Thanks, Justin. I guess what I'm looking for is just to be reasonably secure. I understand that, strictly speaking, "reasonably secure" will mean different things to different people, so I'm just talking in broad terms.

For instance, I understand that my SMTP server shouldn't be an open relay and so it's set to only send mail for authenticated clients and SMTP logins are sent over TLS instead of clear text; I understand that TELNET communication is unencrypted and SSH is strongly recommended instead, and SSHv2 is recommended over SSHv1. So I'm just looking for similar "best practice" recommendations for Vyatta as an edge router.

So, NAT rules will cause all traffic for defined ports to be forwarded and then I make sure that services listening on those ports on my internal machines are patched against application level vulnerabilities. Is NAT for incoming traffic good enough or should one use some firewall rules in addition? If so, what rules? Rules to limit traffic to protocols appropriate for services listening on those ports (e.g. only allow SSH traffic on port 22) and rules to allow/deny based on the state of the packet.

Traffic that doesn't get forwarded via NAT rules is considered local to the router, right? So if I only want SSH from outside to the router, I define a firewall rule to allow SSH and an implicit deny all else takes place?

Thanks again,
-Alain.

On Tue, 1 Jan 2008 20:18:20 -0800, "Justin Fletcher" <[EMAIL PROTECTED]> wrote:
> Depends on what you're looking for (of course :-) )
>
> Since you're under NAT, nothing can find your system that you don't
> have set up for forwarding. You could set up firewall rules for the
> public address of your router, as it's wide-open otherwise, of course.
>
> A happy 2008 to you,
> Justin
>
> On Jan 1, 2008 6:40 PM, Alain Kelder <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> At my home office, I have 1 public IP and I'm forwarding certain outside
>> port requests to the various machines inside using NAT. I'm allowing all
>> inside->out traffic. Given that I'm happy with this setup from the
>> functionality perspective, should I still add firewall rules to define
>> my current setup (e.g. to allow all inside->out traffic and to allow
>> http, smtp, etc. to the various machines for outside->in traffic)? Am I
>> missing out on important security features the firewall would offer
>> which NAT doesn't?
>>
>> Currently I just have the following firewall statements:
>>
>> firewall {
>>     log-martians: "enable"
>>     send-redirects: "disable"
>>     receive-redirects: "disable"
>>     ip-src-route: "disable"
>>     broadcast-ping: "disable"
>>     syn-cookies: "enable"
>> }
>>
>> [EMAIL PROTECTED]> show version
>> Baseline Version: vc3
>> Booted From: disk
>>
>> Happy New Year to all! Cheers, -Alain.
>> _______________________________________________
>> Vyatta-users mailing list
>> Vyatta-users@mailman.vyatta.com
>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
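As an added example (not from this thread and not Vyatta's own documentation), here is the split Alain is asking about written as Vyatta `set` commands: a stateful `in` ruleset for traffic NAT-forwarded to inside hosts and a separate `local` ruleset for the router itself that admits only SSH, each with a default drop. Assumptions: eth0 is the public interface, 192.168.1.10 is a constructed inside web server, and the command form is that of later Vyatta releases; the vc3 release shown above used a different configuration syntax, so check the exact keywords against that release's guide.

```text
# Constructed example. Assumes eth0 is the public interface and
# 192.168.1.10 is an inside web server reached via destination NAT.
# Lines starting with '#' are annotations, not commands.

# Forward TCP/80 arriving on the public address to the inside web server.
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination port 80
set service nat rule 10 inside-address address 192.168.1.10

# Ruleset for traffic forwarded THROUGH the router to the NAT'd hosts.
# Destination NAT runs before this ruleset, so match the inside address.
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
set firewall name OUTSIDE-IN rule 20 action drop
set firewall name OUTSIDE-IN rule 20 state invalid enable
set firewall name OUTSIDE-IN rule 30 action accept
set firewall name OUTSIDE-IN rule 30 protocol tcp
set firewall name OUTSIDE-IN rule 30 destination address 192.168.1.10
set firewall name OUTSIDE-IN rule 30 destination port 80

# Ruleset for traffic addressed TO the router itself: SSH only, plus
# replies to connections the router opened; everything else is dropped,
# which is the explicit form of the "implicit deny" asked about above.
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
set firewall name OUTSIDE-LOCAL rule 20 action accept
set firewall name OUTSIDE-LOCAL rule 20 protocol tcp
set firewall name OUTSIDE-LOCAL rule 20 destination port 22

# Attach both rulesets to the public interface: 'in' covers forwarded
# traffic, 'local' covers traffic terminating on the router.
set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
commit
save
```

The inside->out direction is left open as in the original setup; only packets arriving on eth0 from the public side pass through these two rulesets, and a NAT forward with no matching `in` rule is dropped by the default action.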