Hi Abhilash,

There is an issue in VC3 that restricts the related/established rule 
(your rule number 1) to TCP only.  Most likely, the reason your VC2 
firewall was working is because return traffic of any type (ICMP, UDP, 
TCP, etc.) was allowed back in via rule number 1.  Your new rule number 
1 on VC3 only allows return traffic on TCP.

For more information on the bug and to fix this issue on your system, 
see the following post to the users list:

http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

This bug has been fixed and will no longer be an issue in the next release.

Thank you,

Robyn
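To make the explanation above concrete, here is an added example (not Vyatta code and not from either message in this thread) that models first-match evaluation of the inbound ruleset and evaluates constructed return packets against rule 1 set to "all" (VC2) and to "tcp" (VC3). The addresses, flows and the connection-tracking set are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int                        # destination port, or ICMP type
    reply_to: Optional[tuple] = None  # outbound flow (proto, src, dst, dport) it answers

@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str                     # "all", "tcp", "udp" or "icmp"
    action: str                       # "accept" or "drop"
    established: bool = False         # state { established/related: enable }
    dport: Optional[int] = None       # destination port-number, or icmp type

def rule_matches(rule: Rule, pkt: Packet, conntrack: set) -> bool:
    if rule.protocol not in ("all", pkt.proto):
        return False
    # established/related: the packet must answer a flow the router saw leaving
    if rule.established and pkt.reply_to not in conntrack:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(rules, pkt, conntrack) -> str:
    """First matching rule wins; nothing matched falls through to drop."""
    return next((r.action for r in rules if rule_matches(r, pkt, conntrack)), "drop")

def inbound_ruleset(established_proto: str):
    """Rule 1 as in the thread: 'all' on VC2, 'tcp' after the VC3 upgrade."""
    return [Rule(1, established_proto, "accept", established=True),
            Rule(4, "icmp", "accept", dport=8),    # inbound echo-request only
            Rule(8, "all", "drop")]

def check_return_traffic(established_proto: str) -> dict:
    """Evaluate constructed replies to three outbound flows from LAN host 192.0.2.10."""
    lan, resolver, web = "192.0.2.10", "198.51.100.1", "203.0.113.5"
    conntrack = {("udp", lan, resolver, 53), ("icmp", lan, resolver, 8),
                 ("tcp", lan, web, 443)}
    replies = {
        "dns_answer": Packet("udp", resolver, lan, 40123, ("udp", lan, resolver, 53)),
        "echo_reply": Packet("icmp", resolver, lan, 0, ("icmp", lan, resolver, 8)),
        "https_ack": Packet("tcp", web, lan, 40124, ("tcp", lan, web, 443)),
        "unsolicited_ssh": Packet("tcp", web, lan, 22),  # no matching outbound flow
    }
    rules = inbound_ruleset(established_proto)
    return {name: evaluate(rules, p, conntrack) for name, p in replies.items()}
```

With rule 1 on "tcp", the DNS answer and the echo reply (ICMP type 0, which rule 4 does not cover) fall through to the final drop, which matches the symptom of losing internet access and pings to the gateway.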


abhilash s wrote:
> Hi All,
>
>         I have upgraded VC2 to VC3. But when I try to implement the
> firewall, all traffic to the internet stops. Here are my old and new
> firewall configurations:
>
>
> OLD FIREWALL CONFIGURATION:
>
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
>     name inbound {
>         rule 1 {
>             protocol: "all"
>             state {
>                 established: "enable"
>                 related: "enable"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 2 {
>             protocol: "tcp"
>             action: "accept"
>             log: "disable"
>             source {
>                 address: x.x.x.x
>             }
>             destination {
>                 port-name: "ssh"
>             }
>         }
>         rule 3 {
>             protocol: "tcp"
>             action: "accept"
>             log: "disable"
>             source {
>                 address: x.x.x.x
>             }
>             destination {
>                 port-name: "ssh"
>             }
>         }
>         rule 4 {
>             protocol: "icmp"
>             icmp {
>                 type: "8"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 5 {
>             protocol: "icmp"
>             icmp {
>                 type: "11"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 6 {
>             protocol: "udp"
>             action: "accept"
>             log: "disable"
>             destination {
>                 port-number: xxx
>             }
>         }
>         rule 7 {
>             protocol: "all"
>             action: "drop"
>             log: "disable"
>             source {
>                 network: 0.0.0.0/0
>             }
>         }
>     }
> }
>
> NEW FIREWALL CONFIGURATION:
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
>     name inbound {
>         description: "inbound firewall"
>         rule 1 {
>             protocol: "tcp"
>             state {
>                 established: "enable"
>                 related: "enable"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 2 {
>             protocol: "tcp"
>             action: "accept"
>             log: "disable"
>             source {
>                 address: "x.x.x.x"
>             }
>             destination {
>                 port-name ssh
>             }
>         }
>         rule 3 {
>             protocol: "tcp"
>             action: "accept"
>             log: "disable"
>             source {
>                 address: "x.x.x.x"
>             }
>             destination {
>                 port-name ssh
>             }
>         }
>         rule 4 {
>             protocol: "icmp"
>             icmp {
>                 type: "8"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 5 {
>             protocol: "icmp"
>             icmp {
>                 type: "11"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 6 {
>             protocol: "udp"
>             action: "accept"
>             log: "disable"
>             destination {
>                 port-number xxx
>             }
>         }
>         rule 7 {
>             protocol: "udp"
>             action: "accept"
>             log: "disable"
>             destination {
>                 port-number xxx
>             }
>         }
>         rule 8 {
>             protocol: "all"
>             action: "drop"
>             log: "disable"
>             source {
>                 network: "0.0.0.0/0"
>             }
>         }
>     }
> }
>
> I have applied this setting to my interface's firewall as: in and local.
> When I try to enable this firewall setting, I can't ping my ISP
> gateway (modem IP) either.
> Please tell me what I need to change to implement it on VC3?
>
> Thanks in Advance,
>
> Regards,
>
> Abhilash S
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users