Adrian,

Once again, thank you for your invaluable input! I will begin working on your below suggestions, as this does make a lot of sense. I also need to peruse the Vyatta_CommandRef_VC3_v02.pdf more thoroughly to "take the pieces from there and complete [the] puzzle". But I first needed a starting point, and this has helped a great deal.
Thank you for providing clear answers!

Josh

On 12/21/07, Adrian F. Dimcev <[EMAIL PROTECTED]> wrote:
>
> Hi Josh,
> Guess what, all that info and much more is documented now here (Community
> Documentation):
> http://www.vyatta.com/twiki/bin/view/Community/CommunityDocumentation
> More exactly within the article How to Create a VPN Site-to-Site IPsec
> Tunnel Mode Connection Between a Vyatta OFR and an ISA 2006
> Firewall (http://www.carbonwind.net/ISA/VyattaVPN/VyattaVPN.htm).
> Regarding your question about setting an "IN" firewall instance on your
> internal eth1 interface I would say yes, if you want security you should
> enable Vyatta to perform stateful inspection.
> And yes, if you only allow HTTP the rest is implicitly denied (normal
> behaviour of a firewall).
> Also I would say that you should create an "IN" firewall instance on
> your external eth0 interface.
> Your "Local" firewall instance on your external eth0 interface does not
> stop packets entering that interface destined to your internal
> network (NAT also does not help here). If we play a little game with nmap
> and send some packets with the destination the IP address of a host
> behind Vyatta to the eth0 interface (simply telling the host on which we
> run nmap that the respective IP address is accessible through Vyatta's
> external IP address by adding a route), and you monitor with Wireshark
> that internal host you will see the packets sent by nmap reaching it.
> This "IN" firewall instance should allow the returning traffic. For
> example you need to allow HTTP traffic:
>
> set firewall name exttoint rule 10 action accept
> set firewall name exttoint rule 10 protocol tcp
> set firewall name exttoint rule 10 destination network "your internal network"
> set firewall name exttoint rule 10 state established enable
> set firewall name exttoint rule 10 state related enable
> set firewall name exttoint rule 10 state invalid disable
> set firewall name exttoint rule 10 source port-number 80
>
> As said before by adding this rule all other traffic entering this
> interface will be implicitly denied. So you need to add rules for
> returning DNS traffic...
> Try not to confuse the "IN" and "Local" firewall instances.
> The "IN" firewall instance addresses traffic entering the interface and
> the "Local" firewall instance addresses traffic destined to Vyatta
> itself on that interface (although this traffic is "entering" the
> interface, the two instances do not overlap, or at least I did not
> notice that).
> If you want to gain more security you can set up an "OUT" firewall
> instance too. For example HTTP traffic is entering interface eth1 and
> exits on interface eth0.
> About the nightmare I think you want a wizard which would create all
> these for you automatically in background, say allowing HTTP from
> Internal to External.
> Allowing everything from Internal to External is easy but not secure.
>
> Best,
> Adrian
>
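A worked configuration for the two "IN" instances Adrian describes, added here as an example and not taken from the thread or from Vyatta's documentation. It assumes Vyatta VC3-style CLI syntax, a constructed LAN of 192.168.1.0/24 behind eth1, and that `set interfaces ethernet <if> firewall in name <instance>` is the command that attaches an instance in the "in" direction.

```vyatta
# Added example (not from the original thread). Constructed LAN: 192.168.1.0/24 on eth1.

# --- Instance on the internal eth1 interface ("IN"): what the LAN may start ---
# Rule 10: new HTTP connections from the LAN to anywhere.
set firewall name inttoext rule 10 action accept
set firewall name inttoext rule 10 protocol tcp
set firewall name inttoext rule 10 source network 192.168.1.0/24
set firewall name inttoext rule 10 destination port-number 80
set firewall name inttoext rule 10 state new enable
set firewall name inttoext rule 10 state established enable
set firewall name inttoext rule 10 state invalid disable
# Rule 20: DNS queries from the LAN, so name resolution keeps working.
set firewall name inttoext rule 20 action accept
set firewall name inttoext rule 20 protocol udp
set firewall name inttoext rule 20 source network 192.168.1.0/24
set firewall name inttoext rule 20 destination port-number 53
set firewall name inttoext rule 20 state new enable
# Everything else entering eth1 from the LAN is implicitly denied.

# --- Instance on the external eth0 interface ("IN"): only replies come back ---
# Rule 10: web server replies (source port 80) to the LAN, and only for
# connections the LAN opened (established/related), never invalid state.
set firewall name exttoint rule 10 action accept
set firewall name exttoint rule 10 protocol tcp
set firewall name exttoint rule 10 source port-number 80
set firewall name exttoint rule 10 destination network 192.168.1.0/24
set firewall name exttoint rule 10 state established enable
set firewall name exttoint rule 10 state related enable
set firewall name exttoint rule 10 state invalid disable
# Rule 20: the "returning DNS traffic" the message says must be added explicitly.
set firewall name exttoint rule 20 action accept
set firewall name exttoint rule 20 protocol udp
set firewall name exttoint rule 20 source port-number 53
set firewall name exttoint rule 20 destination network 192.168.1.0/24
set firewall name exttoint rule 20 state established enable
set firewall name exttoint rule 20 state related enable
set firewall name exttoint rule 20 state invalid disable
# Unsolicited packets arriving on eth0 addressed to a LAN host (the static-route
# probe described above) match no rule here and are dropped by the implicit deny.

# --- Attach each instance in the "in" direction (assumed syntax; distinct from "local") ---
set interfaces ethernet eth1 firewall in name inttoext
set interfaces ethernet eth0 firewall in name exttoint

commit
```

Before committing, confirm that `state invalid disable` and the attach command exist in the VC3 command reference; verify the result by watching a LAN host with Wireshark while a routed probe is sent to eth0, which should no longer reach it.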
_______________________________________________ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users