the Linux shell 
and I confirmed that my router's running config was there.
I may be missing something on Vyatta 3 because I never encountered such a 
problem with Vyatta version 1.0.3. I encountered a similar problem with Vyatta 
VC2, but no such problem with Vyatta version 1.0.3, and that is the reason I 
keep on with Vyatta 1.0.3.
I think the Vyatta technical team should work on this issue. Probably the config 
directory should be left in the root directory like in Vyatta version 1.0.3.




[EMAIL PROTECTED] wrote:

Today's Topics:

   1. Re: Vyatta Stateful Firewall Issue (Komal Shah)
   2. can't find my running config (Isiak Solih Sadik)
   3. Re: can't find my running config (Justin Fletcher)
   4. Re: can't find my running config (James A. Shigley)
   5. Re: can't find my running config (Dave Roberts)


--

Message: 1
Date: Thu, 15 Nov 2007 17:35:04 +0530
From: Komal Shah [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] Vyatta Stateful Firewall Issue
To: vyatta-users@mailman.vyatta.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

Excellent!

Please consider adding this information in documentation.

Komal

Robyn Orosz wrote:
 Hi Adrian,
 
 First off, I apologize for the long delay in getting back to you but, I 
 think I have an answer for you.  On the Vyatta router, try the following:
 
 echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
 
 Then try running the nmap ACK scan again.  The RST packet, which is what 
 nmap is expecting in return, should not even get sent by the host since 
 the ACK packet should be blocked by the firewall this time. 
 
 What was happening is that a state of NEW in iptables means exactly 
 that--any new TCP packet.  It does not mean a new TCP packet with the 
 SYN flag set.  The 'nf_conntrack_tcp_loose' option can be modified 
 however, to enforce a more stringent set of checks on incoming TCP 
 packets.  With this option set to 0, the firewall will compare the 
 packet against the existing conntrack entries and drop it because it is 
 not a valid packet for establishing a new connection and it is not part 
 of an existing established connection.
 
 The benefit of having this value set to 3 (the default) is that it will 
 try and pick up any existing connections that were terminated as a 
 result of a system reload or other unexpected failure.  So, it assumes 
 that the new ACK packet was part of a previous connection that got 
 dropped and cleared from the conntrack table when the system went down.  
 If this is not a concern of yours, then I'd say setting it to 0 would 
 not cause any other problems.
 
 An enhancement request has actually already been open to allow the 
 nf_conntrack_tcp_loose value to be modified via the CLI:
 
 https://bugzilla.vyatta.com/show_bug.cgi?id=2122
 
 Another option is to add a rule directly in iptables that drops any NEW 
 packets that don't have the SYN flag set.  EX:
 
 iptables -I FORWARD 1 -p tcp ! --syn -m state --state NEW -j DROP
 
 This rule gets added to the beginning of the iptables FORWARD chain and 
 drops any new packets that don't have the SYN flag set.  The problem 
 with this workaround is that you have to be careful when running 
 firewall rules in the CLI and in iptables as their order of entry is 
 very important and can cause problems or confusion if it gets out of 
 sync.  You'll also have to script any rules that you add directly into 
 iptables and also the echo into the nf_conntrack_tcp_loose so that your 
 changes will still exist after a reboot.
 
 I also opened an enhancement request to add TCP flag match criteria into 
 the Vyatta firewall.  So, in the future, the rule above should be 
 configurable via the CLI:
 
 https://bugzilla.vyatta.com/show_bug.cgi?id=2474
 
 Thank you and let me know if this works for you.
 
 -Robyn
 


--

Message: 2
Date: Thu, 15 Nov 2007 23:09:57 +0530
From: Isiak Solih Sadik [EMAIL PROTECTED]
Subject: [Vyatta-users] can't find my running config
To: vyatta-users@mailman.vyatta.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Pls Help!
I installed Vyatta router 3 on my PC and it worked perfectly. I actually saved 
the running config in the default file opt/vyatta/etc/config/config.boot, but 
when I reboot my Vyatta can't route anything. I found out that my saved running 
config is no longer in 
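
Picking up the nf_conntrack_tcp_loose discussion quoted in the digest above: the following is an added example, not code from any list posting or from Vyatta. It models in Python how conntrack classifies a TCP packet that matches no known flow under the loose (nonzero) and strict (0) settings, and what the iptables workaround "! --syn -m state --state NEW -j DROP" adds on top. The model is deliberately simplified: flows are keyed by address/port tuple only, with no sequence-number tracking, timeouts or full TCP state machine, and all addresses and ports are constructed values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Added example (not from the list or from Vyatta): a simplified model of
# conntrack's treatment of a TCP packet that matches no tracked flow, keyed on
# the nf_conntrack_tcp_loose sysctl value, plus the optional iptables rule
# that drops NEW packets lacking SYN.


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # e.g. frozenset({"SYN"}) or frozenset({"ACK"})


FlowKey = Tuple[str, int, str, int]


class Conntrack:
    """tcp_loose mirrors /proc/sys/net/netfilter/nf_conntrack_tcp_loose."""

    def __init__(self, tcp_loose: int = 3) -> None:
        self.tcp_loose = tcp_loose
        self.flows: Set[FlowKey] = set()

    def classify(self, pkt: TcpPacket) -> str:
        fwd: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "NEW"  # a proper connection attempt
        if self.tcp_loose != 0:
            return "NEW"  # loose mode: pick up a mid-stream flow (e.g. after a reboot)
        return "INVALID"  # strict mode: non-SYN packet with no known flow

    def confirm(self, pkt: TcpPacket) -> None:
        """Record a flow once the firewall accepted its first packet."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def forward_decision(ct: Conntrack, pkt: TcpPacket, drop_new_without_syn: bool) -> str:
    """FORWARD-chain policy: accept NEW and ESTABLISHED, drop INVALID, and
    optionally drop NEW packets that lack SYN (the iptables workaround)."""
    state = ct.classify(pkt)
    if state == "INVALID":
        return "DROP"
    if state == "NEW" and drop_new_without_syn and "SYN" not in pkt.flags:
        return "DROP"
    if state == "NEW":
        ct.confirm(pkt)
    return "ACCEPT"


def ack_probe_result(tcp_loose: int, drop_new_without_syn: bool) -> str:
    """Decision for one unsolicited ACK (what an ACK scan sends). ACCEPT means
    the inside host sees it and answers RST, so the port looks 'unfiltered'
    from outside; DROP means the scanner gets no reply. Addresses constructed."""
    ct = Conntrack(tcp_loose)
    probe = TcpPacket("203.0.113.9", 40000, "10.0.0.30", 80, frozenset({"ACK"}))
    return forward_decision(ct, probe, drop_new_without_syn)


def legitimate_connection_result(tcp_loose: int, drop_new_without_syn: bool) -> List[str]:
    """A normal handshake (SYN, SYN/ACK back, ACK) through the same policy;
    returns the per-packet decisions to show the strict settings do not break it."""
    ct = Conntrack(tcp_loose)
    client, server = ("10.0.0.50", 50000), ("198.51.100.7", 443)
    pkts = [
        TcpPacket(client[0], client[1], server[0], server[1], frozenset({"SYN"})),
        TcpPacket(server[0], server[1], client[0], client[1], frozenset({"SYN", "ACK"})),
        TcpPacket(client[0], client[1], server[0], server[1], frozenset({"ACK"})),
    ]
    return [forward_decision(ct, p, drop_new_without_syn) for p in pkts]


if __name__ == "__main__":
    for loose, rule in [(3, False), (0, False), (3, True)]:
        print(f"tcp_loose={loose} drop_rule={rule}: ACK probe -> {ack_probe_result(loose, rule)}, "
              f"handshake -> {legitimate_connection_result(loose, rule)}")
```

Running it shows the three cases from Robyn's message: with the default tcp_loose=3 and no extra rule the lone ACK is treated as NEW and forwarded, while either tcp_loose=0 or the drop rule stops it, and a real three-way handshake passes under all three settings. The trade-off she describes is visible in the classify() branch: strict mode is exactly what refuses to re-adopt a flow whose conntrack entry was lost in a reload.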

Re: [Vyatta-users] Problem with gateway, and vyatta internet update

2007-11-16 Thread Aubrey Wells

Two things.

1) Your DHCP config should be handing out the inside IP of the vyatta  
box for the default-gateway to clients, in this case 10.0.0.1, not  
the default gateway of the vyatta box itself.


2) You need to give the vyatta box a name server so it can resolve  
addresses to get to the apt repository for updates. Do this:


set system name-server 192.168.0.2
commit
save

And that will allow the vyatta router to look up host names to get on  
the internet.



--
Aubrey Wells
Senior Engineer
Shelton | Johns Technology Group
404.478.2790
www.sheltonjohns.com



On Nov 16, 2007, at 9:40 AM, GVerris wrote:

Hi my name is Giannis and I am a new user of vyatta and I have some  
problems


I use the vc3



This is my network



PC1  (IP A)

PC2  (IP B)

PC3  (IP C)



SERVER (IP D)



ROUTER (NOT VYATTA) (IP E)

(DNS & DHCP are disabled; I want to use it as a gateway only)

And the role of firewall, dhcp, dns, router etc. I want to be the  
vyatta




Here is my config.boot



/*XORP Configuration File, v1.0*/
protocols {
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: 192.168.0.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description: 
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: Office Lan
        hw-id: 00:50:bf:6b:0d:ce
        duplex: auto
        speed: auto
        address 10.0.0.1 {
            prefix-length: 24
            disable: false
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: Internet Wan
        hw-id: 00:50:22:82:ef:63
        duplex: auto
        speed: auto
        address 192.168.0.2 {
            prefix-length: 24
            disable: false
        }
        firewall {
            local {
                name: FWTELNET
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name OfficeLAN {
            subnet 10.0.0.0/24 {
                start 10.0.0.50 {
                    stop: 10.0.0.150
                }
                dns-server 192.168.0.20
                default-router: 192.168.0.2
                lease: 86400
                domain-name: test.router
                authoritative: disable
            }
        }
    }
    nat {
        rule 1 {
            type: masquerade
            outbound-interface: eth1
            protocols: all
            source {
                network: 10.0.0.0/24
            }
            destination {
                network: 0.0.0.0/0
            }
        }
        rule 2 {
            type: destination
            inbound-interface: eth1
            protocols: tcp
            source {
                network: 0.0.0.0/0
            }
            destination {
                address: 192.168.0.1
                port-name http
            }
            inside-address {
                address: 10.0.0.30
            }
        }
    }
    telnet {
        port: 23
    }
    webgui {
        http-port: 80
        https-port: 443
    }
}
firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name FWTELNET {
        rule 1 {
            protocol: tcp
            action: reject
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-name telnet
            }
        }
        rule 2 {
            protocol: all
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                network: 0.0.0.0/0
            }
        }
    }
}
system {
    host-name: vyatta
    domain-name: 
    time-zone: GMT
    ntp-server 69.59.150.135
    login {
        user root {
            full-name: 
            authentication {
                encrypted-password: x
            }
        }
        user vyatta {
            full-name: 
            authentication {
                encrypted-password: x
            }
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: main
            url: http://archive.vyatta.com/vyatta;
        }
    }
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: [EMAIL PROTECTED]:[EMAIL PROTECTED]:dhcp-[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED] === */




Here are the problems

1. I can't see the internet; the DHCP works fine, and the firewall and  
DNS too, I suppose.

2. The vyatta does not connect to the internet to make updates

Please help, I don't know what is wrong
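
Both of Aubrey's points can be caught by reading the config.boot itself. The following is an added example, not Vyatta code: a small Python parser for the VC3 config.boot brace format and two checks over it, one that the DHCP default-router lies inside the served subnet and is an address this router actually holds, and one that a system name-server exists. SAMPLE_CONFIG is a constructed cut-down of the config posted above (same addresses, same mistake); FIXED_CONFIG is the same text with Aubrey's two changes applied. Function and variable names are my own.

```python
import ipaddress
from typing import Any, Dict, List, Set

# Added example (not Vyatta code): parse the config.boot brace format and
# check the DHCP gateway and name-server settings discussed in the reply.

# Constructed sample, trimmed from the posted config.boot: the DHCP
# default-router is the WAN address 192.168.0.2, not the LAN address 10.0.0.1,
# and 'system' has no name-server.
SAMPLE_CONFIG = """\
/*XORP Configuration File, v1.0*/
interfaces {
    ethernet eth0 {
        description: Office Lan
        address 10.0.0.1 {
            prefix-length: 24
        }
    }
    ethernet eth1 {
        description: Internet Wan
        address 192.168.0.2 {
            prefix-length: 24
        }
    }
}
service {
    dhcp-server {
        shared-network-name OfficeLAN {
            subnet 10.0.0.0/24 {
                start 10.0.0.50 {
                    stop: 10.0.0.150
                }
                dns-server 192.168.0.20
                default-router: 192.168.0.2
                lease: 86400
            }
        }
    }
}
system {
    host-name: vyatta
    ntp-server 69.59.150.135
}
"""

# The same config with the two fixes from the reply applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "default-router: 192.168.0.2", "default-router: 10.0.0.1"
).replace("host-name: vyatta", "host-name: vyatta\n    name-server 192.168.0.2")

Node = Dict[str, Any]


def parse_config(text: str) -> Node:
    """Parse 'head {' / '}' nesting, 'key: value' leaves and 'key value' leaves
    (the latter may repeat, so they collect into a list). /* comments are skipped."""
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif ":" in line:
            key, _, value = line.partition(":")
            stack[-1][key.strip()] = value.strip()
        else:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip())
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def local_addresses(cfg: Node) -> Set[ipaddress.IPv4Address]:
    """Every address configured on an ethernet interface of this router."""
    addrs: Set[ipaddress.IPv4Address] = set()
    for head, node in cfg.get("interfaces", {}).items():
        if isinstance(node, dict) and head.startswith("ethernet "):
            for sub in node:
                if sub.startswith("address "):
                    addrs.add(ipaddress.ip_address(sub.split()[1]))
    return addrs


def check_config(cfg: Node) -> List[str]:
    """Return one finding per problem; an empty list means both checks pass."""
    findings: List[str] = []
    local = local_addresses(cfg)
    dhcp = cfg.get("service", {}).get("dhcp-server", {})
    for sn_head, sn in dhcp.items():
        if not (isinstance(sn, dict) and sn_head.startswith("shared-network-name ")):
            continue
        for subnet_head, subnet in sn.items():
            if not (isinstance(subnet, dict) and subnet_head.startswith("subnet ")):
                continue
            net = ipaddress.ip_network(subnet_head.split()[1], strict=False)
            router = subnet.get("default-router")
            if router is None:
                findings.append(f"{net}: no default-router, so clients get no gateway")
                continue
            gw = ipaddress.ip_address(router)
            if gw not in net:
                findings.append(f"{net}: default-router {gw} is outside the subnet")
            elif gw not in local:
                findings.append(f"{net}: default-router {gw} is not an address on this router")
    if "name-server" not in cfg.get("system", {}):
        findings.append("system: no name-server, so package updates cannot resolve the repository")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_config(parse_config(text)) or ["ok"])
```

The "outside the subnet" finding is the gateway problem from point 1: a client on 10.0.0.0/24 cannot reach 192.168.0.2 directly, so it never gets a usable route even though DHCP itself works. The name-server finding is point 2. The parser is only as strict as this config format needs; it does not handle multi-line comments or quoted values.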



[Vyatta-users] Problem with gateway, and vyatta internet update

2007-11-16 Thread GVerris

Hi my name is Giannis and I am a new user of vyatta and I have some problems

I use the vc3



This is my network



PC1  (IP A)

PC2  (IP B)

PC3  (IP C)



SERVER (IP D)



ROUTER (NOT VYATTA) (IP E)

(DNS & DHCP are disabled; I want to use it as a gateway only)

And the role of firewall, dhcp, dns, router etc. I want to be the vyatta



Here is my config.boot



/*XORP Configuration File, v1.0*/
protocols {
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: 192.168.0.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description: 
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: Office Lan
        hw-id: 00:50:bf:6b:0d:ce
        duplex: auto
        speed: auto
        address 10.0.0.1 {
            prefix-length: 24
            disable: false
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: Internet Wan
        hw-id: 00:50:22:82:ef:63
        duplex: auto
        speed: auto
        address 192.168.0.2 {
            prefix-length: 24
            disable: false
        }
        firewall {
            local {
                name: FWTELNET
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name OfficeLAN {
            subnet 10.0.0.0/24 {
                start 10.0.0.50 {
                    stop: 10.0.0.150
                }
                dns-server 192.168.0.20
                default-router: 192.168.0.2
                lease: 86400
                domain-name: test.router
                authoritative: disable
            }
        }
    }
    nat {
        rule 1 {
            type: masquerade
            outbound-interface: eth1
            protocols: all
            source {
                network: 10.0.0.0/24
            }
            destination {
                network: 0.0.0.0/0
            }
        }
        rule 2 {
            type: destination
            inbound-interface: eth1
            protocols: tcp
            source {
                network: 0.0.0.0/0
            }
            destination {
                address: 192.168.0.1
                port-name http
            }
            inside-address {
                address: 10.0.0.30
            }
        }
    }
    telnet {
        port: 23
    }
    webgui {
        http-port: 80
        https-port: 443
    }
}
firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name FWTELNET {
        rule 1 {
            protocol: tcp
            action: reject
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-name telnet
            }
        }
        rule 2 {
            protocol: all
            action: accept
            log: disable
            source {
                network: 0.0.0.0/0
            }
            destination {
                network: 0.0.0.0/0
            }
        }
    }
}
system {
    host-name: vyatta
    domain-name: 
    time-zone: GMT
    ntp-server 69.59.150.135
    login {
        user root {
            full-name: 
            authentication {
                encrypted-password: x
            }
        }
        user vyatta {
            full-name: 
            authentication {
                encrypted-password: x
            }
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: main
            url: http://archive.vyatta.com/vyatta;
        }
    }
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: [EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED]:[EMAIL PROTECTED] === */




Here are the problems

1. I can't see the internet; the DHCP works fine, and the firewall and 
DNS too, I suppose.

2. The vyatta does not connect to the internet to make updates

Please help, I don't know what is wrong



thanks
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] DHCP relay in vif interfaces (vc3)

2007-11-16 Thread Sergio Garcia
Thanks Marat, I will try it asap.


Marat Nepomnyashy wrote:
 Hi Sergio,

 There is a limitation in the VC3 release in that only 'ethX' values 
 can be specified for DHCP relay interfaces.  This is due to overly 
 stringent validation checks.  I just opened a new bug on this:

 https://bugzilla.vyatta.com/show_bug.cgi?id=2473


 A temporary work-around can be implemented using the attachments just 
 added to Bug 2473.

 There is the attachment id 238 that should be copied over the runtime 
 file '/opt/vyatta/share/xorp/templates/rl_dhcp.tp' on your router.  
 You will also need to apply the patch in attachment id 239 to the 
 runtime script file '/opt/vyatta/sbin/dhcrelay-starter.pl' to disable 
 another validation check. You will have to reboot the router for the 
 validation checks removals to take effect, so make sure you're running 
 off a disk rather than CDROM, or the changes will be lost.

 Hope this works for now,

 -- Marat

 - Original Message - From: Sergio Garcia [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, November 14, 2007 4:34 AM
 Subject: [Vyatta-users] DHCP relay in vif interfaces (vc3)


 Hi all.
 I hope you can help me with this doubt :)
 I want to relay dhcp requests incoming from three eth1 VIFs to a dhcp
 server but Vyatta VC3 only allows me to select ethX interfaces (X goes
 from 0 to 23).

 Is it possible to do this? Launching dhcrelay manually is not a good
 solution, but if it is the only way I will accept.

 Thanks in advance



Re: [Vyatta-users] Digest versus Non-Digest Mail

2007-11-16 Thread Dave Roberts
 For the sake of those of us who subscribe to the Vyatta-users 
 mail in digest form (the once a day compilation), please try 
 only to quote the pertinent part of your reply to a poster. 
 Leaving the whole of the original post, when only a small 
 portion is needed to clarify your reply makes the messages 
 needlessly long.
 And for the sake of whatever deity you hold sacred, don't 
 send confidentiality notices or 10-line pithy sayings in your 
 signature. This litters the ether with needless bits of crap 
 we just don't need when discussing open-source routing.
 Thanks,

ROFL! Amen! Yes!

Seriously, good advice. The world is becoming more electronically
connected. Mailing list hygiene is just as important as personal hygiene
in this day and age. Trim where you can. ;-)

-- Dave

something pithy would go here, but I trimmed it...

this message is not confidential and in fact should be shared with
everyone, unless of course by the act of receiving this message your
company has now deemed it a company confidential secret. In which case,
you should not share it with anybody before asking your company attorneys
whether you can do so. Your mileage may vary. Employees of Vyatta and
their immediate families are not eligible to win.
