Re: [Vyatta-users] SOLVED: FIREWALL question: How can I "stealth" tcpports

2007-12-21 Thread John Mason Jr
I'll throw my $.02 in here

Examples of how to accomplish common configurations are very important,
with graphics where possible to allow a Vyatta beginner to easily select
an appropriate config.


I would add info on some of the tasks Vyatta doesn't do out of the box,
like antivirus, web content inspection, that kind of thing.


Also I would put links in the documentation where it makes sense to
basic sources on networking, firewalls and other topics, so folks can
help themselves learn.



John




Lindsay Burrell wrote:
> Hi, Josh--
> 
> I think you speak for other users about the firewall documentation--we get
> lots of questions about firewall and NAT, and that tells me that the
> documentation needs to be strengthened, or made easier, or made richer, or
> made simpler, or made more relevant.
> 
> Dave Roberts has offered me some suggestions for making this kind of
> documentation easier for folks to approach. I've re-written the Quick Start
> Guide for one of the upcoming releases along the lines of his suggestions,
> and I'm hoping the result is something that will be more helpful.
> 
> If you don't mind, I'll keep your e-mail aside. When we feel the new guide
> is ready to "try out," perhaps I'll ask you to take a sneak preview of it
> and see what you think. I'd like to know whether, if you had seen this
> documentation first, it would have worked for you and allowed you to get on
> with doing what you wanted to do.
> 
> Please let me know if you'd be willing to take a look. :-)
> 
> (You can reply to me directly if you like.)
> 
> So thank you for bothering to give us your comments. I'll try to use
> them to make good improvements.
> 
> --I do recognize how important the security features are (and yet how
> complex), and how critical it is to present the right information, in just
> the right amount, in the right form, so that folks can get done the things
> they want to get done and not be faced with a forest of information they
> don't need.
> 
> Lindsay
> 
> 
> Lindsay Burrell
> Technical Writer
> Vyatta, Inc.
> 

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] SOLVED: FIREWALL question: How can I "stealth" tcpports

2007-12-21 Thread Lindsay Burrell
Hi, Josh--

I think you speak for other users about the firewall documentation--we get
lots of questions about firewall and NAT, and that tells me that the
documentation needs to be strengthened, or made easier, or made richer, or
made simpler, or made more relevant.

Dave Roberts has offered me some suggestions for making this kind of
documentation easier for folks to approach. I've re-written the Quick Start
Guide for one of the upcoming releases along the lines of his suggestions,
and I'm hoping the result is something that will be more helpful.

If you don't mind, I'll keep your e-mail aside. When we feel the new guide
is ready to "try out," perhaps I'll ask you to take a sneak preview of it
and see what you think. I'd like to know whether, if you had seen this
documentation first, it would have worked for you and allowed you to get on
with doing what you wanted to do.

Please let me know if you'd be willing to take a look. :-)

(You can reply to me directly if you like.)

So thank you for bothering to give us your comments. I'll try to use
them to make good improvements.

--I do recognize how important the security features are (and yet how
complex), and how critical it is to present the right information, in just
the right amount, in the right form, so that folks can get done the things
they want to get done and not be faced with a forest of information they
don't need.

Lindsay


Lindsay Burrell
Technical Writer
Vyatta, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh vyatta
Sent: December 21, 2007 10:45 AM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] SOLVED: FIREWALL question: How can I "stealth"
tcpports

Adrian,
I must express my deepest appreciation for listing out the steps to
configure my firewall properly! You can't imagine my confusion until
now. Your advice has helped me accomplish my first main objective of
at least making the Vyatta as secure as a common SOHO router/firewall.
I realize it can do so much more, but if I can't make it do the
basics, how can I ever think of moving into the more complex config
goals I have?

I now have external SSH access properly configured, and internal-only
WebGui access. All other ports on the outside (including http and
https) are now filtered (or "stealthed" if scanned from GRC.com).

Why is none of this valuable information DOCUMENTED in the Vyatta
Manuals? (Or have I missed it somewhere)? It seems this is very
elementary and is probably a very common configuration goal for many
people.

Adrian, I have one more question to reference your last statement...

> In the same way you can set an in firewall instance for your local
> interface (obviously for tcp you will have to use the new parameter and
> now the source ports become destination ports). And also for the local
> instance of your local interface.
> Since "the rest" of the traffic is denied you need to carefully create
> your rules.

...is it necessary to set an INBOUND firewall on my eth1 internal port
for the traffic leaving OUTBOUND for http or DNS, for example?

Currently, I can access DNS/HTTP/HTTPS/FTP, etc. from internal to
outbound. So wouldn't adding a firewall to eth1 open Pandora's box for
requiring ALL types of traffic to be identified and specifically
listed in order to be permitted outbound access once you add the first
firewall rule to that interface? I guess it would not be a terribly
bad idea to KNOW all the traffic that comes in OR GOES OUT, but
wouldn't that be an administrative nightmare?

Hope all of that makes sense.

Thanks again for all your help!
Josh

On 12/12/07, Adrian F. Dimcev <[EMAIL PROTECTED]> wrote:
> Hi Josh,
> There is no firewall by default on Vyatta.
> Your firewall rule does not prevent packets from "external" to your
> Vyatta itself.
> You can apply the firewall instance as in, out and local per interface.
> You have used in, meaning that packets entering that interface will be
> filtered by the firewall.
> But you are scanning Vyatta's external IP address meaning that packets
> are "sent to" the local instance.
> So you should define a rule like:
>
> set firewall name extlocal rule 10 action accept
> set firewall name extlocal rule 10 protocol tcp
> set firewall name extlocal rule 10 state new enable
> set firewall name extlocal rule 10 state established enable
> set firewall name extlocal rule 10 destination port-number 22
>
> set interfaces ethernet eth0 firewall local name extlocal
>
> Obviously this means that tcp port 22 will come as "open" because you
> wanted to use ssh from the "external net".
> Other traffic will be implicitly denied. So you won't be able to ping
> from Vyatta itself
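An added example, not part of the thread and not taken from the Vyatta manuals, showing one way to lay out the three attachment points Adrian describes (local, in on eth0, in on eth1) so that only SSH reaches the router from outside, replies to sessions the router or the LAN opened are still accepted, and the implicit deny that Josh asks about is handled with a short allow-list rather than by enumerating every protocol. It reuses the rule syntax from Adrian's message; `state related enable`, `protocol udp` and the `in` instance on eth1 are assumed to be available in this release, and the rule-set names `extlocal`, `extin` and `lanin` are chosen for the example.

```vyatta
# Added example (not from the thread or the Vyatta docs). Assumes the rule
# syntax shown above; 'state related enable' and 'protocol udp' are assumed
# to exist in this release (check with 'set firewall name x rule 5 ?').

# --- Traffic addressed to the router itself, arriving on eth0 (local) ---
# Replies to sessions the router opened (its own ping, DNS lookups), so the
# router can still ping out even though everything else is implicitly denied.
set firewall name extlocal rule 5 action accept
set firewall name extlocal rule 5 state established enable
set firewall name extlocal rule 5 state related enable

# New SSH sessions from outside (the only port that shows as "open").
set firewall name extlocal rule 10 action accept
set firewall name extlocal rule 10 protocol tcp
set firewall name extlocal rule 10 state new enable
set firewall name extlocal rule 10 destination port-number 22

set interfaces ethernet eth0 firewall local name extlocal

# --- Traffic entering eth0 to be forwarded to the LAN (in) ---
# Only replies to sessions the LAN opened; nothing new from outside.
set firewall name extin rule 5 action accept
set firewall name extin rule 5 state established enable
set firewall name extin rule 5 state related enable

set interfaces ethernet eth0 firewall in name extin

# --- Traffic entering eth1 from the LAN (in) ---
# Once any rule set is attached here, anything not listed is dropped, so
# the services the LAN may use must be named. Their replies come back
# through 'extin' above and need no rules of their own here.
set firewall name lanin rule 5 action accept
set firewall name lanin rule 5 state established enable
set firewall name lanin rule 5 state related enable

set firewall name lanin rule 10 action accept
set firewall name lanin rule 10 protocol tcp
set firewall name lanin rule 10 state new enable
set firewall name lanin rule 10 destination port-number 80

set firewall name lanin rule 20 action accept
set firewall name lanin rule 20 protocol tcp
set firewall name lanin rule 20 state new enable
set firewall name lanin rule 20 destination port-number 443

set firewall name lanin rule 30 action accept
set firewall name lanin rule 30 protocol udp
set firewall name lanin rule 30 state new enable
set firewall name lanin rule 30 destination port-number 53

set interfaces ethernet eth1 firewall in name lanin

commit
```

The stateful rule 5 in each set is what keeps the allow-list short: the LAN's outbound sessions are identified once, on eth1, and their return packets match `established` on eth0 instead of needing a mirrored rule per service. Leaving the eth1 `in` instance off entirely, as Josh currently has it, is also a valid choice when the only goal is to protect the router and the LAN from inbound connections; attaching it buys egress control at the cost of maintaining that list.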