Hello! I have a small issue with my firewall. When I use nmap it shows all ports as open when I scan any vif address. The interface is closed except for port 22 on the main interface IP. I added the following to the eth1 interface as a local firewall; eth1 is the interface connected to the internet. name "FW_IN" { rule 10 { protocol: "tcp" action: "accept" log: "disable" source { network: 0.0.0.0/0 } destination { port-name: "ssh" } } }
Whatever firewall configs I try, I can't seem to get it to block ports on the vif addresses. I have used NAT to route services to different servers. Would this have something to do with it? Below is my config with some dummy IP addresses. I have been lazy and have not upgraded to Vyatta 2. If that is the fix I will try it next weekend. If it is something else, any advice would be helpful. My full config: protocols { static { disable: false route 0.0.0.0/0 { next-hop: 12.128.15.1 metric: 1 } } } policy { } interfaces { restore-original-config-on-shutdown: false loopback lo { description: "" } ethernet eth0 { disable: false discard: false description: "LAN" duplex: "auto" speed: "auto" address 192.168.1.1 { prefix-length: 24 disable: false } firewall { in { name: "FW_OUT" } } } ethernet eth1 { disable: false discard: false description: "Internet WAN" duplex: "auto" speed: "auto" address 12.128.15.194 { prefix-length: 24 disable: false } vif 1 { disable: false description: "Plesk Server" address 12.128.15.195 { prefix-length: 24 disable: false } } vif 2 { disable: false description: "QuD Backup Server" address 12.128.15.196 { prefix-length: 24 disable: false } } vif 3 { disable: false description: "svn.domain.com" address 12.128.15.197 { prefix-length: 24 disable: false } } vif 4 { disable: false description: "prj.domain.com" address 12.128.15.198 { prefix-length: 24 disable: false } } firewall { local { name: "FW_IN" } } } firewall: "enabled" } firewall { log-martians: "enable" send-redirects: "disable" receive-redirects: "disable" ip-src-route: "disable" broadcast-ping: "disable" syn-cookies: "enable" name FW_OUT { rule 10 { protocol: "tcp" action: "accept" log: "disable" source { address: 192.168.1.195 } destination { port-name: "smtp" } } rule 11 { protocol: "tcp" action: "accept" log: "disable" source { network: 192.168.1.0/24 } destination { address: 99.88.77.66.55 port-name: "smtp" } } rule 12 { protocol: "tcp" action: "accept" log: "disable" source { address: 
192.168.1.105 } destination { port-name: "smtp" } } rule 13 { protocol: "tcp" action: "accept" log: "disable" source { address: 192.168.1.198 } destination { port-name: "smtp" } } rule 20 { protocol: "tcp" action: "reject" log: "enable" source { network: 192.168.1.0/24 } destination { port-name: "smtp" } } rule 1024 { protocol: "all" action: "accept" log: "disable" source { network: 0.0.0.0/0 } destination { network: 0.0.0.0/0 } } } name "FW_IN" { rule 10 { protocol: "tcp" action: "accept" log: "disable" source { network: 0.0.0.0/0 } destination { port-name: "ssh" } } } } service { dhcp-server { name M3LAN { start 192.168.1.100 { stop: 192.168.1.150 } network-mask: 24 dns-server 192.168.1.195 dns-server 199.45.32.38 default-router: 192.168.1.1 lease: 86400 interface: "eth0" domain-name: "domain.com" authoritative: "disable" } } ssh { port: 22 protocol-version: "v2" } nat { rule 1 { type: "source" translation-type: "static" outbound-interface: "eth1" protocols: "all" source { address: 192.168.1.105 } destination { network: 0.0.0.0/0 } outside-address { address: 12.128.15.196 } } rule 2 { type: "source" translation-type: "static" outbound-interface: "eth1" protocols: "all" source { address: 192.168.1.195 } destination { network: 0.0.0.0/0 } outside-address { address: 12.128.15.195 } } rule 3 { type: "source" translation-type: "static" outbound-interface: "eth1" protocols: "all" source { address: 192.168.1.198 } destination { network: 0.0.0.0/0 } outside-address { address: 12.128.15.198 } } rule 4 { type: "source" translation-type: "static" outbound-interface: "eth1" protocols: "all" source { address: 192.168.1.197 } destination { network: 0.0.0.0/0 } outside-address { address: 12.128.15.197 } } rule 5 { type: "source" translation-type: "masquerade" outbound-interface: "eth1" protocols: "all" source { network: 192.168.1.0/24 } destination { network: 0.0.0.0/0 } } rule 6 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source 
{ network: 0.0.0.0/0 } destination { address: 12.128.15.198 port-name http } inside-address { address: 192.168.1.198 } } rule 7 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.197 port-name ssh } inside-address { address: 192.168.1.197 } } rule 8 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.197 port-name http } inside-address { address: 192.168.1.197 } } rule 9 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.198 port-name ssh } inside-address { address: 192.168.1.198 } } rule 11 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.197 port-name https } inside-address { address: 192.168.1.197 } } rule 12 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-name http } inside-address { address: 192.168.1.195 } } rule 13 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-name ssh } inside-address { address: 192.168.1.195 } } rule 14 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-number 3784 } inside-address { address: 192.168.1.149 } } rule 15 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-name ftp } inside-address { address: 192.168.1.195 } } rule 16 { type: "destination" translation-type: "static" 
inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-number 8443 } inside-address { address: 192.168.1.195 } } rule 17 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-name smtp } inside-address { address: 192.168.1.195 } } rule 18 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-name imap } inside-address { address: 192.168.1.195 } } rule 19 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-name pop3 } inside-address { address: 192.168.1.195 } } rule 20 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.195 port-range { start: 49152 stop: 65534 } } inside-address { address: 192.168.1.195 } } rule 21 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.199 port-name http } inside-address { address: 192.168.1.195 } } rule 22 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.196 port-name http } inside-address { address: 192.168.1.105 } } rule 23 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.196 port-name smtp } inside-address { address: 192.168.1.105 } } rule 24 { type: "destination" translation-type: "static" inbound-interface: "eth1" protocols: "tcp" source { network: 0.0.0.0/0 } destination { address: 12.128.15.196 port-name pop3 } inside-address { 
address: 192.168.1.105 } } } } system { host-name: "M3-R1" domain-name: "domain.com" name-server 192.168.1.195 name-server 199.45.32.38 time-zone: "GMT" ntp-server "69.59.150.135" login { user root { full-name: "" authentication { encrypted-password: "" plaintext-password: "" } } user vyatta { full-name: "" authentication { encrypted-password: "" plaintext-password: "" } } } Phenbach _______________________________________________ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users