FW01 config - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Interface commands

# Interface addressing for FW01. eth0 faces the upstream/WAN segment, eth1 the
# DMZ (a /29, room for six hosts) and eth2 the internal LAN. The hw-id lines bind
# each logical ethN to its VM NIC MAC, which VyOS uses to keep interface names
# stable across reboots/NIC reordering (a swap here would swap zone membership).
set interfaces ethernet eth0 address '10.0.17.134/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth0 hw-id '00:50:56:b3:61:fb'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'JIBREEL-DMZ'
set interfaces ethernet eth1 hw-id '00:50:56:b3:1d:62'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'JIBREEL-LAN'
set interfaces ethernet eth2 hw-id '00:50:56:b3:f8:ca'

System Commands

# System identity, upstream resolver and remote logging.
set system host-name 'fw01-jibreel'
# Upstream resolver on the WAN segment; the DNS forwarder below reuses it via
# 'forwarding system'.
set system name-server '10.0.17.2'
# Ship logs to the collector at 172.16.200.10:1514. Only the kern facility is
# forwarded — that carries the kernel/netfilter firewall log lines (the
# enable-default-log entries below) but NOT auth/sshd events.
# NOTE(review): add 'facility auth' (or 'all') if logins to the firewall itself
# should reach the collector as well.
set system syslog host 172.16.200.10 facility kern level 'debug'
# NOTE(review): octet-counted is the TCP syslog framing; confirm the transport
# matches what the collector listens for on 1514. The DMZ rulesets on this page
# only pass udp/1514 for DMZ hosts, so the two may be using different transports.
set system syslog host 172.16.200.10 format octet-counted
set system syslog host 172.16.200.10 port '1514'

# Default route via the upstream gateway on the WAN segment (the same host that
# serves as the system name-server). Internal prefixes not attached to this
# firewall (e.g. 172.16.200.0/28, MGMT) are not covered here — presumably learned
# via RIP on the LAN side; confirm with the routing table.
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2

Service Commands

# DNS forwarder: only internal clients (DMZ, LAN, MGMT) may query, and it listens
# only on the DMZ and LAN interface addresses, so the resolver is never reachable
# on the WAN address. 'system' forwards to the system name-server configured above.
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding allow-from '172.16.200.0/28'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding system
# Management SSH is bound to the LAN address only — not exposed on eth0 or the DMZ.
# NOTE(review): 172.16.200.0/28 appears in allow-from but has no listen-address
# of its own; MGMT presumably reaches 172.16.150.2 through the LAN — confirm.
set service ssh listen-address '172.16.150.2'

NAT Source Commands

# Source NAT (masquerade to the eth0 address) for each internal prefix leaving
# via the WAN interface. Which flows are *allowed* out is decided by the
# DMZ-to-WAN and LAN-to-WAN rulesets, not here.
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 15 description 'NAT FROM LAN to WAN'
set nat source rule 15 outbound-interface 'eth0'
set nat source rule 15 source address '172.16.150.0/24'
set nat source rule 15 translation address 'masquerade'
# MGMT (172.16.200.0/28) is not directly attached to this firewall; it is
# presumably routed in via the LAN side and therefore falls under the LAN zone
# rulesets — confirm.
set nat source rule 20 description 'NAT FROM MGMT TO WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.200.0/28'
set nat source rule 20 translation address 'masquerade'

Protocols Commands (RIP)

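# RIP on the LAN interface so the downstream router learns the DMZ prefix.
# Caveat: 'network 172.16.50.0/29' does not only advertise the prefix — per
# FRR/VyOS semantics it also enables RIP on every interface holding an address
# in that prefix, i.e. eth1 (the DMZ). eth1 is therefore marked passive so RIP
# updates (internal topology) are not multicast into the DMZ.
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols rip passive-interface eth1
# NOTE(review): RIP is unauthenticated as configured. Passive mode still
# processes updates *received* on eth1, and any LAN host can inject routes on
# eth2. Consider MD5 authentication on eth2, e.g.
#   set protocols rip interface eth2 authentication md5 1 password '<key>'
# (same key on the peer), and an inbound distribute-list on eth1 if DMZ hosts
# must never influence the routing table.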

NAT Destination Commands

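# Port forwards from the WAN. Both rules are pinned to the firewall's own WAN
# address (10.0.17.134 on eth0): the original matched any destination arriving
# on eth0 with dst port 80/22, so traffic routed through eth0 toward other
# addresses would have been silently rewritten to the DMZ hosts as well.
set nat destination rule 10 description 'HTTP->WEB01'
set nat destination rule 10 destination address '10.0.17.134'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '172.16.50.3'
set nat destination rule 10 translation port '80'
# SSH to the jump host. DNAT is applied before zone filtering, so the matching
# WAN-to-DMZ rule keys on the translated address 172.16.50.4 and restricts the
# source there (10.0.17.34); this rule alone does not limit who may connect.
set nat destination rule 20 description '--> jump'
set nat destination rule 20 destination address '10.0.17.134'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.50.4'
set nat destination rule 20 translation port '22'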

Zone Policy One

# Zone-based policy: each interface belongs to exactly one zone and every
# inter-zone direction is bound to a named ruleset (all six directions between
# DMZ, LAN and WAN are covered; a direction without a 'from' binding would be
# dropped by the zone policy).
# NOTE(review): no 'local' zone is defined, so traffic to/from the firewall
# itself (SSH, the DNS forwarder, outgoing syslog) is not zone-filtered; its
# exposure is limited only by the service listen-addresses configured above.
set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'

WAN-to-DMZ

# WAN -> DMZ: everything not listed is dropped and logged. Rules are evaluated
# in ascending order: 10 and 25 admit the two port-forwarded services, 20 admits
# replies to connections the DMZ initiated.
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
# Public web: tcp/80 to WEB01. The destination address is the post-DNAT
# (internal) address, because DNAT is applied before this ruleset sees the packet.
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'Allow WAN Access to WEB01 HTTP'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
# Return traffic for DMZ-initiated flows (syslog, NTP).
# NOTE(review): only 'established' is enabled; consider adding
# 'state related enable' so ICMP errors tied to those flows (e.g. PMTU) pass.
set firewall name WAN-to-DMZ rule 20 action 'accept'
set firewall name WAN-to-DMZ rule 20 state established 'enable'
# SSH to the jump host, restricted to a single WAN-side source (10.0.17.34).
set firewall name WAN-to-DMZ rule 25 action 'accept'
set firewall name WAN-to-DMZ rule 25 description 'ssh-->jump'
set firewall name WAN-to-DMZ rule 25 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 25 destination port '22'
set firewall name WAN-to-DMZ rule 25 protocol 'tcp'
set firewall name WAN-to-DMZ rule 25 source address '10.0.17.34'

DMZ-to-WAN

# DMZ -> WAN: default drop + log. DMZ hosts get no general internet access; only
# the flows below may be initiated outbound.
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN enable-default-log
# Syslog (udp/1514) from any DMZ host to any WAN-side destination.
# NOTE(review): the only collector configured on this page is 172.16.200.10,
# which sits on the MGMT prefix behind the LAN side and is handled by DMZ-to-LAN.
# If there is no WAN-side collector this rule is unneeded; if there is one, pin
# 'destination address' to it rather than allowing udp/1514 to the whole WAN.
set firewall name DMZ-to-WAN rule 10 action 'accept'
set firewall name DMZ-to-WAN rule 10 description 'Allows DMZ to WAN Access'
set firewall name DMZ-to-WAN rule 10 destination port '1514'
set firewall name DMZ-to-WAN rule 10 protocol 'udp'
# Replies for WAN-initiated sessions (HTTP to WEB01, SSH to the jump host).
# NOTE(review): 'related' is not enabled here either; see WAN-to-DMZ rule 20.
set firewall name DMZ-to-WAN rule 15 action 'accept'
set firewall name DMZ-to-WAN rule 15 state established 'enable'
# NTP for WEB01 only. The jump host (172.16.50.4) has no outbound allowance
# beyond rule 10, which is the intended least-privilege posture for a bastion.
set firewall name DMZ-to-WAN rule 30 action 'accept'
set firewall name DMZ-to-WAN rule 30 description 'WEB01 access to internet'
set firewall name DMZ-to-WAN rule 30 destination port '123'
set firewall name DMZ-to-WAN rule 30 protocol 'udp'
set firewall name DMZ-to-WAN rule 30 source address '172.16.50.3'

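#DMZ-to-LAN
# DMZ -> LAN: flows initiated from the DMZ toward the LAN side are dropped and
# logged by default; the only new flows allowed are syslog to the collector.
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
# Return traffic for LAN/MGMT-initiated sessions (HTTP browsing, SSH to WEB01).
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
# Syslog from DMZ hosts. The original accepted udp/1514 to *any* LAN-side host;
# it is now pinned to the collector configured under 'system syslog'
# (172.16.200.10). Widen 'destination address' if DMZ hosts ship logs elsewhere.
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'Allows DMZ to LAN Access'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514'
set firewall name DMZ-to-LAN rule 10 protocol 'udp'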

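#LAN-to-DMZ
# LAN -> DMZ: default drop + log.
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
# Any LAN-side host may reach tcp/80 on any DMZ host (no destination address).
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 description 'WKS browsing rule'
set firewall name LAN-to-DMZ rule 10 destination port '80'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
# SSH from the management workstation (172.16.200.11) to WEB01.
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 description 'SSH from MGMT to WEB01'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.200.11'
# Rule 25 is an any-protocol, any-port allow from the MGMT workstation to the
# whole DMZ /29. For that source it supersedes rules 20 and 30 entirely.
# NOTE(review): if least privilege between MGMT and the DMZ matters, restrict
# this to the protocols/ports actually needed (or drop it and keep 20/30).
set firewall name LAN-to-DMZ rule 25 action 'accept'
set firewall name LAN-to-DMZ rule 25 description 'MGMT->DMZ'
set firewall name LAN-to-DMZ rule 25 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 25 source address '172.16.200.11'
# Rule 30 originally had destination address '172.16.50.0' — a bare host
# address that is the network address of the /29 and can never match a DMZ
# host, so the rule was dead. Corrected to the DMZ prefix (the presumed intent,
# matching rule 25). It remains shadowed by rule 25 for this source; it is kept
# so the SSH intent stays explicit if rule 25 is ever tightened.
set firewall name LAN-to-DMZ rule 30 action 'accept'
set firewall name LAN-to-DMZ rule 30 description 'ssh from MGMT to WEB01'
set firewall name LAN-to-DMZ rule 30 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 30 destination port '22'
set firewall name LAN-to-DMZ rule 30 protocol 'tcp'
set firewall name LAN-to-DMZ rule 30 source address '172.16.200.11'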

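#WAN-to-LAN
# WAN -> LAN: nothing from the WAN may initiate into the LAN; only replies to
# LAN-initiated sessions pass. The original omitted default-action and
# enable-default-log (VyOS falls back to drop for an unset default-action, but
# without logging); both are now explicit, consistent with every other ruleset
# on this page, so blocked WAN->LAN attempts also reach the syslog collector.
set firewall name WAN-to-LAN default-action 'drop'
set firewall name WAN-to-LAN enable-default-log
# NOTE(review): 'related' is not enabled; see the same note on WAN-to-DMZ rule 20.
set firewall name WAN-to-LAN rule 1 action 'accept'
set firewall name WAN-to-LAN rule 1 state established 'enable'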

#LAN-to-WAN
# LAN -> WAN.
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN enable-default-log
# Rule 1 carries no match criteria at all, so it accepts every packet from the
# LAN zone to the WAN zone; the default-drop above never fires for this
# direction. NOTE(review): if LAN egress should be constrained (e.g. to
# http/https/dns/ntp plus 'state established'), add match criteria here rather
# than relying on the default action.
set firewall name LAN-to-WAN rule 1 action 'accept'