Hi Alain,

Take a look at this post:

http://mailman.vyatta.com/pipermail/vyatta-users/2007-November/002406.html

It looks like you're running into bug 2502, which has been fixed in our 
most recent set of updates and will no longer be an issue in the next 
release.

The link above has more information on the bug and an easy workaround so 
you can specify "all" in rule 10.

Thank you,

Robyn

Alain Kelder wrote:
> Wondering if someone could help me with my firewall rules. At this 
> point, I'm just firewalling local traffic. My objective is drop 
> everything other than SSH and even then only allow SSH from for a 
> handful of hosts.
>
> So for eth0 (my WAN interface), I added:
>
>     firewall {
>         local {
>             name: "WAN-to-LOCAL"
>         }
>     }
>
> And then the following firewall rules:
>
> firewall {
>     log-martians: "enable"
>     send-redirects: "disable"
>     receive-redirects: "disable"
>     ip-src-route: "disable"
>     broadcast-ping: "disable"
>     syn-cookies: "enable"
>     name "WAN-to-LOCAL" {
>         description: "Inbound traffic to router"
>         rule 10 {
>             description: "Accept established and related"
>             protocol: "tcp"
>             state {
>                 established: "enable"
>                 related: "enable"
>             }
>             action: "accept"
>             log: "disable"
>         }
>         rule 20 {
>             description: "Accept SSH"
>             protocol: "tcp"
>             state {
>                 established: "enable"
>                 related: "enable"
>                 new: "enable"
>                 invalid: "disable"
>             }
>             action: "accept"
>             log: "enable"
>             source {
>                 address: "XXX.XXX.XXX.XXX"
>             }
>             destination {
>                 port-number 22
>             }
>         }
>         rule 21 {
>             description: "Accept SSH"
>             protocol: "tcp"
>             state {
>                 established: "enable"
>                 related: "enable"
>                 new: "enable"
>                 invalid: "disable"
>             }
>             action: "accept"
>             log: "enable"
>             source {
>                 network: "XXX.XXX.XXX.XXX/28"
>             }
>             destination {
>                 port-number 22
>             }
>         }
>     }
> }
>
> I'm pretty sure something isn't right with my rule 10 (established and 
> related). For one thing, Vyatta complains if I set protocol to "all". 
> Says only "tcp" is allowed when packet state is defined. So what should 
> I do about UDP? I do need to allow related and established, right?
>
> I don't need to limit outgoing traffic, but is it a good idea to have 
> rules for inbound traffic if I'm doing NAT?
>
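As an added illustration (not code from this thread or from Vyatta), here is a small Python model of how the WAN-to-LOCAL rule set quoted above evaluates inbound packets, comparing rule 10 restricted to `tcp` with the `all` workaround Robyn points to. It assumes first-match evaluation with an implicit final drop, and the addresses and packets are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dport: Optional[int]
    state: str            # conntrack state: new/established/related/invalid

@dataclass
class Rule:
    number: int
    action: str
    protocol: str = "all"                     # "all" matches every protocol
    states: FrozenSet[str] = frozenset()      # empty set = any state
    src_net: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.protocol != "all" and self.protocol != p.proto:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        return self.dport is None or self.dport == p.dport

def evaluate(rules, p):
    """First matching rule wins; nothing matched means the implicit drop."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return None, "drop"

def wan_to_local(est_proto):
    """Rules 10/20/21 from the post; est_proto is rule 10's protocol setting."""
    ssh = frozenset({"established", "related", "new"})
    return [Rule(10, "accept", est_proto, frozenset({"established", "related"})),
            Rule(20, "accept", "tcp", ssh, "203.0.113.10/32", 22),   # placeholder host
            Rule(21, "accept", "tcp", ssh, "203.0.113.16/28", 22)]   # placeholder /28

SAMPLE = [Packet("tcp", "203.0.113.10", 22, "new"),            # SSH from allowed host
          Packet("tcp", "203.0.113.20", 22, "new"),            # SSH from allowed /28
          Packet("tcp", "198.51.100.7", 22, "new"),            # SSH from elsewhere
          Packet("udp", "198.51.100.53", 40000, "established"),  # DNS reply to router
          Packet("tcp", "198.51.100.9", 80, "established"),    # reply to router's HTTP
          Packet("icmp", "198.51.100.1", None, "related")]     # ICMP error for a flow

def compare():
    """Verdict per packet with rule 10 as tcp-only versus all protocols."""
    return ([evaluate(wan_to_local("tcp"), p)[1] for p in SAMPLE],
            [evaluate(wan_to_local("all"), p)[1] for p in SAMPLE])
```

With rule 10 limited to `tcp`, the UDP reply and the related ICMP error fall through to the implicit drop, which is exactly the UDP gap Alain asks about; with `all` they are accepted while the unsolicited SSH attempt is still dropped.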
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users