Jason,
Vyatta questions are best directed to their forum at http://vyatta.org/forum. Their site also has excellent documentation on basic setup, which is found at http://vyatta.org/documentation.
I have a very similar setup to yours: Comcast business and Vyatta Community Edition with three NICs (WAN, LAN, and DMZ). To set up Vyatta so that you can access internal servers from external sources, you would need to set up destination NATs. You would then create firewall rules to allow specific destination ports into your network. With Vyatta, for incoming traffic DNAT is performed first, before going to the firewall; that's why you see the internal IP address in the firewall rule and not the external IP address.
Here is a sample DNAT rule for SMTP to my mail server:
    rule 200 {
        description "DNAT TCP connection from WAN to mail server"
        destination {
            address 123.123.123.100
            port 25
        }
        inbound-interface eth0
        inside-address {
            address 10.10.10.10
        }
        protocol tcp
        type destination
    }
Here is a sample firewall rule for SMTP to my mail server:
    rule 500 {
        action accept
        description "accept tcp port from WAN to alpha"
        destination {
            address 10.10.10.10
            port 25
        }
        protocol tcp
        source {
            address 0.0.0.0/0
        }
    }
My CPU isn't all that powerful, but it serves my network well. If you have low traffic volume, your P3/P4s should be sufficient.
vyatta$ cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 9
model name : VIA Nehemiah
stepping : 8
cpu MHz : 998.714
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr cx8 sep mtrr pge cmov pat mmx fxsr sse up rng rng_en ace ace_en
bogomips : 2000.40
clflush size : 32
power management:
Again, vyatta.org is the best place to get the information you need.
Best,
Wilson
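A small consistency check for the DNAT-before-firewall point above, added here as an example and not part of Wilson's mail or of Vyatta itself: it parses the two rule blocks from the mail (descriptions dropped), adds a constructed wrong firewall rule that matches the public address instead of the inside address, and reports any DNAT rule whose post-translation destination no firewall rule accepts.

```python
import shlex

# Constructed sample: the mail's DNAT and firewall rules, plus a wrong firewall rule.
DNAT = """rule 200 {
  destination {
    address 123.123.123.100
    port 25
  }
  inside-address {
    address 10.10.10.10
  }
  protocol tcp
}"""
FW_GOOD = """rule 500 {
  action accept
  destination {
    address 10.10.10.10
    port 25
  }
  protocol tcp
}"""
FW_BAD = FW_GOOD.replace("10.10.10.10", "123.123.123.100")  # pre-DNAT address

def parse_vyatta(text):
    """Parse brace-style Vyatta config text into nested dicts of strings."""
    stack, cur = [], {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens == ["}"]:
            cur = stack.pop()
        elif tokens and tokens[-1] == "{":  # "rule 200 {" -> cur["rule"]["200"]
            stack.append(cur)
            for key in tokens[:-1]:
                cur = cur.setdefault(key, {})
        elif tokens:                        # "port 25" -> cur["port"] = "25"
            cur[tokens[0]] = " ".join(tokens[1:])
    return cur  # braces are balanced, so this is the root again

def unmatched_dnat(dnat_text, fw_text):
    """DNAT rule numbers whose inside (post-translation) destination no firewall rule accepts."""
    fw, missing = list(parse_vyatta(fw_text).get("rule", {}).values()), []
    for num, r in parse_vyatta(dnat_text).get("rule", {}).items():
        inside = r["inside-address"]["address"]
        port = r["inside-address"].get("port") or r["destination"].get("port")
        if not any(f.get("action") == "accept"
                   and f.get("protocol", "all") in (r.get("protocol", "all"), "all")
                   and f.get("destination", {}).get("address") == inside
                   and f.get("destination", {}).get("port", port) == port
                   for f in fw):
            missing.append(num)  # firewall never sees the public address after DNAT
    return missing
```

Running `unmatched_dnat(DNAT, FW_BAD)` flags rule 200, while the mail's own pair passes; a rule keyed on the public address is dead because DNAT has already rewritten the destination before the firewall evaluates it.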
From: ML <mailinglists@xxxxxxxxxxxxxxx>
To: CentOS mailing list <centos@xxxxxxxxxx>
Sent: Monday, October 5, 2009 2:45:12 PM
Subject: More about firewalling
Hi All,
So before, when I used PIXes for my employer, our traffic was statically routed to one IP, and then the firewall decided whether it was allowed or denied and passed it on or dropped it.
I have a Comcast business circuit with 13 IPs. The gateway device they provide is a 'pass through' device. They sent traffic for all 13 IPs my way. It just allows traffic through. So if I put a device in front to firewall (like IPCop or Vyatta or something), say it has 3 NICs, how do I do that?
If the firewall has IP A and traffic for IP B comes in, how would IP A answer and decide if the traffic to IP B belonged? Without static routing, I am confused about how to accomplish this.
How fast does this device need to be?
Best,
-Jason
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos