Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Steven Kath
Nate,

It's possible to manage your firewall exclusively with iptables, but it 
does add administrative overhead - you'd have to maintain the rules in 
rc.local or another script called from there to make sure your rules are 
applied on every boot. 

Are you trying to allow SSH access to the Vyatta router itself, or to 
another host through the router?  It's important to remember that 
traffic passing through the router is handled by a different firewall 
chain than the traffic destined for or originating from the router.

Allowing SSH on the INPUT chain (as you described) should allow access 
to the Vyatta router itself, but if you're trying to allow access to 
another host across the router, you'd need to add the allow rule to the 
FORWARD chain instead. 

In the Vyatta CLI, allowing access to the router itself would be done 
with a "Local" firewall:
set interfaces ethernet eth0 firewall local name eth0-allow-ssh

And allowing access to other hosts through the router would be done with 
the "In" firewall:
set interfaces ethernet eth0 firewall in name eth0-allow-ssh

- Steve


Nathan McBride wrote:
> Hmm, ok.  Can I just create my full firewall in iptables?
> Last time I did that, I changed the default rule for INPUT to DROP
> and then added a rule to allow ssh and it didn't seem to work?
>
> Thanks,
> Nate
>   
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Nathan McBride
Hmm, ok.  Can I just create my full firewall in iptables?
Last time I did that, I changed the default rule for INPUT to DROP
and then added a rule to allow ssh and it didn't seem to work?

Thanks,
Nate





Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Steven Kath
Nate,

There is a walkthrough on the upgrade process in the Vyatta wiki, 
http://www.vyatta.com/twiki/bin/view/Community/HowToUpdate

However, I think this fix may not have been published to the community 
edition repositories yet. 

You may need to use the workaround and create the state-matching rule 
manually with iptables. 
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Iptables rules created outside of the configuration file won't be 
persistent across reboots, so you'll probably want to add that line to 
the file /etc/rc.local to make sure it's applied at every boot.

- Steve

Nathan McBride wrote:
> You're right it looks exactly like that bug.
> When I do a show version all I get is:
>
> Baseline Version: vc3
> Booted From: disk
>
> Because of the similarity I would assume I haven't gotten the latest
> yet.  How should I go about updating it?
>
> When I do just 'aptitude' it gives me a confusing ncurses thing.
>
> Thanks,
> Nate
>


Re: [Vyatta-users] Firewall question.

2008-01-28 Thread John Gong
Nathan,

The keyword is "all" instead of any.

Cheers,

John


- Original Message -
From: "Nathan McBride" <[EMAIL PROTECTED]>
To: Vyatta-users@mailman.vyatta.com
Sent: Monday, January 28, 2008 9:12:41 AM (GMT-0800) America/Los_Angeles
Subject: Re: [Vyatta-users] Firewall question.

Also, when I try any it doesn't work...

[EMAIL PROTECTED] commit
[edit]
Commit Failed
invalid protocol "any"
[EMAIL PROTECTED] set firewall name eth0-in rule 1 protocol ANY
[edit]
[EMAIL PROTECTED] commit
[edit]
Commit Failed
invalid protocol "ANY"

What am I doing wrong?
Nate



-- 
John Gong, Systems Engineer
(650) 350-3147
www.vyatta.com
Welcome To the Dawn of Open Source Networking



Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Nathan McBride
You're right it looks exactly like that bug.
When I do a show version all I get is:

Baseline Version: vc3
Booted From: disk

Because of the similarity I would assume I haven't gotten the latest
yet.  How should I go about updating it?

When I do just 'aptitude' it gives me a confusing ncurses thing.

Thanks,
Nate

On Mon, 2008-01-28 at 09:16 -0800, Steven Kath wrote:
> Nate,
> 
> Are you using version 2.3?  It seems like you might be experiencing bug 
> 2502:
> 
> http://bugzilla.vyatta.com/show_bug.cgi?id=2502
> 
> This bug was resolved with the 2.3.1 release, so you may want to upgrade 
> if you haven't already.
> 
> If you're already using the latest version and still getting errors, it 
> would be useful to have a look at a log of your commands and the exact 
> error message that's coming back.  From what I can tell, the rule 1 you 
> describe below should work properly in version 2.3.1.
> 
> - Steve
> 


Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Nathan McBride
Also, when I try any it doesn't work...

[EMAIL PROTECTED] commit
[edit]
Commit Failed
invalid protocol "any"
[EMAIL PROTECTED] set firewall name eth0-in rule 1 protocol ANY
[edit]
[EMAIL PROTECTED] commit
[edit]
Commit Failed
invalid protocol "ANY"

What am I doing wrong?
Nate

On Mon, 2008-01-28 at 08:05 -0800, Justin Fletcher wrote:
> You shouldn't need the out rule; until a firewall is applied,
> everything is accepted.
> However, the simple rule is protocol any action accept.  That should
> do it if you want to be thorough :-)
> 
> Justin
> 


Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Steven Kath
Nate,

Are you using version 2.3?  It seems like you might be experiencing bug 
2502:

http://bugzilla.vyatta.com/show_bug.cgi?id=2502

This bug was resolved with the 2.3.1 release, so you may want to upgrade 
if you haven't already.

If you're already using the latest version and still getting errors, it 
would be useful to have a look at a log of your commands and the exact 
error message that's coming back.  From what I can tell, the rule 1 you 
describe below should work properly in version 2.3.1.

- Steve


Nathan McBride wrote:
> So then I probably couldn't view a web page or see my pings because
> the response packets I was getting were being blocked?
>
> What is the correct way to make an established and related rule so you
> don't get the errors I am getting?
>
> Thanks,
> Nate
>
>


Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Nathan McBride
So then I probably couldn't view a web page or see my pings because
the response packets I was getting were being blocked?

What is the correct way to make an established and related rule so you
don't get the errors I am getting?

Thanks,
Nate


On Mon, 2008-01-28 at 08:05 -0800, Justin Fletcher wrote:
> You shouldn't need the out rule; until a firewall is applied,
> everything is accepted.
> However, the simple rule is protocol any action accept.  That should
> do it if you want to be thorough :-)
> 
> Justin
> 


Re: [Vyatta-users] Firewall question.

2008-01-28 Thread Justin Fletcher
You shouldn't need the out rule; until a firewall is applied,
everything is accepted.
However, the simple rule is protocol any action accept.  That should
do it if you want to be thorough :-)

Justin

On Jan 28, 2008 7:28 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
> Hey guys,
>
> I just installed Vyatta and have it working. (big step for me)
> But I'm having some trouble.  I first wanted to know if I should
> make the firewall using Vyatta's commands or just iptables?
> I tried iptables and it didn't seem to work. I added a rule to allow ssh
> but ssh couldn't go through.  So then I made one in Vyatta.  Denied
> ping, enabled ssh, then applied it to the wan interface.  Well that
> killed all network traffic so looking through the manual I saw that when
> I applied the IN rule for the interface I guess the out rule
> automatically got a deny everything since I didn't apply a rule to it.
> So, I needed to add a related and established rule to the in for the wan
> interface.  I did (this is from memory):
>
> set firewall name eth0-in rule 1 action accept
> set firewall name eth0-in rule 1 state established enable
> set firewall name eth0-in rule 1 state related enable
>
> Then I was going to commit this but commit gave an error saying that
> protocol needed to be icmp.  Once I had set that it errored saying
> protocol needed to be tcp...  I'm really confused but I need to get a
> firewall up.
>
> Once this is done I was going to make a rule for out on the wan interface
> to allow everything to go out.  Is there a simple rule for this?
>
> Thanks,
> Nate
>
>


[Vyatta-users] Firewall question.

2008-01-28 Thread Nathan McBride
Hey guys,

I just installed Vyatta and have it working. (big step for me)
But I'm having some trouble.  I first wanted to know if I should
make the firewall using Vyatta's commands or just iptables?
I tried iptables and it didn't seem to work. I added a rule to allow ssh
but ssh couldn't go through.  So then I made one in Vyatta.  Denied
ping, enabled ssh, then applied it to the wan interface.  Well that
killed all network traffic so looking through the manual I saw that when
I applied the IN rule for the interface I guess the out rule
automatically got a deny everything since I didn't apply a rule to it.
So, I needed to add a related and established rule to the in for the wan
interface.  I did (this is from memory):

set firewall name eth0-in rule 1 action accept
set firewall name eth0-in rule 1 state established enable
set firewall name eth0-in rule 1 state related enable

Then I was going to commit this but commit gave an error saying that
protocol needed to be icmp.  Once I had set that it errored saying
protocol needed to be tcp...  I'm really confused but I need to get a
firewall up.

Once this is done I was going to make a rule for out on the wan interface
to allow everything to go out.  Is there a simple rule for this?

Thanks,
Nate





Re: [Vyatta-users] FIREWALL question: How can I "stealth" tcp ports

2007-12-12 Thread Adrian F. Dimcev
Hi Josh,
There is no firewall by default on Vyatta.
Your firewall rule does not prevent packets from "external" to your
Vyatta itself.
You can apply the firewall instance as in, out and local per interface.
You have used in, meaning that packets entering that interface will be
filtered by the firewall.
But you are scanning Vyatta's external IP address meaning that packets
are "sent to" the local instance.
So you should define a rule like:

set firewall name extlocal rule 10 action accept
set firewall name extlocal rule 10 protocol tcp
set firewall name extlocal rule 10 state new enable
set firewall name extlocal rule 10 state established enable
set firewall name extlocal rule 10 destination port-number 22

set interfaces ethernet eth0 firewall local name extlocal

Obviously this means that tcp port 22 will come as "open" because you
wanted to use ssh from the "external net".
Other traffic will be implicitly denied. So you won't be able to ping
from Vyatta itself say, google's ip addresses.
For that you need to add another rule allowing the returning echo reply
packet (unfortunately we cannot have the state parameter for protocols
other than TCP with Vyatta VC3; there is a report on bugzilla for that,
https://bugzilla.vyatta.com/show_bug.cgi?id=2502):

set firewall name extlocal rule 20 action accept
set firewall name extlocal rule 20 protocol icmp
set firewall name extlocal rule 20 icmp type 0
set firewall name extlocal rule 20 icmp code 0

Also I assume that you will want to filter packets entering Vyatta's
external interface. You can use something like:

Say for Http/Https returning traffic:
set firewall name exttoint rule 10 action accept
set firewall name exttoint rule 10 protocol tcp
set firewall name exttoint rule 10 destination network "your internal
network"
set firewall name exttoint rule 10 state established enable
set firewall name exttoint rule 10 state related enable
set firewall name exttoint rule 10 state invalid disable
set firewall name exttoint rule 10 source port-number 80
set firewall name exttoint rule 10 source port-number 443

For DNS returning traffic (unfortunately, again, we cannot have the state
parameter for protocols other than TCP with Vyatta VC3), this may vary
depending on your DNS design, if you are using DNS forwarders, etc.:
set firewall name exttoint rule 14 action accept
set firewall name exttoint rule 14 source address "Your External DNS
Server Address"
set firewall name exttoint rule 14 protocol udp
set firewall name exttoint rule 14 destination "your internal network or
your internal DNS server address"
set firewall name exttoint rule 14 source port-number 53

set interfaces ethernet eth0 firewall in name exttoint

In the same way you can set an in firewall instance for your local
interface (obviously for tcp you will have to use the new parameter, and
now the source ports become destination ports), and also for the local
instance of your local interface.
Since "the rest" of the traffic is denied, you need to create your rules
carefully.
It would be better if you used nmap to scan your Vyatta. There aren't
any "stealth ports"; they are merely filtered.
Adrian



[Vyatta-users] FIREWALL question: How can I "stealth" tcp ports

2007-12-11 Thread Josh vyatta
Anyone who can help,

My problem seems to be fairly basic, but I cannot find any documentation
that addresses my situation. I've also tried searching the archives, but
haven't found any answers yet.

I have tried to configure the firewall so that all traffic to port 80 will
be dropped. However, a simple Port Scan conducted at www.grc.com reveals
http, https, ssh to be OPEN as well as ALL OTHER ports to be "CLOSED", not
"STEALTH" , indicating that at the least the following command may not be
configured properly:

 firewall {
     name "from-external" {
         rule 10 {
             protocol: "tcp"
             action: "drop"
             destination {
                 port-number 80

I realize I have "webgui" enabled, which opens tcp 80 and 8080. I would like
to keep this functionality on the INSIDE, but NOT on the OUTSIDE. I would
prefer only SSH for outside inbound configuration access.

So my questions are:

1.  Does the process of enabling "webgui" preclude, or take effect before,
any firewall rule that would otherwise close access to port 80?
2.  If so, then how can I still enable webui on the inside, while
blocking/stealthing tcp 80 on the outside?
3.  I'd also like to place all other tcp ports in a condition that causes
them to "stealthily" DROP packets from the outside, unless
intentionally/administratively opened. How do I accomplish that?

I've also included my full config to help those who may need further
insight. I appreciate anyone who can help!

Thanks,
Josh

@vyagw# show
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop: xx.xx.xx.33
        }
        route 10.5.203.0/24 {
            next-hop: 10.5.201.253
        }
    }
}
policy {
}
interfaces {
    loopback lo {
        address 10.5.5.252 {
            prefix-length: 24
        }
    }
    ethernet eth0 {
        description: "OUTSIDE"
        hw-id: 00:05:5d:29:f7:45
        address xx.xx.xx.42 {
            prefix-length: 28
        }
        firewall {
            in {
                name: "from-external"
            }
        }
    }
    ethernet eth1 {
        description: "Inside"
        hw-id: 00:06:5b:01:5c:36
        address 10.5.50.252 {
            prefix-length: 24
        }
        address 10.5.201.252 {
            prefix-length: 24
        }
    }
    ethernet eth2 {
        hw-id: 00:05:5d:52:1b:75
    }
}
service {
    nat {
        rule 10 {
            type: "masquerade"
            outbound-interface: "eth0"
            protocols: "all"
            source {
                network: " 10.5.201.0/24"
            }
            destination {
                network: "0.0.0.0/0"
            }
        }
        rule 11 {
            type: "masquerade"
            outbound-interface: "eth0"
            protocols: "all"
            source {
                network: " 10.5.50.0/24"
            }
            destination {
                network: "0.0.0.0/0"
            }
        }
    }
    ssh {
    }
    webgui {
    }
}
firewall {
    name "from-external" {
        rule 10 {
            protocol: "tcp"
            action: "drop"
            destination {
                port-number 80
            }
        }
        rule 30 {
            protocol: "tcp"
            state {
                established: "enable"
                new: "disable"
                related: "enable"
                invalid: "disable"
            }
            action: "accept"
        }
    }
}
system {
    host-name: "vyagw"
    name-server 151.164.1.8
    name-server 151.164.11.201
    time-zone: "GMT-6"
    ntp-server "69.59.150.135"
    login {
        user root {
            authentication {
                encrypted-password: "xxx"
                plaintext-password: ""
            }
        }
        user  {
            authentication {
                encrypted-password: "xxx"
                plaintext-password: ""
            }
        }
    }
    package {
        repository community {
            component: "main"
            url: " http://archive.vyatta.com/vyatta";
        }
    }
}

[edit]


Re: [Vyatta-users] Firewall question

2007-08-29 Thread Jacobo Pereira
Thanks... I got it.

If I set a rule to drop packets for destination port-number N*, it will drop:
TCP traffic on port N?
UDP traffic on port N?
TCP and UDP traffic on port N?

I'm used to talking about TCP port number N and UDP port number N as different
ports. When I set a drop rule on port-number N, what am I dropping?

*: N is a whole number.

Sorry to bother...

- Original Message 
From: Justin Fletcher <[EMAIL PROTECTED]>
To: Jacobo Pereira <[EMAIL PROTECTED]>
Sent: Wednesday, August 29, 2007 3:15:44 PM
Subject: Re: [Vyatta-users] Firewall question

Firewall rules are on a first-match basis; in the first example, a packet from
10.0.0.50 will match the drop 10.0.0.0/8 and be discarded. It'll never reach
the accept 10.0.0.50/32.  (I assume you meant 10.0.0.50/32 :-) )

You just need to change the rule order -

1. Accept 10.0.0.50/32
2. Drop 10.0.0.0/8

so it'll match the first rule, accept it, and never reach the drop rule.

Justin



Re: [Vyatta-users] Firewall question

2007-08-29 Thread An-Cheng Huang
Hi Jacobo,

In your example, (2) is the behavior that will result from the rules. To get 
your desired behavior, one solution will be to add a first rule that accepts 
all packets from address 10.0.0.50, and then add a second rule that drop all 
packets from network 10.0.0.0/8.

Another possibility is to add a first rule that accepts all packets from 
network "!10.0.0.0/8", and then add a second rule that drops all packets from 
address "!10.0.0.50". This can be used if you want to do some further filtering 
on packets from 10.0.0.50.

An-Cheng

Jacobo Pereira wrote:
> My fellow Vyattans...
> 
> Hello, I am not able to test this right now, so I'm going to 
> ask.
> 
> If I set a firewall instance and the first rule is to drop all packets 
> coming from network 10.0.0.0/8, and the second rule is to accept packets 
> coming from address 10.0.0.50..   
> 
> What would happen?
> 
> 1) The firewall will drop all packets coming from network 10.0.0.0/8 
> except for those coming from address 10.0.0.50/8
> 
> 2) The firewall will drop all packets coming from network 10.0.0.0/8.
> 
> If the answer is option 2...
> How do I block every packet coming from a network BUT those coming from 
> a specific address?
> 
> If this cannot be done..., then what is the point of setting a rule to 
> accept packets?
> 
> Jacobo
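To make the first-match behaviour in Justin's and An-Cheng's answers concrete, here is a small rule evaluator (added here as an example, not code from the Vyatta project or from anyone in the thread). It models an ordered rule set that stops at the first matching rule, with An-Cheng's "!network" negation, and walks through Jacobo's original ordering and both proposed fixes; the Rule type, the decide() function and the rule numbers are constructed for this illustration.

```python
# Added example: a first-match evaluator for ordered source-address rules,
# reproducing the orderings discussed in the thread (not Vyatta's own code).
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    number: int       # rules are evaluated in ascending number order
    action: str       # "accept" or "drop"
    source: str       # address or CIDR; a leading "!" negates the match


def _source_matches(rule: Rule, src: str) -> bool:
    # "!10.0.0.0/8" means "any source that is NOT inside 10.0.0.0/8"
    negate = rule.source.startswith("!")
    net = ipaddress.ip_network(rule.source.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(src) in net
    return inside != negate


def decide(rules, src: str, default: str = "drop"):
    """Return (action, rule_number) of the first matching rule.

    Later rules are never consulted once a rule matches; if nothing
    matches, the rule set's default action applies (rule_number None).
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if _source_matches(rule, src):
            return rule.action, rule.number
    return default, None


# Jacobo's ordering: rule 10 drops the whole /8 before rule 20 can accept .50
JACOBO = [Rule(10, "drop", "10.0.0.0/8"), Rule(20, "accept", "10.0.0.50/32")]
# Justin's / An-Cheng's first fix: accept the host first, then drop the /8
SWAPPED = [Rule(10, "accept", "10.0.0.50/32"), Rule(20, "drop", "10.0.0.0/8")]
# An-Cheng's second variant: accept everything outside the /8, drop every
# source that is not .50; packets from .50 fall through to later rules
NEGATED = [Rule(10, "accept", "!10.0.0.0/8"), Rule(20, "drop", "!10.0.0.50/32")]

if __name__ == "__main__":
    for name, rules in (("jacobo", JACOBO), ("swapped", SWAPPED), ("negated", NEGATED)):
        for src in ("10.0.0.50", "10.1.2.3", "192.0.2.7"):
            print(f"{name:8s} {src:12s} -> {decide(rules, src)}")
```

With the negated rule set, a packet from 10.0.0.50 matches neither rule and reaches whatever follows, which is exactly the "further filtering" An-Cheng mentions.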


[Vyatta-users] Firewall question

2007-08-29 Thread Jacobo Pereira
My fellow Vyattans...

Hello, I am not able to test this right now, so I'm going to ask. 

If I set a firewall instance and the first rule is to drop all packets coming 
from network 10.0.0.0/8, and the second rule is to accept packets coming from 
address 10.0.0.50..

What would happen?

1) The firewall will drop all packets coming from network 10.0.0.0/8 except for 
those coming from address 10.0.0.50/8

2) The firewall will drop all packets coming from network 10.0.0.0/8.

If the answer is option 2... 
How do I block every packet coming from a network BUT those coming from a 
specific address?

If this cannot be done..., then what is the point of setting a rule to accept 
packets?

Jacobo


[Vyatta-users] Firewall Question

2007-08-26 Thread FaPhenbach Phenbach
Hello!

I have a small issue with my firewall. 
When I use nmap, it shows all ports as open when I scan any vif address. 
The interface is closed with the exception of port 22 on the main 
interface IP.
I added the following to the eth1 interface (which is connected to the 
internet) as firewall local:
name "FW_IN" {
    rule 10 {
        protocol: "tcp"
        action: "accept"
        log: "disable"
        source {
            network: 0.0.0.0/0
        }
        destination {
            port-name: "ssh"
        }
    }
}

Whatever firewall configs I try, I can't seem to get it to block ports on the 
vif addresses.
I have used NAT to route services to different servers. Would this have 
something to do with it?
Below is my config with some dummy IP addresses. I have been lazy and 
have not upgraded to Vyatta 2.
If that is the fix I will try that next weekend. If it is something 
else, any advice would be helpful.

My full config:
protocols {
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: 12.128.15.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore-original-config-on-shutdown: false
    loopback lo {
        description: ""
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: "LAN"
        duplex: "auto"
        speed: "auto"
        address 192.168.1.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "FW_OUT"
            }
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: "Internet WAN"
        duplex: "auto"
        speed: "auto"
        address 12.128.15.194 {
            prefix-length: 24
            disable: false
        }
        vif 1 {
            disable: false
            description: "Plesk Server"
            address 12.128.15.195 {
                prefix-length: 24
                disable: false
            }
        }
        vif 2 {
            disable: false
            description: "QuD Backup Server"
            address 12.128.15.196 {
                prefix-length: 24
                disable: false
            }
        }
        vif 3 {
            disable: false
            description: "svn.domain.com"
            address 12.128.15.197 {
                prefix-length: 24
                disable: false
            }
        }
        vif 4 {
            disable: false
            description: "prj.domain.com"
            address 12.128.15.198 {
                prefix-length: 24
                disable: false
            }
        }
        firewall {
            local {
                name: "FW_IN"
            }
        }
    }
    firewall: "enabled"
}
firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name FW_OUT {
        rule 10 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: 192.168.1.195
            }
            destination {
                port-name: "smtp"
            }
        }
        rule 11 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: 192.168.1.0/24
            }
            destination {
                address: 99.88.77.66.55
                port-name: "smtp"
            }
        }
        rule 12 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: 192.168.1.105
            }
            destination {
                port-name: "smtp"
            }
        }
        rule 13 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: 192.168.1.198
            }
            destination {
                port-name: "smtp"
            }
        }
        rule 20 {
            protocol: "tcp"
            action: "reject"
            log: "enable"
            source {
                network: 192.168.1.0/24
            }
            destination {
                port-name: "smtp"
            }
        }
        rule 1024 {
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: 0.0.0.0/0
            }
            destination {
                network: 0.0.0.0/0
            }
        }
    }
    name "FW_IN" {
        rule 10 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: 0.0.0.0/0
            }
            destination {
                port-name: "ssh"
            }
        }
    }
}
service {
    dhcp-server {
        name M3LAN {
            start 192.168.1.100 {
                stop: 192.168