Re: [Vyatta-users] Firewall

2008-04-01 Thread John Mason Jr
It is not normally recommended to open port 135 to the Internet.
If you need Outlook -> Exchange connectivity, either use a VPN or RPC
over HTTPS.

John


Tyrone Miles wrote:
> Does anyone have easy directions to allow Exchange (Outlook port 135)
> through my Vyatta router?
> 
> I need traffic to go both ways, in and out of my network.
> 
> Thanks everyone. :-)
> 
> -- 
> The Geek Patrol.
> Providing e-Business solutions to small businesses.
> Visit us at: http://www.gpatrol.com
> Contact us at: [EMAIL PROTECTED] 
> (800)385-4615
> (240)793-7959
> 
> 
> 
> 
> ___
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users




Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread John Mason Jr
Or if the network is very small or doesn't have internal DNS, the hosts file
works as well.

I found a link that is interesting but don't have time to experiment.

<http://www.gurulabs.com/goodies/routeronastick.php>

John

Aubrey Wells wrote:
> It's been a while since I researched it, but I think there was
> something about the way netfilter_conntrack tracks the NAT sessions
> that prevents the hairpin nat from working. I never figured out a way
> around it and no one on Google was helpful either.
> 
> The usual solution is to put a DNS entry in your internal DNS server
> to point the domain name to the internal IP of the web site.
> 
> --
> Aubrey Wells
> Senior Engineer
> Shelton | Johns Technology Group
> A Vyatta Ready Partner
> www.sheltonjohns.com
> 
> 
> 
> 
> 
> On Jan 29, 2008, at 10:21 PM, Nathan McBride wrote:
> 
>> Can't I do another nat rule?
>>
>> On Tue, 2008-01-29 at 22:25 -0500, Aubrey Wells wrote:
>>> It sounds like you're a victim of hairpin natting. Very frustrating.
>>> Iptables doesn't do it (that I know of.) I first encountered this on a
>>> PIX firewall years ago and thought it was an absurd limitation (then I
>>> found out my beloved Linux couldn't do it either and was crushed).
>>> Cisco fixed it in v7 of the PIX software IIRC but iptables still can't
>>> do it.
>>>
>>> --
>>> Aubrey Wells
>>> Senior Engineer
>>> Shelton | Johns Technology Group
>>> A Vyatta Ready Partner
>>> www.sheltonjohns.com
>>>
>>>
>>>
>>>
>>>
>>> On Jan 29, 2008, at 10:05 PM, Nathan McBride wrote:
>>>
>>>> John just told me he can get to the page too.
>>>> From inside the LAN I am going to a browser and typing
>>>> www.nombyte.com.  And it doesn't work?
>>>>
>>>> Nate
>>>>
>>>> On Tue, 2008-01-29 at 22:08 -0500, Aubrey Wells wrote:
>>>>> *shrug* same here
>>>>>
>>>>> Are you trying to hit the natted address from inside the LAN that is
>>>>> being natted to? Hairpin NAT doesn't work in iptables...
>>>>>
>>>>> --
>>>>> Aubrey Wells
>>>>> Senior Engineer
>>>>> Shelton | Johns Technology Group
>>>>> A Vyatta Ready Partner
>>>>> www.sheltonjohns.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Jan 29, 2008, at 10:06 PM, John Mason Jr wrote:
>>>>>
>>>>>> I just connected and see the Apache 2 test page running on CentOS
>>>>>>
>>>>>> John
>>>>>>
>>>>>>
>>>>>>
>>>>>> Nathan McBride wrote:
>>>>>>> First off I appreciate help from everyone, this is a nice change to
>>>>>>> some mailing lists I'm used to.  Unfortunately, I am still having the
>>>>>>> same problem.  I'm giving out real information, probably shouldn't,
>>>>>>> but that's how frustrated I am.  I just get an unable to connect
>>>>>>> error.  The firewalls are fine I promise.  I can see the page on
>>>>>>> 192.168.0.105 from inside the LAN, and I can see and use the webgui
>>>>>>> of the router just fine.  Although I did disable it of course since I
>>>>>>> want the port forwarded.  In the ssh example sent to me which is
>>>>>>> below, I notice that the addresses are just numbers where mine have
>>>>>>> "" around them.  Does this matter?  Can anyone please give any
>>>>>>> suggestions?
>>>>>>>
>>>>>>> Thanks a lot,
>>>>>>> Nate
>>>>>>>
>>>>>>> My domain is:
>>>>>>> www.nombyte.com
>>>>>>>
>>>>>>> The IP is:
>>>>>>> 71.62.193.105
>>>>>>>
>>>>>>> Full Nat is:
>>>>>>>
>>>

Re: [Vyatta-users] [Fwd: Re: Starting to get really frustrated... GRRR :D]

2008-01-29 Thread John Mason Jr
I just connected and see the Apache 2 test page running on CentOS

John



Nathan McBride wrote:
> First off I appreciate help from everyone, this is a nice change to some
> mailing lists I'm used to.  Unfortunately, I am still having the same
> problem.  I'm giving out real information, probably shouldn't, but
> that's how frustrated I am.  I just get an unable to connect error.  The
> firewalls are fine I promise.  I can see the page on 192.168.0.105 from
> inside the LAN, and I can see and use the webgui of the router just
> fine.  Although I did disable it of course since I want the port forwarded.
> In the ssh example sent to me which is below, I notice that the addresses
> are just numbers where mine have "" around them.  Does this matter?  Can
> anyone please give any suggestions?
> 
> Thanks a lot,
> Nate
> 
> My domain is: 
> www.nombyte.com
> 
> The IP is: 
> 71.62.193.105
> 
> Full Nat is:
> 
> nat {
>     rule 1 {
>         type: "destination"
>         inbound-interface: "eth0"
>         protocols: "tcp"
>         source {
>             network: "0.0.0.0/0"
>         }
>         destination {
>             address: "71.62.193.105"
>             port-name http
>         }
>         inside-address {
>             address: 192.168.0.105
>         }
>     }
>     rule 2 {
>         type: "masquerade"
>         outbound-interface: "eth0"
>         protocols: "all"
>         source {
>             network: "192.168.0.0/24"
>         }
>         destination {
>             network: "0.0.0.0/0"
>         }
>     }
>     rule 3 {
>         type: "masquerade"
>         outbound-interface: "eth0"
>         protocols: "all"
>         source {
>             network: "192.168.1.0/24"
>         }
>         destination {
>             network: "0.0.0.0/0"
>         }
>     }
> 
> 
> 
> 
> On Tue, 2008-01-29 at 08:08 -0800, Justin Fletcher wrote:
>> Here's what I use to port-forward ssh; just adjust for address (where
>> destination address is the public IP) and change it to http.
>>
>> rule 2 {
>>     type: "destination"
>>     inbound-interface: "eth0"
>>     protocols: "tcp"
>>     source {
>>         network: 0.0.0.0/0
>>     }
>>     destination {
>>         address: 1.2.3.4
>>         port-name ssh
>>     }
>>     inside-address {
>>         address: 10.0.0.30
>>     }
>> }
>>
>> Best,
>> Justin
>>
>> On Jan 29, 2008 7:46 AM, Nathan McBride <[EMAIL PROTECTED]> wrote:
>>> Can someone please help me get this worked out?
>>> Nate
>>>
>>>
>>>> Ok these are my nat rules now, I didn't see a command to change the rule
>>>> numbers so I just redid them all by hand.  It still doesn't work.
>>>>
>>>> rule 1 {
>>>>     type: "destination"
>>>>     inbound-interface: "eth0"
>>>>     protocols: "tcp"
>>>>     destination {
>>>>         address: "71.62.193.105"
>>>>         port-name http
>>>>     }
>>>>     inside-address {
>>>>         address: 192.168.0.105
>>>>     }
>>>> }
>>>> rule 2 {
>>>>     type: "masquerade"
>>>>     outbound-interface: "eth0"
>>>>     protocols: "all"
>>>>     source {
>>>>         network: "192.168.0.0/24"
>>>>     }
>>>>     destination {
>>>>         network: "0.0.0.0/0"
>>>>     }
>>>> }
>>>> rule 3 {
>>>>     type: "masquerade"
>>>>     outbound-interface: "eth0"
>>>>     protocols: "all"
>>>>     source {
>>>>         network: "192.168.1.0/24"
>>>>     }
>>>>     destination {
>>>>         network: "0.0.0.0/0"
>>>>     }
>>>> }
>>>>
>>>> Nate
>>>>
>>>> On Mon, 2008-01-28 at 21:39 -0800, An-Cheng Huang wrote:
>>>>> Hi Nate,
>>>>>
>>>>> The "inside-address" is the internal (private) IP address of
>>>>> your Web server, which in your case is 192.168.0.105. The "destination
>>>>> address" should actually be the public IP address that outside clients
>>>>> will use to access your server, so usually this is the public IP address
>>>>> of your router.
>>>>> An-Cheng
>>>>>
>>>>> Nathan McBride wrote:
>>>>>> I went and looked at the old docs.  I thought I set them up correctly
>>>>>> but apparently I didn't.  All I'm trying to do is to get people on the
>>>>>> internet to view the website on my comp (192.168.0.105).  The only
>>>>>> difference that I noticed when I tried to commit the example in the old
>>>>>> docs was that vc3 requires an 'inside-address'.  Could someone please
>>>>>> help me correct this to get it working?
>>>>>>
>>>>>> rule 3 {
>>>>>>     type: "destination"
>>>>>>     inbound-interface: "eth0"
>>>>>>     protocols: "tcp"
>>>>>> 
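A small sanity check for the destination-NAT rule discussed in this thread, added here as an illustration; it is not code from Vyatta or from anyone on the list. It parses the brace-style excerpt as posted (the sample below is constructed from the rules shown above), strips the double quotes Nate asked about so that quoted and unquoted values compare equal, and then applies the field roles An-Cheng described: `inside-address` must be the private server address, the `destination` address must be the public one, and the rule should be limited to a port rather than forwarding the whole host. The parser is a hypothetical minimal one for this excerpt format only, not Vyatta's own configuration grammar.

```python
import ipaddress

# Constructed sample: the destination-NAT and masquerade rules as posted in
# the thread, reproducing its mix of quoted and unquoted values.
SAMPLE_CONFIG = """\
nat {
    rule 1 {
        type: "destination"
        inbound-interface: "eth0"
        protocols: "tcp"
        source {
            network: "0.0.0.0/0"
        }
        destination {
            address: "71.62.193.105"
            port-name http
        }
        inside-address {
            address: 192.168.0.105
        }
    }
    rule 2 {
        type: "masquerade"
        outbound-interface: "eth0"
        protocols: "all"
        source {
            network: "192.168.0.0/24"
        }
    }
}
"""


def parse_config(text):
    """Parse the brace-delimited excerpt into nested dicts.

    Hypothetical minimal parser for this excerpt format only: a line ending
    in '{' opens a node, '}' closes it, anything else is a leaf written as
    'key: value' or 'key value'.  Surrounding double quotes are stripped
    from values, so "eth0" and eth0 parse to the same string.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            sep = ":" if ":" in line else " "
            key, _, value = line.partition(sep)
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def _as_ip(value):
    """Return an ip_address object, or None if the value is not an address."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_destination_rule(rule):
    """Return a list of problems with a destination-NAT rule (empty if sane).

    Encodes the field roles explained in the thread: inside-address is the
    private address of the server, destination address is the public address
    clients connect to, and the rule should be restricted to a port.
    """
    if rule.get("type") != "destination":
        return ["not a destination rule"]
    problems = []
    if not rule.get("inbound-interface"):
        problems.append("missing inbound-interface")
    dest = rule.get("destination", {})
    inside = rule.get("inside-address", {})

    pub = _as_ip(dest.get("address", ""))
    if pub is None:
        problems.append("destination address missing or invalid (should be the public IP)")
    elif pub.is_private:
        problems.append(f"destination address {pub} is private; expected the public IP")

    priv = _as_ip(inside.get("address", ""))
    if priv is None:
        problems.append("inside-address missing or invalid (vc3 requires it)")
    elif not priv.is_private:
        problems.append(f"inside-address {priv} is not a private address")

    if "port-name" not in dest and "port" not in dest:
        problems.append("no destination port: every TCP port would be forwarded")
    return problems


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Quoted and unquoted spellings of the same rule parse identically.
    print("quotes irrelevant:", parse_config(SAMPLE_CONFIG.replace('"', "")) == cfg)
    for name, rule in cfg["nat"].items():
        print(name, check_destination_rule(rule) or "ok")
```

Run as a script it reports that the quoted and unquoted forms are the same rule and that `rule 1` passes; swapping the public and private addresses, or dropping `port-name`, produces a specific complaint instead.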

Re: [Vyatta-users] SOLVED: FIREWALL question: How can I "stealth" tcpports

2007-12-21 Thread John Mason Jr
I'll throw my $.02 in here

Examples of how to accomplish common configurations are very important,
with graphics where possible to allow a Vyatta beginner to easily select
an appropriate config.


I would add info on some of the tasks Vyatta doesn't do out of the box,
like antivirus, web content inspection, that kind of thing.


Also I would put links in the documentation where it makes sense to
basic sources on networking, firewalls and other topics, so folks can
help themselves learn.



John




Lindsay Burrell wrote:
> Hi, Josh--
> 
> I think you speak for other users about the firewall documentation--we get
> lots of questions about firewall and NAT, and that tells me that the
> documentation needs to be strengthened, or made easier, or made richer, or
> made simpler, or made more relevant.
> 
> Dave Roberts has offered me some suggestions for making this kind of
> documentation easier for folks to approach. I've re-written the Quick Start
> Guide for one of the upcoming releases along the lines of his suggestions,
> and I'm hoping the result is something that will be more helpful.
> 
> If you don't mind, I'll keep your e-mail aside. When we feel the new guide
> is ready to "try out," perhaps I'll ask you to take a sneak preview of it
> and see what you think. I'd like to know whether, if you had seen this
> documentation first, it would have worked for you and allowed you to get on
> with doing what you wanted to do.
> 
> Please let me know if you'd be willing to take a look. :-)
> 
> (You can reply to me directly if you like.)
> 
> So thank you for bothering to give us your comments. I'll try to use
> them to make good improvements. 
> 
> --I do recognize how important the security features are (and yet how
> complex), and how critical it is to present the right information, in just
> the right amount, in the right form, so that folks can get done the things
> they want to get done and not be faced with a forest of information they
> don't need.
> 
> Lindsay
> 
> 
> Lindsay Burrell
> Technical Writer
> Vyatta, Inc.
> 



[Vyatta-users] Upgrading an existing installation

2007-11-28 Thread John Mason Jr
I have a Vyatta router v 1.03  that I would like to upgrade to the
current version 3.

To test I did an init-floppy to write the config file to floppy, and
then rebooted with v 3 live CD.

The existing config is not being accepted, and attempts to login as any
user other than root fail.


Am I missing something?


John



[Vyatta-users] Bridging question

2007-09-03 Thread John Mason Jr
I looked for a FAQ covering bridging but was unable to find one.

I am looking to use Vyatta as a filtering bridge between a host on the
network and the rest of the network, only allowing required traffic to pass.

Currently hardware includes 2 Ethernet adapters eth0 & eth1

In my first attempt I

set the host name
set domain name
set static host mapping to host-name
set ip address on eth0
enabled web and ssh

I was able to login to web interface, and created br0

As soon as I added eth0 & eth1 to the bridge group, Vyatta was no longer
accessible via the network.


Do I need to add a third interface to manage the bridge?


Can someone point me in the right direction? I'd be happy to RTFM if I
could find the relevant docs.


John





