[Vyatta-users] VC3 firewall problem

2008-01-10 Thread abhilash s
Hi All,

I have upgraded from VC2 to VC3, but when I tried to implement the
firewall, all traffic to the internet stopped. Here are my old and new
firewall configurations:


OLD FIREWALL CONFIGURATION:


firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name inbound {
        rule 1 {
            protocol: all
            state {
                established: enable
                related: enable
            }
            action: accept
            log: disable
        }
        rule 2 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name: ssh
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name: ssh
            }
        }
        rule 4 {
            protocol: icmp
            icmp {
                type: 8
            }
            action: accept
            log: disable
        }
        rule 5 {
            protocol: icmp
            icmp {
                type: 11
            }
            action: accept
            log: disable
        }
        rule 6 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number: xxx
            }
        }
        rule 7 {
            protocol: all
            action: drop
            log: disable
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

NEW FIREWALL CONFIGURATION:

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
    name inbound {
        description: inbound firewall
        rule 1 {
            protocol: tcp
            state {
                established: enable
                related: enable
            }
            action: accept
            log: disable
        }
        rule 2 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name ssh
            }
        }
        rule 3 {
            protocol: tcp
            action: accept
            log: disable
            source {
                address: x.x.x.x
            }
            destination {
                port-name ssh
            }
        }
        rule 4 {
            protocol: icmp
            icmp {
                type: 8
            }
            action: accept
            log: disable
        }
        rule 5 {
            protocol: icmp
            icmp {
                type: 11
            }
            action: accept
            log: disable
        }
        rule 6 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number xxx
            }
        }
        rule 7 {
            protocol: udp
            action: accept
            log: disable
            destination {
                port-number xxx
            }
        }
        rule 8 {
            protocol: all
            action: drop
            log: disable
            source {
                network: 0.0.0.0/0
            }
        }
    }
}

I have applied this rule set to my interface's firewall as "in" and "local".
When I enable this firewall, I can't even ping my ISP gateway (modem IP).
Please tell me what I need to change to implement it on VC3.

Thanks in Advance,

Regards,

Abhilash S
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] VC3 firewall problem

2008-01-10 Thread Robyn Orosz
Hi Abhilash,

There is an issue in VC3 that restricts the related/established rule 
(your rule number 1) to TCP only.  Most likely, the reason your VC2 
firewall was working is because return traffic of any type (ICMP, UDP, 
TCP, etc.) was allowed back in via rule number 1.  Your new rule number 
1 on VC3 only allows return traffic on TCP.

For more information on the bug and to fix this issue on your system, 
see the following post to the user's list:

http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

This bug has been fixed and will no longer be an issue in the next release.

Thank you,

Robyn
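The following is an added example, not Vyatta code and not part of the thread: a small Python model of first-match evaluation over the two "inbound" rule sets posted above, used to show why a state rule limited to TCP breaks the router's own pings and UDP replies while leaving the rest of the policy unchanged. The admin addresses (192.0.2.10, 192.0.2.11) and service port (1194) are constructed stand-ins for the x.x.x.x and xxx values the poster redacted; the catch-all drop is numbered 99 here because it is rule 7 in one config and rule 8 in the other; the fallback verdict when no rule matches is a modelling assumption that is never reached, since the posted rule sets end in an explicit drop.

```python
"""Constructed model of first-match firewall evaluation for the two 'inbound'
rule sets in the thread (example added here, not Vyatta code).

A packet is a dict carrying the fields the rules inspect: protocol, conntrack
state, ICMP type, destination port and source address.  Rules are tried top to
bottom and the first match decides the verdict."""

# Placeholders for the values the poster redacted (x.x.x.x and port-number xxx).
ADMIN_HOSTS = {"192.0.2.10", "192.0.2.11"}   # constructed, RFC 5737 addresses
SERVICE_PORT = 1194                          # constructed stand-in for "xxx"


def rule(number, protocol, action, state=None, icmp_type=None, dst_port=None, src=None):
    """One firewall rule; a None field means 'not inspected by this rule'."""
    return dict(number=number, protocol=protocol, action=action,
                state=state, icmp_type=icmp_type, dst_port=dst_port, src=src)


def inbound_ruleset(state_rule_protocol):
    """Build the poster's 'inbound' rule set.  The only difference between the
    VC2 and VC3 versions that matters here is the protocol on rule 1."""
    return [
        rule(1, state_rule_protocol, "accept", state={"established", "related"}),
        rule(2, "tcp", "accept", dst_port=22, src=ADMIN_HOSTS),  # rules 2 and 3 of the post
        rule(4, "icmp", "accept", icmp_type=8),                  # echo request
        rule(5, "icmp", "accept", icmp_type=11),                 # time exceeded
        rule(6, "udp", "accept", dst_port=SERVICE_PORT),
        rule(99, "all", "drop"),                                 # final catch-all (rule 7 / rule 8)
    ]


OLD_INBOUND = inbound_ruleset("all")   # VC2: state rule matches every protocol
NEW_INBOUND = inbound_ruleset("tcp")   # VC3: state rule restricted to TCP


def matches(r, pkt):
    """True when every inspected field of the rule agrees with the packet."""
    if r["protocol"] != "all" and r["protocol"] != pkt["protocol"]:
        return False
    if r["state"] is not None and pkt["state"] not in r["state"]:
        return False
    if r["icmp_type"] is not None and pkt.get("icmp_type") != r["icmp_type"]:
        return False
    if r["dst_port"] is not None and pkt.get("dst_port") != r["dst_port"]:
        return False
    if r["src"] is not None and pkt["src"] not in r["src"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """Return (action, rule number) of the first matching rule."""
    for r in ruleset:
        if matches(r, pkt):
            return r["action"], r["number"]
    return "drop", None   # modelling assumption; the explicit final drop always matches


# Constructed sample traffic arriving on the WAN interface.
SAMPLES = {
    "tcp reply to outbound web session":
        dict(protocol="tcp", state="established", src="198.51.100.5", dst_port=40000),
    "icmp echo reply to router's ping of ISP gateway":
        dict(protocol="icmp", state="established", src="198.51.100.1", icmp_type=0),
    "udp dns reply to router's resolver query":
        dict(protocol="udp", state="established", src="198.51.100.53", dst_port=40001),
    "unsolicited tcp syn to port 80":
        dict(protocol="tcp", state="new", src="203.0.113.9", dst_port=80),
    "unsolicited echo request (ping of the router)":
        dict(protocol="icmp", state="new", src="203.0.113.9", icmp_type=8),
    "ssh from admin host":
        dict(protocol="tcp", state="new", src="192.0.2.10", dst_port=22),
}


def compare(pkt):
    """Verdicts for one packet under the VC2 and VC3 rule sets."""
    return evaluate(OLD_INBOUND, pkt), evaluate(NEW_INBOUND, pkt)


def regressions():
    """Names of sample flows the VC2 set accepted but the VC3 set drops."""
    out = []
    for name, pkt in SAMPLES.items():
        (old_action, _), (new_action, _) = compare(pkt)
        if old_action == "accept" and new_action == "drop":
            out.append(name)
    return out


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        (old_act, old_no), (new_act, new_no) = compare(pkt)
        print(f"{name:48s} VC2: {old_act} (rule {old_no})  VC3: {new_act} (rule {new_no})")
    print("regressions:", regressions())
```

Running it shows the two regressions the thread describes: the echo reply to the router's own ping and the UDP reply to its resolver both fall through every rule in the VC3 set and hit the final drop, while unsolicited traffic, inbound echo requests and admin SSH are handled identically by both rule sets. The same walk-through is a useful check to run against any stateful policy after an upgrade: enumerate the return-traffic types you rely on and confirm each one still matches an accept rule before the catch-all.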



Re: [Vyatta-users] VC3 firewall problem

2008-01-10 Thread abhilash s
Hi Robyn,

This works for me. Thank you very much.

Thanks and Regards,

Abhilash.S

On Jan 10, 2008 10:11 AM, Robyn Orosz [EMAIL PROTECTED] wrote: