Hi,

Is this just for the firewall rules portion or should I do the same for NAT too?

Thanks.

On 20/03/2008, Robyn Orosz <[EMAIL PROTECTED]> wrote:
> Hi Joe,
>
>  I'm not sure which version you are upgrading to but since you mentioned
>  xorpsh, I am assuming VC3?
>
>  If so, the issue is probably the : and "" on the firewall port-number
>  and port-name nodes.  If you edit your config.boot file and remove the :
>  and "" from the port-name and port-number settings in the firewall
>  portion of your config, you should be able to load the config in the new
>  version.
>
>  See the following Bugzilla reports for more information:
>
>  https://bugzilla.vyatta.com/show_bug.cgi?id=2573
>
>  https://bugzilla.vyatta.com/show_bug.cgi?id=2637
>
>  Thank you,
>
>  Robyn
>
>
>  Joe Pub wrote:
>  > Hi All,
>  >
>  > I have recently done a live upgrade of vyatta to make sure everything
>  > was up to date.  I saved the config.boot file just in case.  After the
>  > reboot the loaded config was lost (not sure if this is by design on an
>  > upgrade).  So I am now trying to load the config file from the ofr
>  > over tftp.
>  >
>  > Now the first problem was this, it failed to parse the config file on
>  > a firewall rule (which worked before the upgrade)
>  >
>  > which was this.
>  >
>  >         rule 9 {
>  >             protocol: "tcp"
>  >             action: "accept"
>  >             log: "disable"
>  >             destination {
>  >                 address: 192.168.10.2
>  >                 port-number: 1723
>  >             }
>  >         }
>  >
>  > it was complaining about the port number.  So I removed this rule out
>  > of the config file and tried to reload it with this version.
>  >
>  > protocols {
>  >     ospf4 {
>  >         router-id: 10.1.1.3
>  >         rfc1583-compatibility: false
>  >         ip-router-alert: false
>  >         area 0.0.0.0 {
>  >             area-type: "normal"
>  >             interface eth0 {
>  >                 link-type: "broadcast"
>  >                 address 172.20.1.253 {
>  >                     priority: 128
>  >                     hello-interval: 10
>  >                     router-dead-interval: 40
>  >                     interface-cost: 1
>  >                     retransmit-interval: 5
>  >                     transit-delay: 1
>  >                     passive: false
>  >                     disable: false
>  >                 }
>  >             }
>  >             interface lo {
>  >                 link-type: "broadcast"
>  >                 address 10.1.1.3 {
>  >                     priority: 128
>  >                     hello-interval: 10
>  >                     router-dead-interval: 40
>  >                     interface-cost: 1
>  >                     retransmit-interval: 5
>  >                     transit-delay: 1
>  >                     passive: false
>  >                     disable: false
>  >                 }
>  >             }
>  >         }
>  >         export: "static-to-OSPF"
>  >     }
>  >     static {
>  >         disable: false
>  >         route 0.0.0.0/0 {
>  >             next-hop: x.x.x.30
>  >             metric: 1
>  >         }
>  >     }
>  > }
>  > policy {
>  >     policy-statement "static-to-OSPF" {
>  >         term 1 {
>  >             from {
>  >                 protocol: "static"
>  >             }
>  >             then {
>  >                 action: "accept"
>  >             }
>  >         }
>  >     }
>  > }
>  > interfaces {
>  >     restore: false
>  >     loopback lo {
>  >         description: ""
>  >         address 10.1.1.3 {
>  >             prefix-length: 32
>  >             disable: false
>  >         }
>  >     }
>  >     ethernet eth1 {
>  >         disable: false
>  >         discard: false
>  >         description: ""
>  >         hw-id: 00:50:56:a8:29:60
>  >         duplex: "auto"
>  >         speed: "auto"
>  >         address x.x.x.29 {
>  >             prefix-length: 27
>  >             disable: false
>  >         }
>  >         address x.x.x.3 {
>  >             prefix-length: 27
>  >             disable: false
>  >         }
>  >         address x.x.x.2 {
>  >             prefix-length: 27
>  >             disable: false
>  >         }
>  >         firewall {
>  >             in {
>  >                 name: "DMZ_IN"
>  >             }
>  >         }
>  >     }
>  >     ethernet eth0 {
>  >         disable: false
>  >         discard: false
>  >         description: ""
>  >         hw-id: 00:50:56:a8:34:ec
>  >         duplex: "auto"
>  >         speed: "auto"
>  >         address 172.20.1.253 {
>  >             prefix-length: 23
>  >             disable: false
>  >         }
>  >         vrrp {
>  >             vrrp-group: 100
>  >             virtual-address: 172.20.1.254
>  >             authentication: "xxxxxx"
>  >             advertise-interval: 1
>  >             preempt: true
>  >             priority: 1
>  >         }
>  >     }
>  > }
>  > service {
>  >     nat {
>  >         rule 2 {
>  >             type: "source"
>  >             inbound-interface: "eth0"
>  >             outbound-interface: "eth1"
>  >             protocols: "all"
>  >             source {
>  >                 address: "172.20.0.1"
>  >             }
>  >             destination {
>  >                 network: "0.0.0.0/0"
>  >             }
>  >             outside-address {
>  >                 address: x.x.x.2
>  >             }
>  >         }
>  >         rule 3 {
>  >             type: "destination"
>  >             inbound-interface: "eth1"
>  >             outbound-interface: "eth0"
>  >             protocols: "all"
>  >             source {
>  >                 network: "0.0.0.0/0"
>  >             }
>  >             destination {
>  >                 address: "x.x.x.2"
>  >             }
>  >             inside-address {
>  >                 address: 172.20.0.1
>  >             }
>  >         }
>  >         rule 4 {
>  >             type: "source"
>  >             inbound-interface: "eth0"
>  >             outbound-interface: "eth1"
>  >             protocols: "tcp"
>  >             source {
>  >                 address: "192.168.10.5"
>  >             }
>  >             destination {
>  >                 network: "0.0.0.0/0"
>  >             }
>  >             outside-address {
>  >                 address: x.x.x.3
>  >             }
>  >         }
>  >         rule 5 {
>  >             type: "destination"
>  >             inbound-interface: "eth1"
>  >             outbound-interface: "eth0"
>  >             protocols: "tcp"
>  >             source {
>  >                 network: "0.0.0.0/0"
>  >             }
>  >             destination {
>  >                 address: "x.x.x.3"
>  >                 port-number 25
>  >             }
>  >             inside-address {
>  >                 address: 192.168.10.5
>  >                 port-number: 25
>  >             }
>  >         }
>  >         rule 6 {
>  >             type: "destination"
>  >             inbound-interface: "eth1"
>  >             outbound-interface: "eth0"
>  >             protocols: "tcp"
>  >             source {
>  >                 network: "0.0.0.0/0"
>  >             }
>  >             destination {
>  >                 address: "x.x.x.3"
>  >                 port-number 80
>  >             }
>  >             inside-address {
>  >                 address: 192.168.10.5
>  >                 port-number: 80
>  >             }
>  >         }
>  >         rule 7 {
>  >             type: "destination"
>  >             inbound-interface: "eth1"
>  >             outbound-interface: "eth0"
>  >             protocols: "tcp"
>  >             source {
>  >                 network: "0.0.0.0/0"
>  >             }
>  >             destination {
>  >                 address: "x.x.x.3"
>  >                 port-name https
>  >             }
>  >             inside-address {
>  >                 address: 192.168.10.5
>  >                 port-number: 443
>  >             }
>  >         }
>  >         rule 8 {
>  >             type: "destination"
>  >             inbound-interface: "eth1"
>  >             outbound-interface: "eth0"
>  >             protocols: "tcp"
>  >             destination {
>  >                 address: "x.x.x.29"
>  >                 port-number 1723
>  >             }
>  >             inside-address {
>  >                 address: 192.168.10.2
>  >                 port-number: 1723
>  >             }
>  >         }
>  >         rule 9 {
>  >             type: "source"
>  >             inbound-interface: "eth0"
>  >             outbound-interface: "eth1"
>  >             protocols: "tcp"
>  >             source {
>  >                 address: "192.168.10.2"
>  >                 port-number 1723
>  >             }
>  >             outside-address {
>  >                 address: x.x.x.29
>  >                 port-number: 1723
>  >             }
>  >         }
>  >         rule 10 {
>  >             type: "destination"
>  >             inbound-interface: "eth1"
>  >             outbound-interface: "eth0"
>  >             protocols: "gre"
>  >             destination {
>  >                 address: "x.x.x.29"
>  >             }
>  >             inside-address {
>  >                 address: 192.168.10.2
>  >             }
>  >         }
>  >         rule 1023 {
>  >             type: "masquerade"
>  >             outbound-interface: "eth1"
>  >             source {
>  >                 network: "192.168.10.0/23"
>  >             }
>  >         }
>  >         rule 1024 {
>  >             type: "masquerade"
>  >             outbound-interface: "eth1"
>  >             source {
>  >                 network: "172.20.0.0/23"
>  >             }
>  >         }
>  >     }
>  >     webgui {
>  >         http-port: 80
>  >         https-port: 443
>  >     }
>  > }
>  > firewall {
>  >     log-martians: "enable"
>  >     send-redirects: "disable"
>  >     receive-redirects: "disable"
>  >     ip-src-route: "disable"
>  >     broadcast-ping: "disable"
>  >     syn-cookies: "enable"
>  >      name "DMZ_IN" {
>  >          description: "Input packet from public network into DMZ"
>  >          rule 1 {
>  >              protocol: "udp"
>  >              action: "accept"
>  >              log: "disable"
>  >              source {
>  >                  port-name: "domain"
>  >              }
>  >          }
>  >          rule 2 {
>  >              protocol: "icmp"
>  >              action: "accept"
>  >              log: "disable"
>  >          }
>  >          rule 3 {
>  >              protocol: "udp"
>  >              action: "accept"
>  >              log: "disable"
>  >              destination {
>  >                  port-name: "domain"
>  >              }
>  >          }
>  >          rule 4 {
>  >              protocol: "tcp"
>  >              action: "accept"
>  >              log: "disable"
>  >              source {
>  >                  port-name: "domain"
>  >              }
>  >          }
>  >          rule 5 {
>  >              protocol: "tcp"
>  >              state {
>  >                  established: "enable"
>  >              }
>  >              action: "accept"
>  >              log: "disable"
>  >          }
>  >          rule 6 {
>  >              protocol: "tcp"
>  >              action: "accept"
>  >              log: "disable"
>  >              destination {
>  >                  address: 192.168.10.5
>  >                  port-name: "smtp"
>  >              }
>  >          }
>  >          rule 7 {
>  >              protocol: "tcp"
>  >              action: "accept"
>  >              log: "disable"
>  >              destination {
>  >                  port-name: "http"
>  >              }
>  >          }
>  >          rule 8 {
>  >              protocol: "tcp"
>  >              action: "accept"
>  >              log: "disable"
>  >              destination {
>  >                  port-name: "https"
>  >              }
>  >          }
>  >          rule 9 {
>  >              protocol: "gre"
>  >              action: "accept"
>  >              log: "disable"
>  >              destination {
>  >                  address: 192.168.10.2
>  >              }
>  >          }
>  >          rule 10 {
>  >              protocol: "tcp"
>  >              action: "accept"
>  >              log: "disable"
>  >              destination {
>  >                  port-range {
>  >                      start: 20
>  >                      stop: 21
>  >                  }
>  >              }
>  >          }
>  >     }
>  > }
>  >
>  >
>  > But it fails to load. The xorpsh process shot up to 100% cpu and did
>  > not load the config.  The shell just sits there with [edit] showing
>  > and does not return me back to the shell.  I have to press Ctrl-C to
>  > abort the operation.  When I then exit configuration mode I get the
>  > message
>  >
>  > Finder disconnected. No Finder?
>  >
>  > Does anyone have any idea why this could be?
>  > Thanks
>
> > _______________________________________________
>  > Vyatta-users mailing list
>  > Vyatta-users@mailman.vyatta.com
>  > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>  >
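The edit Robyn describes, written out as an added example (it is not part of this thread and not Vyatta's own tooling): a Python script that rewrites only the `port-name` and `port-number` leaves inside the top-level `firewall { ... }` block of a config.boot file, dropping the `:` and the surrounding `""`. The thread does not answer Joe's question about NAT, so by default the script leaves `service { nat ... }` untouched, as it does the `firewall` block nested under an interface (which only names a rule set). It assumes one setting per line and brace-delimited blocks, as in Joe's listing; the sample config embedded in it is constructed in the shape of that listing, not his file.

```python
import re
import sys
from typing import List, Tuple

# Matches a port leaf written in the old style, e.g. `port-number: 1723`
# or `port-name: "domain"`. Lines already in the new style (no colon) do
# not match, so running the script twice changes nothing.
PORT_LEAF = re.compile(r'^(\s*)(port-name|port-number):\s*(.*?)\s*$')


def _brace_delta(line: str) -> int:
    """Net nesting change for one line; braces inside "..." strings are ignored."""
    unquoted = re.sub(r'"[^"]*"', '', line)
    return unquoted.count('{') - unquoted.count('}')


def _strip_quotes(value: str) -> str:
    """Drop one pair of surrounding double quotes, if present."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def convert_port_leaves(config_text: str, section: str = 'firewall') -> Tuple[str, List[Tuple[int, str, str]]]:
    """Rewrite port-name/port-number leaves inside the top-level `section` block.

    Returns the new text plus a review list of (line number, old line, new line).
    Only the block opened at nesting depth 0 is touched, so the `firewall { in
    { name ... } }` block under an interface and everything under `service {
    nat ... }` are copied through unchanged.
    """
    out: List[str] = []
    changes: List[Tuple[int, str, str]] = []
    depth = 0
    open_depth = None  # depth at which the target section was opened, or None
    opener = re.compile(r'^' + re.escape(section) + r'\s*\{')
    for lineno, line in enumerate(config_text.splitlines(keepends=True), start=1):
        body = line.rstrip('\r\n')
        newline = line[len(body):]
        if open_depth is None and depth == 0 and opener.match(body.strip()):
            open_depth = depth
        if open_depth is not None:
            m = PORT_LEAF.match(body)
            if m:
                indent, key, value = m.groups()
                new_body = f'{indent}{key} {_strip_quotes(value)}'
                changes.append((lineno, body, new_body))
                body = new_body
        out.append(body + newline)
        depth += _brace_delta(body)
        if open_depth is not None and depth <= open_depth:
            open_depth = None  # closing brace of the target section
    return ''.join(out), changes


# Constructed sample in the shape of the thread's config.boot (not the original file).
SAMPLE_CONFIG = """\
interfaces {
    ethernet eth1 {
        firewall {
            in {
                name: "DMZ_IN"
            }
        }
    }
}
service {
    nat {
        rule 5 {
            inside-address {
                address: 192.168.10.5
                port-number: 25
            }
        }
    }
}
firewall {
    name "DMZ_IN" {
        description: "Input packet from public network into DMZ"
        rule 1 {
            protocol: "udp"
            source {
                port-name: "domain"
            }
        }
        rule 9 {
            protocol: "tcp"
            destination {
                address: 192.168.10.2
                port-number: 1723
            }
        }
    }
}
"""


def main(argv: List[str]) -> int:
    """With a path: write <path>.vc3 and list the changed lines; without one, run on the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding='utf-8') as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    new_text, changes = convert_port_leaves(text)
    for lineno, old, new in changes:
        print(f'line {lineno}: {old.strip()!r} -> {new.strip()!r}')
    if len(argv) > 1:
        with open(argv[1] + '.vc3', 'w', encoding='utf-8') as fh:
            fh.write(new_text)
    else:
        sys.stdout.write(new_text)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run as `python convert_ports.py config.boot`: the original is left in place, the rewritten copy goes to `config.boot.vc3`, and every changed line is printed so it can be checked against the saved config before the new file is loaded. Run without an argument it prints the converted sample. Because the colon is the trigger, a file that has already been converted passes through unchanged.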