Re: [Vyatta-users] SOLVED: FIREWALL question: How can I stealth tcpports

2007-12-21 Thread Lindsay Burrell
Hi, Josh--

Hi, Josh

I think you speak for other users about the firewall documentation--we get
lots of questions about firewall and NAT, and that tells me that the
documentation needs to be strengthened, or made easier, or made richer, or
made simpler, or made more relevant.

Dave Roberts has offered me some suggestions for making this kind of
documentation easier for folks to approach. I've re-written the Quick Start
Guide for one of the upcoming releases along the lines of his suggestions,
and I'm hoping the result is something that will be more helpful.

If you don't mind, I'll keep your e-mail aside. When we feel the new guide
is ready to try out, perhaps I'll ask you to take a sneak preview of it
and see what you think. I'd like to know whether, if you had seen this
documentation first, it would have worked for you and allowed you to get on
with doing what you wanted to do.

Please let me know if you'd be willing to take a look. :-)

(You can reply to me directly if you like.)

So thank you for bothering to give us your comments. I'll try to use
them to make good improvements.

--I do recognize how important the security features are (and yet how
complex), and how critical it is to present the right information, in just
the right amount, in the right form, so that folks can get done the things
they want to get done and not be faced with a forest of information they
don't need.

Lindsay


Lindsay Burrell
Technical Writer
Vyatta, Inc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh vyatta
Sent: December 21, 2007 10:45 AM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] SOLVED: FIREWALL question: How can I stealth
tcpports

Adrian,
I must express my deepest appreciation for listing out the steps to
configure my firewall properly! You can't imagine my confusion until
now. Your advice has helped me accomplish my first main objective of
at least making the Vyatta as secure as a common SOHO router/firewall.
I realize it can do so much more, but if I can't make it do the
basics, how can I ever think of moving into the more complex config
goals I have.

I now have external SSH access properly configured, and internal-only
WebGui access. All other ports on the outside (including http and
https) are now filtered (or stealthed if scanned from GRC.com).

Why is none of this valuable information DOCUMENTED in the Vyatta
Manuals? (Or have I missed it somewhere)? It seems this is very
elementary and is probably a very common configuration goal for many
people.

Adrian, I have one more question to reference your last statement...

 In the same way you can set an in firewall instance for your local
 interface (obviously for tcp you will have to use the new parameter and
 now the source ports become destination ports). And also for the local
 instance of your local interface.
 Since the rest of the traffic is denied you need to carefully create
 your rules.

...is it necessary to set an INBOUND firewall on my eth1 internal port
for the traffic leaving OUTBOUND for http or DNS, for example?

Currently, I can access DNS/HTTP/HTTPS/FTP, etc from internal to
outbound. So wouldn't adding a firewall to eth1 open Pandora's box for
requiring ALL types of traffic to be identified and specifically
listed in order to be permitted outbound access once you add the first
firewall rule to that interface? I guess it would not be a terribly
bad idea to KNOW all the traffic that comes in OR GOES OUT, but
wouldn't that be an administrative nightmare?

Hope all of that makes sense.

Thanks again for all your help!
Josh

On 12/12/07, Adrian F. Dimcev [EMAIL PROTECTED] wrote:
 Hi Josh,
 There is no firewall by default on Vyatta.
 Your firewall rule does not prevent packets from external to your
 Vyatta itself.
 You can apply the firewall instance as in, out and local per interface.
 You have used in, meaning that packets entering that interface will be
 filtered by the firewall.
 But you are scanning Vyatta's external IP address meaning that packets
 are sent to the local instance.
 So you should define a rule like:

 set firewall name extlocal rule 10 action accept
 set firewall name extlocal rule 10 protocol tcp
 set firewall name extlocal rule 10 state new enable
 set firewall name extlocal rule 10 state established enable
 set firewall name extlocal rule 10 destination port-number 22

 set interfaces ethernet eth0 firewall local name extlocal

 Obviously this means that tcp port 22 will come as open because you
 wanted to use ssh from the external net.
 Other traffic will be implicitly denied. So you won't be able to ping
 from Vyatta itself say, google's ip addresses.
 For that you need to add another rule allowing the returning echo reply
 packet (unfortunately we cannot have a state parameter for protocols other
 than TCP with Vyatta VC3, there is a report on bugzilla for that,
 https://bugzilla.vyatta.com/show_bug.cgi?id=2502):

 set firewall name
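The thread turns on two points that are easy to get wrong: which firewall instance (in, out or local) a given packet actually traverses, and the fact that once a named rule set is attached, anything it does not explicitly accept is dropped. The simulator below is an added example, not Vyatta's own code: it parses the `set firewall ...` / `set interfaces ... firewall ...` command syntax used in Adrian's reply, applies the placement rule he describes (traffic addressed to the router's own IP goes to the `local` instance of the ingress interface; transit traffic goes to `in` on the ingress interface and `out` on the egress interface), and evaluates rules first-match with an implicit drop. The router addresses, the `lanin` rule set and the sample packets are constructed for the demo; the connection-tracker state on each packet is assumed rather than computed. It also answers Josh's eth1 question: with no firewall attached the LAN's outbound HTTP passes, and with a rule set attached that only lists DNS, HTTP from the LAN is dropped.

```python
"""Added example: a toy evaluator for Vyatta VC3-style firewall commands.
Not Vyatta's code; topology, addresses and packets are constructed."""
from dataclasses import dataclass

# Constructed topology: eth0 faces the internet, eth1 faces the LAN.
ROUTER_ADDRS = {"eth0": "203.0.113.10", "eth1": "192.168.1.1"}


@dataclass
class Packet:
    iface: str            # interface the packet arrives on
    dst: str              # destination IP address
    proto: str            # tcp / udp / icmp
    dport: int = 0        # destination port (0 for icmp)
    state: str = "new"    # assumed conntrack verdict: new / established
    egress: str = ""      # forwarding decision for transit packets


def parse_config(lines):
    """Parse `set firewall name N rule R ...` and
    `set interfaces ethernet IF firewall DIR name N` lines into
    rule sets {name: {rule_no: {...}}} and bindings {(iface, dir): name}."""
    rulesets, bindings = {}, {}
    for line in lines:
        w = line.split()
        if not w or w[0] != "set":
            continue
        if w[1] == "firewall" and w[2] == "name":
            name, num = w[3], int(w[5])
            rule = rulesets.setdefault(name, {}).setdefault(num, {})
            key, value = w[6:-1], w[-1]
            if key[0] == "state":                  # "state new enable"
                rule.setdefault("state", set()).add(key[1])
            else:                                  # action / protocol / destination port-number
                rule[" ".join(key)] = value
        elif w[1] == "interfaces" and w[4] == "firewall":
            bindings[(w[3], w[5])] = w[7]
    return rulesets, bindings


def matches(rule, pkt):
    """A rule matches only if every configured criterion matches."""
    proto = rule.get("protocol", "all")
    if proto != "all" and proto != pkt.proto:
        return False
    if "destination port-number" in rule and int(rule["destination port-number"]) != pkt.dport:
        return False
    if "state" in rule and pkt.state not in rule["state"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """First matching rule wins; no match means drop (implicit deny)."""
    for num in sorted(ruleset):
        if matches(ruleset[num], pkt):
            return ruleset[num].get("action", "drop")
    return "drop"


def instances_for(pkt):
    """Hooks a packet traverses, per the thread: to the router itself -> local
    on the ingress interface; otherwise in on ingress and out on egress."""
    if pkt.dst in ROUTER_ADDRS.values():
        return [(pkt.iface, "local")]
    hooks = [(pkt.iface, "in")]
    if pkt.egress:
        hooks.append((pkt.egress, "out"))
    return hooks


def verdict(rulesets, bindings, pkt):
    """A hook with no rule set attached accepts (no firewall by default);
    every attached rule set along the path must accept."""
    for hook in instances_for(pkt):
        name = bindings.get(hook)
        if name and evaluate(rulesets.get(name, {}), pkt) != "accept":
            return "drop"
    return "accept"


# The rule set from the thread: ssh to the router itself, everything else implicit drop.
EXTLOCAL = """
set firewall name extlocal rule 10 action accept
set firewall name extlocal rule 10 protocol tcp
set firewall name extlocal rule 10 state new enable
set firewall name extlocal rule 10 state established enable
set firewall name extlocal rule 10 destination port-number 22
set interfaces ethernet eth0 firewall local name extlocal
""".splitlines()

# Constructed LAN-side rule set that lists only DNS, to show the eth1 effect.
LAN_ONLY_DNS = """
set firewall name lanin rule 10 action accept
set firewall name lanin rule 10 protocol udp
set firewall name lanin rule 10 destination port-number 53
set interfaces ethernet eth1 firewall in name lanin
""".splitlines()


def demo():
    """Return verdicts for the cases discussed in the thread."""
    rs, b = parse_config(EXTLOCAL)
    ext, lan_dst = ROUTER_ADDRS["eth0"], "198.51.100.5"
    results = {
        "ssh_to_router": verdict(rs, b, Packet("eth0", ext, "tcp", 22)),
        "http_to_router": verdict(rs, b, Packet("eth0", ext, "tcp", 80)),
        "echo_reply_to_router": verdict(rs, b, Packet("eth0", ext, "icmp")),
        "lan_http_out_no_fw": verdict(rs, b, Packet("eth1", lan_dst, "tcp", 80, egress="eth0")),
    }
    rs2, b2 = parse_config(EXTLOCAL + LAN_ONLY_DNS)
    results["lan_dns_out_with_fw"] = verdict(rs2, b2, Packet("eth1", lan_dst, "udp", 53, egress="eth0"))
    results["lan_http_out_with_fw"] = verdict(rs2, b2, Packet("eth1", lan_dst, "tcp", 80, egress="eth0"))
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

The `echo_reply_to_router` case reproduces Adrian's point: `extlocal` only matches TCP, so an ICMP echo reply returning to the router's own address hits the `local` instance and falls through to the implicit drop until a separate ICMP rule is added. The two `lan_*_with_fw` cases show why attaching an `in` rule set to eth1 means every protocol the LAN should be allowed to send outbound has to be listed (or covered by a broad accept rule).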

Re: [Vyatta-users] SOLVED: FIREWALL question: How can I stealth tcpports

2007-12-21 Thread John Mason Jr
I'll throw my $.02 in here

Examples of how to accomplish common configurations are very important,
with graphics where possible to allow a vyatta beginner to easily select
an appropriate config.


I would add info on some of the tasks Vyatta doesn't do out of the box,
like antivirus, webcontent inspection that kind of thing.


Also I would put links in the documentation where it makes sense to
basic sources on networking firewalls and other topics, so folks can
help themselves learn.



John




Lindsay Burrell wrote:
 Hi, Josh--
 
 Hi, Josh
 
 I think you speak for other users about the firewall documentation--we get
 lots of questions about firewall and NAT, and that tells me that the
 documentation needs to be strengthened, or made easier, or made richer, or
 made simpler, or made more relevant.
 
 Dave Roberts has offered me some suggestions for making this kind of
 documentation easier for folks to approach. I've re-written the Quick Start
 Guide for one of the upcoming releases along the lines of his suggestions,
 and I'm hoping the result is something that will be more helpful.
 
 If you don't mind, I'll keep your e-mail aside. When we feel the new guide
 is ready to try out, perhaps I'll ask you to take a sneak preview of it
 and see what you think. I'd like to know whether, if you had seen this
 documentation first, it would have worked for you and allowed you to get on
 with doing what you wanted to do.
 
 Please let me know if you'd be willing to take a look. :-)
 
 (You can reply to me directly if you like.)
 
 So thank you for bothering to give us your comments. I'll try to use
 them to make good improvements.
 
 --I do recognize how important the security features are (and yet how
 complex), and how critical it is to present the right information, in just
 the right amount, in the right form, so that folks can get done the things
 they want to get done and not be faced with a forest of information they
 don't need.
 
 Lindsay
 
 
 Lindsay Burrell
 Technical Writer
 Vyatta, Inc.
 

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users