[Vyatta-users] VC3 firewall problem
Hi All,

I have upgraded VC2 to VC3. But when I tried to implement the firewall, all traffic to the internet stops. Here is my old and new firewall configuration:

OLD FIREWALL CONFIGURATION:

    firewall {
        log-martians: enable
        send-redirects: disable
        receive-redirects: disable
        ip-src-route: disable
        broadcast-ping: disable
        syn-cookies: enable
        name inbound {
            rule 1 {
                protocol: all
                state {
                    established: enable
                    related: enable
                }
                action: accept
                log: disable
            }
            rule 2 {
                protocol: tcp
                action: accept
                log: disable
                source {
                    address: x.x.x.x
                }
                destination {
                    port-name: ssh
                }
            }
            rule 3 {
                protocol: tcp
                action: accept
                log: disable
                source {
                    address: x.x.x.x
                }
                destination {
                    port-name: ssh
                }
            }
            rule 4 {
                protocol: icmp
                icmp {
                    type: 8
                }
                action: accept
                log: disable
            }
            rule 5 {
                protocol: icmp
                icmp {
                    type: 11
                }
                action: accept
                log: disable
            }
            rule 6 {
                protocol: udp
                action: accept
                log: disable
                destination {
                    port-number: xxx
                }
            }
            rule 7 {
                protocol: all
                action: drop
                log: disable
                source {
                    network: 0.0.0.0/0
                }
            }
        }
    }

NEW FIREWALL CONFIGURATION:

    firewall {
        log-martians: enable
        send-redirects: disable
        receive-redirects: disable
        ip-src-route: disable
        broadcast-ping: disable
        syn-cookies: enable
        name inbound {
            description: inbound firewall
            rule 1 {
                protocol: tcp
                state {
                    established: enable
                    related: enable
                }
                action: accept
                log: disable
            }
            rule 2 {
                protocol: tcp
                action: accept
                log: disable
                source {
                    address: x.x.x.x
                }
                destination {
                    port-name ssh
                }
            }
            rule 3 {
                protocol: tcp
                action: accept
                log: disable
                source {
                    address: x.x.x.x
                }
                destination {
                    port-name ssh
                }
            }
            rule 4 {
                protocol: icmp
                icmp {
                    type: 8
                }
                action: accept
                log: disable
            }
            rule 5 {
                protocol: icmp
                icmp {
                    type: 11
                }
                action: accept
                log: disable
            }
            rule 6 {
                protocol: udp
                action: accept
                log: disable
                destination {
                    port-number xxx
                }
            }
            rule 7 {
                protocol: udp
                action: accept
                log: disable
                destination {
                    port-number xxx
                }
            }
            rule 8 {
                protocol: all
                action: drop
                log: disable
                source {
                    network: 0.0.0.0/0
                }
            }
        }
    }

I have applied this setting to my interface's firewall as "in" and "local".

When I try to enable this firewall setting, I can't ping my ISP gateway (modem IP) either. Please tell me what I need to change to implement it on VC3?

Thanks in advance,

Regards,
Abhilash S

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] VC3 firewall problem
Hi Abhilash,

There is an issue in VC3 that restricts the related/established rule (your rule number 1) to TCP only. Most likely, the reason your VC2 firewall was working is because return traffic of any type (ICMP, UDP, TCP, etc.) was allowed back in via rule number 1. Your new rule number 1 on VC3 only allows return traffic on TCP.

For more information on the bug and to fix this issue on your system, see the following post to the user's list: http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

This bug has been fixed and will no longer be an issue in the next release.

Thank you,
Robyn

abhilash s wrote:
> I have upgraded VC2 to VC3. But when I tried to implement the firewall, all traffic to the internet stops.
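As an added illustration (not code from the thread or from Vyatta), the following Python model evaluates the two "inbound" rulesets posted above with first-match semantics, duplicate ssh/udp rules collapsed and the masked address and port replaced by constructed placeholders. It shows why rule 1's protocol alone decides whether the ICMP echo reply from the gateway, or a UDP DNS answer, is accepted or falls through to the catch-all drop.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    state: str                      # conntrack state: "new", "established" or "related"
    src: str = "0.0.0.0"            # constructed labels, not real addresses
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

def rule(action, proto="all", state=None, src=None, dport=None, icmp_type=None):
    return dict(action=action, proto=proto, state=state, src=src, dport=dport, icmp_type=icmp_type)

def ruleset(established_proto):
    # The thread's 'inbound' name with its duplicate rules collapsed; only
    # rule 1's protocol differs between the VC2 and the VC3 version.
    return [
        rule("accept", proto=established_proto, state=("established", "related")),
        rule("accept", proto="tcp", src="x.x.x.x", dport=22),   # ssh from the admin host
        rule("accept", proto="icmp", icmp_type=8),              # echo request
        rule("accept", proto="icmp", icmp_type=11),             # time exceeded
        rule("accept", proto="udp", dport=5000),                # the post's 'xxx' port (placeholder)
        rule("drop"),                                           # catch-all 0.0.0.0/0 drop
    ]

def matches(r, p):
    return ((r["proto"] == "all" or r["proto"] == p.proto)
            and (r["state"] is None or p.state in r["state"])
            and (r["src"] is None or r["src"] == p.src)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["icmp_type"] is None or r["icmp_type"] == p.icmp_type))

def verdict(rules, p) -> Tuple[Optional[int], str]:
    """First-match evaluation; returns (rule number, action)."""
    for i, r in enumerate(rules, 1):
        if matches(r, p):
            return i, r["action"]
    return None, "drop"  # unreachable here: both rulesets end in a catch-all drop

VC2 = ruleset("all")   # old: rule 1 matches return traffic of any protocol
VC3 = ruleset("tcp")   # new: rule 1 only matches TCP return traffic

# Return traffic of a ping to the ISP gateway and of a DNS query (constructed samples);
# conntrack classifies both as 'established', but neither is TCP.
echo_reply = Packet("icmp", "established", src="gateway", icmp_type=0)
dns_reply = Packet("udp", "established", src="resolver", dport=40123)
```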
Re: [Vyatta-users] VC3 firewall problem
Hi Robyn,

This works for me. Thank you very much.

Thanks and regards,
Abhilash.S

On Jan 10, 2008 10:11 AM, Robyn Orosz [EMAIL PROTECTED] wrote:
> There is an issue in VC3 that restricts the related/established rule (your rule number 1) to TCP only.