Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Troubleshoot: Port is blocked by the firewall


Vyatta contains a robust set of Layer 4 firewall features. A quick and simple way to check whether a problem relates to the firewall is to temporarily remove the firewall rule set and check whether the problem persists.

However, in many environments this is not an acceptable first step, for security reasons. The network administrator must therefore judge whether this step is acceptable, acceptable only during a controlled change window, or unacceptable for their environment.

  1. Document the address and port details of the affected flow.
  2. Document the time that the problem began.
  3. Check the route that the flow would take: Use the show ip route command.
  4. Check whether or not packets for the affected flow are arriving and leaving Vyatta: Use the monitor interface ... traffic command.
    If the affected flow is arriving and leaving Vyatta correctly, stop here.
  5. Review changes to the firewall rule set: Use the show system commit command and examine the configuration for rules that relate to the affected flow.
  6. For each rule that you suspect, check whether or not counters are incrementing: Use the show firewall command.
  7. If the flow is stateful, check whether a session entry is created, and the state: Use the show session-table command.
  8. For each rule that you suspect, add a log statement to the rule.
  9. For each rule that you suspect, examine events for the rule: Use the show journal command.
  10. When you finish troubleshooting, remove the log statement that you added to each suspect rule.
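The following script is an added example, not part of the Vyatta documentation or product, that supports steps 6, 8 and 10 of the procedure above: it compares two snapshots of show firewall output taken a few seconds apart, reports the rules whose packet counters are incrementing, narrows them to the ones that discard traffic, and generates the configuration commands to add and later remove a log statement on each suspect rule. The sample output is constructed, and both the output layout (a quoted ruleset name followed by a rule/action/proto/packets/bytes table) and the "set firewall name ... rule ... log enable" syntax are assumptions to be checked against the reference for your release.

```python
"""Find firewall rules whose counters are incrementing between two
'show firewall' snapshots, then emit the commands to toggle logging."""
import re

# Constructed sample output (two snapshots of the same ruleset). The layout
# is an assumption modelled on Vyatta-style CLI output, not a real capture.
SNAPSHOT_T0 = """\
IPv4 Firewall "WAN_IN":

 Active on (eth0,IN)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    accept   tcp       1200     96000
20    drop     tcp       45       2700
10000 drop     all       3        180
"""

SNAPSHOT_T1 = """\
IPv4 Firewall "WAN_IN":

 Active on (eth0,IN)

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
10    accept   tcp       1200     96000
20    drop     tcp       57       3420
10000 drop     all       3        180
"""

RULESET_RE = re.compile(r'^IPv[46] Firewall "([^"]+)":')
RULE_RE = re.compile(r'^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$')


def parse_counters(text):
    """Return {(ruleset, rule_number): (action, packets)} from one snapshot."""
    counters = {}
    ruleset = None
    for line in text.splitlines():
        m = RULESET_RE.match(line)
        if m:
            ruleset = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and ruleset:
            rule, action, _proto, packets, _bytes = m.groups()
            counters[(ruleset, int(rule))] = (action, int(packets))
    return counters


def incrementing_rules(before, after):
    """Rules whose packet counter grew between snapshots: (ruleset, rule, action, delta)."""
    result = []
    for key, (action, pkts_after) in after.items():
        pkts_before = before.get(key, (action, 0))[1]
        delta = pkts_after - pkts_before
        if delta > 0:
            result.append((key[0], key[1], action, delta))
    return sorted(result)


def suspect_rules(before, after):
    """Narrow to incrementing rules that discard traffic (drop/reject)."""
    return [r for r in incrementing_rules(before, after) if r[2] in ("drop", "reject")]


def log_commands(suspects, enable=True):
    """Commands for step 8 (enable=True) or step 10 (enable=False).
    The 'set/delete firewall name X rule N log' syntax is an assumption."""
    cmds = []
    for ruleset, rule, _action, _delta in suspects:
        if enable:
            cmds.append(f"set firewall name {ruleset} rule {rule} log enable")
        else:
            cmds.append(f"delete firewall name {ruleset} rule {rule} log")
    return cmds


if __name__ == "__main__":
    before, after = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for ruleset, rule, action, delta in incrementing_rules(before, after):
        print(f"{ruleset} rule {rule} ({action}): +{delta} packets")
    suspects = suspect_rules(before, after)
    print("\n".join(log_commands(suspects, enable=True)))
    print("\n".join(log_commands(suspects, enable=False)))
```

In practice you would paste the two show firewall outputs into the two snapshot strings (or read them from files) and take them while reproducing the affected flow, so that only rules matched by that flow change between the snapshots. A rule with an accept action that increments is equally worth noting, since it tells you the flow is reaching the firewall and being permitted there, which points the investigation elsewhere (step 4).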