Re: [Vyatta-users] Munin and Vyatta
No, but you can get 1 on-board and 1 on an expansion module. You can investigate the options for yourself: http://www.logicsupply.com/products/system3677 (just choose the Jetway mainboard to get the daughterboard options).

Ken Felix (C) wrote:

Question: does that configuration come with 2 onboard LAN interfaces?

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] happy with NAT. should I firewall also?
Thanks, Justin.

I guess what I'm looking for is just to be reasonably secure. I understand that, strictly speaking, "reasonably secure" will mean different things to different people, so I'm just talking in broad terms. For instance, I understand that my SMTP server shouldn't be an open relay, and so it's set to only send mail for authenticated clients, and SMTP logins are sent over TLS instead of clear text; I understand that TELNET communication is unencrypted and SSH is strongly recommended instead, and SSHv2 is recommended over SSHv1. So I'm just looking for similar best-practice recommendations for Vyatta as an edge router.

So, NAT rules will cause all traffic for defined ports to be forwarded, and then I make sure that services listening on those ports on my internal machines are patched against application-level vulnerabilities. Is NAT for incoming traffic good enough, or should one use some firewall rules in addition? If so, what rules? Rules to limit traffic to protocols appropriate for services listening on those ports (e.g. only allow SSH traffic on port 22) and rules to allow/deny based on the state of the packet?

Traffic that doesn't get forwarded via NAT rules is considered local to the router, right? So if I only want SSH from outside to the router, I define a firewall rule to allow SSH and an implicit deny of all else takes place?

thanks again,
-Alain.

On Tue, 1 Jan 2008 20:18:20 -0800, Justin Fletcher [EMAIL PROTECTED] wrote:

Depends on what you're looking for (of course :-) ). Since you're under NAT, nothing can find your system that you don't have set up for forwarding. You could set up firewall rules for the public address of your router, as it's wide open otherwise, of course.

A happy 2008 to you,
Justin

On Jan 1, 2008 6:40 PM, Alain Kelder [EMAIL PROTECTED] wrote:

Hello,

At my home office, I have 1 public IP and I'm forwarding certain outside port requests to the various machines inside using NAT. I'm allowing all inside-out traffic.

Given that I'm happy with this setup from the functionality perspective, should I still add firewall rules to define my current setup (e.g. to allow all inside-out traffic and to allow http, smtp, etc. to the various machines for outside-in traffic)? Am I missing out on important security features the firewall would offer which NAT doesn't?

Currently I just have the following firewall statements:

    firewall {
        log-martians: enable
        send-redirects: disable
        receive-redirects: disable
        ip-src-route: disable
        broadcast-ping: disable
        syn-cookies: enable
    }

    [EMAIL PROTECTED] show version
    Baseline Version: vc3
    Booted From: disk

Happy New Year to all!

Cheers,
-Alain.
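The distinction Alain is asking about, as an added example written for this page (it is not code from the thread and not Vyatta's own code): a small Python model of an edge router that has only NAT port-forwards, next to the same router with a default-deny stateful firewall in front of both the forwarded hosts and the router's own address. The public address 203.0.113.10, the inside hosts 10.10.3.20 and 10.10.3.30 and the list of forwarded ports are my assumptions. What it shows is that a DNAT rule only decides where a packet goes, the firewall decides whether it goes at all, and without one the router's public address accepts anything that no forward matched.

```python
"""Added example: toy model of an edge router with NAT port-forwards, with
and without a default-deny stateful firewall. Not from the Vyatta list or
the Vyatta project. Addresses and forwarded services are assumptions."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"          # assumed public address of the router


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # tcp only: True means a fresh connection attempt


# Destination-NAT table, keyed by (protocol, public port): as the list
# thread notes, a port only means something for tcp and udp.
DNAT = {
    ("tcp", 22): ("10.10.3.20", 22),
    ("tcp", 53): ("10.10.3.20", 53),
    ("udp", 53): ("10.10.3.20", 53),
    ("tcp", 80): ("10.10.3.30", 80),
}

# Firewall policy for NEW connections arriving on the outside interface.
# Anything not listed is dropped (implicit deny). Forwarded traffic is
# limited to the protocol/port each inside service actually speaks, and
# traffic to the router itself is limited to SSH.
WAN_IN_ALLOW = {
    ("tcp", "10.10.3.20", 22),
    ("tcp", "10.10.3.20", 53),
    ("udp", "10.10.3.20", 53),
    ("tcp", "10.10.3.30", 80),
}
WAN_LOCAL_ALLOW = {("tcp", PUBLIC_IP, 22)}


@dataclass
class Router:
    firewall: bool
    # Reply tuples expected for connections the inside opened (conntrack)
    established: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        """Inside-out is always allowed; masquerade keeps the source port,
        so the reply arrives as (proto, remote, remote port, public, sport)."""
        self.established.add((pkt.proto, pkt.dst, pkt.dport, PUBLIC_IP, pkt.sport))

    def inbound(self, pkt: Packet) -> tuple:
        """Return (verdict, reason) for a packet arriving from the outside."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.established:
            return "accept", "reply to a connection the inside opened"

        # NAT decides where the packet goes: forwarded inside, or local to
        # the router when no DNAT rule matches.
        target = DNAT.get((pkt.proto, pkt.dport)) if pkt.dst == PUBLIC_IP else None
        if target:
            chain, dst, dport = "forward", target[0], target[1]
        else:
            chain, dst, dport = "local", pkt.dst, pkt.dport

        if not self.firewall:
            # NAT alone never drops: forwarded ports take anything, and the
            # router's own address is wide open.
            return "accept", f"{chain}: NAT only, nothing filtered"

        if pkt.proto == "tcp" and not pkt.syn:
            return "drop", f"{chain}: tcp segment that belongs to no connection"
        allowed = WAN_IN_ALLOW if chain == "forward" else WAN_LOCAL_ALLOW
        if (pkt.proto, dst, dport) in allowed:
            return "accept", f"{chain}: explicit allow rule"
        return "drop", f"{chain}: implicit deny"


def demo() -> dict:
    """Run the same constructed probes through both routers."""
    probes = {  # constructed packets from an outside host 198.51.100.7
        "ssh_to_forwarded_host": Packet("tcp", "198.51.100.7", 40001, PUBLIC_IP, 22),
        "telnet_to_router":      Packet("tcp", "198.51.100.7", 40002, PUBLIC_IP, 23),
        "ack_scan_web_port":     Packet("tcp", "198.51.100.7", 40003, PUBLIC_IP, 80, syn=False),
        "udp_dns_query":         Packet("udp", "198.51.100.7", 40004, PUBLIC_IP, 53),
        "dns_reply_to_inside":   Packet("udp", "8.8.8.8", 53, PUBLIC_IP, 51000),
    }
    results = {}
    for name, fw in (("nat_only", False), ("nat_plus_firewall", True)):
        r = Router(firewall=fw)
        # An inside host sent a DNS query out first, so its reply is expected
        r.outbound(Packet("udp", "10.10.3.20", 51000, "8.8.8.8", 53))
        results[name] = {k: r.inbound(p)[0] for k, p in probes.items()}
    return results


if __name__ == "__main__":
    for router, verdicts in demo().items():
        print(router)
        for probe, verdict in verdicts.items():
            print(f"  {probe:24} {verdict}")
```

Running it prints a verdict table for each router. The two rows worth looking at are the Telnet probe to the router's own address, which NAT alone delivers because no forward matched and nothing else is in the way, and the ACK-only probe to the forwarded web port, which NAT alone forwards but the stateful rules drop because it belongs to no connection. Replies to connections the inside started are accepted in both cases, which is the state-based rule Alain mentions.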
[Vyatta-users] happy with NAT. should I firewall also?
Hello,

At my home office, I have 1 public IP and I'm forwarding certain outside port requests to the various machines inside using NAT. I'm allowing all inside-out traffic.

Given that I'm happy with this setup from the functionality perspective, should I still add firewall rules to define my current setup (e.g. to allow all inside-out traffic and to allow http, smtp, etc. to the various machines for outside-in traffic)? Am I missing out on important security features the firewall would offer which NAT doesn't?

Currently I just have the following firewall statements:

    firewall {
        log-martians: enable
        send-redirects: disable
        receive-redirects: disable
        ip-src-route: disable
        broadcast-ping: disable
        syn-cookies: enable
    }

    [EMAIL PROTECTED] show version
    Baseline Version: vc3
    Booted From: disk

Happy New Year to all!

Cheers,
-Alain.
[Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified
Hello,

I'm trying to set protocols to all for a destination NAT rule, but Vyatta complains that it wants either TCP or UDP. However, in this awesome how-to, they did just that: http://www.openmaniak.com/vyatta_case6.php#ancre-configurations

Here's what I tried:

    [EMAIL PROTECTED] edit service nat rule 35
    [edit service/nat/rule/35]
    [EMAIL PROTECTED] set protocols all
    [edit service/nat/rule/35]
    [EMAIL PROTECTED] commit
    [edit service/nat/rule/35]
    Commit Failed
    102 Command failed
    TCP/UDP Protocol must be specified

What's weird is that 'tab' (auto-complete) shows all as an option:

    [EMAIL PROTECTED] set protocols
    `protocols' is ambiguous.
    Possible completions:
      [Enter]  Execute this command
      all      Perform NAT on all protocol traffic
      icmp     Perform NAT on ICMP traffic only
      tcp      Perform NAT on TCP traffic only
      udp      Perform NAT on UDP traffic only

I'm able to set protocols to udp or tcp, but not all. What I'd like is this:

    rule 35 {
        type: destination
        translation-type: static
        inbound-interface: eth0
        protocols: all
        source {
            network: 0.0.0.0/0
        }
        destination {
            address: 65.xx.xx.xx
            port-number 53
        }
        inside-address {
            address: 10.10.3.20
        }
    }

Interestingly, Vyatta accepts all for a source NAT rule:

    rule 39 {
        type: source
        translation-type: static
        outbound-interface: eth0
        protocols: all
        source {
            address: 10.10.3.20
        }
        destination {
            network: 0.0.0.0/0
        }
        outside-address {
            address: 65.xx.xx.xx
        }
    }

Any ideas? Thanks a bunch in advance.. I'm at a loss!

    [EMAIL PROTECTED] show version
    Version: VC2
    Built by: [EMAIL PROTECTED]
    Built on: 200702080056 -- Thu Feb 8 00:56:19 UTC 2007
Re: [Vyatta-users] Error: 102 Command failed TCP/UDP Protocol must be specified
Thanks, An-Cheng, you rock! Will set up two rules for now..

On Thu, 29 Nov 2007 11:07:37 -0800, An-Cheng Huang [EMAIL PROTECTED] wrote:

Hi Alain,

Currently, you'll have to enter 2 rules, one for TCP and the other for UDP. Also, there is already an enhancement request for exactly what you are asking for. See the following for details: https://bugzilla.vyatta.com/show_bug.cgi?id=1445

An-Cheng

Alain Kelder wrote:

Hi An-Cheng,

That explains it, thanks! Any suggestions how I could accomplish this? I'd like to allow both TCP and UDP requests on port 53... In other words, an equivalent to the below:

    rule 35 {
        type: destination
        translation-type: static
        inbound-interface: eth0
        protocols: all
        source {
            network: 0.0.0.0/0
        }
        destination {
            address: 65.xx.xx.xx
            port-number 53
        }
        inside-address {
            address: 10.10.3.20
        }
    }

thanks a million!

On Thu, 29 Nov 2007 10:54:39 -0800, An-Cheng Huang [EMAIL PROTECTED] wrote:

Hi Alain,

The reason that TCP/UDP is required for your rule 35 is that you specified port in that rule, which is only meaningful for TCP/UDP in this context. The SNAT rule 39 accepts protocols all because it doesn't have port. Hope this helps.

An-Cheng

Alain Kelder wrote:

Hello,

I'm trying to set protocols to all for a destination NAT rule, but Vyatta complains that it wants either TCP or UDP. However, in this awesome how-to, they did just that: http://www.openmaniak.com/vyatta_case6.php#ancre-configurations

Here's what I tried:

    [EMAIL PROTECTED] edit service nat rule 35
    [edit service/nat/rule/35]
    [EMAIL PROTECTED] set protocols all
    [edit service/nat/rule/35]
    [EMAIL PROTECTED] commit
    [edit service/nat/rule/35]
    Commit Failed
    102 Command failed
    TCP/UDP Protocol must be specified

What's weird is that 'tab' (auto-complete) shows all as an option:

    [EMAIL PROTECTED] set protocols
    `protocols' is ambiguous.
    Possible completions:
      [Enter]  Execute this command
      all      Perform NAT on all protocol traffic
      icmp     Perform NAT on ICMP traffic only
      tcp      Perform NAT on TCP traffic only
      udp      Perform NAT on UDP traffic only

I'm able to set protocols to udp or tcp, but not all. What I'd like is this:

    rule 35 {
        type: destination
        translation-type: static
        inbound-interface: eth0
        protocols: all
        source {
            network: 0.0.0.0/0
        }
        destination {
            address: 65.xx.xx.xx
            port-number 53
        }
        inside-address {
            address: 10.10.3.20
        }
    }

Interestingly, Vyatta accepts all for a source NAT rule:

    rule 39 {
        type: source
        translation-type: static
        outbound-interface: eth0
        protocols: all
        source {
            address: 10.10.3.20
        }
        destination {
            network: 0.0.0.0/0
        }
        outside-address {
            address: 65.xx.xx.xx
        }
    }

Any ideas? Thanks a bunch in advance.. I'm at a loss!

    [EMAIL PROTECTED] show version
    Version: VC2
    Built by: [EMAIL PROTECTED]
    Built on: 200702080056 -- Thu Feb 8 00:56:19 UTC 2007
Re: [Vyatta-users] Want to use Vyatta for our main BGP router - but what about traffic tracking?
Hello Dominic,

Out of the various tools I've tried, netacct-mysql is currently my favorite. It collects bandwidth data through libpcap and stores it in a MySQL DB. It comes with a PHP front end, but to me the real power is that it stores the stats in MySQL. Through SQL SELECT statements, I'm able to get all the stats I need. For instance:

    mysql> SELECT SUM((input+output)/1073741824) FROM traffic WHERE IP='10.10.2.122' AND time LIKE '2007-09%';

gives me the total (in+out) GBs of bandwidth used by 10.10.2.122 during Sept 07. I run it on the Xen host to keep track of the guest domain bandwidth usage, but it should run on the Vyatta box just as well (haven't tried yet, sorry).

The other thing I started playing with today is grabbing the data from the DB using PHP and feeding it to the chart PHP script from www.maani.us to get pretty graphs. I would love to know what you end up using!

Cheers,
-Alain.

http://sourceforge.net/projects/netacct-mysql/

Dominic Williams wrote:

Many thanks for your response. What we need to generate is a traffic graph for each IP that we serve, i.e. at 4.20.00pm some IP was using 7Mbps, at 4.20.15pm it was using 5.2Mbps, at 4.20.30pm it was using 6.3Mbps, and so on. We need this data to understand how sites (which run on IPs) behave and also to provision overall bandwidth and pass bandwidth costs on to clients. Is this possible and, for example, is anyone doing 95th percentile billing using a Vyatta router?

Best,
Dominic

-Original Message-
From: Holtz,Robert [EMAIL PROTECTED]
To: Dominic Williams [EMAIL PROTECTED]; [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 07/11/07 16:27
Subject: RE: [Vyatta-users] Want to use Vyatta for our main BGP router - but what about traffic tracking?

You can collect SNMP interface performance data anywhere along the path to the outside world, not just the router. There's quite a bit of flexibility. Examples:

- The web server itself
- Load balancer, if you have a bunch of web servers
- Ethernet switch(es)
- Router
- Etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dominic Williams
Sent: Wednesday, November 07, 2007 10:07 AM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] Want to use Vyatta for our main BGP router - but what about traffic tracking?

Hello all,

My company is very keen to try a Vyatta solution, as we are about to move our hosting rack to a BGP solution and a 7204VXR with 1GB seems inordinately expensive!! But... we need to be able to monitor and track bandwidth to each individual IP address that we serve. This is a crucial requirement, as it is for many people involved in web hosting. At the moment we just use Netflow exports from our Cisco router in conjunction with some tracking software... I know that Vyatta doesn't support Netflow, but somebody indicated on this list that you can get at these stats using SNMP. Is this really the case? Can you get at traffic flows for individual IPs that are being served through the router? I was under the impression SNMP was just of use for monitoring the status of a particular device / interface etc.??

Many thanks for any advice you can give.

Best,
Dominic

Dominic Williams
www.System7.com
www.Wyki.com
Better Digital Publishing
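An added example, not from the thread and not from netacct-mysql, of the arithmetic behind the per-IP graph and the 95th-percentile figure Dominic asks about: cumulative input/output byte counters sampled every 15 seconds are turned into rate samples, and the nearest-rank 95th percentile of those samples is what a burstable bill is based on. The counter table is constructed inline; the meaning of the input and output columns follows the query above, while the 32-bit counter width, the 15-second interval and the traffic pattern are my assumptions.

```python
"""Added example (not from the Vyatta thread or from netacct-mysql): turn
cumulative per-IP byte counters into rate samples and compute the
nearest-rank 95th percentile used for burstable billing.

Assumptions (mine): counters are read every 15 s, are 32 bits wide and so
wrap around, and the (input, output) pair means bytes in and bytes out for
one IP, as in the query above. The traffic pattern is constructed."""
from math import ceil

INTERVAL_S = 15
COUNTER_BITS = 32
COUNTER_MOD = 1 << COUNTER_BITS

# One interval at exactly 1 Mbit/s moves 1_875_000 bytes; split it 60/40
# between the input and output counters so every rate below is an integer.
IN_BYTES_PER_MBPS = 1_125_000
OUT_BYTES_PER_MBPS = 750_000

# Constructed rates, in Mbit/s, for 40 consecutive intervals (10 minutes):
# a 5 Mbit/s baseline with a few short bursts, the shape a hosted site shows.
RATES = [5] * 10 + [6, 7, 30] + [5] * 10 + [8, 50, 9] + [5] * 10 + [12, 6, 40, 7]


def build_samples(rates, start_in=COUNTER_MOD - 2_250_000, start_out=0):
    """Constructed counter readings that would produce `rates`; the input
    counter starts near its maximum so the first interval wraps."""
    rows, cur_in, cur_out = [(start_in, start_out)], start_in, start_out
    for k in rates:
        cur_in = (cur_in + k * IN_BYTES_PER_MBPS) % COUNTER_MOD
        cur_out = (cur_out + k * OUT_BYTES_PER_MBPS) % COUNTER_MOD
        rows.append((cur_in, cur_out))
    return rows


def counter_delta(prev, cur):
    """Bytes moved between two readings, correcting for one counter wrap."""
    d = cur - prev
    return d if d >= 0 else d + COUNTER_MOD


def rates_mbps(rows, interval_s=INTERVAL_S):
    """Rate samples (in+out, Mbit/s) from consecutive cumulative readings."""
    out = []
    for (pi, po), (ci, co) in zip(rows, rows[1:]):
        total = counter_delta(pi, ci) + counter_delta(po, co)
        out.append(total * 8 / interval_s / 1e6)
    return out


def percentile(values, pct):
    """Nearest-rank percentile: sort ascending, take the ceil(pct/100 * n)-th."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    return ordered[max(0, ceil(pct / 100 * len(ordered)) - 1)]


def billing_summary(rows=None):
    """Per-IP figures a 95th-percentile bill would be based on."""
    rows = build_samples(RATES) if rows is None else rows
    r = rates_mbps(rows)
    return {
        "samples": len(r),
        "mean_mbps": sum(r) / len(r),
        "max_mbps": max(r),
        "p95_mbps": percentile(r, 95),
    }


if __name__ == "__main__":
    for key, value in billing_summary().items():
        print(f"{key:10} {value}")
```

With the constructed pattern the two biggest bursts (50 and 40 Mbit/s) fall in the top 5% of samples and are discarded, so the billable figure is 30 Mbit/s against a peak of 50 and a mean of about 8. The wrap correction matters in practice because a 32-bit byte counter rolls over in under 35 seconds at 1 Gbit/s, and an uncorrected negative delta would show up as a large negative rate.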
Re: [Vyatta-users] Can't connect to SMTP Host
Hello David,

IMHO, this sounds more like a DNS problem than a routing problem. I would ensure that workstations resolve mail.domain.com to the internal IP rather than the external one. Typically, you'd just add the necessary entries in your DNS server, but if you're not running an internal DNS server on your network, then you can just add the entry to the hosts file on the workstations (C:\windows\system32\drivers\etc for Windows, /etc/hosts for Linux, etc.):

    10.10.30.xxx    mail.domain.com

Cheers,
-Alain.

David Marrow Jr wrote:

I created a NAT rule that forwards all traffic on port 25 from the external IP address of xx.xx.xx.xx to the internal IP address of 10.10.30.xxx on port 25. My problem is that all workstations on the internal network 10.10.30.X resolve mail.domain.com to port 25 on the external IP address. Using an external email client outside the network from a remote client works without issues. All the clients on the internal network have to be configured to connect to the server directly by using the internal IP address for that server in the SMTP settings on their client. Any suggestions?
Here is my running config file:

    protocols {
        static {
            disable: false
            route 0.0.0.0/0 {
                next-hop: XX.XX.XX.49
                metric: 1
            }
        }
    }
    policy {
    }
    interfaces {
        restore: false
        loopback lo {
            description:
            address 10.0.0.65 {
                prefix-length: 32
                disable: false
            }
        }
        ethernet eth0 {
            disable: false
            discard: false
            description:
            hw-id: 00:04:23:9f:42:30
            duplex: auto
            speed: auto
            address XX.XX.XX.50 {
                prefix-length: 29
                disable: false
            }
            address XX.XX.XX.51 {
                prefix-length: 29
                disable: false
            }
        }
        ethernet eth1 {
            disable: false
            discard: false
            description:
            hw-id: 00:04:23:9f:42:31
            duplex: auto
            speed: auto
            address 10.10.30.254 {
                prefix-length: 24
                disable: false
            }
        }
        ethernet eth2 {
            disable: true
            discard: false
            description:
            hw-id: 00:0d:61:30:b2:30
            duplex: auto
            speed: auto
        }
    }
    service {
        dhcp-server {
            shared-network-name lan1 {
                subnet 10.10.30.0/24 {
                    start 10.10.30.1 {
                        stop: 10.10.30.254
                    }
                    static-mapping btpwrk03 {
                        ip-address: 10.10.30.3
                        mac-address: 00:06:5B:2C:4A:DD
                    }
                    static-mapping btpwrk02 {
                        ip-address: 10.10.30.2
                        mac-address: 00:0C:76:9F:62:F1
                    }
                    static-mapping btpwrk04 {
                        ip-address: 10.10.30.4
                        mac-address: 00:08:74:f6:06:80
                    }
                    static-mapping btpwrk05 {
                        ip-address: 10.10.30.5
                        mac-address: 00:0c:29:0a:89:5b
                    }
                    static-mapping btpwrk01 {
                        ip-address: 10.10.30.1
                        mac-address: 00:d0:b7:13:ce:de
                    }
                    static-mapping btpsrv01 {
                        ip-address: 10.10.30.240
                        mac-address: 00:05:8D:F7:77:9D
                    }
                    static-mapping btpweb01 {
                        ip-address: 10.10.30.251
                        mac-address: 00:0C:29:B2:7F:2D
                    }
                    static-mapping btpweb02 {
                        ip-address: 10.10.30.252
                        mac-address: 00:0C:29:B2:7F:2D
                    }
                    static-mapping btpwrk00 {
                        ip-address: 10.10.30.100
                        mac-address: 00:15:C5:45:F2:85
                    }
                    client-prefix-length: 24
                    dns-server 65.17.91.254
                    dns-server 65.16.215.254
                    default-router: 10.10.30.254
                    lease: 86400
                    domain-name: internal.domain.local
                    authoritative: disable
                }
            }
        }
        nat {
            rule 1 {
                type: masquerade
                outbound-interface: eth0
                source {
                    network: XX.XX.XX.48/29
                }
            }