Anyone who can help,

My problem seems to be fairly basic, but I cannot find any documentation
that addresses my situation. I've also tried searching the archives, but
haven't found any answers yet.

I have tried to configure the firewall so that all traffic to port 80 will
be dropped. However, a simple port scan conducted at www.grc.com reveals
http, https, and ssh to be OPEN, as well as ALL OTHER ports to be "CLOSED", not
"STEALTH", indicating that at least the following command may not be
configured properly:

 firewall {
        name "from-external" {
            rule 10 {
                protocol: "tcp"
                action: "drop"
                destination {
                    port-number 80
                }
            }
        }
    }

I realize I have "webgui" enabled, which opens tcp 80 and 8080. I would like
to keep this functionality on the INSIDE, but NOT on the OUTSIDE. I would
prefer only SSH for outside inbound configuration access.

So my questions are:

1.  Does the process of enabling "webgui" preclude, or take effect before,
any firewall rule that would otherwise close access to port 80?
2.  If so, then how can I still enable webui on the inside, while
blocking/stealthing tcp 80 on the outside?
3.  I'd also like to place all other tcp ports in a condition that causes
them to "stealthily" DROP packets from the outside, unless
intentionally/administratively opened. How do I accomplish that?

I've also included my full config to help those who may need further
insight. I appreciate anyone who can help!

Thanks,
Josh

@vyagw# show
    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop: xx.xx.xx.33
            }
            route 10.5.203.0/24 {
                next-hop: 10.5.201.253
            }
        }
    }
    policy {
    }
    interfaces {
        loopback lo {
            address 10.5.5.252 {
                prefix-length: 24
            }
        }
        ethernet eth0 {
            description: "OUTSIDE"
            hw-id: 00:05:5d:29:f7:45
            address xx.xx.xx.42 {
                prefix-length: 28
            }
            firewall {
                in {
                    name: "from-external"
                }
            }
        }
        ethernet eth1 {
            description: "Inside"
            hw-id: 00:06:5b:01:5c:36
            address 10.5.50.252 {
                prefix-length: 24
            }
            address 10.5.201.252 {
                prefix-length: 24
            }
        }
        ethernet eth2 {
            hw-id: 00:05:5d:52:1b:75
        }
    }
    service {
        nat {
            rule 10 {
                type: "masquerade"
                outbound-interface: "eth0"
                protocols: "all"
                source {
                    network: " 10.5.201.0/24"
                }
                destination {
                    network: "0.0.0.0/0"
                }
            }
            rule 11 {
                type: "masquerade"
                outbound-interface: "eth0"
                protocols: "all"
                source {
                    network: " 10.5.50.0/24"
                }
                destination {
                    network: "0.0.0.0/0"
                }
            }
        }
        ssh {
        }
        webgui {
        }
    }
    firewall {
        name "from-external" {
            rule 10 {
                protocol: "tcp"
                action: "drop"
                destination {
                    port-number 80
                }
            }
            rule 30 {
                protocol: "tcp"
                state {
                    established: "enable"
                    new: "disable"
                    related: "enable"
                    invalid: "disable"
                }
                action: "accept"
            }
        }
    }
    system {
        host-name: "vyagw"
        name-server 151.164.1.8
        name-server 151.164.11.201
        time-zone: "GMT-6"
        ntp-server "69.59.150.135"
        login {
            user root {
                authentication {
                    encrypted-password: "xxxxxxxxxxx"
                    plaintext-password: ""
                }
            }
            user xxxxxxxxxxxx {
                authentication {
                    encrypted-password: "xxxxxxxxxxx"
                    plaintext-password: ""
                }
            }
        }
        package {
            repository community {
                component: "main"
                url: " http://archive.vyatta.com/vyatta";
            }
        }
    }

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
