Lab 4.1: Network Firewalls 1
Summary
In this lab we shut down and then manage traffic between the LAN, DMZ,WAN and MGMT Networks.
Updating
Documentation: https://docs.vyos.io/en/equuleus/installation/update.html
Rolling
add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Specific Image
copy file <version>://config/config.boot to /tmp/config.boot.<version>
Configuring RIP
configure
set protocols rip interface <adapter>
set protocols rip network <network>/<subnet>
commit
save
EX:
configure
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
commit
save
Firewall Zones Creation
configure
# Assign zone to apdater
set zone-policy zone <NETWORK-NAME> interface <adapter>
set zone-policy zone <NETWORK-NAME> interface <adapter>
set zone-policy zone <NETWORK-NAME> interface <adapter>
# Set zone to and from
set zone-policy zone <NETWORK-NAME> from <NETWORK-NAME-2> firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2>
set zone-policy zone <NETWORK-NAME> interface <adapter>
commit
save
EX:
configure
# Assign zone to apdater
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
# Set zone to and from
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'
commit
save
Firewall Rule Creation
# Default rules
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> default-action 'drop'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> enable-default-log
# We will reserve rule 1 for two conditions. The first is to allow established connections back out again, the second would be to have an open rule where all connections are allowed.
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 1 action 'accept'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 1 state established 'enable'
# Making a new rule
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 action 'accept'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 description 'wazuh agent communications with wazuh'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 destination address '172.16.200.10'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 destination port '1514-1515'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 protocol 'tcp'
Debugging Firewall Blocks
REMEMBER TO CONFIGURE THE RIGHT FIREWALL.
Vyos Config
fw-mgmt
set firewall name LAN-to-MGMT default-action 'drop'
set firewall name LAN-to-MGMT enable-default-log
set firewall name LAN-to-MGMT rule 1 action 'accept'
set firewall name LAN-to-MGMT rule 1 state established 'enable'
set firewall name LAN-to-MGMT rule 10 action 'accept'
set firewall name LAN-to-MGMT rule 10 description 'wazuh agent communications with wazuh'
set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 10 destination port '1514-1515'
set firewall name LAN-to-MGMT rule 10 protocol 'tcp'
set firewall name LAN-to-MGMT rule 20 action 'accept'
set firewall name LAN-to-MGMT rule 20 description 'Allow 443/tcp from mgmt01 to wazuh'
set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 20 destination port '443'
set firewall name LAN-to-MGMT rule 20 protocol 'tcp'
set firewall name LAN-to-MGMT rule 20 source address '172.16.150.10'
set firewall name LAN-to-MGMT rule 30 action 'accept'
set firewall name LAN-to-MGMT rule 30 description 'Allow ssh from mgmt01 to wazuh'
set firewall name LAN-to-MGMT rule 30 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 30 destination port '22'
set firewall name LAN-to-MGMT rule 30 protocol 'tcp'
set firewall name LAN-to-MGMT rule 30 source address '172.16.150.10'
set firewall name MGMT-to-LAN default-action 'drop'
set firewall name MGMT-to-LAN enable-default-log
set firewall name MGMT-to-LAN rule 1 action 'accept'
set firewall name MGMT-to-LAN rule 1 state established 'enable'
set firewall name MGMT-to-LAN rule 10 action 'accept'
set firewall name MGMT-to-LAN rule 10 description 'Allow all connections from MGMT to DMZ'
set firewall name MGMT-to-LAN rule 10 destination address '172.16.50.0/29'
set firewall name MGMT-to-LAN rule 20 action 'accept'
set firewall name MGMT-to-LAN rule 20 description 'Allow all connections from MGMT to LAN'
set firewall name MGMT-to-LAN rule 20 destination address '172.16.150.0/24'
set interfaces ethernet eth0 address '172.16.150.3/24'
set interfaces ethernet eth0 description 'SEC350-LAN'
set interfaces ethernet eth1 address '172.16.200.2/28'
set interfaces ethernet eth1 description 'SEC350-MGMT'
set nat source
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
set service dns forwarding allow-from '172.16.200.0/28'
set service dns forwarding listen-address '172.16.200.2'
set service ssh listen-address '0.0.0.0'
set system host-name 'fw-mgmt-paul'
set system name-server '172.16.150.2'
set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT'
set zone-policy zone MGMT interface 'eth1'
fw01
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514-1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action 'accept'
set firewall name LAN-to-DMZ rule 1 state established 'enable'
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 description 'Allow HTTP from LAN to web01'
set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 10 destination port '80'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 description 'ssh from mgmt01 to DMZ'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action 'accept'
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall name WAN-to-LAN default-action 'drop'
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action 'accept'
set firewall name WAN-to-LAN rule 1 state established 'enable'
set interfaces ethernet eth0 address '10.0.17.127/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'PAUL-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'PAUL-LAN'
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
set nat source rule 30 description 'NAT FROM MGMT to WAN'
set nat source rule 30 outbound-interface 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'fw1-paul'
set system name-server '10.0.17.2'
set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'
Last updated