Hi Josh,
There is no firewall by default on Vyatta.
Your firewall rule does not prevent packets from "external" to your
Vyatta itself.
You can apply the firewall instance as in, out and local per interface.
You have used in, meaning that packets entering that interface will be
filtered by the firewall.
But you are scanning Vyatta's external IP address meaning that packets
are "sent to" the local instance.
So you should define a rule like:

set firewall name extlocal rule 10 action accept
set firewall name extlocal rule 10 protocol tcp
set firewall name extlocal rule 10 state new enable
set firewall name extlocal rule 10 state established enable
set firewall name extlocal rule 10 destination port-number 22

set interfaces ethernet eth0 firewall local name extlocal

Obviously this means that tcp port 22 will come as "open" because you
wanted to use ssh from the "external net".
Other traffic will be implicitly denied. So you won't be able to ping
from Vyatta itself say, google's ip addresses.
For that you need to add another rule allowing the returning echo reply
packet (unfortunately we cannot have state parameter for other protocols
than TCP with Vyatta VC3, there is a report on bugzilla for that,
https://bugzilla.vyatta.com/show_bug.cgi?id=2502):

set firewall name extlocal rule 20 action accept
set firewall name extlocal rule 20 protocol icmp
set firewall name extlocal rule 20 icmp type 0
set firewall name extlocal rule 20 icmp code 0

Also I assume that you will want to filter packets entering Vyatta's
external interface. You can use something like:

Say for Http/Https returning traffic:
set firewall name exttoint rule 10 action accept
set firewall name exttoint rule 10 protocol tcp
set firewall name exttoint rule 10 destination network "your internal network"
set firewall name exttoint rule 10 state established enable
set firewall name exttoint rule 10 state related enable
set firewall name exttoint rule 10 state invalid disable
set firewall name exttoint rule 10 source port-number 80
set firewall name exttoint rule 10 source port-number 443

For DNS returning traffic (unfortunately again we cannot have the state
parameter for other protocols than TCP with Vyatta VC3), this may vary
depending on your DNS design, if you are using DNS forwarders...:
set firewall name exttoint rule 14 action accept
set firewall name exttoint rule 14 source address "Your External DNS Server Address"
set firewall name exttoint rule 14 protocol udp
set firewall name exttoint rule 14 destination "your internal network or your internal DNS server address"
set firewall name exttoint rule 14 source port-number 53

set interfaces ethernet eth0 firewall in name exttoint

In the same way you can set an in firewall instance for your local
interface (obviously for tcp you will have to use the new parameter and
now the source ports become destination ports). And also for the local
instance of your local interface.
Since "the rest" of the traffic is denied you need to carefully create
your rules.
It will be better if you will use nmap to scan your Vyatta. There aren't
any "stealth ports". They are merely filtered.
Adrian

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
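A small model of the point Adrian's reply makes, added here as an illustration and not Vyatta's own code: packets arriving on eth0 are checked by the "in" instance only when forwarded, while packets addressed to the router's own IP are checked by the "local" instance, so an "in" instance alone leaves the router itself unfiltered. The router address, packets and rule objects are constructed, and the VC3 restriction that the state parameter only works for TCP is modelled by ignoring it for other protocols.

```python
from __future__ import annotations
from dataclasses import dataclass, field
ROUTER_EXT_IP = "198.51.100.1"  # constructed: Vyatta's own address on eth0

@dataclass
class Rule:
    action: str
    protocol: str | None = None
    dst_port: int | None = None
    src_port: int | None = None
    states: set = field(default_factory=set)  # e.g. {"new", "established"}
    icmp_type: int | None = None

@dataclass
class Packet:
    proto: str
    dst: str
    dst_port: int | None = None
    src_port: int | None = None
    state: str = "new"
    icmp_type: int | None = None

def matches(rule, pkt):
    if rule.protocol and rule.protocol != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    # VC3 limitation from the post: the state parameter only applies to TCP
    return not (rule.states and pkt.proto == "tcp" and pkt.state not in rule.states)

def evaluate(instance, pkt):
    """First matching rule decides; a bound instance drops everything else."""
    if instance is None:
        return "accept"  # nothing bound in this direction: no filtering at all
    for rule in instance:
        if matches(rule, pkt):
            return rule.action
    return "drop"

def ingress(eth0_fw, pkt):
    """Arriving on eth0: forwarded packets hit 'in', packets to the router 'local'."""
    direction = "local" if pkt.dst == ROUTER_EXT_IP else "in"
    return direction, evaluate(eth0_fw.get(direction), pkt)

# Constructed rule sets mirroring the post's extlocal rules 10 and 20 and exttoint rule 10
EXTLOCAL = [Rule("accept", "tcp", dst_port=22, states={"new", "established"}),
            Rule("accept", "icmp", icmp_type=0)]
EXTTOINT = [Rule("accept", "tcp", src_port=80, states={"established", "related"})]
```

With only `{"in": EXTTOINT}` bound, a scan of ROUTER_EXT_IP on any port is accepted; binding EXTLOCAL as the local instance leaves only port 22 and ICMP echo replies open.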
