Lab 4.1: Network Firewalls 1

Summary

In this lab we shut down and then manage traffic between the LAN, DMZ,WAN and MGMT Networks.

Updating

Documentation: https://docs.vyos.io/en/equuleus/installation/update.html

Rolling

add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso

Specific Image

copy file <version>://config/config.boot to /tmp/config.boot.<version>

Configuring RIP

configure
set protocols rip interface <adapter>
set protocols rip network <network>/<subnet>
commit
save

EX:

configure
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
commit
save

Firewall Zones Creation

configure
# Assign zone to apdater
set zone-policy zone <NETWORK-NAME> interface <adapter>
set zone-policy zone <NETWORK-NAME> interface <adapter>
set zone-policy zone <NETWORK-NAME> interface <adapter>

# Set zone to and from
set zone-policy zone <NETWORK-NAME> from <NETWORK-NAME-2> firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> 
set zone-policy zone <NETWORK-NAME> interface <adapter>
commit
save

EX:

configure
# Assign zone to apdater
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2

# Set zone to and from
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'
commit
save

Firewall Rule Creation

# Default rules
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> default-action 'drop'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> enable-default-log

# We will reserve rule 1 for two conditions.  The first is to allow established connections back out again, the second would be to have an open rule where all connections are allowed.
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 1 action 'accept'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 1 state established 'enable'

# Making a new rule
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 action 'accept'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 description 'wazuh agent communications with wazuh'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 destination address '172.16.200.10'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 destination port '1514-1515'
set firewall name <NETWORK-NAME>-to-<NETWORK-NAME-2> rule 10 protocol 'tcp'

Debugging Firewall Blocks

REMEMBER TO CONFIGURE THE RIGHT FIREWALL.

Vyos Config

fw-mgmt

set firewall name LAN-to-MGMT default-action 'drop'
set firewall name LAN-to-MGMT enable-default-log
set firewall name LAN-to-MGMT rule 1 action 'accept'
set firewall name LAN-to-MGMT rule 1 state established 'enable'
set firewall name LAN-to-MGMT rule 10 action 'accept'
set firewall name LAN-to-MGMT rule 10 description 'wazuh agent communications with wazuh'
set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 10 destination port '1514-1515'
set firewall name LAN-to-MGMT rule 10 protocol 'tcp'
set firewall name LAN-to-MGMT rule 20 action 'accept'
set firewall name LAN-to-MGMT rule 20 description 'Allow 443/tcp from mgmt01 to wazuh'
set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 20 destination port '443'
set firewall name LAN-to-MGMT rule 20 protocol 'tcp'
set firewall name LAN-to-MGMT rule 20 source address '172.16.150.10'
set firewall name LAN-to-MGMT rule 30 action 'accept'
set firewall name LAN-to-MGMT rule 30 description 'Allow ssh from mgmt01 to wazuh'
set firewall name LAN-to-MGMT rule 30 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 30 destination port '22'
set firewall name LAN-to-MGMT rule 30 protocol 'tcp'
set firewall name LAN-to-MGMT rule 30 source address '172.16.150.10'
set firewall name MGMT-to-LAN default-action 'drop'
set firewall name MGMT-to-LAN enable-default-log
set firewall name MGMT-to-LAN rule 1 action 'accept'
set firewall name MGMT-to-LAN rule 1 state established 'enable'
set firewall name MGMT-to-LAN rule 10 action 'accept'
set firewall name MGMT-to-LAN rule 10 description 'Allow all connections from MGMT to DMZ'
set firewall name MGMT-to-LAN rule 10 destination address '172.16.50.0/29'
set firewall name MGMT-to-LAN rule 20 action 'accept'
set firewall name MGMT-to-LAN rule 20 description 'Allow all connections from MGMT to LAN'
set firewall name MGMT-to-LAN rule 20 destination address '172.16.150.0/24'
set interfaces ethernet eth0 address '172.16.150.3/24'
set interfaces ethernet eth0 description 'SEC350-LAN'
set interfaces ethernet eth1 address '172.16.200.2/28'
set interfaces ethernet eth1 description 'SEC350-MGMT'
set nat source
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
set service dns forwarding allow-from '172.16.200.0/28'
set service dns forwarding listen-address '172.16.200.2'
set service ssh listen-address '0.0.0.0'
set system host-name 'fw-mgmt-paul'
set system name-server '172.16.150.2'
set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN'
set zone-policy zone LAN interface 'eth0'
set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT'
set zone-policy zone MGMT interface 'eth1'

fw01

set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514-1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action 'accept'
set firewall name LAN-to-DMZ rule 1 state established 'enable'
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 description 'Allow HTTP from LAN to web01'
set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 10 destination port '80'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 description 'ssh from mgmt01 to DMZ'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action 'accept'
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall name WAN-to-LAN default-action 'drop'
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action 'accept'
set firewall name WAN-to-LAN rule 1 state established 'enable'
set interfaces ethernet eth0 address '10.0.17.127/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'PAUL-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'PAUL-LAN'
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
set nat source rule 30 description 'NAT FROM MGMT to WAN'
set nat source rule 30 outbound-interface 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'fw1-paul'
set system name-server '10.0.17.2'
set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'

PreviousLab 3.2: Wazuh NextLab 6.1: Port Forwarding and Jump Boxes

Last updated 2 years ago

hashtagSummary

hashtagUpdating

hashtagConfiguring RIP

hashtagFirewall Zones Creation

hashtagFirewall Rule Creation

hashtagDebugging Firewall Blocks

hashtagVyos Config

Summary

Updating

Configuring RIP

Firewall Zones Creation

Firewall Rule Creation

Debugging Firewall Blocks

Vyos Config