Hi Adrian: Yep, that's what I need, a second set of eyes! I tried hitting my Vyatta router from the internet, but was not able to and thought since NAT was redirecting traffic then it was 'ok', but I see that isn't the safest thing. So if I understand, I should create a rule for eth1 Local that denies all traffic sourced from 0.0.0.0/0 destined to the router? I have no need to access my router externally.

I'll see if I can dig up info on 'state' and also see if I can find some firewall configuration examples that other people followed. Thanks a bunch!

Todd Worden
Web-Wired, LLC
434.906.0420
[EMAIL PROTECTED]
www.web-wired.com

-----Original Message-----
From: Adrian F. Dimcev [mailto:[EMAIL PROTECTED]
Sent: Monday, December 24, 2007 5:19 AM
To: Todd Worden
Cc: vyatta-users@mailman.vyatta.com
Subject: RE: [Vyatta-users] Got firewall inbound, what about the outbound?

> Just for sanity's sake, can someone chime in and confirm if this appears to be an appropriate configuration?
> Any suggestions are welcome!

Don't know if you've noticed or if this was your intention, but are you aware that your Vyatta is fully accessible from the Internet (or at least your posted configuration shows this)?

Also, again, don't know if you've noticed or if this was your intention, but your firewall "out" instance on eth0 isn't a truly "Inbound" one, since your Vyatta accepts *any* incoming packets on eth1.

And can I suggest you mess with the "State" parameter on your TCP rules, which will enable Vyatta to become indeed a firewall?

Ideally you should follow the traffic flow with your firewall rules: say packets coming in on eth0 (so IN firewall instance), going out on eth1 (so OUT firewall instance) and returning on eth1 (so IN firewall instance) and going out on eth0 (so OUT firewall instance). The "State" parameter should be appropriate for each firewall instance.

But it's all about the role Vyatta plays in your environment, therefore there might be no need for all those firewall instances.

Adrian
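The stateful "in" and "local" instances discussed above, written out as an added example that is not from either poster's configuration. It assumes eth1 is the Internet side and eth0 the LAN (as the thread implies), uses the `set firewall name ...` CLI form of later Vyatta/VyOS releases rather than the 2007 config-file syntax, and the instance names and rule numbers are arbitrary.

```vyatta
# Added example, not the original poster's config. Assumes eth1 = WAN, eth0 = LAN.
# Syntax is the later Vyatta/VyOS "set" CLI; older Vyatta config-file syntax differs.
configure

# "in" instance on eth1: traffic arriving from the Internet and forwarded to the LAN.
# Only replies to sessions the LAN opened are allowed; anything unsolicited is dropped,
# so NAT alone is no longer what keeps the LAN closed.
set firewall name WAN-IN default-action drop
set firewall name WAN-IN rule 10 action accept
set firewall name WAN-IN rule 10 state established enable
set firewall name WAN-IN rule 10 state related enable
set firewall name WAN-IN rule 20 action drop
set firewall name WAN-IN rule 20 state invalid enable

# "local" instance on eth1: traffic arriving from the Internet addressed to the router itself.
# Dropping *everything* here (the 0.0.0.0/0 deny from the reply above) would also discard the
# replies to the router's own DNS/NTP/update requests, so accept established/related first and
# drop the rest. No rule permits new inbound sessions, so there is no remote administration.
set firewall name WAN-LOCAL default-action drop
set firewall name WAN-LOCAL rule 10 action accept
set firewall name WAN-LOCAL rule 10 state established enable
set firewall name WAN-LOCAL rule 10 state related enable
set firewall name WAN-LOCAL rule 20 action drop
set firewall name WAN-LOCAL rule 20 state invalid enable
set firewall name WAN-LOCAL rule 20 log enable

# Bind both instances to the Internet-facing interface.
set interfaces ethernet eth1 firewall in name WAN-IN
set interfaces ethernet eth1 firewall local name WAN-LOCAL

commit
save
exit
```

With these two instances on eth1 alone, an "out" instance on eth0 adds nothing for Internet-sourced traffic, which is Adrian's point that the instance count should follow the traffic flow rather than be one-per-interface.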