  1. vyatta@R1:~$ configure
  2. [edit]
  3. vyatta@R1# show firewall
  4. name local-two {
  5. enable-default-log
  6. rule 10 {
  7. action accept
  8. state {
  9. established enable
  10. }
  11. }
  12. }
  13. name one-two {
  14. enable-default-log
  15. rule 10 {
  16. action accept
  17. destination {
  18. port 90
  19. }
  20. protocol tcp
  21. }
  22. }
  23. name two-local {
  24. default-action drop
  25. enable-default-log
  26. rule 10 {
  27. action accept
  28. destination {
  29. port 22,23
  30. }
  31. protocol tcp
  32. }
  33. }
  34. name two-one {
  35. enable-default-log
  36. rule 10 {
  37. action accept
  38. state {
  39. established enable
  40. }
  41. }
  42. }
  43. [edit]
  44. vyatta@R1# show zone-policy
  45. zone local {
  46. from two {
  47. firewall {
  48. name two-local
  49. }
  50. }
  51. local-zone
  52. }
  53. zone one {
  54. from two {
  55. firewall {
  56. name two-one
  57. }
  58. }
  59. interface eth0
  60. }
  61. zone two {
  62. from local {
  63. firewall {
  64. name local-two
  65. }
  66. }
  67. from one {
  68. firewall {
  69. name one-two
  70. }
  71. }
  72. interface eth2
  73. interface eth1
  74. }
  75. [edit]
  76. vyatta@R1#
  77. [edit]
  78. vyatta@R1# sudo iptables -vnL
  79. Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  80. pkts bytes target prot opt in out source destination
  81. 190 10702 VZONE_local_IN all -- * * 0.0.0.0/0 0.0.0.0/0
  82. 72783 38M VYATTA_POST_FW_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  83.  
  84. Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  85. pkts bytes target prot opt in out source destination
  86. 0 0 VYATTA_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  87. 0 0 VYATTA_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  88. 0 0 VZONE_one all -- * eth0 0.0.0.0/0 0.0.0.0/0
  89. 0 0 VZONE_two all -- * eth2 0.0.0.0/0 0.0.0.0/0
  90. 0 0 VZONE_two all -- * eth1 0.0.0.0/0 0.0.0.0/0
  91. 713 96093 VYATTA_POST_FW_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  92.  
  93. Chain OUTPUT (policy ACCEPT 74942 packets, 12M bytes)
  94. pkts bytes target prot opt in out source destination
  95. 150 11461 VZONE_local_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
  96.  
  97. Chain VYATTA_IN_HOOK (1 references)
  98. pkts bytes target prot opt in out source destination
  99.  
  100. Chain VYATTA_OUT_HOOK (1 references)
  101. pkts bytes target prot opt in out source destination
  102.  
  103. Chain VYATTA_POST_FW_HOOK (2 references)
  104. pkts bytes target prot opt in out source destination
  105. 23962 3460K VYATTA_SNORT_all_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  106. 29 2134 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
  107.  
  108. Chain VYATTA_SNORT_all_HOOK (1 references)
  109. pkts bytes target prot opt in out source destination
  110. 73467 38M QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0
  111.  
  112. Chain VZONE_local_IN (1 references)
  113. pkts bytes target prot opt in out source destination
  114. 0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
  115. 0 0 two-local all -- eth2 * 0.0.0.0/0 0.0.0.0/0
  116. 0 0 RETURN all -- eth2 * 0.0.0.0/0 0.0.0.0/0
  117. 135 7170 two-local all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  118. 132 6990 RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  119. 33 2169 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  120.  
  121. Chain VZONE_local_OUT (1 references)
  122. pkts bytes target prot opt in out source destination
  123. 0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
  124. 12 720 local-two all -- * eth2 0.0.0.0/0 0.0.0.0/0
  125. 0 0 RETURN all -- * eth2 0.0.0.0/0 0.0.0.0/0
  126. 79 6141 local-two all -- * eth1 0.0.0.0/0 0.0.0.0/0
  127. 79 6141 RETURN all -- * eth1 0.0.0.0/0 0.0.0.0/0
  128. 42 3448 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  129.  
  130. Chain VZONE_one (1 references)
  131. pkts bytes target prot opt in out source destination
  132. 0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  133. 0 0 two-one all -- eth2 * 0.0.0.0/0 0.0.0.0/0
  134. 0 0 RETURN all -- eth2 * 0.0.0.0/0 0.0.0.0/0
  135. 0 0 two-one all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  136. 0 0 RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  137. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  138.  
  139. Chain VZONE_two (2 references)
  140. pkts bytes target prot opt in out source destination
  141. 0 0 RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  142. 0 0 RETURN all -- eth2 * 0.0.0.0/0 0.0.0.0/0
  143. 0 0 one-two all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  144. 0 0 RETURN all -- eth0 * 0.0.0.0/0 0.0.0.0/0
  145. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
  146.  
  147. Chain local-two (2 references)
  148. pkts bytes target prot opt in out source destination
  149. 90 6933 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* local-two-10 */ state ESTABLISHED
  150. 18 1080 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* local-two-10000 default-action drop */ LOG flags 0 level 4 prefix `[local-two-default-D]'
  151. 18 1080 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* local-two-10000 default-action drop */
  152.  
  153. Chain one-two (1 references)
  154. pkts bytes target prot opt in out source destination
  155. 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* one-two-10 */ tcp dpt:90
  156. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* one-two-10000 default-action drop */ LOG flags 0 level 4 prefix `[one-two-default-D]'
  157. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* one-two-10000 default-action drop */
  158.  
  159. Chain two-local (2 references)
  160. pkts bytes target prot opt in out source destination
  161. 132 6990 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* two-local-10 */ multiport dports 22,23
  162. 25 1543 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-local-10000 default-action drop */ LOG flags 0 level 4 prefix `[two-local-default-D]'
  163. 25 1543 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-local-10000 default-action drop */
  164.  
  165. Chain two-one (2 references)
  166. pkts bytes target prot opt in out source destination
  167. 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-one-10 */ state ESTABLISHED
  168. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-one-10000 default-action drop */ LOG flags 0 level 4 prefix `[two-one-default-D]'
  169. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-one-10000 default-action drop */
  170. [edit]
  171. vyatta@R1# delete zone-policy
  172. [edit]
  173. vyatta@R1# commit
  174. [edit]
  175. vyatta@R1#
  176. [edit]
  177. vyatta@R1# sudo iptables -vnL
  178. Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  179. pkts bytes target prot opt in out source destination
  180. 72833 38M VYATTA_POST_FW_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  181.  
  182. Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  183. pkts bytes target prot opt in out source destination
  184. 0 0 VYATTA_IN_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  185. 0 0 VYATTA_OUT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  186. 713 96093 VYATTA_POST_FW_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  187.  
  188. Chain OUTPUT (policy ACCEPT 74975 packets, 12M bytes)
  189. pkts bytes target prot opt in out source destination
  190.  
  191. Chain VYATTA_IN_HOOK (1 references)
  192. pkts bytes target prot opt in out source destination
  193.  
  194. Chain VYATTA_OUT_HOOK (1 references)
  195. pkts bytes target prot opt in out source destination
  196.  
  197. Chain VYATTA_POST_FW_HOOK (2 references)
  198. pkts bytes target prot opt in out source destination
  199. 24012 3462K VYATTA_SNORT_all_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
  200. 29 2134 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
  201.  
  202. Chain VYATTA_SNORT_all_HOOK (1 references)
  203. pkts bytes target prot opt in out source destination
  204. 73517 38M QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0
  205.  
  206. Chain local-two (0 references)
  207. pkts bytes target prot opt in out source destination
  208. 115 15211 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* local-two-10 */ state ESTABLISHED
  209. 19 1140 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* local-two-10000 default-action drop */ LOG flags 0 level 4 prefix `[local-two-default-D]'
  210. 19 1140 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* local-two-10000 default-action drop */
  211.  
  212. Chain one-two (0 references)
  213. pkts bytes target prot opt in out source destination
  214. 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* one-two-10 */ tcp dpt:90
  215. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* one-two-10000 default-action drop */ LOG flags 0 level 4 prefix `[one-two-default-D]'
  216. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* one-two-10000 default-action drop */
  217.  
  218. Chain two-local (0 references)
  219. pkts bytes target prot opt in out source destination
  220. 170 8983 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* two-local-10 */ multiport dports 22,23
  221. 25 1543 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-local-10000 default-action drop */ LOG flags 0 level 4 prefix `[two-local-default-D]'
  222. 25 1543 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-local-10000 default-action drop */
  223.  
  224. Chain two-one (0 references)
  225. pkts bytes target prot opt in out source destination
  226. 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-one-10 */ state ESTABLISHED
  227. 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-one-10000 default-action drop */ LOG flags 0 level 4 prefix `[two-one-default-D]'
  228. 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* two-one-10000 default-action drop */
  229. [edit]