Hi Gene,
For the first part of your question, I assume that you already have NAT
working, and you just want to block incoming connections from the Internet and
allow the NATed connections (those from your internal network) to go out.
If that is the case, one solution is to allow "established" and "related"
(these refer to the TCP connection states) traffic coming in on the external
(Internet-facing) interface and drop any other incoming traffic. You can first
create a rule set similar to the following.
firewall {
name "from-external" {
rule 10 {
protocol: "tcp"
state {
established: "enable"
new: "disable"
related: "enable"
invalid: "disable"
}
action: "accept"
}
}
}
Note that each rule set by default drops packets that do not match any rules in
the set, so in this case, any packets that are not "established" or "related"
TCP traffic will be dropped.
Then you need to apply this rule set to the incoming traffic on the external
interface, say, "eth0", as follows.
interfaces {
ethernet eth0 {
...
firewall {
in {
name: "from-external"
}
}
}
}
Of course, the above example only provides the basic functionality, and you
will need to modify the rules according to your requirements.
An-Cheng
Gene Cooper wrote:
> I want to implement a simple NAT Internet firewall function, similar to
> $50 boxes purchased anywhere. I also want to firewall internal
> (192.168.x.0/24) networks from each other.
>
> I found that simply enabling NAT doesn't seem to block any traffic. I
> can ping internal network hosts from the external gateway with a (temp)
> route in place pointing to the VOFR. This surprised me as I always
> thought NAT would block (new) external traffic of itself.
>
> OK, so I need a firewall. Out of all the documentation, there are no
> Internet NAT firewall examples that look appropriate for this most
> common of applications. Am I missing something? If so, please point me
> in the right direction and I'll tuck my tail and leave quietly.
>
> Otherwise, can someone share their NAT Internet gateway/firewall
> configuration with me? I would be very, very thankful.
>
> As for firewalling the internal nets from each other, I came up with
> this, but not being a firewall expert makes me doubt whether this is
> acceptable (it seems to work with rudimentary testing). Can somebody
> tell me if this is acceptable or the wrong way to do this?
>
> Basically, it blocks traffic to various private address ranges and
> allows everything else. I applied this firewall to all the internal
> interfaces (in).
>
> [EMAIL PROTECTED] show firewall
> name "lan-to-lan" {
> description: "Block Internal LAN Interaction"
> rule 10 {
> description: "Block 192.168.x.x Networks"
> action: "reject"
> source {
> network: "192.168.0.0/16"
> }
> destination {
> network: "192.168.0.0/16"
> }
> }
> rule 20 {
> description: "Block 172.16.x.x Networks"
> action: "reject"
> source {
> network: "192.168.0.0/16"
> }
> destination {
> network: "172.16.0.0/12"
> }
> }
> rule 30 {
> description: "Block 10.x.x.x Networks"
> action: "reject"
> source {
> network: "192.168.0.0/16"
> }
> destination {
> network: "10.0.0.0/8"
> }
> }
> rule 40 {
> description: "Allow All Traffic Not Previously Blocked"
> action: "accept"
> source {
> network: "0.0.0.0/0"
> }
> destination {
> network: "0.0.0.0/0"
> }
> }
> }
>
> Thanks very much in advance for _any_ comments.
>
> G
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
