Wondering if someone could help me with my firewall rules. At this 
point, I'm just firewalling local traffic. My objective is to drop 
everything other than SSH, and even then only allow SSH from a 
handful of hosts.

So for eth0 (my WAN interface), I added:

    firewall {
        local {
            name: "WAN-to-LOCAL"
        }
    }

And then the following firewall rules:

firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name "WAN-to-LOCAL" {
        description: "Inbound traffic to router"
        rule 10 {
            description: "Accept established and related"
            protocol: "tcp"
            state {
                established: "enable"
                related: "enable"
            }
            action: "accept"
            log: "disable"
        }
        rule 20 {
            description: "Accept SSH"
            protocol: "tcp"
            state {
                established: "enable"
                related: "enable"
                new: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "enable"
            source {
                address: "XXX.XXX.XXX.XXX"
            }
            destination {
                port-number 22
            }
        }
        rule 21 {
            description: "Accept SSH"
            protocol: "tcp"
            state {
                established: "enable"
                related: "enable"
                new: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "enable"
            source {
                network: "XXX.XXX.XXX.XXX/28"
            }
            destination {
                port-number 22
            }
        }
    }
}

I'm pretty sure something isn't right with my rule 10 (established and 
related). For one thing, Vyatta complains if I set protocol to "all". 
It says only "tcp" is allowed when packet state is defined. So what 
should I do about UDP? I do need to allow related and established, right?

I don't need to limit outgoing traffic, but is it a good idea to have 
rules for inbound traffic if I'm doing NAT?

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
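As an added example (not from the original post and not Vyatta code), here is a small first-match model of the WAN-to-LOCAL rule set above, with the XXX placeholders replaced by constructed RFC 5737 addresses; build_ruleset() takes the protocol used in rule 10 so the "tcp" and "all" variants can be compared against the same sample packets. It assumes the rule set is evaluated in rule-number order with a default action of drop.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp", "udp", "icmp"
    src: str       # source IPv4 address
    dport: int     # destination port (0 when not applicable)
    state: str     # conntrack state: "new", "established", "related", "invalid"

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "accept" or "drop"
    protocol: str = "all"             # "all" matches any protocol
    states: frozenset = frozenset()   # empty = no state match configured
    sources: tuple = ()               # ip_network objects; empty = any source
    dport: Optional[int] = None       # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.proto:
            return False
        if self.states and pkt.state not in self.states:
            return False
        if self.sources and not any(ipaddress.ip_address(pkt.src) in n for n in self.sources):
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(rules, pkt: Packet, default: str = "drop"):
    """Return (rule number, action) of the first matching rule, else (None, default)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return None, default

# Constructed placeholders (RFC 5737 documentation space) for the post's XXX.XXX.XXX.XXX values.
ADMIN_HOST = ipaddress.ip_network("203.0.113.10/32")   # rule 20 source address
ADMIN_NET = ipaddress.ip_network("203.0.113.16/28")    # rule 21 source network
SSH_STATES = frozenset({"new", "established", "related"})  # invalid: "disable" = not matched

def build_ruleset(rule10_protocol: str = "tcp"):
    """Mirror WAN-to-LOCAL from the post; rule10_protocol lets "tcp" be compared with "all"."""
    return [
        Rule(10, "accept", rule10_protocol, frozenset({"established", "related"})),
        Rule(20, "accept", "tcp", SSH_STATES, (ADMIN_HOST,), 22),
        Rule(21, "accept", "tcp", SSH_STATES, (ADMIN_NET,), 22),
    ]
```

With rule 10 limited to "tcp", a UDP packet in the established state (for example the reply to a DNS query the router itself sent) matches nothing and falls through to the default drop; with "all" it is accepted by rule 10.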
