Hi Josh,

Guess what, all that info and much more is documented now here (Community Documentation): http://www.vyatta.com/twiki/bin/view/Community/CommunityDocumentation More exactly within the article "How to Create a VPN Site-to-Site IPsec Tunnel Mode Connection Between a Vyatta OFR and an ISA 2006 Firewall" (http://www.carbonwind.net/ISA/VyattaVPN/VyattaVPN.htm).

Regarding your question about setting an "IN" firewall instance on your internal eth1 interface, I would say yes: if you want security you should enable Vyatta to perform stateful inspection. And yes, if you only allow HTTP the rest is implicitly denied (normal behaviour of a firewall).

Also I would say that you should create an "IN" firewall instance on your external eth0 interface. Your "Local" firewall instance on your external eth0 interface does not stop packets entering that interface destined to your internal network (NAT also does not help here). If we play a little game with nmap and send some packets with the destination the IP address of a host behind Vyatta to the eth0 interface (simply telling the host on which we run nmap that the respective IP address is accessible through Vyatta's external IP address by adding a route), and you monitor that internal host with Wireshark, you will see the packets sent by nmap reaching it.

This "IN" firewall instance should allow the returning traffic. For example, you need to allow HTTP traffic:

    set firewall name exttoint rule 10 action accept
    set firewall name exttoint rule 10 protocol tcp
    set firewall name exttoint rule 10 destination network "your internal network"
    set firewall name exttoint rule 10 state established enable
    set firewall name exttoint rule 10 state related enable
    set firewall name exttoint rule 10 state invalid disable
    set firewall name exttoint rule 10 source port-number 80

As said before, by adding this rule all other traffic entering this interface will be implicitly denied. So you need to add rules for returning DNS traffic...

Try not to confuse the "IN" and "Local" firewall instances. The "IN" firewall instance addresses traffic entering the interface and the "Local" firewall instance addresses traffic destined to Vyatta itself on that interface (although this traffic is "entering" the interface, the two instances do not overlap, or at least I did not notice that). If you want to gain more security you can set up an "OUT" firewall instance too. For example, HTTP traffic is entering interface eth1 and exits on interface eth0.

About the nightmare, I think you want a wizard which would create all these for you automatically in the background, say allowing HTTP from Internal to External. Allowing everything from Internal to External is easy but not secure.

Best,
Adrian
_______________________________________________ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
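The following is an added illustration, not code from the mail, from Vyatta or from the carbonwind.net article: a small Python model of which per-interface instance ("in", "local", "out") a packet meets on a Vyatta box, with a minimal connection table so that the exttoint rule quoted above can be exercised. It replays the nmap trick from the mail (an outside host routing the internal network via Vyatta's external address) once with only a "Local" instance on eth0 and once with an "IN" instance added, and then an HTTP request and its reply. All addresses, the instance names inttoext and ext-local, and the simplified conntrack (no "related" tracking) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One 'set firewall name <X> rule <N> ...' entry, reduced to the knobs used here."""
    action: str = "accept"
    protocol: Optional[str] = None
    dst_net: Optional[str] = None                 # 'destination network'
    sport: Optional[int] = None                   # 'source port-number'
    dport: Optional[int] = None                   # 'destination port-number'
    states: frozenset = frozenset({"new", "established"})   # 'state <s> enable'

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.protocol is None or pkt.proto == self.protocol)
                and (self.dst_net is None
                     or ip_address(pkt.dst) in ip_network(self.dst_net))
                and (self.sport is None or pkt.sport == self.sport)
                and (self.dport is None or pkt.dport == self.dport)
                and state in self.states)


@dataclass
class Instance:
    """A named instance: first matching rule wins, no match means implicit drop."""
    name: str
    rules: list

    def decide(self, pkt: Packet, state: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, state):
                return rule.action
        return "drop"


@dataclass
class Router:
    own_ips: set
    routes: list                                  # (network, egress iface), most specific first
    in_: dict = field(default_factory=dict)       # iface -> Instance assigned as 'firewall in'
    local: dict = field(default_factory=dict)     # iface -> Instance assigned as 'firewall local'
    out: dict = field(default_factory=dict)       # iface -> Instance assigned as 'firewall out'
    conntrack: set = field(default_factory=set)   # accepted 5-tuples; 'related' is not modelled

    def _state(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def _egress(self, dst: str) -> str:
        for net, iface in self.routes:
            if ip_address(dst) in ip_network(net):
                return iface
        raise ValueError(f"no route to {dst}")

    def receive(self, pkt: Packet, ingress: str) -> tuple:
        """Return (verdict, deciding instance) for a packet arriving on `ingress`.
        Traffic for the router itself only meets the ingress 'local' instance;
        forwarded traffic meets the ingress 'in' and the egress 'out' instance."""
        state = self._state(pkt)
        if pkt.dst in self.own_ips:
            chain = [self.local.get(ingress)]
        else:
            chain = [self.in_.get(ingress), self.out.get(self._egress(pkt.dst))]
        last = "unfiltered"                       # no instance assigned on this path
        for inst in chain:
            if inst is None:
                continue
            last = inst.name
            if inst.decide(pkt, state) != "accept":
                return "drop", inst.name
        if state == "new":
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "accept", last


INTERNAL = "192.168.1.0/24"                       # constructed addresses throughout

# The mail's exttoint rule 10: returning HTTP only (established, source port 80).
exttoint = Instance("exttoint", [Rule(protocol="tcp", dst_net=INTERNAL, sport=80,
                                      states=frozenset({"established"}))])
# Assumed "IN" instance on eth1: internal hosts may open HTTP to anywhere.
inttoext = Instance("inttoext", [Rule(protocol="tcp", dport=80)])
# Assumed "Local" instance on eth0 with no rules: nothing may talk to Vyatta itself.
ext_local = Instance("ext-local", [])


def build_router(with_in_on_eth0: bool) -> Router:
    r = Router(own_ips={"203.0.113.1", "192.168.1.1"},
               routes=[(INTERNAL, "eth1"), ("0.0.0.0/0", "eth0")])
    r.local["eth0"] = ext_local
    r.in_["eth1"] = inttoext
    if with_in_on_eth0:
        r.in_["eth0"] = exttoint
    return r


def nmap_probe(router: Router) -> tuple:
    """The mail's trick: the outside host routes 192.168.1.0/24 via Vyatta's
    external address, so its probe arrives on eth0 addressed to an inside host."""
    return router.receive(Packet("tcp", "198.51.100.9", 40000, "192.168.1.10", 445), "eth0")


def ssh_to_router(router: Router) -> tuple:
    return router.receive(Packet("tcp", "198.51.100.9", 40001, "203.0.113.1", 22), "eth0")


def http_round_trip(router: Router) -> tuple:
    request = router.receive(Packet("tcp", "192.168.1.10", 51000, "93.184.216.34", 80), "eth1")
    reply = router.receive(Packet("tcp", "93.184.216.34", 80, "192.168.1.10", 51000), "eth0")
    # Source port 80 as well, but no matching connection: state 'new', so exttoint drops it.
    forged = router.receive(Packet("tcp", "93.184.216.34", 80, "192.168.1.10", 51001), "eth0")
    return request, reply, forged


if __name__ == "__main__":
    print("Local only on eth0, nmap probe:", nmap_probe(build_router(False)))
    print("IN + Local on eth0, nmap probe:", nmap_probe(build_router(True)))
    print("SSH to Vyatta itself:          ", ssh_to_router(build_router(True)))
    print("HTTP request / reply / forged: ", http_round_trip(build_router(True)))
```

The first run shows the point of the mail: with only a "Local" instance on eth0 the probe addressed to the inside host is never looked at and is forwarded. Once exttoint is assigned as "IN" on eth0 the same probe is dropped by the implicit deny, the legitimate reply to a connection opened from eth1 is accepted as established, and a packet that merely uses source port 80 without a matching connection is still dropped, which is why the state clauses in rule 10 matter and not only the port.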