Hi, Josh--

I think you speak for other users about the firewall documentation--we get
lots of questions about firewall and NAT, and that tells me that the
documentation needs to be strengthened, or made easier, or made richer, or
made simpler, or made more relevant.

Dave Roberts has offered me some suggestions for making this kind of
documentation easier for folks to approach. I've re-written the Quick Start
Guide for one of the upcoming releases along the lines of his suggestions,
and I'm hoping the result is something that will be more helpful.

If you don't mind, I'll keep your e-mail aside. When we feel the new guide
is ready to "try out," perhaps I'll ask you to take a sneak preview of it
and see what you think. I'd like to know whether, if you had seen this
documentation first, it would have worked for you and allowed you to get on
with doing what you wanted to do.

Please let me know if you'd be willing to take a look. :-)

(You can reply to me directly if you like.)

So thank you for bothering to give us your comments. I'll try to use
them to make good improvements.

--I do recognize how important the security features are (and yet how
complex), and how critical it is to present the right information, in just
the right amount, in the right form, so that folks can get done the things
they want to get done and not be faced with a forest of information they
don't need.

Lindsay
____________________________________

Lindsay Burrell
Technical Writer
Vyatta, Inc.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh vyatta
Sent: December 21, 2007 10:45 AM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] SOLVED: FIREWALL question: How can I "stealth" tcp ports

Adrian,
I must express my deepest appreciation for listing out the steps to
configure my firewall properly! You can't imagine my confusion until
now. Your advice has helped me accomplish my first main objective of
at least making the Vyatta as secure as a common SOHO router/firewall.
I realize it can do so much more, but if I can't make it do the
basics, how can I ever think of moving into the more complex config
goals I have.

I now have external SSH access properly configured, and internal-only
WebGui access. All other ports on the outside (including http and
https) are now filtered (or "stealthed" if scanned from GRC.com).

Why is none of this valuable information DOCUMENTED in the Vyatta
Manuals? (Or have I missed it somewhere)? It seems this is very
elementary and is probably a very common configuration goal for many
people.

Adrian, I have one more question to reference your last statement...

> In the same way you can set an in firewall instance for your local
> interface (obviously for tcp you will have to use the new parameter and
> now the source ports become destination ports). And also for the local
> instance of your local interface.
> Since "the rest" of the traffic is denied you need to carefully create
> your rules.

...is it necessary to set an INBOUND firewall on my eth1 internal port
for the traffic leaving OUTBOUND for http or DNS, for example?

Currently, I can access DNS/HTTP/HTTPS/FTP, etc from internal to
outbound. So wouldn't adding a firewall to eth1 open Pandora's box for
requiring ALL types of traffic to be identified and specifically
listed in order to be permitted outbound access once you add the first
firewall rule to that interface? I guess it would not be a terribly
bad idea to KNOW all the traffic that comes in OR GOES OUT, but
wouldn't that be an administrative nightmare?

Hope all of that makes sense.

Thanks again for all your help!
Josh

On 12/12/07, Adrian F. Dimcev <[EMAIL PROTECTED]> wrote:
> Hi Josh,
> There is no firewall by default on Vyatta.
> Your firewall rule does not prevent packets from "external" to your
> Vyatta itself.
> You can apply the firewall instance as in, out and local per interface.
> You have used in, meaning that packets entering that interface will be
> filtered by the firewall.
> But you are scanning Vyatta's external IP address meaning that packets
> are "sent to" the local instance.
> So you should define a rule like:
>
> set firewall name extlocal rule 10 action accept
> set firewall name extlocal rule 10 protocol tcp
> set firewall name extlocal rule 10 state new enable
> set firewall name extlocal rule 10 state established enable
> set firewall name extlocal rule 10 destination port-number 22
>
> set interfaces ethernet eth0 firewall local name extlocal
>
> Obviously this means that tcp port 22 will come as "open" because you
> wanted to use ssh from the "external net".
> Other traffic will be implicitly denied. So you won't be able to ping
> from Vyatta itself say, google's ip addresses.
> For that you need to add another rule allowing the returning echo reply
> packet (unfortunately we cannot have the state parameter for other protocols
> than TCP with Vyatta VC3, there is a report on bugzilla for that,
> https://bugzilla.vyatta.com/show_bug.cgi?id=2502):
>
> set firewall name extlocal rule 20 action accept
> set firewall name extlocal rule 20 protocol icmp
> set firewall name extlocal rule 20 icmp type 0
> set firewall name extlocal rule 20 icmp code 0
>
> Also I assume that you will want to filter packets entering Vyatta's
> external interface. You can use something like:
>
> Say for Http/Https returning traffic:
> set firewall name exttoint rule 10 action accept
> set firewall name exttoint rule 10 protocol tcp
> set firewall name exttoint rule 10 destination network "your internal network"
> set firewall name exttoint rule 10 state established enable
> set firewall name exttoint rule 10 state related enable
> set firewall name exttoint rule 10 state invalid disable
> set firewall name exttoint rule 10 source port-number 80
> set firewall name exttoint rule 10 source port-number 443
>
> For DNS returning traffic (unfortunately again we cannot have the state
> parameter for other protocols than TCP with Vyatta VC3), this may vary
> depending on your DNS design, if you are using DNS forwarders...:
> set firewall name exttoint rule 14 action accept
> set firewall name exttoint rule 14 source address "Your External DNS Server Address"
> set firewall name exttoint rule 14 protocol udp
> set firewall name exttoint rule 14 destination "your internal network or your internal DNS server address"
> set firewall name exttoint rule 14 source port-number 53
>
> set interfaces ethernet eth0 firewall in name exttoint
>
> In the same way you can set an in firewall instance for your local
> interface (obviously for tcp you will have to use the new parameter and
> now the source ports become destination ports). And also for the local
> instance of your local interface.
> Since "the rest" of the traffic is denied you need to carefully create
> your rules.
> It would be better if you used nmap to scan your Vyatta. There aren't
> any "stealth ports". They are merely filtered.
> Adrian
>
>
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
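Adrian's reply quoted above rests on three points: each interface has separate in, out and local attach points; an attached instance is first-match with everything unmatched denied; and on VC3 connection state is only tracked for TCP. The Python model below is an added example, not code from Vyatta or from anyone in the thread. It encodes those semantics so the extlocal and exttoint rule sets from the thread can be exercised against constructed packets, and it also works through Josh's follow-up question: an interface with no instance attached passes everything, while attaching an instance whose rules do not match drops everything. The Packet, Rule, Instance and Interface names, the simplified rule fields, and the addresses (documentation ranges) are all assumptions of the example.

```python
# Added example, not Vyatta code: a small model of the per-interface firewall
# attach points (in / out / local) described in the thread, first-match rules
# with an implicit deny, and the VC3 caveat that only TCP carries state.
# Rule fields, class names and addresses below are simplified assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "new"          # conntrack state; only consulted for tcp here
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "accept" or "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    sports: FrozenSet[int] = frozenset()   # empty = any source port
    states: FrozenSet[str] = frozenset()   # empty = any state
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.states:
            # VC3 caveat from the thread: the state parameter only works for
            # TCP, so a stateful rule can never match udp or icmp in this model.
            if p.proto != "tcp" or p.state not in self.states:
                return False
        return True


Verdict = Tuple[str, Optional[str], Optional[int]]   # (action, instance, rule)


class Instance:
    """A named rule set: first match wins, anything unmatched is dropped."""

    def __init__(self, name: str, *rules: Rule) -> None:
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, p: Packet) -> Verdict:
        for r in self.rules:
            if r.matches(p):
                return (r.action, self.name, r.number)
        return ("drop", self.name, None)        # implicit deny


class Interface:
    def __init__(self, name: str, address: str) -> None:
        self.name = name
        self.address = address
        self.firewall: Dict[str, Optional[Instance]] = {"in": None, "out": None, "local": None}

    def check(self, p: Packet, direction: str) -> Verdict:
        """direction is 'arrive' for packets entering this interface, 'leave' for ones going out."""
        if direction == "arrive":
            # Traffic addressed to the router itself hits 'local'; forwarded traffic hits 'in'.
            hook = "local" if p.dst == self.address else "in"
        else:
            hook = "out"
        inst = self.firewall[hook]
        if inst is None:
            return ("accept", None, None)       # nothing attached = no filtering at all
        return inst.evaluate(p)


def build_router() -> Dict[str, Interface]:
    """Router as configured in the thread. Addresses are constructed (documentation ranges)."""
    extlocal = Instance("extlocal",
        Rule(10, "accept", proto="tcp", dport=22, states=frozenset({"new", "established"})),
        Rule(20, "accept", proto="icmp", icmp_type=0))          # echo reply only
    exttoint = Instance("exttoint",
        Rule(10, "accept", proto="tcp", sports=frozenset({80, 443}),
             states=frozenset({"established", "related"})),
        Rule(14, "accept", proto="udp", sports=frozenset({53})))
    eth0 = Interface("eth0", "203.0.113.2")      # external
    eth0.firewall["local"] = extlocal
    eth0.firewall["in"] = exttoint
    eth1 = Interface("eth1", "192.168.1.1")      # internal, no firewall attached
    return {"eth0": eth0, "eth1": eth1}


if __name__ == "__main__":
    r = build_router()
    ext, lan = "198.51.100.9", "192.168.1.20"
    print("ssh to router      ", r["eth0"].check(Packet("tcp", ext, r["eth0"].address, 40000, 22), "arrive"))
    print("http to router     ", r["eth0"].check(Packet("tcp", ext, r["eth0"].address, 40000, 80), "arrive"))
    print("echo request       ", r["eth0"].check(Packet("icmp", ext, r["eth0"].address, icmp_type=8), "arrive"))
    print("https reply to LAN ", r["eth0"].check(Packet("tcp", ext, lan, 443, 51000, "established"), "arrive"))
    print("eth1, no firewall  ", r["eth1"].check(Packet("tcp", lan, ext, 50001, 80), "arrive"))
    r["eth1"].firewall["in"] = Instance("inttoext")            # attached but empty
    print("eth1, empty instance", r["eth1"].check(Packet("tcp", lan, ext, 50001, 80), "arrive"))
```

The last two lines of the demo are the answer to the question about eth1: with nothing attached the LAN's outbound DNS, HTTP and FTP pass untouched, and the moment an instance is attached to eth1's in hook every protocol the LAN uses needs its own accept rule or it is silently dropped. The echo request case shows the same implicit deny on the local hook, which is why a scan from outside reports the router's ports as filtered rather than closed.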
