From what I can remember, this issue does not apply to NAT so you 
shouldn't have to.

Thanks,

Robyn

Joe Pub wrote:
> Hi,
>
> Is this just for the firewall rules portion or should I do the same for NAT 
> too?
>
> Thanks.
>
> On 20/03/2008, Robyn Orosz <[EMAIL PROTECTED]> wrote:
>   
>> Hi Joe,
>>
>>  I'm not sure which version you are upgrading to, but since you mentioned
>>  xorpsh, I am assuming VC3.
>>
>>  If so, the issue is probably the colons (:) and double quotes ("") on the
>>  firewall port-number and port-name nodes.  If you edit your config.boot
>>  file and remove the colons and double quotes from the port-name and
>>  port-number settings in the firewall portion of your config, you should
>>  be able to load the config in the new version.
>>
>>  See the following Bugzilla reports for more information:
>>
>>  https://bugzilla.vyatta.com/show_bug.cgi?id=2573
>>
>>  https://bugzilla.vyatta.com/show_bug.cgi?id=2637
>>
>>  Thank you,
>>
>>  Robyn
>>
>>
>>  Joe Pub wrote:
>>  > Hi All,
>>  >
>>  > I have recently done a live upgrade of vyatta to make sure everything
>>  > was up to date.  I saved the config.boot file just in case.  After the
>>  > reboot the loaded config was lost (not sure if this is by design on an
>>  > upgrade).  So I am now trying to load the config file from the ofr
>>  > over tftp.
>>  >
>>  > Now the first problem was this, it failed to parse the config file on
>>  > a firewall rule (which worked before the upgrade)
>>  >
>>  > which was this.
>>  >
>>  >         rule 9 {
>>  >             protocol: "tcp"
>>  >             action: "accept"
>>  >             log: "disable"
>>  >             destination {
>>  >                 address: 192.168.10.2
>>  >                 port-number: 1723
>>  >             }
>>  >         }
>>  >
>>  > It was complaining about the port number.  So I removed this rule from
>>  > the config file and tried to reload it with this version.
>>  >
>>  > protocols {
>>  >     ospf4 {
>>  >         router-id: 10.1.1.3
>>  >         rfc1583-compatibility: false
>>  >         ip-router-alert: false
>>  >         area 0.0.0.0 {
>>  >             area-type: "normal"
>>  >             interface eth0 {
>>  >                 link-type: "broadcast"
>>  >                 address 172.20.1.253 {
>>  >                     priority: 128
>>  >                     hello-interval: 10
>>  >                     router-dead-interval: 40
>>  >                     interface-cost: 1
>>  >                     retransmit-interval: 5
>>  >                     transit-delay: 1
>>  >                     passive: false
>>  >                     disable: false
>>  >                 }
>>  >             }
>>  >             interface lo {
>>  >                 link-type: "broadcast"
>>  >                 address 10.1.1.3 {
>>  >                     priority: 128
>>  >                     hello-interval: 10
>>  >                     router-dead-interval: 40
>>  >                     interface-cost: 1
>>  >                     retransmit-interval: 5
>>  >                     transit-delay: 1
>>  >                     passive: false
>>  >                     disable: false
>>  >                 }
>>  >             }
>>  >         }
>>  >         export: "static-to-OSPF"
>>  >     }
>>  >     static {
>>  >         disable: false
>>  >         route 0.0.0.0/0 {
>>  >             next-hop: x.x.x.30
>>  >             metric: 1
>>  >         }
>>  >     }
>>  > }
>>  > policy {
>>  >     policy-statement "static-to-OSPF" {
>>  >         term 1 {
>>  >             from {
>>  >                 protocol: "static"
>>  >             }
>>  >             then {
>>  >                 action: "accept"
>>  >             }
>>  >         }
>>  >     }
>>  > }
>>  > interfaces {
>>  >     restore: false
>>  >     loopback lo {
>>  >         description: ""
>>  >         address 10.1.1.3 {
>>  >             prefix-length: 32
>>  >             disable: false
>>  >         }
>>  >     }
>>  >     ethernet eth1 {
>>  >         disable: false
>>  >         discard: false
>>  >         description: ""
>>  >         hw-id: 00:50:56:a8:29:60
>>  >         duplex: "auto"
>>  >         speed: "auto"
>>  >         address x.x.x.29 {
>>  >             prefix-length: 27
>>  >             disable: false
>>  >         }
>>  >         address x.x.x.3 {
>>  >             prefix-length: 27
>>  >             disable: false
>>  >         }
>>  >         address x.x.x.2 {
>>  >             prefix-length: 27
>>  >             disable: false
>>  >         }
>>  >         firewall {
>>  >             in {
>>  >                 name: "DMZ_IN"
>>  >             }
>>  >         }
>>  >     }
>>  >     ethernet eth0 {
>>  >         disable: false
>>  >         discard: false
>>  >         description: ""
>>  >         hw-id: 00:50:56:a8:34:ec
>>  >         duplex: "auto"
>>  >         speed: "auto"
>>  >         address 172.20.1.253 {
>>  >             prefix-length: 23
>>  >             disable: false
>>  >         }
>>  >         vrrp {
>>  >             vrrp-group: 100
>>  >             virtual-address: 172.20.1.254
>>  >             authentication: "xxxxxx"
>>  >             advertise-interval: 1
>>  >             preempt: true
>>  >             priority: 1
>>  >         }
>>  >     }
>>  > }
>>  > service {
>>  >     nat {
>>  >         rule 2 {
>>  >             type: "source"
>>  >             inbound-interface: "eth0"
>>  >             outbound-interface: "eth1"
>>  >             protocols: "all"
>>  >             source {
>>  >                 address: "172.20.0.1"
>>  >             }
>>  >             destination {
>>  >                 network: "0.0.0.0/0"
>>  >             }
>>  >             outside-address {
>>  >                 address: x.x.x.2
>>  >             }
>>  >         }
>>  >         rule 3 {
>>  >             type: "destination"
>>  >             inbound-interface: "eth1"
>>  >             outbound-interface: "eth0"
>>  >             protocols: "all"
>>  >             source {
>>  >                 network: "0.0.0.0/0"
>>  >             }
>>  >             destination {
>>  >                 address: "x.x.x.2"
>>  >             }
>>  >             inside-address {
>>  >                 address: 172.20.0.1
>>  >             }
>>  >         }
>>  >         rule 4 {
>>  >             type: "source"
>>  >             inbound-interface: "eth0"
>>  >             outbound-interface: "eth1"
>>  >             protocols: "tcp"
>>  >             source {
>>  >                 address: "192.168.10.5"
>>  >             }
>>  >             destination {
>>  >                 network: "0.0.0.0/0"
>>  >             }
>>  >             outside-address {
>>  >                 address: x.x.x.3
>>  >             }
>>  >         }
>>  >         rule 5 {
>>  >             type: "destination"
>>  >             inbound-interface: "eth1"
>>  >             outbound-interface: "eth0"
>>  >             protocols: "tcp"
>>  >             source {
>>  >                 network: "0.0.0.0/0"
>>  >             }
>>  >             destination {
>>  >                 address: "x.x.x.3"
>>  >                 port-number 25
>>  >             }
>>  >             inside-address {
>>  >                 address: 192.168.10.5
>>  >                 port-number: 25
>>  >             }
>>  >         }
>>  >         rule 6 {
>>  >             type: "destination"
>>  >             inbound-interface: "eth1"
>>  >             outbound-interface: "eth0"
>>  >             protocols: "tcp"
>>  >             source {
>>  >                 network: "0.0.0.0/0"
>>  >             }
>>  >             destination {
>>  >                 address: "x.x.x.3"
>>  >                 port-number 80
>>  >             }
>>  >             inside-address {
>>  >                 address: 192.168.10.5
>>  >                 port-number: 80
>>  >             }
>>  >         }
>>  >         rule 7 {
>>  >             type: "destination"
>>  >             inbound-interface: "eth1"
>>  >             outbound-interface: "eth0"
>>  >             protocols: "tcp"
>>  >             source {
>>  >                 network: "0.0.0.0/0"
>>  >             }
>>  >             destination {
>>  >                 address: "x.x.x.3"
>>  >                 port-name https
>>  >             }
>>  >             inside-address {
>>  >                 address: 192.168.10.5
>>  >                 port-number: 443
>>  >             }
>>  >         }
>>  >         rule 8 {
>>  >             type: "destination"
>>  >             inbound-interface: "eth1"
>>  >             outbound-interface: "eth0"
>>  >             protocols: "tcp"
>>  >             destination {
>>  >                 address: "x.x.x.29"
>>  >                 port-number 1723
>>  >             }
>>  >             inside-address {
>>  >                 address: 192.168.10.2
>>  >                 port-number: 1723
>>  >             }
>>  >         }
>>  >         rule 9 {
>>  >             type: "source"
>>  >             inbound-interface: "eth0"
>>  >             outbound-interface: "eth1"
>>  >             protocols: "tcp"
>>  >             source {
>>  >                 address: "192.168.10.2"
>>  >                 port-number 1723
>>  >             }
>>  >             outside-address {
>>  >                 address: x.x.x.29
>>  >                 port-number: 1723
>>  >             }
>>  >         }
>>  >         rule 10 {
>>  >             type: "destination"
>>  >             inbound-interface: "eth1"
>>  >             outbound-interface: "eth0"
>>  >             protocols: "gre"
>>  >             destination {
>>  >                 address: "x.x.x.29"
>>  >             }
>>  >             inside-address {
>>  >                 address: 192.168.10.2
>>  >             }
>>  >         }
>>  >         rule 1023 {
>>  >             type: "masquerade"
>>  >             outbound-interface: "eth1"
>>  >             source {
>>  >                 network: "192.168.10.0/23"
>>  >             }
>>  >         }
>>  >         rule 1024 {
>>  >             type: "masquerade"
>>  >             outbound-interface: "eth1"
>>  >             source {
>>  >                 network: "172.20.0.0/23"
>>  >             }
>>  >         }
>>  >     }
>>  >     webgui {
>>  >         http-port: 80
>>  >         https-port: 443
>>  >     }
>>  > }
>>  > firewall {
>>  >     log-martians: "enable"
>>  >     send-redirects: "disable"
>>  >     receive-redirects: "disable"
>>  >     ip-src-route: "disable"
>>  >     broadcast-ping: "disable"
>>  >     syn-cookies: "enable"
>>  >      name "DMZ_IN" {
>>  >          description: "Input packet from public network into DMZ"
>>  >          rule 1 {
>>  >              protocol: "udp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              source {
>>  >                  port-name: "domain"
>>  >              }
>>  >          }
>>  >          rule 2 {
>>  >              protocol: "icmp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >          }
>>  >          rule 3 {
>>  >              protocol: "udp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              destination {
>>  >                  port-name: "domain"
>>  >              }
>>  >          }
>>  >          rule 4 {
>>  >              protocol: "tcp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              source {
>>  >                  port-name: "domain"
>>  >              }
>>  >          }
>>  >          rule 5 {
>>  >              protocol: "tcp"
>>  >              state {
>>  >                  established: "enable"
>>  >              }
>>  >              action: "accept"
>>  >              log: "disable"
>>  >          }
>>  >          rule 6 {
>>  >              protocol: "tcp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              destination {
>>  >                  address: 192.168.10.5
>>  >                  port-name: "smtp"
>>  >              }
>>  >          }
>>  >          rule 7 {
>>  >              protocol: "tcp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              destination {
>>  >                  port-name: "http"
>>  >              }
>>  >          }
>>  >          rule 8 {
>>  >              protocol: "tcp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              destination {
>>  >                  port-name: "https"
>>  >              }
>>  >          }
>>  >          rule 9 {
>>  >              protocol: "gre"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              destination {
>>  >                  address: 192.168.10.2
>>  >              }
>>  >          }
>>  >          rule 10 {
>>  >              protocol: "tcp"
>>  >              action: "accept"
>>  >              log: "disable"
>>  >              destination {
>>  >                  port-range {
>>  >                      start: 20
>>  >                      stop: 21
>>  >                  }
>>  >              }
>>  >          }
>>  >     }
>>  > }
>>  >
>>  >
>>  > but it fails to load.  The xorpsh process shot up to 100% CPU and did
>>  > not load the config.  The shell just sits there with [edit] showing
>>  > and does not return me to the prompt.  I have to press Ctrl-C to
>>  > abort the operation.  When I then exit configuration mode I get the
>>  > message
>>  >
>>  > Finder disconnected. No Finder?
>>  >
>>  > Does anyone have any idea why this could be?
>>  > Thanks
>>
>>     
>>> _______________________________________________
>>>       
>>  > Vyatta-users mailing list
>>  > Vyatta-users@mailman.vyatta.com
>>  > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>>  >
>>  _______________________________________________
>>  Vyatta-users mailing list
>>  Vyatta-users@mailman.vyatta.com
>>  http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>>
>>     
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>   
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
