While obvious, make certain that the computers on the 10.20.0.0/24 have the Vyatta router as their default gateway --
Justin

On Dec 10, 2007 12:39 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> After reading some of the recent posts and configuring only one
> interface, I have gotten this to work.
>
> With the below configuration, I can remote desktop from the
> 10.10.0.0/24 network to computers on the 10.20.0.0/24 network. The
> computers on the 10.20.0.0/24 network cannot get to any other network.
> I may go back and add a firewall rule to the 10.20.0.0/24 interface
> and only allow established communication into the router.
>
> ethernet eth0 {
>     disable: false
>     discard: false
>     description: "Production Network"
>     hw-id: 00:0e:0c:b8:4d:12
>     duplex: "auto"
>     speed: "auto"
>     address 10.10.0.199 {
>         prefix-length: 24
>         disable: false
>     }
>     firewall {
>         in {
>             name: "Prod2Dev"
>         }
>     }
> }
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
>     name Prod2Dev {
>         description: "Production to Development"
>         rule 1 {
>             description: "Remote Desktop"
>             protocol: "tcp"
>             action: "accept"
>             log: "enable"
>             source {
>                 network: "10.10.0.0/24"
>             }
>             destination {
>                 network: "10.20.0.0/24"
>                 port-number 3389
>             }
>         }
>     }
> }
>
> Quoting Justin Fletcher <[EMAIL PROTECTED]>:
>
> > You also need to apply the firewall rules to an interface, as in
> >
> > firewall {
> >     in {
> >         name: "inbound"
> >     }
> >     local {
> >         name: "inbound"
> >     }
> > }
> >
> > In the above case, it's for inbound traffic, and traffic destined for
> > the router itself.
> >
> > Also remember that traffic will flow in both directions, unless you
> > just want to block the inbound traffic from the development network.
> > Your current rule 4 prevents new connections - as well as everything else
> > ;-)
> >
> > Looks like your rules 1-3 should have the matching source and
> > destination networks as rule 4; otherwise, that inbound traffic will
> > only match rule 4, and not match one of the earlier rules for
> > permitted traffic.
> >
> > Best,
> > Justin
> >
> > You can do a "show firewall" to see the rules on the system, as well
> > as enable logging for a rule to see where the traffic is being
> > dropped.
> >
> > Justin
> >
> > On Dec 6, 2007 3:42 PM, Lance Franklin <[EMAIL PROTECTED]> wrote:
> >> After reading through the Quick Guide to Configuration Statements, I see:
> >> state {
> >>     established: [enable|disable]
> >>     new: [enable|disable]
> >>     related: [enable|disable]
> >>     invalid: [enable|disable]
> >> }
> >>
> >> How can I add this to my rule 4 to prevent new connections to the work
> >> network from the development network?
> >>
> >> Would it be:
> >>
> >> rule 4 {
> >>     description: "10.10.0.0/24"
> >>     protocol: "all"
> >>     state {
> >>         new: enable
> >>     }
> >>     action: "drop"
> >>     log: "disable"
> >>     source {
> >>         network: "10.20.0.0/24"
> >>     }
> >>     destination {
> >>         network: "10.10.0.0/24"
> >>     }
> >> }
> >>
> >> _______________________________________________
> >> Vyatta-users mailing list
> >> Vyatta-users@mailman.vyatta.com
> >> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
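Added example (not from any message in this thread and not Vyatta's own documentation): the development-side rule set that Lance says he may add, written in the same configuration syntax the messages above use. It assumes the development network hangs off eth1 with the router at 10.20.0.1/24; the interface name, address, hw-id and the rule-set name "Dev2Prev" are all made up for the illustration. It combines the two points raised in the thread: the state { } block from the Quick Guide, and Justin's reminder that a rule set only takes effect once it is applied to an interface (and that "local" is a separate chain for traffic to the router itself).

```text
# Hypothetical development interface; address and hw-id are assumptions.
ethernet eth1 {
    disable: false
    discard: false
    description: "Development Network"
    hw-id: 00:0e:0c:b8:4d:13
    duplex: "auto"
    speed: "auto"
    address 10.20.0.1 {
        prefix-length: 24
        disable: false
    }
    firewall {
        in {
            name: "Dev2Prod"
        }
        local {
            name: "Dev2Prod"
        }
    }
}

firewall {
    name Dev2Prod {
        description: "Development to Production: replies only"
        # Rule 1 has no source/destination match on purpose: it accepts
        # the return half of any connection that was opened the other way
        # (for example the RDP sessions permitted by Prod2Dev on eth0).
        rule 1 {
            description: "Return traffic for existing sessions"
            protocol: "all"
            state {
                established: enable
                related: enable
            }
            action: "accept"
            log: "disable"
        }
        # Rule 2 is evaluated only for packets rule 1 did not match, so it
        # catches new connections from development to production. Logging is
        # on so "show firewall" plus the log show what is being dropped.
        rule 2 {
            description: "Block new connections dev -> prod"
            protocol: "all"
            state {
                new: enable
            }
            action: "drop"
            log: "enable"
            source {
                network: "10.20.0.0/24"
            }
            destination {
                network: "10.10.0.0/24"
            }
        }
    }
}
```

Rule order is the whole point: the established/related accept has to sit above the drop, otherwise the drop wins first and the RDP sessions that Prod2Dev lets in lose their replies, which is the "prevents everything else" effect Justin describes for the earlier rule 4. Because rule 2 matches only 10.20.0.0/24 to 10.10.0.0/24, development hosts can still open connections to anything else the router forwards to unless the rule set's default disposition drops them; if that is not the intent, add a matching drop for the other networks or for any destination. Applying the same set to "local" also stops development hosts from opening new connections to the router itself (SSH, the web GUI), so add an explicit accept above rule 2 for any management access you still need from that side.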