Hi Robyn,

This works for me. Thank you very much.

Thanks and Regards,
Abhilash.S

On Jan 10, 2008 10:11 AM, Robyn Orosz <[EMAIL PROTECTED]> wrote:
> Hi Abhilash,
>
> There is an issue in VC3 that restricts the related/established rule
> (your rule number 1) to TCP only. Most likely, the reason your VC2
> firewall was working is because return traffic of any type (ICMP, UDP,
> TCP, etc.) was allowed back in via rule number 1. Your new rule number
> 1 on VC3 only allows return traffic on TCP.
>
> For more information on the bug and to fix this issue on your system,
> see the following post to the user's list:
>
> http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html
>
> This bug has been fixed and will no longer be an issue in the next release.
>
> Thank you,
>
> Robyn
>
>
> abhilash s wrote:
> > Hi All,
> >
> > I have upgraded VC2 to VC3. But when I try to implement the
> > firewall, all traffic to the internet stops. Here are my old and new
> > firewall configurations:
> >
> > OLD FIREWALL CONFIGURATION:
> >
> >     firewall {
> >         log-martians: "enable"
> >         send-redirects: "disable"
> >         receive-redirects: "disable"
> >         ip-src-route: "disable"
> >         broadcast-ping: "disable"
> >         syn-cookies: "enable"
> >         name inbound {
> >             rule 1 {
> >                 protocol: "all"
> >                 state {
> >                     established: "enable"
> >                     related: "enable"
> >                 }
> >                 action: "accept"
> >                 log: "disable"
> >             }
> >             rule 2 {
> >                 protocol: "tcp"
> >                 action: "accept"
> >                 log: "disable"
> >                 source {
> >                     address: x.x.x.x
> >                 }
> >                 destination {
> >                     port-name: "ssh"
> >                 }
> >             }
> >             rule 3 {
> >                 protocol: "tcp"
> >                 action: "accept"
> >                 log: "disable"
> >                 source {
> >                     address: x.x.x.x
> >                 }
> >                 destination {
> >                     port-name: "ssh"
> >                 }
> >             }
> >             rule 4 {
> >                 protocol: "icmp"
> >                 icmp {
> >                     type: "8"
> >                 }
> >                 action: "accept"
> >                 log: "disable"
> >             }
> >             rule 5 {
> >                 protocol: "icmp"
> >                 icmp {
> >                     type: "11"
> >                 }
> >                 action: "accept"
> >                 log: "disable"
> >             }
> >             rule 6 {
> >                 protocol: "udp"
> >                 action: "accept"
> >                 log: "disable"
> >                 destination {
> >                     port-number: xxx
> >                 }
> >             }
> >             rule 7 {
> >                 protocol: "all"
> >                 action: "drop"
> >                 log: "disable"
> >                 source {
> >                     network: 0.0.0.0/0
> >                 }
> >             }
> >         }
> >     }
> >
> > NEW FIREWALL CONFIGURATION:
> >
> >     firewall {
> >         log-martians: "enable"
> >         send-redirects: "disable"
> >         receive-redirects: "disable"
> >         ip-src-route: "disable"
> >         broadcast-ping: "disable"
> >         syn-cookies: "enable"
> >         name inbound {
> >             description: "inbound firewall"
> >             rule 1 {
> >                 protocol: "tcp"
> >                 state {
> >                     established: "enable"
> >                     related: "enable"
> >                 }
> >                 action: "accept"
> >                 log: "disable"
> >             }
> >             rule 2 {
> >                 protocol: "tcp"
> >                 action: "accept"
> >                 log: "disable"
> >                 source {
> >                     address: "x.x.x.x"
> >                 }
> >                 destination {
> >                     port-name ssh
> >                 }
> >             }
> >             rule 3 {
> >                 protocol: "tcp"
> >                 action: "accept"
> >                 log: "disable"
> >                 source {
> >                     address: "x.x.x.x"
> >                 }
> >                 destination {
> >                     port-name ssh
> >                 }
> >             }
> >             rule 4 {
> >                 protocol: "icmp"
> >                 icmp {
> >                     type: "8"
> >                 }
> >                 action: "accept"
> >                 log: "disable"
> >             }
> >             rule 5 {
> >                 protocol: "icmp"
> >                 icmp {
> >                     type: "11"
> >                 }
> >                 action: "accept"
> >                 log: "disable"
> >             }
> >             rule 6 {
> >                 protocol: "udp"
> >                 action: "accept"
> >                 log: "disable"
> >                 destination {
> >                     port-number xxx
> >                 }
> >             }
> >             rule 7 {
> >                 protocol: "udp"
> >                 action: "accept"
> >                 log: "disable"
> >                 destination {
> >                     port-number xxx
> >                 }
> >             }
> >             rule 8 {
> >                 protocol: "all"
> >                 action: "drop"
> >                 log: "disable"
> >                 source {
> >                     network: "0.0.0.0/0"
> >                 }
> >             }
> >         }
> >     }
> >
> > I have applied this setting to my interface's firewall as: in and local.
> > When I try to enable this firewall setting, I can't ping my ISP
> > gateway (modem IP) either.
> > Please tell me what I need to change to implement it on VC3?
> >
> > Thanks in Advance,
> >
> > Regards,
> >
> > Abhilash S
> > _______________________________________________
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
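As an added illustration of the VC3 behaviour Robyn describes (not code from this thread or from Vyatta): a toy first-match evaluator for the two inbound rule sets above. It assumes ssh maps to port 22, stands in a constructed port 5000 for the elided "xxx" UDP port, and uses constructed reply packets; it shows that an ICMP echo reply and a UDP reply are accepted by the VC2 rule 1 (protocol "all") but fall through to the final drop rule once rule 1 is TCP-only.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Rule:
    action: str                                 # "accept" or "drop"
    protocol: str = "all"                       # "all", "tcp", "udp" or "icmp"
    states: FrozenSet[str] = frozenset()        # conntrack states; empty = any state
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass
class Packet:
    protocol: str
    state: str                                  # "new", "established" or "related"
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it specifies agrees with the packet."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the posted sets always end in a drop-all rule."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "accept"

def inbound(rule1_protocol: str) -> List[Rule]:
    # Rules 2-7/8 of the posted config; port 5000 is a placeholder for "xxx" (assumption).
    return [
        Rule("accept", rule1_protocol, frozenset({"established", "related"})),  # rule 1
        Rule("accept", "tcp", dst_port=22),       # rules 2/3: ssh from the admin hosts
        Rule("accept", "icmp", icmp_type=8),      # rule 4: echo request
        Rule("accept", "icmp", icmp_type=11),     # rule 5: time exceeded
        Rule("accept", "udp", dst_port=5000),     # rules 6/7: the elided UDP service
        Rule("drop"),                             # final drop from 0.0.0.0/0
    ]

VC2_RULES = inbound("all")   # old rule 1: protocol "all"
VC3_RULES = inbound("tcp")   # new rule 1: TCP only, the VC3 restriction Robyn describes

# Constructed return traffic: an echo reply (type 0) and a DNS answer to an ephemeral port.
ECHO_REPLY = Packet("icmp", "established", icmp_type=0)
DNS_REPLY = Packet("udp", "established", dst_port=40123)
SSH_ACK = Packet("tcp", "established", dst_port=54321)
```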