How to Vyatta firewall

By Nisse Pettersson at March 16, 2010 11:13
Filed Under: Technical

Whenever I'm in need of a software firewall / router I use Vyatta. An advanced firewall and still rather easy to set up. I'm going to use my latest setup as an example. I'm setting up a development environment for deployment of Windows 7 and Windows XP. I'm using the latest version of VMware vSphere 4.

Setup

Download the ISO from Vyatta's download section. Then create a new virtual machine and give it some disk space and RAM. I gave it 200 MB of disk and 128 MB of RAM; this is up to you and the load you expect. Remember to add two network interfaces and set the type to e1000: one for the outside and one for the inside.

Start the machine and mount the ISO you downloaded.

When the system boots you will be greeted with the text

vyatta login:

Log on as root with vyatta as the password (the live CD's default credentials; change them once the system is installed).

We now need to install vyatta on the diskdrive instead of the ISO. So type the following.

install-system

Follow the instructions on the screen. Now the fun part starts. We need to enter configuration mode (the equivalent of configure terminal on a Cisco CLI). Type the following.

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta# set interfaces ethernet eth0 address 192.168.1.81/24
[edit]
vyatta@vyatta# commit
[edit]
vyatta@vyatta# exit
exit
vyatta@vyatta:~$

This sets the first network interface (eth0) to address 192.168.1.81 with netmask 255.255.255.0.
Then commit applies the change to the running configuration, and exit leaves configuration mode.
We now need to set up the inside interface. Use the same syntax but change the address and replace eth0 with eth1.
The Vyatta machine should now respond to pings from hosts on either of the two subnets.

NAT

set service nat rule 1 outbound-interface eth0
set service nat rule 1 source address 10.1.1.0/24
set service nat rule 1 type masquerade

Rule 1 is a source NAT (masquerade) rule. It does not decide where packets go; routing does that. It rewrites the source address of every packet from 10.1.1.0/24 (our inside network) that leaves through eth0 to eth0's own address, so replies come back to the firewall and are mapped back to the inside host. The outbound-interface tells it that eth0 is the outside interface.
I like PuTTY and SSH in general, so I will add a second NAT rule for SSH.

set service nat rule 2
set service nat rule 2 type destination
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 destination address 0.0.0.0/0
set service nat rule 2 destination port ssh
set service nat rule 2 source address 0.0.0.0/0
set service nat rule 2 inside-address address 10.1.1.1

As written, rule 2 forwards TCP port 22 arriving on eth0 from any source address to 10.1.1.1, and because destination NAT runs before the router looks at where a packet is going, it also catches SSH connections aimed at the firewall's own eth0 address. No firewall rule set is attached to either interface at this point, so nothing filters the forwarded traffic; restrict the rule's source address to the hosts that need access, or attach a firewall rule set to eth0, before putting this in front of anything real.

Don't forget to commit your changes to the running configuration.

commit


Then you need to save this to the startup configuration, otherwise it is lost at the next reboot. This is done with the following command.

save
Saving configuration to '/opt/vyatta/etc/config/config.boot' ...
Done
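The complete configuration for this lab, as an added example that is not from the original post: it keeps the addresses and NAT rules above, but restricts the SSH forward to one management host and our own outside address, attaches a default-drop, stateful rule set to eth0 so only replies and that SSH session get through, and filters traffic addressed to the firewall itself. The inside address 10.1.1.254/24, the management host 192.168.1.10 and the wrapper path /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper are assumptions; the set commands use the Vyatta Community Edition syntax of the time. Run the script with no argument to print the commands for review, with check to lint them, or with apply on the Vyatta machine itself.

```shell
#!/bin/sh
# Added example, not code from the original post: the whole lab configuration
# plus a stateful firewall so the forwarded SSH port is only reachable from one
# management host. Assumed values (the post does not give them): eth1 gets
# 10.1.1.254/24 and the management workstation is 192.168.1.10.

OUTSIDE_IF=eth0
OUTSIDE_IP=192.168.1.81            # from the post
INSIDE_IF=eth1
INSIDE_ADDR=10.1.1.254/24          # assumed; the post only says "change the IP"
INSIDE_NET=10.1.1.0/24             # from the post
SSH_TARGET=10.1.1.1                # from the post
ADMIN_HOST=192.168.1.10            # assumed management workstation

# Configuration-mode commands, exactly as they would be typed after "configure".
# Comment and blank lines are stripped so the output can be fed to the CLI.
vyatta_cmds() {
    sed -e '/^#/d' -e '/^$/d' <<EOF
set interfaces ethernet $OUTSIDE_IF address $OUTSIDE_IP/24
set interfaces ethernet $INSIDE_IF address $INSIDE_ADDR
# Source NAT for the inside network, unchanged from the post.
set service nat rule 1 type masquerade
set service nat rule 1 outbound-interface $OUTSIDE_IF
set service nat rule 1 source address $INSIDE_NET
# Destination NAT for SSH: only for our own outside address and only from the
# management host, instead of 0.0.0.0/0 for both.
set service nat rule 2 type destination
set service nat rule 2 inbound-interface $OUTSIDE_IF
set service nat rule 2 protocol tcp
set service nat rule 2 source address $ADMIN_HOST
set service nat rule 2 destination address $OUTSIDE_IP
set service nat rule 2 destination port 22
set service nat rule 2 inside-address address $SSH_TARGET
# Transit traffic entering eth0. This rule set is evaluated after destination
# NAT, so rule 20 must match the translated inside address, not the outside one.
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
set firewall name OUTSIDE-IN rule 20 action accept
set firewall name OUTSIDE-IN rule 20 protocol tcp
set firewall name OUTSIDE-IN rule 20 source address $ADMIN_HOST
set firewall name OUTSIDE-IN rule 20 destination address $SSH_TARGET
set firewall name OUTSIDE-IN rule 20 destination port 22
# Traffic addressed to the firewall itself on eth0: replies and ping only.
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
set firewall name OUTSIDE-LOCAL rule 20 action accept
set firewall name OUTSIDE-LOCAL rule 20 protocol icmp
set interfaces ethernet $OUTSIDE_IF firewall in name OUTSIDE-IN
set interfaces ethernet $OUTSIDE_IF firewall local name OUTSIDE-LOCAL
EOF
}

# Lint before applying: no rule may match sources from anywhere, and every
# firewall rule set must drop by default.
check_cmds() {
    cmds=$(vyatta_cmds)
    if printf '%s\n' "$cmds" | grep -q 'source address 0\.0\.0\.0/0'; then
        echo "a rule accepts traffic from any source" >&2
        return 1
    fi
    for name in $(printf '%s\n' "$cmds" | sed -n 's/^set firewall name \([^ ]*\) .*/\1/p' | sort -u); do
        if ! printf '%s\n' "$cmds" | grep -q "^set firewall name $name default-action drop$"; then
            echo "rule set $name has no default-action drop" >&2
            return 1
        fi
    done
    return 0
}

# Apply through Vyatta's scripting wrapper (assumed at this path, as on Vyatta
# Community Edition). Anywhere else the commands are only printed.
WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
apply_cmds() {
    check_cmds || return 1
    if [ ! -x "$WRAPPER" ]; then
        echo "no $WRAPPER here; paste the following into configure mode:" >&2
        vyatta_cmds
        return 1
    fi
    "$WRAPPER" begin
    vyatta_cmds | while read -r line; do
        # $line is split on spaces on purpose: "set" is the wrapper's subcommand.
        "$WRAPPER" $line
    done
    "$WRAPPER" commit && "$WRAPPER" save
    "$WRAPPER" end
}

case "${1:-}" in
    apply) apply_cmds ;;
    check) check_cmds && echo "ok" ;;
    *)     vyatta_cmds ;;
esac
```

The one detail worth remembering from this block is the order of operations: the rule set attached with `firewall in` on eth0 sees packets after destination NAT has rewritten them, so the accept rule names the inside host 10.1.1.1, not the firewall's outside address. With the DNAT rule still matching port 22 on the outside address, SSH to the firewall itself from the outside is still redirected to 10.1.1.1; manage the firewall from the inside interface, or move the forward to another port.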


You now have a Vyatta firewall running as a router. There are a lot of things you can do with this, so I suggest you read the documentation, as I do. I will return to this topic when I have something interesting to write about.



How to block Spotify on your network

By Nisse Pettersson at September 08, 2009 06:15
Filed Under: Technical

To save bandwidth on a network or to enforce the company IT policy, you might need to block Spotify in some way. Spotify uses several ports to log in (4070, 443 and 80), and 443 and 80 are ports you don't want to block, so blocking by port alone is not an option.

Block the following IP range: 78.31.8.0 with mask 255.255.248.0 (78.31.8.0/21). Blocking by address only works as long as the service keeps using that range, so expect to revisit it.
The user Daze has a nice solution for the Cisco guys at this forum, but with 255.255.248.0 in the mask.

Then all you need to do is to wait for the first user to call and complain :)



Vyatta firewall, awesome router application

By Nisse Pettersson at June 23, 2009 21:17
Filed Under: Technical

Been a while since I posted on this blog but here we go!

I've been working with the Vyatta firewall, and this is by far the best software router and firewall I've worked with. I'm using it as a virtual machine in a hosting solution. We have a VLAN for each customer, and this works as a router and firewall between the infrastructure.

We found out that this is probably one of the few software routers that don't need a reboot when you add a new VLAN. It's quite tricky to use since it's all command-line interface (CLI), but you get used to it, and you can use the Tab key to auto-complete a lot of the configuration. If you need a firewall with performance and no limits on firewall features, this is the application. So go check the Vyatta firewall out.

Cisco released their new ASA software, which runs on a Linux platform, and my guess is that the next step is to start shipping virtual appliances.