While obvious, make certain that the computers on the 10.20.0.0/24
have the Vyatta
router as their default gateway --

Justin

On Dec 10, 2007 12:39 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> After reading some of the recent posts and configuring only one
> interface, I have gotten this to work.
>
> With the below configuration, I can remote desktop from the
> 10.10.0.0/24 network to computers on the 10.20.0.0/24 network. The
> computers on the 10.20.0.0/24 network cannot get to any other network.
>   I may go back and add a firewall rule to the 10.20.0.0/24 interface
> and only allow established communication into the router.
>
>      ethernet eth0 {
>          disable: false
>          discard: false
>          description: "Production Network"
>          hw-id: 00:0e:0c:b8:4d:12
>          duplex: "auto"
>          speed: "auto"
>          address 10.10.0.199 {
>              prefix-length: 24
>              disable: false
>          }
>          firewall {
>              in {
>                  name: "Prod2Dev"
>              }
>          }
>      }
>
> firewall {
>      log-martians: "enable"
>      send-redirects: "disable"
>      receive-redirects: "disable"
>      ip-src-route: "disable"
>      broadcast-ping: "disable"
>      syn-cookies: "enable"
>      name Prod2Dev {
>          description: "Production to Development"
>          rule 1 {
>              description: "Remote Desktop"
>              protocol: "tcp"
>              action: "accept"
>              log: "enable"
>              source {
>                  network: "10.10.0.0/24"
>              }
>              destination {
>                  network: "10.20.0.0/24"
>                  port-number 3389
>
>              }
>          }
>      }
>
> Quoting Justin Fletcher <[EMAIL PROTECTED]>:
>
> > You also need to apply the firewall rules to an interface, as in
> >
> >         firewall {
> >             in {
> >                 name: "inbound"
> >             }
> >             local {
> >                 name: "inbound"
> >             }
> >         }
> >
> > In the above case, it's for inbound traffic, and traffic destined for
> > the router itself.
> >
> > Also remember that traffic will flow in both directions, unless you
> > just want to block the inbound traffic from the development network.
> >
> > Your current rule 4 prevents new connections - as well as everything else ;-)
> >
> > Looks like your rules 1-3 should have the matching source and
> > destination networks as rule 4; otherwise, that inbound traffic will
> > only match rule 4, and not match one of the earlier rules for
> > permitted traffic.
> >
> > Best,
> > Justin
> >
> > You can do a "show firewall" to see the rules on the system, as well
> > as enable logging for a rule to see where the traffic is being
> > dropped.
> >
> > Justin
> >
> > On Dec 6, 2007 3:42 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> >> After reading through the Quick Guide to Configuration Statements, I see:
> >>              state {
> >>                 established: [enable|disable]
> >>                 new: [enable|disable]
> >>                 related: [enable|disable]
> >>                 invalid: [enable|disable]
> >>             }
> >>
> >> How can I add this to my rule 4 to prevent new connections to the work
> >> network from the development network?
> >>
> >> Would it be:
> >>
> >>            rule 4 {
> >>                description: "10.10.0.0/24"
> >>                protocol: "all"
> >>                state {
> >>                 new: enable
> >>                }
> >>                action: "drop"
> >>                log: "disable"
> >>                source {
> >>                    network: "10.20.0.0/24"
> >>                }
> >>                destination {
> >>                    network: "10.10.0.0/24"
> >>                }
> >>            }
> >>
> >> _______________________________________________
> >> Vyatta-users mailing list
> >> Vyatta-users@mailman.vyatta.com
> >> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> >>
> >
>
>
>
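The behaviour discussed in this thread (first-match rules, the implicit drop at the end of a named ruleset, and why an "established-only" rule on the development interface is the right follow-up) can be checked offline with a small stateful rule evaluator. The following is an added example and not code from the thread or from Vyatta: it models Lance's Prod2Dev ruleset as applied to eth0 "in", plus a hypothetical Dev2Prod ruleset (name assumed; the thread only mentions the intent) for the 10.20.0.0/24 interface. The implicit default drop for a named ruleset that matches nothing, and the constructed hosts 10.10.0.5 and 10.20.0.7, are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A packet as the firewall sees it; `state` is what conntrack already decided."""
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    dport: int
    state: str   # "new", "established", "related" or "invalid"


@dataclass(frozen=True)
class Rule:
    """One numbered rule; unset fields match anything, like the Vyatta defaults."""
    number: int
    action: str                        # "accept" or "drop"
    protocol: str = "all"
    source: Optional[str] = None       # CIDR network, None = any
    destination: Optional[str] = None  # CIDR network, None = any
    port: Optional[int] = None         # destination port, None = any
    states: frozenset = frozenset()    # empty = match regardless of conntrack state

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.proto:
            return False
        if self.source and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.destination):
            return False
        if self.port is not None and pkt.dport != self.port:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def evaluate(ruleset, pkt: Packet):
    """First matching rule wins; a named ruleset that matches nothing drops
    (assumed implicit default, which is what Lance observed on eth0)."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule.matches(pkt):
            return (rule.number, rule.action)
    return (None, "drop")


# Lance's Prod2Dev ruleset from the thread, applied to eth0 "in".
PROD2DEV = [
    Rule(1, "accept", protocol="tcp", source="10.10.0.0/24",
         destination="10.20.0.0/24", port=3389),
]

# Hypothetical Dev2Prod ruleset for the 10.20.0.0/24 interface "in":
# only return traffic of flows started elsewhere is allowed into the router.
DEV2PROD = [
    Rule(1, "accept", states=frozenset({"established", "related"})),
]


def trace_rdp_session():
    """A production host opens RDP to a development host: SYN enters eth0,
    the SYN-ACK enters the dev interface as an established reply."""
    syn = Packet("10.10.0.5", "10.20.0.7", "tcp", 3389, "new")
    syn_ack = Packet("10.20.0.7", "10.10.0.5", "tcp", 51000, "established")
    return {
        "prod->dev SYN on eth0 in": evaluate(PROD2DEV, syn),
        "dev->prod SYN-ACK on dev interface in": evaluate(DEV2PROD, syn_ack),
    }


def trace_dev_initiated_ssh():
    """A development host tries SSH to production. With Dev2Prod the new flow is
    dropped at the dev interface; even without it, the reply entering eth0 would
    hit Prod2Dev's default drop (each packet is evaluated independently here),
    which is why dev hosts 'cannot get to any other network' in the thread."""
    syn = Packet("10.20.0.7", "10.10.0.5", "tcp", 22, "new")
    syn_ack = Packet("10.10.0.5", "10.20.0.7", "tcp", 40000, "established")
    return {
        "dev->prod SYN on dev interface in": evaluate(DEV2PROD, syn),
        "prod->dev SYN-ACK on eth0 in": evaluate(PROD2DEV, syn_ack),
    }


if __name__ == "__main__":
    for name, verdict in {**trace_rdp_session(), **trace_dev_initiated_ssh()}.items():
        print(f"{name}: {verdict}")
```

Because a named ruleset ends in a drop, a ruleset applied to the development interface needs an explicit `state { established: enable related: enable }` accept rule, or the replies to production-initiated RDP sessions would be dropped on the way back; the model shows that rule doing exactly that work while still refusing new dev-to-prod flows.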