Hi All,

I have recently done a live upgrade of vyatta to make sure everything
was up to date.  I saved the config.boot file just in case.  After the
reboot the loaded config was lost (not sure if this is by design on an
upgrade).  So I am now trying to load the config file from the ofr
over tftp.

Now the first problem was this, it failed to parse the config file on
a firewall rule (which worked before the upgrade)

which was this.

        rule 9 {
            protocol: "tcp"
            action: "accept"
            log: "disable"
            destination {
                address: 192.168.10.2
                port-number: 1723
            }
        }

It was complaining about the port number, so I removed this rule from
the config file and tried to reload it with this version.

protocols {
    ospf4 {
        router-id: 10.1.1.3
        rfc1583-compatibility: false
        ip-router-alert: false
        area 0.0.0.0 {
            area-type: "normal"
            interface eth0 {
                link-type: "broadcast"
                address 172.20.1.253 {
                    priority: 128
                    hello-interval: 10
                    router-dead-interval: 40
                    interface-cost: 1
                    retransmit-interval: 5
                    transit-delay: 1
                    passive: false
                    disable: false
                }
            }
            interface lo {
                link-type: "broadcast"
                address 10.1.1.3 {
                    priority: 128
                    hello-interval: 10
                    router-dead-interval: 40
                    interface-cost: 1
                    retransmit-interval: 5
                    transit-delay: 1
                    passive: false
                    disable: false
                }
            }
        }
        export: "static-to-OSPF"
    }
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: x.x.x.30
            metric: 1
        }
    }
}
policy {
    policy-statement "static-to-OSPF" {
        term 1 {
            from {
                protocol: "static"
            }
            then {
                action: "accept"
            }
        }
    }
}
interfaces {
    restore: false
    loopback lo {
        description: ""
        address 10.1.1.3 {
            prefix-length: 32
            disable: false
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: ""
        hw-id: 00:50:56:a8:29:60
        duplex: "auto"
        speed: "auto"
        address x.x.x.29 {
            prefix-length: 27
            disable: false
        }
        address x.x.x.3 {
            prefix-length: 27
            disable: false
        }
        address x.x.x.2 {
            prefix-length: 27
            disable: false
        }
        firewall {
            in {
                name: "DMZ_IN"
            }
        }
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: ""
        hw-id: 00:50:56:a8:34:ec
        duplex: "auto"
        speed: "auto"
        address 172.20.1.253 {
            prefix-length: 23
            disable: false
        }
        vrrp {
            vrrp-group: 100
            virtual-address: 172.20.1.254
            authentication: "xxxxxx"
            advertise-interval: 1
            preempt: true
            priority: 1
        }
    }
}
service {
    nat {
        rule 2 {
            type: "source"
            inbound-interface: "eth0"
            outbound-interface: "eth1"
            protocols: "all"
            source {
                address: "172.20.0.1"
            }
            destination {
                network: "0.0.0.0/0"
            }
            outside-address {
                address: x.x.x.2
            }
        }
        rule 3 {
            type: "destination"
            inbound-interface: "eth1"
            outbound-interface: "eth0"
            protocols: "all"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "x.x.x.2"
            }
            inside-address {
                address: 172.20.0.1
            }
        }
        rule 4 {
            type: "source"
            inbound-interface: "eth0"
            outbound-interface: "eth1"
            protocols: "tcp"
            source {
                address: "192.168.10.5"
            }
            destination {
                network: "0.0.0.0/0"
            }
            outside-address {
                address: x.x.x.3
            }
        }
        rule 5 {
            type: "destination"
            inbound-interface: "eth1"
            outbound-interface: "eth0"
            protocols: "tcp"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "x.x.x.3"
                port-number 25
            }
            inside-address {
                address: 192.168.10.5
                port-number: 25
            }
        }
        rule 6 {
            type: "destination"
            inbound-interface: "eth1"
            outbound-interface: "eth0"
            protocols: "tcp"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "x.x.x.3"
                port-number 80
            }
            inside-address {
                address: 192.168.10.5
                port-number: 80
            }
        }
        rule 7 {
            type: "destination"
            inbound-interface: "eth1"
            outbound-interface: "eth0"
            protocols: "tcp"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "x.x.x.3"
                port-name https
            }
            inside-address {
                address: 192.168.10.5
                port-number: 443
            }
        }
        rule 8 {
            type: "destination"
            inbound-interface: "eth1"
            outbound-interface: "eth0"
            protocols: "tcp"
            destination {
                address: "x.x.x.29"
                port-number 1723
            }
            inside-address {
                address: 192.168.10.2
                port-number: 1723
            }
        }
        rule 9 {
            type: "source"
            inbound-interface: "eth0"
            outbound-interface: "eth1"
            protocols: "tcp"
            source {
                address: "192.168.10.2"
                port-number 1723
            }
            outside-address {
                address: x.x.x.29
                port-number: 1723
            }
        }
        rule 10 {
            type: "destination"
            inbound-interface: "eth1"
            outbound-interface: "eth0"
            protocols: "gre"
            destination {
                address: "x.x.x.29"
            }
            inside-address {
                address: 192.168.10.2
            }
        }
        rule 1023 {
            type: "masquerade"
            outbound-interface: "eth1"
            source {
                network: "192.168.10.0/23"
            }
        }
        rule 1024 {
            type: "masquerade"
            outbound-interface: "eth1"
            source {
                network: "172.20.0.0/23"
            }
        }
    }
    webgui {
        http-port: 80
        https-port: 443
    }
}
firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
     name "DMZ_IN" {
         description: "Input packet from public network into DMZ"
         rule 1 {
             protocol: "udp"
             action: "accept"
             log: "disable"
             source {
                 port-name: "domain"
             }
         }
         rule 2 {
             protocol: "icmp"
             action: "accept"
             log: "disable"
         }
         rule 3 {
             protocol: "udp"
             action: "accept"
             log: "disable"
             destination {
                 port-name: "domain"
             }
         }
         rule 4 {
             protocol: "tcp"
             action: "accept"
             log: "disable"
             source {
                 port-name: "domain"
             }
         }
         rule 5 {
             protocol: "tcp"
             state {
                 established: "enable"
             }
             action: "accept"
             log: "disable"
         }
         rule 6 {
             protocol: "tcp"
             action: "accept"
             log: "disable"
             destination {
                 address: 192.168.10.5
                 port-name: "smtp"
             }
         }
         rule 7 {
             protocol: "tcp"
             action: "accept"
             log: "disable"
             destination {
                 port-name: "http"
             }
         }
         rule 8 {
             protocol: "tcp"
             action: "accept"
             log: "disable"
             destination {
                 port-name: "https"
             }
         }
         rule 9 {
             protocol: "gre"
             action: "accept"
             log: "disable"
             destination {
                 address: 192.168.10.2
             }
         }
         rule 10 {
             protocol: "tcp"
             action: "accept"
             log: "disable"
             destination {
                 port-range {
                     start: 20
                     stop: 21
                 }
             }
         }
    }
}


But it fails to load: the xorpsh process shot up to 100% CPU and did
not load the config.  The shell just sits there with [edit] showing
and does not return me to the shell.  I have to press Ctrl-C to
abort the operation.  When I then exit configuration mode I get the
message

Finder disconnected. No Finder?

Does anyone have any idea why this could be?
Thanks
