That seems to have done the trick.
Thank you.

On 20/03/2008, Robyn Orosz <[EMAIL PROTECTED]> wrote:
>  From what I can remember, this issue does not apply to NAT so you
>  shouldn't have to.
>
>  Thanks,
>
>
>  Robyn
>
>  Joe Pub wrote:
>  > Hi,
>  >
>  > Is this just for the firewall rules portion or should I do the same for
>  > NAT too?
>  >
>  > Thanks.
>  >
>  > On 20/03/2008, Robyn Orosz <[EMAIL PROTECTED]> wrote:
>  >
>  >> Hi Joe,
>  >>
>  >>  I'm not sure which version you are upgrading to but since you mentioned
>  >>  xorpsh, I am assuming VC3?
>  >>
>  >>  If so, the issue is probably the : and "" on the firewall port-number
>  >>  and port-name nodes.  If you edit your config.boot file and remove the :
>  >>  and "" from the port-name and port-number settings in the firewall
>  >>  portion of your config, you should be able to load the config in the new
>  >>  version.
>  >>
>  >>  See the following Bugzilla reports for more information:
>  >>
>  >>  https://bugzilla.vyatta.com/show_bug.cgi?id=2573
>  >>
>  >>  https://bugzilla.vyatta.com/show_bug.cgi?id=2637
>  >>
>  >>  Thank you,
>  >>
>  >>  Robyn
>  >>
>  >>
>  >>  Joe Pub wrote:
>  >>  > Hi All,
>  >>  >
>  >>  > I have recently done a live upgrade of vyatta to make sure everything
>  >>  > was up to date.  I saved the config.boot file just in case.  After the
>  >>  > reboot the loaded config was lost (not sure if this is by design on an
>  >>  > upgrade).  So I am now trying to load the config file from the ofr
>  >>  > over tftp.
>  >>  >
>  >>  > Now the first problem was this, it failed to parse the config file on
>  >>  > a firewall rule (which worked before the upgrade)
>  >>  >
>  >>  > which was this.
>  >>  >
>  >>  >         rule 9 {
>  >>  >             protocol: "tcp"
>  >>  >             action: "accept"
>  >>  >             log: "disable"
>  >>  >             destination {
>  >>  >                 address: 192.168.10.2
>  >>  >                 port-number: 1723
>  >>  >             }
>  >>  >         }
>  >>  >
>  >>  > it was complaining about the port number.  So I removed this rule out
>  >>  > of the config file and tried to reload it with this version.
>  >>  >
>  >>  > protocols {
>  >>  >     ospf4 {
>  >>  >         router-id: 10.1.1.3
>  >>  >         rfc1583-compatibility: false
>  >>  >         ip-router-alert: false
>  >>  >         area 0.0.0.0 {
>  >>  >             area-type: "normal"
>  >>  >             interface eth0 {
>  >>  >                 link-type: "broadcast"
>  >>  >                 address 172.20.1.253 {
>  >>  >                     priority: 128
>  >>  >                     hello-interval: 10
>  >>  >                     router-dead-interval: 40
>  >>  >                     interface-cost: 1
>  >>  >                     retransmit-interval: 5
>  >>  >                     transit-delay: 1
>  >>  >                     passive: false
>  >>  >                     disable: false
>  >>  >                 }
>  >>  >             }
>  >>  >             interface lo {
>  >>  >                 link-type: "broadcast"
>  >>  >                 address 10.1.1.3 {
>  >>  >                     priority: 128
>  >>  >                     hello-interval: 10
>  >>  >                     router-dead-interval: 40
>  >>  >                     interface-cost: 1
>  >>  >                     retransmit-interval: 5
>  >>  >                     transit-delay: 1
>  >>  >                     passive: false
>  >>  >                     disable: false
>  >>  >                 }
>  >>  >             }
>  >>  >         }
>  >>  >         export: "static-to-OSPF"
>  >>  >     }
>  >>  >     static {
>  >>  >         disable: false
>  >>  >         route 0.0.0.0/0 {
>  >>  >             next-hop: x.x.x.30
>  >>  >             metric: 1
>  >>  >         }
>  >>  >     }
>  >>  > }
>  >>  > policy {
>  >>  >     policy-statement "static-to-OSPF" {
>  >>  >         term 1 {
>  >>  >             from {
>  >>  >                 protocol: "static"
>  >>  >             }
>  >>  >             then {
>  >>  >                 action: "accept"
>  >>  >             }
>  >>  >         }
>  >>  >     }
>  >>  > }
>  >>  > interfaces {
>  >>  >     restore: false
>  >>  >     loopback lo {
>  >>  >         description: ""
>  >>  >         address 10.1.1.3 {
>  >>  >             prefix-length: 32
>  >>  >             disable: false
>  >>  >         }
>  >>  >     }
>  >>  >     ethernet eth1 {
>  >>  >         disable: false
>  >>  >         discard: false
>  >>  >         description: ""
>  >>  >         hw-id: 00:50:56:a8:29:60
>  >>  >         duplex: "auto"
>  >>  >         speed: "auto"
>  >>  >         address x.x.x.29 {
>  >>  >             prefix-length: 27
>  >>  >             disable: false
>  >>  >         }
>  >>  >         address x.x.x.3 {
>  >>  >             prefix-length: 27
>  >>  >             disable: false
>  >>  >         }
>  >>  >         address x.x.x.2 {
>  >>  >             prefix-length: 27
>  >>  >             disable: false
>  >>  >         }
>  >>  >         firewall {
>  >>  >             in {
>  >>  >                 name: "DMZ_IN"
>  >>  >             }
>  >>  >         }
>  >>  >     }
>  >>  >     ethernet eth0 {
>  >>  >         disable: false
>  >>  >         discard: false
>  >>  >         description: ""
>  >>  >         hw-id: 00:50:56:a8:34:ec
>  >>  >         duplex: "auto"
>  >>  >         speed: "auto"
>  >>  >         address 172.20.1.253 {
>  >>  >             prefix-length: 23
>  >>  >             disable: false
>  >>  >         }
>  >>  >         vrrp {
>  >>  >             vrrp-group: 100
>  >>  >             virtual-address: 172.20.1.254
>  >>  >             authentication: "xxxxxx"
>  >>  >             advertise-interval: 1
>  >>  >             preempt: true
>  >>  >             priority: 1
>  >>  >         }
>  >>  >     }
>  >>  > }
>  >>  > service {
>  >>  >     nat {
>  >>  >         rule 2 {
>  >>  >             type: "source"
>  >>  >             inbound-interface: "eth0"
>  >>  >             outbound-interface: "eth1"
>  >>  >             protocols: "all"
>  >>  >             source {
>  >>  >                 address: "172.20.0.1"
>  >>  >             }
>  >>  >             destination {
>  >>  >                 network: "0.0.0.0/0"
>  >>  >             }
>  >>  >             outside-address {
>  >>  >                 address: x.x.x.2
>  >>  >             }
>  >>  >         }
>  >>  >         rule 3 {
>  >>  >             type: "destination"
>  >>  >             inbound-interface: "eth1"
>  >>  >             outbound-interface: "eth0"
>  >>  >             protocols: "all"
>  >>  >             source {
>  >>  >                 network: "0.0.0.0/0"
>  >>  >             }
>  >>  >             destination {
>  >>  >                 address: "x.x.x.2"
>  >>  >             }
>  >>  >             inside-address {
>  >>  >                 address: 172.20.0.1
>  >>  >             }
>  >>  >         }
>  >>  >         rule 4 {
>  >>  >             type: "source"
>  >>  >             inbound-interface: "eth0"
>  >>  >             outbound-interface: "eth1"
>  >>  >             protocols: "tcp"
>  >>  >             source {
>  >>  >                 address: "192.168.10.5"
>  >>  >             }
>  >>  >             destination {
>  >>  >                 network: "0.0.0.0/0"
>  >>  >             }
>  >>  >             outside-address {
>  >>  >                 address: x.x.x.3
>  >>  >             }
>  >>  >         }
>  >>  >         rule 5 {
>  >>  >             type: "destination"
>  >>  >             inbound-interface: "eth1"
>  >>  >             outbound-interface: "eth0"
>  >>  >             protocols: "tcp"
>  >>  >             source {
>  >>  >                 network: "0.0.0.0/0"
>  >>  >             }
>  >>  >             destination {
>  >>  >                 address: "x.x.x.3"
>  >>  >                 port-number 25
>  >>  >             }
>  >>  >             inside-address {
>  >>  >                 address: 192.168.10.5
>  >>  >                 port-number: 25
>  >>  >             }
>  >>  >         }
>  >>  >         rule 6 {
>  >>  >             type: "destination"
>  >>  >             inbound-interface: "eth1"
>  >>  >             outbound-interface: "eth0"
>  >>  >             protocols: "tcp"
>  >>  >             source {
>  >>  >                 network: "0.0.0.0/0"
>  >>  >             }
>  >>  >             destination {
>  >>  >                 address: "x.x.x.3"
>  >>  >                 port-number 80
>  >>  >             }
>  >>  >             inside-address {
>  >>  >                 address: 192.168.10.5
>  >>  >                 port-number: 80
>  >>  >             }
>  >>  >         }
>  >>  >         rule 7 {
>  >>  >             type: "destination"
>  >>  >             inbound-interface: "eth1"
>  >>  >             outbound-interface: "eth0"
>  >>  >             protocols: "tcp"
>  >>  >             source {
>  >>  >                 network: "0.0.0.0/0"
>  >>  >             }
>  >>  >             destination {
>  >>  >                 address: "x.x.x.3"
>  >>  >                 port-name https
>  >>  >             }
>  >>  >             inside-address {
>  >>  >                 address: 192.168.10.5
>  >>  >                 port-number: 443
>  >>  >             }
>  >>  >         }
>  >>  >         rule 8 {
>  >>  >             type: "destination"
>  >>  >             inbound-interface: "eth1"
>  >>  >             outbound-interface: "eth0"
>  >>  >             protocols: "tcp"
>  >>  >             destination {
>  >>  >                 address: "x.x.x.29"
>  >>  >                 port-number 1723
>  >>  >             }
>  >>  >             inside-address {
>  >>  >                 address: 192.168.10.2
>  >>  >                 port-number: 1723
>  >>  >             }
>  >>  >         }
>  >>  >         rule 9 {
>  >>  >             type: "source"
>  >>  >             inbound-interface: "eth0"
>  >>  >             outbound-interface: "eth1"
>  >>  >             protocols: "tcp"
>  >>  >             source {
>  >>  >                 address: "192.168.10.2"
>  >>  >                 port-number 1723
>  >>  >             }
>  >>  >             outside-address {
>  >>  >                 address: x.x.x.29
>  >>  >                 port-number: 1723
>  >>  >             }
>  >>  >         }
>  >>  >         rule 10 {
>  >>  >             type: "destination"
>  >>  >             inbound-interface: "eth1"
>  >>  >             outbound-interface: "eth0"
>  >>  >             protocols: "gre"
>  >>  >             destination {
>  >>  >                 address: "x.x.x.29"
>  >>  >             }
>  >>  >             inside-address {
>  >>  >                 address: 192.168.10.2
>  >>  >             }
>  >>  >         }
>  >>  >         rule 1023 {
>  >>  >             type: "masquerade"
>  >>  >             outbound-interface: "eth1"
>  >>  >             source {
>  >>  >                 network: "192.168.10.0/23"
>  >>  >             }
>  >>  >         }
>  >>  >         rule 1024 {
>  >>  >             type: "masquerade"
>  >>  >             outbound-interface: "eth1"
>  >>  >             source {
>  >>  >                 network: "172.20.0.0/23"
>  >>  >             }
>  >>  >         }
>  >>  >     }
>  >>  >     webgui {
>  >>  >         http-port: 80
>  >>  >         https-port: 443
>  >>  >     }
>  >>  > }
>  >>  > firewall {
>  >>  >     log-martians: "enable"
>  >>  >     send-redirects: "disable"
>  >>  >     receive-redirects: "disable"
>  >>  >     ip-src-route: "disable"
>  >>  >     broadcast-ping: "disable"
>  >>  >     syn-cookies: "enable"
>  >>  >      name "DMZ_IN" {
>  >>  >          description: "Input packet from public network into DMZ"
>  >>  >          rule 1 {
>  >>  >              protocol: "udp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              source {
>  >>  >                  port-name: "domain"
>  >>  >              }
>  >>  >          }
>  >>  >          rule 2 {
>  >>  >              protocol: "icmp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >          }
>  >>  >          rule 3 {
>  >>  >              protocol: "udp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              destination {
>  >>  >                  port-name: "domain"
>  >>  >              }
>  >>  >          }
>  >>  >          rule 4 {
>  >>  >              protocol: "tcp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              source {
>  >>  >                  port-name: "domain"
>  >>  >              }
>  >>  >          }
>  >>  >          rule 5 {
>  >>  >              protocol: "tcp"
>  >>  >              state {
>  >>  >                  established: "enable"
>  >>  >              }
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >          }
>  >>  >          rule 6 {
>  >>  >              protocol: "tcp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              destination {
>  >>  >                  address: 192.168.10.5
>  >>  >                  port-name: "smtp"
>  >>  >              }
>  >>  >          }
>  >>  >          rule 7 {
>  >>  >              protocol: "tcp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              destination {
>  >>  >                  port-name: "http"
>  >>  >              }
>  >>  >          }
>  >>  >          rule 8 {
>  >>  >              protocol: "tcp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              destination {
>  >>  >                  port-name: "https"
>  >>  >              }
>  >>  >          }
>  >>  >          rule 9 {
>  >>  >              protocol: "gre"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              destination {
>  >>  >                  address: 192.168.10.2
>  >>  >              }
>  >>  >          }
>  >>  >          rule 10 {
>  >>  >              protocol: "tcp"
>  >>  >              action: "accept"
>  >>  >              log: "disable"
>  >>  >              destination {
>  >>  >                  port-range {
>  >>  >                      start: 20
>  >>  >                      stop: 21
>  >>  >                  }
>  >>  >              }
>  >>  >          }
>  >>  >     }
>  >>  > }
>  >>  >
>  >>  >
>  >>  > but it fails to load. The xorpsh process shot up to 100% CPU and did
>  >>  > not load the config.  The shell just sits there with [edit] showing
>  >>  > and does not return me back to the shell.  I have to press Ctrl-C to
>  >>  > abort the operation.  When I then exit configuration mode I get the
>  >>  > message
>  >>  >
>  >>  > Finder disconnected. No Finder?
>  >>  >
>  >>  > Does anyone have any idea why this could be?
>  >>  > Thanks
>  >>
>  >>
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
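The edit Robyn describes, as an added example that is not from the thread or from Vyatta itself: a small Python helper that strips the ':' and the quotes only from port-number / port-name leaves inside the top-level firewall block of a config.boot, and leaves the NAT rules under service untouched as she advises. The sample config is constructed here in the poster's pre-upgrade syntax, and the helper assumes the block starts with a column-0 "firewall {" line as in the posted config.

```python
import re

# Leaf nodes the VC3 parser rejects when written as 'name: "value"'
# (per the thread: port-number and port-name in the firewall section).
PORT_LEAF = re.compile(r'^(\s*)(port-number|port-name):\s*"?([^"\s]+)"?\s*$')

def fix_firewall_ports(config_text):
    """Strip ':' and quotes from port-number / port-name leaves, but only
    inside the top-level 'firewall {' block; NAT port nodes are untouched."""
    out, depth, in_firewall = [], 0, False   # depth = brace nesting level
    for line in config_text.splitlines():
        stripped = line.strip()
        if depth == 0 and stripped.startswith("firewall {"):
            in_firewall = True
        m = PORT_LEAF.match(line) if in_firewall else None
        if m:
            indent, leaf, value = m.groups()
            line = f"{indent}{leaf} {value}"
        out.append(line)
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            in_firewall = False   # closed the top-level block
    return "\n".join(out) + "\n"

# Constructed sample in the poster's pre-upgrade syntax: a NAT port that
# must stay as it is, and two firewall port leaves that must be rewritten.
SAMPLE = """\
service {
    nat {
        rule 5 {
            inside-address {
                port-number: 25
            }
        }
    }
}
firewall {
    name "DMZ_IN" {
        rule 1 {
            source {
                port-name: "domain"
            }
            destination {
                port-number: 1723
            }
        }
    }
}
"""
```

Run fix_firewall_ports over the saved config.boot text and diff the result against the original before loading it, so the only changes are the firewall port leaves.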