Sorry everyone - I am mistaken on this last point. Alain's original config is correct wrt port 22 assignment to destination port.
John Gong wrote:
> I also would change rules 20 and 21 such that it's SOURCE port 22, and
> not destination port 22. This would apply if you are trying to permit
> inbound ssh requests from those specific hosts.
>
> John
>
> Robyn Orosz wrote:
>> Hi Alain,
>>
>> Take a look at this post:
>>
>> http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html
>>
>> It looks like you're running into bug 2502, which has been fixed in our
>> most recent set of updates and will no longer be an issue in the next
>> release.
>>
>> The link above has more information on the bug and an easy workaround so
>> you can specify "all" in rule 10.
>>
>> Thank you,
>>
>> Robyn
>>
>> Alain Kelder wrote:
>>> Wondering if someone could help me with my firewall rules. At this
>>> point, I'm just firewalling local traffic. My objective is to drop
>>> everything other than SSH, and even then only allow SSH from a
>>> handful of hosts.
>>>
>>> So for eth0 (my WAN interface), I added:
>>>
>>>     firewall {
>>>         local {
>>>             name: "WAN-to-LOCAL"
>>>         }
>>>     }
>>>     }
>>>
>>> And then the following firewall rules:
>>>
>>>     firewall {
>>>         log-martians: "enable"
>>>         send-redirects: "disable"
>>>         receive-redirects: "disable"
>>>         ip-src-route: "disable"
>>>         broadcast-ping: "disable"
>>>         syn-cookies: "enable"
>>>         name "WAN-to-LOCAL" {
>>>             description: "Inbound traffic to router"
>>>             rule 10 {
>>>                 description: "Accept established and related"
>>>                 protocol: "tcp"
>>>                 state {
>>>                     established: "enable"
>>>                     related: "enable"
>>>                 }
>>>                 action: "accept"
>>>                 log: "disable"
>>>             }
>>>             rule 20 {
>>>                 description: "Accept SSH"
>>>                 protocol: "tcp"
>>>                 state {
>>>                     established: "enable"
>>>                     related: "enable"
>>>                     new: "enable"
>>>                     invalid: "disable"
>>>                 }
>>>                 action: "accept"
>>>                 log: "enable"
>>>                 source {
>>>                     address: "XXX.XXX.XXX.XXX"
>>>                 }
>>>                 destination {
>>>                     port-number 22
>>>                 }
>>>             }
>>>             rule 21 {
>>>                 description: "Accept SSH"
>>>                 protocol: "tcp"
>>>                 state {
>>>                     established: "enable"
>>>                     related: "enable"
>>>                     new: "enable"
>>>                     invalid: "disable"
>>>                 }
>>>                 action: "accept"
>>>                 log: "enable"
>>>                 source {
>>>                     network: "XXX.XXX.XXX.XXX/28"
>>>                 }
>>>                 destination {
>>>                     port-number 22
>>>                 }
>>>             }
>>>         }
>>>     }
>>>
>>> I'm pretty sure something isn't right with my rule 10 (established and
>>> related). For one thing, Vyatta complains if I set protocol to "all".
>>> Says only "tcp" is allowed when packet state is defined. So what should
>>> I do about UDP? I do need to allow related and established, right?
>>>
>>> I don't need to limit outgoing traffic, but is it a good idea to have
>>> rules for inbound traffic if I'm doing NAT?
>>>

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
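As an added illustration (not from the thread or from Vyatta), here is a small first-match evaluator over a Python model of Alain's quoted "WAN-to-LOCAL" rule set; the host and network addresses are constructed placeholders. It shows why a rule 10 limited to tcp lets UDP return traffic (a DNS reply, say) fall through to the implicit drop, why "all" in rule 10 fixes that, and that SSH is accepted only from the listed sources on destination port 22.

```python
import ipaddress

# Constructed placeholders standing in for the XXX.XXX.XXX.XXX values in the post.
ALLOWED_HOST = "198.51.100.10"
ALLOWED_NET = "203.0.113.0/28"


def make_rules(rule10_protocol="tcp"):
    """Model of rules 10, 20 and 21 from the quoted config, in order."""
    return [
        {"id": 10, "protocol": rule10_protocol,
         "states": {"established", "related"}, "action": "accept"},
        {"id": 20, "protocol": "tcp", "states": {"established", "related", "new"},
         "src": ALLOWED_HOST, "dport": 22, "action": "accept"},
        {"id": 21, "protocol": "tcp", "states": {"established", "related", "new"},
         "src": ALLOWED_NET, "dport": 22, "action": "accept"},
    ]


def matches(rule, pkt):
    """True when every field the rule specifies agrees with the packet."""
    if rule["protocol"] != "all" and rule["protocol"] != pkt["protocol"]:
        return False
    if pkt["state"] not in rule["states"]:
        return False
    if "src" in rule:
        net = ipaddress.ip_network(rule["src"], strict=False)  # host -> /32
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; a named set with no match falls to drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["id"]
    return "drop", None


# Constructed sample packets (src, protocol, conntrack state, destination port).
SSH_FROM_HOST = {"protocol": "tcp", "state": "new", "src": "198.51.100.10", "dport": 22}
SSH_FROM_NET = {"protocol": "tcp", "state": "new", "src": "203.0.113.5", "dport": 22}
SSH_FROM_OTHER = {"protocol": "tcp", "state": "new", "src": "192.0.2.7", "dport": 22}
DNS_REPLY = {"protocol": "udp", "state": "established", "src": "192.0.2.53", "dport": 40000}

if __name__ == "__main__":
    for label, pkt in [("ssh/host", SSH_FROM_HOST), ("ssh/other", SSH_FROM_OTHER),
                       ("dns reply, rule10=tcp", DNS_REPLY)]:
        print(label, evaluate(make_rules(), pkt))
    print("dns reply, rule10=all", evaluate(make_rules("all"), DNS_REPLY))
```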