Hi All, I already sent a message to this list on this subject, but I got no responses at all. I suspect I need to rephrase my question.
I have read _all_ of the documentation on firewalls in several different Vyatta documents. Though useful, the documentation is skeletal at best on the subject of firewalls. I have read _many_ of the list archives, as well.

I want to implement a simple NAT Internet firewall function, similar to $50 boxes purchased anywhere. I also want to firewall internal (192.168.x.0/24) networks from each other. I found that simply enabling NAT doesn't seem to block any traffic. I can ping internal network hosts from the external gateway with a (temp) route in place pointing to the VOFR. This surprised me as I always thought NAT would block (new) external traffic of itself. OK, so I need a firewall.

Out of all the documentation, there are no Internet NAT firewall examples that look appropriate for this most common of applications. Am I missing something? If so, please point me in the right direction and I'll tuck my tail and leave quietly. Otherwise, can someone share their NAT Internet gateway/firewall configuration with me? I would be very, very thankful.

As for firewalling the internal nets from each other, I came up with this, but not being a firewall expert makes me doubt whether this is acceptable (it seems to work with rudimentary testing). Can somebody tell me if this is acceptable or the wrong way to do this? Basically, it blocks traffic to various private address ranges and allows everything else. I applied this firewall to all the internal interfaces (in).
[EMAIL PROTECTED] show firewall name
"lan-to-lan" {
    description: "Block Internal LAN Interaction"
    rule 10 {
        description: "Block 192.168.x.x Networks"
        action: "reject"
        source {
            network: "192.168.0.0/16"
        }
        destination {
            network: "192.168.0.0/16"
        }
    }
    rule 20 {
        description: "Block 172.16.x.x Networks"
        action: "reject"
        source {
            network: "192.168.0.0/16"
        }
        destination {
            network: "172.16.0.0/12"
        }
    }
    rule 30 {
        description: "Block 10.x.x.x Networks"
        action: "reject"
        source {
            network: "192.168.0.0/16"
        }
        destination {
            network: "10.0.0.0/8"
        }
    }
    rule 40 {
        description: "Allow All Traffic Not Previously Blocked"
        action: "accept"
        source {
            network: "0.0.0.0/0"
        }
        destination {
            network: "0.0.0.0/0"
        }
    }
}

Thanks very much in advance for _any_ comments.

G

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
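The following is an added example, not part of the post above and not Vyatta code: a small Python model of rule evaluation with connection tracking that reproduces the poster's lan-to-lan set, shows why NAT alone (no filter) lets the external gateway's ping through, and shows how an established-only rule on the external interface's inbound direction passes replies while dropping unsolicited traffic. The Rule and Router classes, the packet tuples and the RFC 5737 addresses are all constructed for the illustration; the model ignores address translation and only checks state and source/destination networks.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                              # "accept", "reject" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    states: tuple = ("new", "established")   # connection states this rule matches
    def matches(self, pkt, state):
        src, dst, _proto = pkt
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and state in self.states)

class Router:   # constructed model of a connection tracker plus rule-set evaluation
    def __init__(self):
        self.flows = set()   # (src, dst, proto) of every flow this router has accepted
    def state_of(self, pkt):
        # "established" means the packet answers a flow already seen in the other direction
        src, dst, proto = pkt
        return "established" if (dst, src, proto) in self.flows else "new"
    def apply(self, rules, pkt):
        state = self.state_of(pkt)
        for rule in rules:
            if rule.matches(pkt, state):
                if rule.action == "accept":
                    self.flows.add(pkt)
                return rule.action
        return "drop"   # implicit default when no rule matches

# The poster's "lan-to-lan" set (applied "in" on the internal interfaces).
LAN_TO_LAN = [Rule("reject", "192.168.0.0/16", "192.168.0.0/16"),
              Rule("reject", "192.168.0.0/16", "172.16.0.0/12"),
              Rule("reject", "192.168.0.0/16", "10.0.0.0/8"),
              Rule("accept")]
NAT_ONLY = [Rule("accept")]   # NAT by itself filters nothing, so it behaves like accept-all
WAN_IN = [Rule("accept", states=("established",)),   # replies to flows the LAN started
          Rule("drop", states=("new",))]             # unsolicited inbound, e.g. the ping

def demo():
    # Packets are (src, dst, proto); addresses are constructed (RFC 5737) and shown pre-NAT.
    r = Router()
    out = {"lan_to_lan": r.apply(LAN_TO_LAN, ("192.168.1.5", "192.168.2.5", "icmp")),
           "lan_to_inet": r.apply(LAN_TO_LAN, ("192.168.1.5", "198.51.100.7", "icmp"))}
    out["nat_only_inbound"] = r.apply(NAT_ONLY, ("203.0.113.1", "192.168.1.10", "icmp"))
    out["wan_unsolicited"] = r.apply(WAN_IN, ("203.0.113.1", "192.168.1.10", "icmp"))
    out["wan_reply"] = r.apply(WAN_IN, ("198.51.100.7", "192.168.1.5", "icmp"))
    return out
```

Running demo() gives reject for the LAN-to-LAN packet, accept for LAN-to-Internet, accept for the unsolicited inbound ping under NAT_ONLY, drop for the same ping under WAN_IN, and accept for the reply to the flow the LAN host started.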