> Just for sanity's sake, can someone chime in and confirm if this appears to be an appropriate configuration?
> Any suggestions are welcome!

Don't know if you've noticed or if this was your intention, but are you aware that your Vyatta is fully accessible from the Internet (or at least your posted configuration shows this)?

Also, again, don't know if you've noticed or if this was your intention, but your firewall "out" instance on eth0 isn't a truly "Inbound" one, since your Vyatta accepts *any* incoming packets on eth1.

And can I suggest you mess with the "State" parameter on your TCP rules, which will enable Vyatta to become indeed a firewall?

Ideally you should follow the traffic flow with your firewall rules: say packets coming in on eth0 (so IN firewall instance), going out on eth1 (so OUT firewall instance), and returning on eth1 (so IN firewall instance) and going out on eth0 (so OUT firewall instance). The "State" parameter should be appropriate for each firewall instance.

But it's all about the role Vyatta plays in your environment, therefore there might be no need for all those firewall instances.

Adrian
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
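The per-direction "State" advice from the reply above, written out as Vyatta `set` commands. This is an added example, not part of the original post or the poster's configuration: it assumes eth0 faces the Internet and eth1 the LAN, and the ruleset names `WAN_IN`, `WAN_OUT`, `WAN_LOCAL` and the LAN prefix `192.168.1.0/24` are placeholders chosen for the example.

```text
# Added example (not from the list post). Assumes eth0 = Internet, eth1 = LAN;
# the firewall names and the 192.168.1.0/24 LAN prefix are assumptions.

# Packets arriving from the Internet on eth0 (the IN instance): accept only
# replies to connections already opened from inside; drop everything else.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

# Packets from the Internet addressed to the Vyatta itself (the LOCAL
# instance), which is what closes the "fully accessible" gap: again only
# established/related, no "new" state allowed from outside.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

# Packets leaving toward the Internet on eth0 (the OUT instance): LAN hosts
# may open new connections; their return traffic is matched by rule 10.
set firewall name WAN_OUT default-action drop
set firewall name WAN_OUT rule 10 action accept
set firewall name WAN_OUT rule 10 state established enable
set firewall name WAN_OUT rule 10 state related enable
set firewall name WAN_OUT rule 20 action accept
set firewall name WAN_OUT rule 20 source address 192.168.1.0/24
set firewall name WAN_OUT rule 20 state new enable

# Bind each ruleset to the direction it was written for, on the Internet side.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall out name WAN_OUT
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
```

Because every flow between the LAN and the Internet crosses eth0 in both directions, the three instances on eth0 already see each packet once on the way out and once on the way back; separate `in`/`out` instances on eth1 are only needed if the Vyatta must also police traffic between LAN hosts and the box itself, which matches the reply's point that not every interface needs all instances. After `commit`, `show firewall name WAN_IN` displays the per-rule counters, which is the quickest way to confirm that unsolicited inbound packets are hitting the default drop rather than an accept rule.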