Re: [Vyatta-users] Munin and Vyatta

2008-02-06 Thread Alain Kelder
No, but you can get 1 on-board and 1 on an expansion module.  You can 
investigate the options for yourself: 
http://www.logicsupply.com/products/system3677 (just choose the Jetway 
mainboard to get the daughterboard options).

Ken Felix (C) wrote:

 Question: does that configuration come with 2 onboard LAN interfaces?



___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] happy with NAT. should I firewall also?

2008-01-02 Thread Alain Kelder
Thanks, Justin. I guess what I'm looking for is just to be reasonably secure. I 
understand that, strictly speaking, reasonably secure will mean different 
things to different people, so I'm just talking in broad terms. 

For instance, I understand that my SMTP server shouldn't be an open relay, so 
it's set to only send mail for authenticated clients and SMTP logins are sent 
over TLS instead of clear text; I understand that TELNET communication is 
unencrypted, that SSH is strongly recommended instead, and that SSHv2 is 
recommended over SSHv1.

So I'm just looking for similar best practice recommendations for Vyatta as 
an edge router. 

So, NAT rules will cause all traffic for defined ports to be forwarded and then 
I make sure that services listening on those ports on my internal machines are 
patched against application level vulnerabilities. Is NAT for incoming traffic 
good enough or should one use some firewall rules in addition? If so, what 
rules? Rules to limit traffic to protocols appropriate for services listening 
on those ports (e.g. only allow SSH traffic on port 22) and rules to allow/deny 
based on the state of the packet.

Traffic that doesn't get forwarded via NAT rules is considered local to the 
router, right? So if I only want SSH from outside to the router, I define a 
firewall rule to allow SSH and an implicit deny all else takes place? 

thanks again, -Alain.


On Tue, 1 Jan 2008 20:18:20 -0800, Justin Fletcher [EMAIL PROTECTED] wrote:
 Depends on what you're looking for (of course :-) )
 
 Since you're under NAT, nothing can find your system that you don't
 have set up for forwarding.  You could set up firewall rules for the
 public address of your router, as it's wide-open otherwise, of course.
 
 A happy 2008 to you,
 Justin
 
 On Jan 1, 2008 6:40 PM, Alain Kelder [EMAIL PROTECTED] wrote:
 Hello,

 At my home office, I have 1 public IP and I'm forwarding certain outside
 port requests to the various machines inside using NAT. I'm allowing all
 inside-out traffic. Given that I'm happy with this setup from the
 functionality perspective, should I still add firewall rules to define
 my current setup (e.g. to allow all inside-out traffic and to allow
 http, smtp, etc to the various machines for outside-in traffic)? Am I
 missing out on important security features the firewall would offer
 which NAT doesn't?

 Currently I just have the following firewall statements:

 firewall {
     log-martians: enable
     send-redirects: disable
     receive-redirects: disable
     ip-src-route: disable
     broadcast-ping: disable
     syn-cookies: enable
 }

 [EMAIL PROTECTED] show version
 Baseline Version: vc3
 Booted From: disk

 Happy New Year to all! Cheers, -Alain.


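What "firewall rules in addition to NAT" could look like for the router-local case Alain describes (SSH to the router from outside, everything else to the router denied), as an added example that is not from this thread or from Vyatta's own documentation. It follows the VC3-era config style used in the posts; the keyword names (name, state, port-number, local) and the default action of a rule set are assumptions to check against the firewall reference for the running version, which is why the rule set ends with its own explicit drop rather than relying on an implicit deny.

```text
firewall {
    name WAN-LOCAL {
        rule 10 {
            protocol: tcp
            action: accept
            destination {
                port-number 22
            }
        }
        rule 20 {
            protocol: all
            action: accept
            state {
                established: enable
                related: enable
            }
        }
        rule 1000 {
            protocol: all
            action: drop
            log: enable
        }
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            local {
                name: WAN-LOCAL
            }
        }
    }
}
```

Rule 20 is what keeps the router's own outbound lookups (DNS, NTP) working once the final drop is in place, and logging on rule 1000 is what lets you see what is probing the public address. The same pattern, attached with `in` instead of `local`, is how the NAT-forwarded ports on the inside hosts would be limited to their expected protocol and connection state.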


[Vyatta-users] happy with NAT. should I firewall also?

2008-01-01 Thread Alain Kelder
Hello,

At my home office, I have 1 public IP and I'm forwarding certain outside 
port requests to the various machines inside using NAT. I'm allowing all 
inside-out traffic. Given that I'm happy with this setup from the 
functionality perspective, should I still add firewall rules to define 
my current setup (e.g. to allow all inside-out traffic and to allow 
http, smtp, etc to the various machines for outside-in traffic)? Am I 
missing out on important security features the firewall would offer 
which NAT doesn't?

Currently I just have the following firewall statements:

firewall {
    log-martians: enable
    send-redirects: disable
    receive-redirects: disable
    ip-src-route: disable
    broadcast-ping: disable
    syn-cookies: enable
}

[EMAIL PROTECTED] show version
Baseline Version: vc3
Booted From: disk

Happy New Year to all! Cheers, -Alain.


[Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified

2007-11-29 Thread Alain Kelder
Hello, 

I'm trying to set protocols to all for a destination NAT rule. But Vyatta 
complains that it wants either TCP or UDP. However, in this awesome how-to, 
they did just that: 
http://www.openmaniak.com/vyatta_case6.php#ancre-configurations

Here's what I tried:

[EMAIL PROTECTED] edit service nat rule 35
[edit service/nat/rule/35]
[EMAIL PROTECTED] set protocols all
[edit service/nat/rule/35]
[EMAIL PROTECTED] commit
[edit service/nat/rule/35]
Commit Failed
102 Command failed TCP/UDP Protocol must be specified

What's weird is that 'tab' (auto complete) shows all as an option:

[EMAIL PROTECTED] set protocols
`protocols' is ambiguous.
Possible completions:
  [Enter]    Execute this command
  all        Perform NAT on all protocol traffic
  icmp       Perform NAT on ICMP traffic only
  tcp        Perform NAT on TCP traffic only
  udp        Perform NAT on UDP traffic only


I'm able to set protocols to udp or tcp, but not all. What I'd like is 
this:

rule 35 {
    type: destination
    translation-type: static
    inbound-interface: eth0
    protocols: all
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 65.xx.xx.xx
        port-number 53
    }
    inside-address {
        address: 10.10.3.20
    }
}

Interestingly, Vyatta accepts all for a source NAT rule:

rule 39 {
    type: source
    translation-type: static
    outbound-interface: eth0
    protocols: all
    source {
        address: 10.10.3.20
    }
    destination {
        network: 0.0.0.0/0
    }
    outside-address {
        address: 65.xx.xx.xx
    }
}

Any ideas?  Thanks a bunch in advance..  I'm at a loss!

[EMAIL PROTECTED] show version
Version:    VC2
Built by:   [EMAIL PROTECTED]
Built on:   200702080056 -- Thu Feb  8 00:56:19 UTC 2007




Re: [Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified

2007-11-29 Thread Alain Kelder
Thanks, An-Cheng, you rock! Will setup two rules for now..


On Thu, 29 Nov 2007 11:07:37 -0800, An-Cheng Huang [EMAIL PROTECTED] wrote:
 Hi Alain,
 
 Currently, you'll have to enter 2 rules, one for TCP and the other for
 UDP. Also, there is already an enhancement request for exactly what you are
 asking for. See the following for details.
 
 https://bugzilla.vyatta.com/show_bug.cgi?id=1445
 
 An-Cheng
 
 Alain Kelder wrote:
 Hi An-Cheng,

 That explains it, thanks! Any suggestions how I could accomplish this?
 I'd like to allow both TCP and UDP requests on port 53... In other words an
 equivalent to the below:

  rule 35 {
      type: destination
      translation-type: static
      inbound-interface: eth0
      protocols: all
      source {
          network: 0.0.0.0/0
      }
      destination {
          address: 65.xx.xx.xx
          port-number 53
      }
      inside-address {
          address: 10.10.3.20
      }
  }

 thanks a million!

 On Thu, 29 Nov 2007 10:54:39 -0800, An-Cheng Huang [EMAIL PROTECTED]
 wrote:
 Hi Alain,

 The reason that TCP/UDP is required for your rule 35 is that you
 specified port in that rule, which is only meaningful for TCP/UDP in this
 context. The SNAT rule 39 accepts protocols all because it doesn't have
 port. Hope this helps.

 An-Cheng

 Alain Kelder wrote:
 Hello,

 I'm trying to set protocols to all for a destination NAT rule. But
 Vyatta complains that it wants either TCP or UDP. However, in this
 awesome how-to, they did just that:
 http://www.openmaniak.com/vyatta_case6.php#ancre-configurations
 Here's what I tried:

 [EMAIL PROTECTED] edit service nat rule 35
 [edit service/nat/rule/35]
 [EMAIL PROTECTED] set protocols all
 [edit service/nat/rule/35]
 [EMAIL PROTECTED] commit
 [edit service/nat/rule/35]
 Commit Failed
 102 Command failed TCP/UDP Protocol must be specified

 What's weird is that 'tab' (auto complete) shows all as an option:

 [EMAIL PROTECTED] set protocols
 `protocols' is ambiguous.
 Possible completions:
   [Enter]    Execute this command
   all        Perform NAT on all protocol traffic
   icmp       Perform NAT on ICMP traffic only
   tcp        Perform NAT on TCP traffic only
   udp        Perform NAT on UDP traffic only


 I'm able to set protocols to udp or tcp, but not all. What I'd
 like is this:
 rule 35 {
     type: destination
     translation-type: static
     inbound-interface: eth0
     protocols: all
     source {
         network: 0.0.0.0/0
     }
     destination {
         address: 65.xx.xx.xx
         port-number 53
     }
     inside-address {
         address: 10.10.3.20
     }
 }

 Interestingly, Vyatta accepts all for a source NAT rule:

 rule 39 {
     type: source
     translation-type: static
     outbound-interface: eth0
     protocols: all
     source {
         address: 10.10.3.20
     }
     destination {
         network: 0.0.0.0/0
     }
     outside-address {
         address: 65.xx.xx.xx
     }
 }

 Any ideas?  Thanks a bunch in advance..  I'm at a loss!

 [EMAIL PROTECTED] show version
 Version:    VC2
 Built by:   [EMAIL PROTECTED]
 Built on:   200702080056 -- Thu Feb  8 00:56:19 UTC 2007




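The two-rule workaround An-Cheng describes, written out in the VC2 config form used in the thread. This is an added example, not configuration from the thread or from the openmaniak how-to; rule number 36 is assumed to be free. Each rule carries a port match, so each has to name the one transport protocol it applies to.

```text
rule 35 {
    type: destination
    translation-type: static
    inbound-interface: eth0
    protocols: tcp
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 65.xx.xx.xx
        port-number 53
    }
    inside-address {
        address: 10.10.3.20
    }
}
rule 36 {
    type: destination
    translation-type: static
    inbound-interface: eth0
    protocols: udp
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 65.xx.xx.xx
        port-number 53
    }
    inside-address {
        address: 10.10.3.20
    }
}
```

With source network 0.0.0.0/0 the inside DNS server on 10.10.3.20 is reachable from the whole Internet on both transports; if only particular clients need it, narrow the source network in both rules and keep the server from acting as an open resolver.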


Re: [Vyatta-users] Want to use Vyatta for our main BGP router - but what about traffic tracking?

2007-11-07 Thread Alain Kelder
Hello Dominic,

Out of the various tools I've tried, netacct-mysql is currently my 
favorite.  It collects bandwidth data through libpcap and stores in a 
MySQL DB.  It comes with a PHP front end, but to me the real power is 
that it stores the stats in MySQL.  Through SQL SELECT statements, I'm 
able to get all the stats I need.  For instance:

mysql> SELECT SUM((input+output)/1073741824) FROM traffic WHERE
    -> IP='10.10.2.122' AND time LIKE '2007-09%';

gives me total (in+out) GBs of bandwidth used by 10.10.2.122 during Sept 
07.  I run it on the Xen host to keep track of the guest domain 
bandwidth usage, but it should run on the Vyatta box just as well 
(haven't tried yet, sorry).  The other thing I started playing with 
today is grabbing the data from the DB using PHP and feeding it to the 
chart PHP script from www.maani.us to get pretty graphs.

I would love to know what you end up using!

Cheers, -Alain.



 http://sourceforge.net/projects/netacct-mysql/

Dominic Williams wrote:
 Many thanks for your response.

 What we need to generate is a traffic graph for each IP that we serve i.e. At 
 4.20.00pm some IP was using 7Mbps, at 4.20.15pm it was using 5.2Mbps, at 
 4.20.30 it was using 6.3Mbps and so on.

 We need this data to understand how sites (which run on IPs) behave 
 and also to provision overall bandwidth and pass bandwidth costs to clients.

 Is this possible and for example, is anyone doing 95th percentile billing 
 using a Vyatta router?

 Best, Dominic

 -Original Message-
 From: Holtz,Robert [EMAIL PROTECTED]
 To: Dominic Williams [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL 
 PROTECTED]
 Sent: 07/11/07 16:27
 Subject: RE: [Vyatta-users] Want to use Vyatta for our main BGP router - 
 but what about traffic tracking?

 You can collect SNMP interface performance data anywhere along the path to 
 the outside world, not just the router.  There's quite a bit of flexibility.

 Examples:
 The Web Server itself
 Load Balancer, if you have a bunch of web servers
 Ethernet Switch(es)
 Router
 Etc.





  
 -Original Message-
  

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dominic 
 Williams
 Sent: Wednesday, November 07, 2007 10:07 AM
 To: [EMAIL PROTECTED]
 Subject: [Vyatta-users] Want to use Vyatta for our main BGP router - but what 
 about traffic tracking?

 Hello all,

 My company is very keen to try a Vyatta solution, as we are about to move our 
 hosting rack to a BGP solution and a 7204VXR with 1GB seems inordinately 
 expensive!!

 But... we need to be able to monitor and track bandwidth to each individual 
 IP address that we serve.

 This is a crucial requirement, as it is for many people involved in Web 
 hosting. 

 At the moment we just use Netflow exports from our Cisco router in 
 conjunction with some tracking software... I know that Vyatta doesn't support 
 Netflow, but somebody indicated on this list that you can get at these stats 
 using SNMP.

 Is this really the case? Can you get at traffic flows for individual IPs that 
 are being served through the router?

 -- I was under the impression SNMP was just of use for monitoring the status 
 of a particular device / interface etc??

 Many thanks for any advice you can give. 

 Best, Dominic

 Dominic Williams
 www.System7.com
 www.Wyki.com



   
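To make Alain's query and Dominic's per-interval / 95th-percentile requirement concrete, here is an added example (not code from the thread or from netacct-mysql) that runs the same arithmetic over a constructed in-memory SQLite table with the columns the query uses. The table layout, the sample values and the 15-second interval are assumptions for this example.

```python
import math
import sqlite3

GIB = 1073741824        # bytes per GiB, the divisor used in the post's query
INTERVAL_SECONDS = 15   # sampling interval from Dominic's example (assumption)


def build_sample_db():
    """In-memory table shaped like the columns the post's query uses
    (IP, time, input, output); the real netacct-mysql schema has more.
    All rows are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE traffic (IP TEXT, time TEXT, input INTEGER, output INTEGER)")
    rows = []
    for i in range(20):  # 20 samples, 15 s apart, for one host on 2007-09-01
        stamp = "2007-09-01 16:%02d:%02d" % (20 + (i * 15) // 60, (i * 15) % 60)
        if i == 7:   # one burst: 18,750,000 bytes in 15 s = 10 Mbps
            rows.append(("10.10.2.122", stamp, 12500000, 6250000))
        else:        # steady state: 9,375,000 bytes in 15 s = 5 Mbps
            rows.append(("10.10.2.122", stamp, 6250000, 3125000))
    rows.append(("10.10.2.122", "2007-10-01 00:00:00", 6250000, 3125000))  # other month
    rows.append(("10.10.2.123", "2007-09-01 16:20:00", 6250000, 3125000))  # other host
    con.executemany("INSERT INTO traffic VALUES (?, ?, ?, ?)", rows)
    return con


def monthly_gib(con, ip, month_prefix):
    """The post's monthly total for one IP. MySQL's '/' is floating-point, so
    SUM((input+output)/1073741824) works there; SQLite would truncate every
    row to 0, so the summed bytes are divided by a float once instead.
    Returns None when the month has no rows."""
    sql = "SELECT SUM(input + output) / ? FROM traffic WHERE IP = ? AND time LIKE ?"
    (total,) = con.execute(sql, (float(GIB), ip, month_prefix + "%")).fetchone()
    return total


def interval_mbps(con, ip, month_prefix):
    """Per-sample bitrate, i.e. the 'at 4.20.15 it was using 5.2Mbps' series
    Dominic asks for: bytes in the interval * 8 / seconds / 1e6."""
    sql = ("SELECT time, input + output FROM traffic "
           "WHERE IP = ? AND time LIKE ? ORDER BY time")
    return [(t, b * 8 / INTERVAL_SECONDS / 1e6)
            for t, b in con.execute(sql, (ip, month_prefix + "%"))]


def percentile_95(samples):
    """95th-percentile billing figure: sort the rates, discard the top 5% of
    samples, and bill the highest remaining one."""
    rates = sorted(rate for _, rate in samples)
    if not rates:
        return 0.0
    return rates[math.ceil(0.95 * len(rates)) - 1]
```

On the constructed data the single 10 Mbps burst is the discarded top 5%, so the billable figure is the 5 Mbps steady rate, while the monthly total still counts every byte.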


Re: [Vyatta-users] Can't connect to SMTP Host

2007-11-07 Thread Alain Kelder
Hello David,

IMHO, this sounds more like a DNS problem than a routing problem.  I 
would ensure that workstations resolve mail.domain.com to the internal 
IP rather than external.  Typically, you'd just add the necessary 
entries in your DNS server, but if you're not running an internal DNS 
server on your network, then you can just add the entry to the hosts 
file on the workstations (C:\windows\system32\drivers\etc for Windows, 
/etc/hosts for Linux, etc):

10.10.30.xxx    mail.domain.com

Cheers, -Alain.

David Marrow Jr wrote:
 I created a NAT rule that forwards all traffic on port 25 from the 
 external IP address xx.xx.xx.xx to the internal IP address 
 10.10.30.xxx on port 25. My problem is that all workstations on the 
 internal network 10.10.30.X resolve mail.domain.com to port 25 
 on the external IP address.

 Using an external email client outside the network from a remote 
 client works without issues. All the clients on the internal network 
 have to be configured to connect to the server directly by using the 
 internal IP address for that server in the SMTP settings on their 
 client. Any suggestions?

 Here is my running config file

 protocols {
     static {
         disable: false
         route 0.0.0.0/0 {
             next-hop: XX.XX.XX.49
             metric: 1
         }
     }
 }
 policy {
 }
 interfaces {
     restore: false
     loopback lo {
         description: 
         address 10.0.0.65 {
             prefix-length: 32
             disable: false
         }
     }
     ethernet eth0 {
         disable: false
         discard: false
         description: 
         hw-id: 00:04:23:9f:42:30
         duplex: auto
         speed: auto
         address XX.XX.XX.50 {
             prefix-length: 29
             disable: false
         }
         address XX.XX.XX.51 {
             prefix-length: 29
             disable: false
         }
     }
     ethernet eth1 {
         disable: false
         discard: false
         description: 
         hw-id: 00:04:23:9f:42:31
         duplex: auto
         speed: auto
         address 10.10.30.254 {
             prefix-length: 24
             disable: false
         }
     }
     ethernet eth2 {
         disable: true
         discard: false
         description: 
         hw-id: 00:0d:61:30:b2:30
         duplex: auto
         speed: auto
     }
 }
 service {
     dhcp-server {
         shared-network-name lan1 {
             subnet 10.10.30.0/24 {
                 start 10.10.30.1 {
                     stop: 10.10.30.254
                 }
                 static-mapping btpwrk03 {
                     ip-address: 10.10.30.3
                     mac-address: 00:06:5B:2C:4A:DD
                 }
                 static-mapping btpwrk02 {
                     ip-address: 10.10.30.2
                     mac-address: 00:0C:76:9F:62:F1
                 }
                 static-mapping btpwrk04 {
                     ip-address: 10.10.30.4
                     mac-address: 00:08:74:f6:06:80
                 }
                 static-mapping btpwrk05 {
                     ip-address: 10.10.30.5
                     mac-address: 00:0c:29:0a:89:5b
                 }
                 static-mapping btpwrk01 {
                     ip-address: 10.10.30.1
                     mac-address: 00:d0:b7:13:ce:de
                 }
                 static-mapping btpsrv01 {
                     ip-address: 10.10.30.240
                     mac-address: 00:05:8D:F7:77:9D
                 }
                 static-mapping btpweb01 {
                     ip-address: 10.10.30.251
                     mac-address: 00:0C:29:B2:7F:2D
                 }
                 static-mapping btpweb02 {
                     ip-address: 10.10.30.252
                     mac-address: 00:0C:29:B2:7F:2D
                 }
                 static-mapping btpwrk00 {
                     ip-address: 10.10.30.100
                     mac-address: 00:15:C5:45:F2:85
                 }
                 client-prefix-length: 24
                 dns-server 65.17.91.254
                 dns-server 65.16.215.254
                 default-router: 10.10.30.254
                 lease: 86400
                 domain-name: internal.domain.local
                 authoritative: disable
             }
         }
     }
     nat {
         rule 1 {
             type: masquerade
             outbound-interface: eth0
             source {
                 network: XX.XX.XX.48/29
             }
         }