[olug] Firewall / VPN Devices
James Ringler
jringler at plainspower.com
Thu Oct 8 14:50:21 UTC 2009
On 10/07/2009 09:06 PM, Dan Linder wrote:
> On Wed, Oct 7, 2009 at 12:03, Obi-Wan<obiwan at jedi.com> wrote:
>
>> What's the firewall configuration like on Vyatta today? I tried the
>> live CD a few years ago, but the text-based firewall rule configuration
>> was a nightmare for a multi-zone setup with scores of rules. I
>> eventually dropped back to CentOS with iptables & fwbuilder. I also
>> run other stuff like my DHCP & DNS servers as well as forward &
>> reverse web proxies on my firewall box. Can I still do those things
>> if I install Vyatta?
>>
> Honestly I haven't really done much with the actual firewall
> configurations since I only needed simple NAT. And since the command
> set was different enough from Cisco/PIX that I was more familiar with
> I didn't pursue it after it was working. (That, and our firewall died
> when I was out of town and the family was kinda put out until I could
> get home and rebuild it, so messing around with it wasn't high on the
> list...)
>
> Dan
>
>
Setting up the NAT is quite simple.
It's a matter of 5 lines in the config.
rule 1000 {
    destination {
        address 0.0.0.0/0
    }
    outbound-interface eth0
    source {
        address 0.0.0.0/0
    }
    type masquerade
}
If you have a VPN, you want to exclude the traffic from leaving the
firewall by adding an exclude statement. Rule 4 is processed before
rule 1000, therefore it sends the traffic through the IPsec VPN.
rule 4 {
    destination {
        address 10.81.34.0/24
    }
    exclude
    outbound-interface eth0
    source {
        address 0.0.0.0/0
    }
    type masquerade
}
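Added example, not from the post or from Vyatta: a small Python model of how the two NAT rules above are evaluated. It parses a compacted, constructed copy of the config (the `{ address X }` one-line layout is an assumption for brevity; the rule contents are those posted) and applies lowest-number-first, first-match semantics, which is why the exclude rule has to carry a lower number than the catch-all masquerade.

```python
import ipaddress
import re

# Constructed, compacted copy of the two NAT rules from the post above.
VYATTA_NAT_CONFIG = """
rule 1000 {
    destination { address 0.0.0.0/0 }
    outbound-interface eth0
    source { address 0.0.0.0/0 }
    type masquerade
}
rule 4 {
    destination { address 10.81.34.0/24 }
    exclude
    outbound-interface eth0
    source { address 0.0.0.0/0 }
    type masquerade
}
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_nat_rules(text):
    """Parse 'rule N { ... }' blocks into dicts keyed by rule number."""
    rules = {}
    for m in re.finditer(r"rule (\d+) \{(.*?)\n\}", text, re.S):
        num, body = int(m.group(1)), m.group(2)
        def network(name):  # an omitted source/destination matches anything
            f = re.search(rf"{name} \{{\s*address (\S+)", body)
            return ipaddress.ip_network(f.group(1)) if f else ANY
        iface = re.search(r"outbound-interface (\S+)", body)
        rules[num] = {
            "src": network("source"),
            "dst": network("destination"),
            "iface": iface.group(1) if iface else None,
            "exclude": bool(re.search(r"^\s*exclude\s*$", body, re.M)),
        }
    return rules

def masqueraded(rules, src, dst, iface):
    """Walk rules lowest number first; the first match decides.
    Returns (matching rule number, True if the flow is masqueraded); an
    'exclude' match keeps the real source so the flow can enter the tunnel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num in sorted(rules):
        r = rules[num]
        if r["iface"] == iface and src in r["src"] and dst in r["dst"]:
            return num, not r["exclude"]
    return None, False
```

Renumbering the exclude rule above 1000 makes the catch-all match first and the VPN subnet gets masqueraded, which is the ordering mistake the post warns about.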