An-Cheng Huang wrote:
> Hi Rob,
> 
> Each firewall rule set has an "implicit" default drop rule at the end. 
> As a result, for the public_port_forwarding rule set, any packets not 
> matching rules 10 and 20 (i.e., non-PPTP packets) are dropped by the 
> default drop rule. So the problem is probably that the returning packets 
> of the SNATed outgoing connections are also dropped this way.
> 
> You might want to try adding something like the following to the rule 
> set to allow the returning SNATed traffic.
> 
>  rule 30 {
>    protocol: "tcp"
>    state {
>      established: "enable"
>      new: "disable"
>      related: "enable"
>      invalid: "disable"
>    }
>    action: "accept"
>  }
> 
> You can also add more restrictions to match the SNAT rules, for example.
> 

Thank you An-Cheng.

The documentation is weak for the "state" keywords. I see now that these
keywords are for matching traffic. Thanks.

However, it will only permit me to set state attributes of a rule if it is TCP
only. What happens to UDP, ICMP and GRE traffic? I will however test out your
comments above and report back.

Thanks very much, and kindest regards

Rob

-- 
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
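A small simulation of the behaviour discussed in this thread (an added example, not Vyatta's code and not from either poster): a toy connection tracker with netfilter-style new/established/related/invalid semantics, an inbound rule set with rules 10 and 20 accepting only PPTP (TCP/1723 and GRE) followed by the implicit default drop, and reply packets for outbound TCP, UDP and ICMP flows that were SNATed to the firewall's public address. It evaluates the rule set three times: with no state rule, with a TCP-only rule 30 as suggested above, and with a rule 30 that matches every protocol. The addresses, the exact rule matches, and the conntrack model itself are assumptions of the example, chosen to mirror how a Linux connection tracker classifies packets.

```python
"""Toy conntrack + stateful rule set (added example; not Vyatta code).

Assumed netfilter-style semantics: first packet of a flow is "new"; later
packets of a known flow, in either direction, are "established"; an ICMP
error quoting a known flow is "related"; a non-SYN TCP packet for no known
flow is "invalid". UDP and ICMP echo are tracked the same way although
they have no handshake. Addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Optional

INSIDE = "192.168.1.10"    # LAN host (hypothetical)
PUBLIC = "203.0.113.5"     # firewall WAN address used for SNAT (hypothetical)
OUTSIDE = "198.51.100.7"   # Internet host (hypothetical)


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp", "icmp", "gre"
    src: str
    dst: str
    sport: int = 0            # icmp echo: identifier in both port slots; gre: unused
    dport: int = 0
    syn: bool = False         # tcp only: True for a bare SYN
    icmp_type: str = ""       # "echo-request", "echo-reply", "dest-unreach"
    embedded: Optional["Packet"] = None   # ICMP error: the packet quoted inside


def tuple_of(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_of(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class ConnTracker:
    def __init__(self):
        self.table = set()    # original-direction and reply-direction tuples

    def classify(self, p, snat_src=None):
        """Return the packet's state; record new flows with their SNATed reply tuple."""
        if tuple_of(p) in self.table:
            return "established"
        if p.proto == "icmp" and p.icmp_type == "dest-unreach":
            # Like netfilter: look up the inverse of the packet quoted in the error.
            emb = p.embedded
            return "related" if emb and reverse_of(emb) in self.table else "invalid"
        if p.proto == "tcp" and not p.syn:
            return "invalid"  # mid-stream TCP segment for no known connection
        if p.proto == "icmp" and p.icmp_type == "echo-reply":
            return "invalid"  # reply without a tracked request
        reply_dst = snat_src or p.src  # after SNAT, replies come back to the public address
        self.table.add(tuple_of(p))
        self.table.add((p.proto, p.dst, p.dport, reply_dst, p.sport))
        return "new"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    protocol: str = "all"              # "all" matches every protocol
    dport: Optional[int] = None
    states: frozenset = frozenset()    # empty: match regardless of state


def evaluate(rules, p, state):
    """First matching rule wins; an unmatched packet hits the implicit default drop."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "all" and r.protocol != p.proto:
            continue
        if r.dport is not None and r.dport != p.dport:
            continue
        if r.states and state not in r.states:
            continue
        return r.action, r.number
    return "drop", None


def run_scenario(state_rule_proto):
    """Rules 10/20 plus optional rule 30 (established/related) for protocol
    "tcp" or "all"; None omits rule 30. Returns [(label, state, action, rule)]."""
    ct = ConnTracker()
    rules = [Rule(10, "accept", "tcp", dport=1723), Rule(20, "accept", "gre")]
    if state_rule_proto:
        rules.append(Rule(30, "accept", state_rule_proto,
                          states=frozenset({"established", "related"})))
    # Outbound LAN flows, SNATed to PUBLIC on the way out (outbound rule set not modelled).
    for out in (Packet("tcp", INSIDE, OUTSIDE, 40000, 443, syn=True),
                Packet("udp", INSIDE, OUTSIDE, 50000, 53),
                Packet("icmp", INSIDE, OUTSIDE, 7, 7, icmp_type="echo-request")):
        ct.classify(out, snat_src=PUBLIC)
    # Constructed WAN-side packets arriving at the inbound rule set.
    wan = [
        ("tcp reply (SYN/ACK)", Packet("tcp", OUTSIDE, PUBLIC, 443, 40000)),
        ("udp reply", Packet("udp", OUTSIDE, PUBLIC, 53, 50000)),
        ("icmp echo-reply", Packet("icmp", OUTSIDE, PUBLIC, 7, 7, icmp_type="echo-reply")),
        ("icmp error for tcp flow", Packet("icmp", OUTSIDE, PUBLIC, icmp_type="dest-unreach",
                                           embedded=Packet("tcp", PUBLIC, OUTSIDE, 40000, 443))),
        ("pptp control SYN", Packet("tcp", OUTSIDE, PUBLIC, 1234, 1723, syn=True)),
        ("unsolicited SYN to 22", Packet("tcp", OUTSIDE, PUBLIC, 1234, 22, syn=True)),
        ("stray tcp ACK", Packet("tcp", OUTSIDE, PUBLIC, 9999, 8080)),
    ]
    results = []
    for label, p in wan:
        state = ct.classify(p)
        action, num = evaluate(rules, p, state)
        results.append((label, state, action, num))
    return results


if __name__ == "__main__":
    for variant in (None, "tcp", "all"):
        print(f"--- rule 30: {variant or 'absent'}")
        for label, state, action, num in run_scenario(variant):
            print(f"{label:26} {state:12} {action:7} rule {num}")
```

With no state rule every reply to an outbound connection is dropped by the default drop, which is the failure described above. A TCP-only rule 30 rescues the TCP reply but still drops the UDP reply, the ICMP echo reply and the ICMP error, which is the gap behind the question about UDP, ICMP and GRE. A rule 30 that matches all protocols admits only traffic belonging to a tracked flow, while an unsolicited SYN and a stray ACK still fall through to the default drop. Whether a given Vyatta release allows state matches on non-TCP rules is the open question in the thread; the model only shows what such a rule has to do.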
