Troubleshoot: Port is blocked by the firewall
Vyatta contains a robust set of Layer 4 firewall features. A quick and simple way to check whether or not a problem relates to the firewall is to temporarily remove the firewall rule set and check whether the problem still exists.
However, in many environments removing the rule set is not an acceptable first step, for security reasons. The network administrator must therefore judge whether this step is acceptable, acceptable only during a controlled change window, or unacceptable for their environment.
- Document the address and port details of the affected flow.
- Document the time that the problem began.
- Check the route that the flow would take: Use the show ip route command.
- Check whether or not packets for the affected flow are arriving and leaving Vyatta: Use the monitor interface ... traffic command. If the affected flow is arriving and leaving Vyatta correctly, stop here.
- Review changes to the firewall rule set: Use the show system commit command and examine the configuration for rules that relate to the affected flow.
- For each rule that you suspect, check whether or not counters are incrementing: Use the
- If the flow is stateful, check whether a session entry is created, and the state: Use the
- For each rule that you suspect, add a log statement to the rule.
- For each rule that you suspect, examine events for the rule: Use the
- When you finish troubleshooting, remove the log statement that you added to each suspect rule.
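Once a log statement is on the suspect rules, the events it produces have to be matched back to the address and port details documented in the first step. The following script is an added example and is not part of the Vyatta documentation: it parses netfilter-style LOG lines with an assumed "[name-rule-action]" prefix (check the exact prefix your Vyatta release writes and adjust PREFIX_RE if it differs), keeps only the events for the documented flow, and counts drops per rule so the blocking rule stands out. The log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real system). The
# "[name-rule-action]" prefix format is assumed; verify it against your release.
SAMPLE_LOG = """\
Jan 10 09:12:01 vyatta kernel: [WAN_IN-10-A]IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 10 09:12:03 vyatta kernel: [WAN_IN-20-D]IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=8443 SYN
Jan 10 09:12:05 vyatta kernel: [WAN_IN-20-D]IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=8443 SYN
Jan 10 09:12:07 vyatta kernel: [WAN_IN-default-D]IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=4000 DPT=8443
"""

# Rule-set name, rule number (or "default") and action letter, e.g. [WAN_IN-20-D].
# The name is matched lazily so that names containing hyphens still parse.
PREFIX_RE = re.compile(r"\[(?P<name>.+?)-(?P<rule>[^-\]]+)-(?P<action>[A-Z])\]")
# KEY=value fields as written by the netfilter LOG target (value may be empty, e.g. OUT=).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of the rule prefix and packet fields, or None if not a firewall log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event.update(dict(KV_RE.findall(line[m.end():])))
    return event


def events_for_flow(log_text, src, dst, dport, proto="TCP"):
    """Keep only events matching the documented flow (source, destination, destination port, protocol)."""
    matches = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev.get("SRC") == src and ev.get("DST") == dst
                and ev.get("DPT") == str(dport) and ev.get("PROTO") == proto):
            matches.append(ev)
    return matches


def drops_by_rule(events):
    """Count drop events (action D) per (rule-set name, rule number)."""
    return Counter((ev["name"], ev["rule"]) for ev in events if ev["action"] == "D")


if __name__ == "__main__":
    flow = events_for_flow(SAMPLE_LOG, "203.0.113.5", "192.0.2.10", 8443)
    for (name, rule), n in drops_by_rule(flow).items():
        print(f"rule set {name}, rule {rule}: {n} drop(s) for the affected flow")
```

Feed it the relevant portion of the system log (the lines written since the time you documented the problem as starting) and compare the rules it reports against the counters you checked earlier; a rule whose drop count rises in step with the affected flow is the one to review.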