Hmm. Well, it seems on second pass my previous issue with instability has gone
away.  For now, I have added a 'lan2wan' rule set that looks like:

name lan2wan {
            description: "accept outboud all ports"
            rule 11 {
                protocol: "all"
                action: "accept"
                log: "disable"
                source {
                    address: "192.168.xxx.191"
                }
                destination {
                    network: "0.0.0.0/0"
                }
            }
}

If this appears to function for a while, I will consider changing the source
to use the network 192.168.xxx.0/24, at which point I think I will attempt to
configure DHCP.


Just for sanity's sake, can someone chime in and confirm if this appears to
be an appropriate configuration?  Any suggestions are welcome!


Thanks!


Todd Worden
Web-Wired, LLC
434.906.0420
[EMAIL PROTECTED]
www.web-wired.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Worden
Sent: Sunday, December 23, 2007 5:48 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] Got firewall inbound, what about the outbound?


Dear Vyatta Users:


I thought I had a working system with my Vyatta router, where firewall rules
were configured inbound and outbound, but noticed that my statically
configured hosts would be able to access the internet for a period of time,
but then drop their connection.  50% of the time doing a network repair
would bring the host back online, but after streaming binary content for a
few minutes via Usenet, YouTube, or wherever, the connection would drop.  I
removed all my firewall rules and the problem went away, so I gather that I
have not configured them correctly.


Now I have reconfigured inbound firewall rules only, and I can serve up port
80, 443, and 22 traffic from another subnet with no problems.  Unfortunately, I
am afraid I am not certain how to configure getting out without the
instability I created before.


For starters, eth0 faces my LAN, while eth1 faces the WAN.  After NAT, my
inbound firewall rule set "wan2lan" is applied to the out of eth0.
My original thought was to create another rule set named "lan2wan" that would
be applied to the in of eth0, something like accept all from source
192.168.xxx.0/24 to destination 0.0.0.0/0.


Here is my current config (please excuse the length):

    protocols {
        static {
            route 0.0.0.0/0 {
                next-hop: 75.145.xxx.190
            }
        }
    }
    policy {
    }
    interfaces {
        loopback lo {
        }
        ethernet eth0 {
            description: "lan"
            hw-id: 00:40:63:ef:c3:1c
            address 192.168.xxx.10 {
                prefix-length: 24
            }
            firewall {
                out {
                    name: "wan2lan"
                }
            }
        }
        ethernet eth1 {
            description: "wan"
            hw-id: 00:40:63:ef:c3:19
            address 75.145.xxx.185 {
                prefix-length: 29
            }
            address 75.145.xxx.186 {
                prefix-length: 29
            }
            address 75.145.xxx.187 {
                prefix-length: 29
            }
            vrrp {
                vrrp-group: 99
                virtual-address: 192.168.xxx.1
                priority: 150
            }
        }
    }
    service {
        nat {
            rule 10 {
                type: "masquerade"
                outbound-interface: "eth1"
                protocols: "all"
                source {
                    network: "192.168.xxx.0/24"
                }
                destination {
                    network: "0.0.0.0/0"
                }
            }
            rule 20 {
                type: "destination"
                inbound-interface: "eth1"
                protocols: "tcp"
                source {
                    network: "0.0.0.0/0"
                }
                destination {
                    address: "75.145.xxx.185"
                }
                inside-address {
                    address: 192.168.xxx.185
                }
            }
            rule 21 {
                type: "destination"
                inbound-interface: "eth1"
                protocols: "tcp"
                source {
                    network: "0.0.0.0/0"
                }
                destination {
                    address: "75.145.xxx.186"
                }
                inside-address {
                    address: 192.168.xxx.186
                }
            }
            rule 22 {
                type: "destination"
                inbound-interface: "eth1"
                source {
                    network: "0.0.0.0/0"
                }
                destination {
                    address: "75.145.xxx.187"
                }
                inside-address {
                    address: 192.168.xxx.187
                }
            }
        }
        ssh {
        }
        webgui {
        }
    }
    firewall {
        name wan2lan {
            rule 10 {
                description: "accept http"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.185"
                    port-number 80
                }
            }
            rule 11 {
                description: "accept https"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.185"
                    port-number 443
                }
            }
            rule 12 {
                description: "accept ssh"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.185"
                    port-number 22
                }
            }
            rule 20 {
                description: "accept http"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.186"
                    port-number 80
                }
            }
            rule 21 {
                description: "accept https"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.186"
                    port-number 443
                }
            }
            rule 22 {
                description: "accept ssh"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.186"
                    port-number 443
                }
            }
            rule 30 {
                description: "accept http"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.187"
                    port-number 80
                }
            }
            rule 31 {
                description: "accept https"
                protocol: "tcp"
                action: "accept"
                log: "enable"
                source {
                    network: "75.145.xxx.190/29"
                }
                destination {
                    address: "192.168.xxx.187"
                    port-number 443
                }
            }
        }
    }
    system {
        host-name: "isz-router01"
        domain-name: "web-wired.com"
        name-server 68.87.73.242
        name-server 68.87.71.226
        ntp-server "69.59.150.135"
        gateway-address: 75.145.xxx.190
        login {
            user root {
                authentication {
                    encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
                }
            }
            user vyatta {
                authentication {
                    encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."
                }
            }
        }
        package {
            repository community {
                component: "main"
                url: "http://archive.vyatta.com/vyatta";
            }
            repository debian {
                component: "main"
                url: "http://mirrors.kernel.org/debian/";
            }
        }
    }

Any tips on better routing would be appreciated!  Thoughts on how to set up
the outbound traffic?


Thanks!


Todd Worden
Web-Wired, LLC
434.906.0420
[EMAIL PROTECTED]
www.web-wired.com
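One check worth running over a rule set like the quoted wan2lan: rule 22 is described as "accept ssh" yet opens port 443 on 192.168.xxx.186. The Python below is an added example, not the poster's or Vyatta's code; it parses this config dialect (a constructed excerpt that keeps the message's "xxx" placeholders) and reports rules whose description and port-number disagree.

```python
# Constructed excerpt in the poster's config dialect ("xxx" octets are the
# message's own placeholders); rule 21 is consistent, rule 22 is the slip.
SAMPLE = """\
firewall {
    name wan2lan {
        rule 21 {
            description: "accept https"
            destination {
                port-number 443
            }
        }
        rule 22 {
            description: "accept ssh"
            destination {
                port-number 443
            }
        }
    }
}
"""

WELL_KNOWN = {"http": "80", "https": "443", "ssh": "22"}

def parse(text):
    """Nest the brace-delimited config into dicts; leaf values lose quotes."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):            # block header, e.g. 'rule 22 {'
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:                             # 'key: value' or 'key value' leaf
            key, _, val = line.partition(":" if ":" in line else " ")
            stack[-1][key.strip()] = val.strip().strip('"')
    return stack[0]

def audit_wan2lan(tree):
    """Flag rules whose description names a service but whose port differs."""
    findings = []
    for name, rule in tree["firewall"]["name wan2lan"].items():
        if not isinstance(rule, dict):
            continue                      # rule-set level leaf, not a rule
        desc = rule.get("description", "")
        port = rule.get("destination", {}).get("port-number")
        svc = next((s for s in WELL_KNOWN if s in desc.split()), None)
        if svc and port and WELL_KNOWN[svc] != port:
            findings.append(f"{name}: '{desc}' but port-number {port}")
    return findings
```

Running `audit_wan2lan(parse(open("config.boot").read()))` over the full config posted above would report only rule 22; the parser also handles the `key value` leaves such as `name-server` and `port-number`.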
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users