I also would change rules 20 and 21 such that it's SOURCE port 22, and 
not destination port 22. This would apply if you are trying to permit 
inbound ssh requests from those specific hosts.

John


Robyn Orosz wrote:
> Hi Alain,
>
> Take a look at this post:
>
> http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html
>
> It looks like you're running into bug 2502, which has been fixed in our 
> most recent set of updates and will no longer be an issue in the next 
> release.
>
> The link above has more information on the bug and an easy workaround so 
> you can specify "all" in rule 10.
>
> Thank you,
>
> Robyn
>
> Alain Kelder wrote:
>
>> Wondering if someone could help me with my firewall rules. At this 
>> point, I'm just firewalling local traffic. My objective is to drop 
>> everything other than SSH, and even then only allow SSH from a 
>> handful of hosts.
>>
>> So for eth0 (my WAN interface), I added:
>>
>>     interfaces {
>>         ethernet eth0 {
>>             firewall {
>>                 local {
>>                     name: "WAN-to-LOCAL"
>>                 }
>>             }
>>         }
>>     }
>>
>> And then the following firewall rules:
>>
>> firewall {
>>     log-martians: "enable"
>>     send-redirects: "disable"
>>     receive-redirects: "disable"
>>     ip-src-route: "disable"
>>     broadcast-ping: "disable"
>>     syn-cookies: "enable"
>>     name "WAN-to-LOCAL" {
>>         description: "Inbound traffic to router"
>>         rule 10 {
>>             description: "Accept established and related"
>>             protocol: "tcp"
>>             state {
>>                 established: "enable"
>>                 related: "enable"
>>             }
>>             action: "accept"
>>             log: "disable"
>>         }
>>         rule 20 {
>>             description: "Accept SSH"
>>             protocol: "tcp"
>>             state {
>>                 established: "enable"
>>                 related: "enable"
>>                 new: "enable"
>>                 invalid: "disable"
>>             }
>>             action: "accept"
>>             log: "enable"
>>             source {
>>                 address: "XXX.XXX.XXX.XXX"
>>             }
>>             destination {
>>                 port-number 22
>>             }
>>         }
>>         rule 21 {
>>             description: "Accept SSH"
>>             protocol: "tcp"
>>             state {
>>                 established: "enable"
>>                 related: "enable"
>>                 new: "enable"
>>                 invalid: "disable"
>>             }
>>             action: "accept"
>>             log: "enable"
>>             source {
>>                 network: "XXX.XXX.XXX.XXX/28"
>>             }
>>             destination {
>>                 port-number 22
>>             }
>>         }
>>     }
>> }
>>
>> I'm pretty sure something isn't right with my rule 10 (established and 
>> related). For one thing, Vyatta complains if I set protocol to "all". 
>> Says only "tcp" is allowed when packet state is defined. So what should 
>> I do about UDP? I do need to allow related and established, right?
>>
>> I don't need to limit outgoing traffic, but is it a good idea to have 
>> rules for inbound traffic if I'm doing NAT?
>>
>> _______________________________________________
>> Vyatta-users mailing list
>> Vyatta-users@mailman.vyatta.com
>> http://mailman.vyatta.com/mailman/listinfo/vyatta-users

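To make the behaviour the thread is arguing about concrete, here is an added example (my own code, not Vyatta's and not from any of the posters) that models a first-match, stateful rule set with an implicit default drop, using rules 10, 20 and 21 as Alain posted them. The addresses, the DNS reply packet and the allowed /28 are constructed placeholders standing in for the XXX.XXX.XXX.XXX values in the post. It shows why a TCP-only "established/related" rule silently drops UDP replies such as DNS answers, and that the same rule set with protocol "all" (the workaround Robyn points to) accepts them, while new SSH connections are still accepted only from the listed hosts:

```python
"""Toy model of first-match stateful firewall evaluation (added example, not
Vyatta code).  Rule semantics are simplified: a rule matches when every field
it sets agrees with the packet; the first matching rule decides; no match
means drop."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source address
    dst_port: int   # destination port on the router
    state: str      # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    number: int
    action: str                                   # "accept" or "drop"
    protocol: str = "all"                          # "all", "tcp" or "udp"
    states: FrozenSet[str] = frozenset()           # empty = any state
    source: Optional[str] = None                   # address or CIDR network
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.proto:
            return False
        if self.states and pkt.state not in self.states:
            return False
        if self.source is not None and ip_address(pkt.src) not in ip_network(self.source, strict=False):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the lowest-numbered matching rule, else 'drop'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "drop"  # implicit default when nothing matches


# Constructed placeholders for the XXX.XXX.XXX.XXX values in the post.
ALLOWED_HOST = "192.0.2.10"
ALLOWED_NET = "198.51.100.0/28"
SSH_STATES = frozenset({"new", "established", "related"})


def wan_to_local(established_protocol: str) -> List[Rule]:
    """Rules 10/20/21 as posted; only rule 10's protocol is parameterised."""
    return [
        Rule(10, "accept", protocol=established_protocol,
             states=frozenset({"established", "related"})),
        Rule(20, "accept", protocol="tcp", states=SSH_STATES,
             source=ALLOWED_HOST, dst_port=22),
        Rule(21, "accept", protocol="tcp", states=SSH_STATES,
             source=ALLOWED_NET, dst_port=22),
    ]


# Constructed sample packets.
DNS_REPLY = Packet("udp", "203.0.113.53", 40000, "established")   # answer to our own query
SSH_FROM_HOST = Packet("tcp", ALLOWED_HOST, 22, "new")
SSH_FROM_NET = Packet("tcp", "198.51.100.7", 22, "new")
SSH_FROM_ELSEWHERE = Packet("tcp", "203.0.113.9", 22, "new")
SSH_INVALID = Packet("tcp", ALLOWED_HOST, 22, "invalid")


def verdicts(established_protocol: str) -> dict:
    rules = wan_to_local(established_protocol)
    return {
        "dns_reply": evaluate(rules, DNS_REPLY),
        "ssh_from_host": evaluate(rules, SSH_FROM_HOST),
        "ssh_from_net": evaluate(rules, SSH_FROM_NET),
        "ssh_from_elsewhere": evaluate(rules, SSH_FROM_ELSEWHERE),
        "ssh_invalid": evaluate(rules, SSH_INVALID),
    }


if __name__ == "__main__":
    for proto in ("tcp", "all"):
        print(f"rule 10 protocol={proto}: {verdicts(proto)}")
```

With rule 10 restricted to TCP the DNS reply is dropped because no rule covers UDP in the established state; with protocol "all" it is accepted. The SSH verdicts do not depend on rule 10 at all: rules 20 and 21 accept new connections from the listed host and network, and the default drop handles everyone else, including packets conntrack marks invalid.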