Your first problem is trying to use Vyatta as if it were a Linksys. Go do a little more reading on how to use a firewall such as PIX or other enterprise firewall and you will answer your own questions.
On Nov 10, 2007 5:51 PM, Gene Cooper <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I already sent a message to this list on this subject, but I got no responses at all. I suspect I need to rephrase my question.
>
> I have read _all_ of the documentation on firewalls in several different Vyatta documents. Though useful, the documentation is skeletal at best on the subject of firewalls. I have read _many_ of the list archives, as well.
>
> I want to implement a simple NAT Internet firewall function, similar to $50 boxes purchased anywhere. I also want to firewall internal (192.168.x.0/24) networks from each other.
>
> I found that simply enabling NAT doesn't seem to block any traffic. I can ping internal network hosts from the external gateway with a (temp) route in place pointing to the VOFR. This surprised me as I always thought NAT would block (new) external traffic of itself.
>
> OK, so I need a firewall. Out of all the documentation, there are no Internet NAT firewall examples that look appropriate for this most common of applications. Am I missing something? If so, please point me in the right direction and I'll tuck my tail and leave quietly.
>
> Otherwise, can someone share their NAT Internet gateway/firewall configuration with me? I would be very, very thankful.
>
> As for firewalling the internal nets from each other, I came up with this, but not being a firewall expert makes me doubt whether this is acceptable (it seems to work with rudimentary testing). Can somebody tell me if this is acceptable or the wrong way to do this?
>
> Basically, it blocks traffic to various private address ranges and allows everything else. I applied this firewall to all the internal interfaces (in).
>
> [EMAIL PROTECTED] show firewall
> name "lan-to-lan" {
>     description: "Block Internal LAN Interaction"
>     rule 10 {
>         description: "Block 192.168.x.x Networks"
>         action: "reject"
>         source {
>             network: "192.168.0.0/16"
>         }
>         destination {
>             network: "192.168.0.0/16"
>         }
>     }
>     rule 20 {
>         description: "Block 172.16.x.x Networks"
>         action: "reject"
>         source {
>             network: "192.168.0.0/16"
>         }
>         destination {
>             network: "172.16.0.0/12"
>         }
>     }
>     rule 30 {
>         description: "Block 10.x.x.x Networks"
>         action: "reject"
>         source {
>             network: "192.168.0.0/16"
>         }
>         destination {
>             network: "10.0.0.0/8"
>         }
>     }
>     rule 40 {
>         description: "Allow All Traffic Not Previously Blocked"
>         action: "accept"
>         source {
>             network: "0.0.0.0/0"
>         }
>         destination {
>             network: "0.0.0.0/0"
>         }
>     }
> }
>
> Thanks very much in advance for _any_ comments.
>
> G
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>

--
No one can build his security upon the nobleness of another person.
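As an added example, not part of this thread or of Vyatta's own code, here is a small first-match model of the quoted "lan-to-lan" rule set in Python. It assumes Vyatta evaluates rules in ascending number order and applies the first matching rule's action, and it runs a few constructed flows through the rules so you can see which rule each flow hits and which flows fall through to the catch-all rule 40.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "accept" or "reject", as in the quoted config
    source: str        # CIDR network
    destination: str   # CIDR network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


# The four rules from the quoted "lan-to-lan" firewall, in Vyatta's numbering.
LAN_TO_LAN = [
    Rule(10, "reject", "192.168.0.0/16", "192.168.0.0/16"),
    Rule(20, "reject", "192.168.0.0/16", "172.16.0.0/12"),
    Rule(30, "reject", "192.168.0.0/16", "10.0.0.0/8"),
    Rule(40, "accept", "0.0.0.0/0", "0.0.0.0/0"),
]


def evaluate(rules, src, dst, default="drop"):
    """First-match evaluation (assumption about Vyatta semantics): rules are
    checked in ascending number order and the first match decides. `default`
    models the implicit policy when no rule matches; with rule 40 present it
    is never reached."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            return rule.number, rule.action
    return None, default


# Constructed sample flows, as seen inbound ("in") on an internal interface.
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.2.20"),  # LAN to LAN: rule 10 rejects
    ("192.168.1.10", "10.0.0.5"),      # LAN to 10/8: rule 30 rejects
    ("192.168.1.10", "203.0.113.9"),   # LAN to Internet: rule 40 accepts
    ("10.0.0.5", "192.168.1.10"),      # source not in 192.168/16: rules 10-30 never match
]


def audit(rules=LAN_TO_LAN, flows=SAMPLE_FLOWS):
    """Map each flow to (rule_number, action) so a reviewer can see which rule
    decides it; anything landing on rule 40 deserves a second look."""
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    for (src, dst), (num, action) in audit().items():
        print(f"{src:>14} -> {dst:<14} rule {num}: {action}")
```

The fourth flow shows that the rule set only constrains sources inside 192.168/16: it is fine while every internal subnet is 192.168.x.0/24, but any internal subnet later numbered from 10/8 or 172.16/12 would fall through to rule 40 and be accepted.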