Network Firewalls (SEC 350) - Chromosom3/TechNotes GitHub Wiki

Updating Firewalls

For this week's lab, we needed to update our firewall to a specific version. We used one of the VyOS nightly builds that was released a few days prior to class, and the professor confirmed that it was stable for what we were doing. The actual update process was straightforward: all you had to do was run add system image <URL>, accept the default options, and reboot. The commands that were run on the two firewalls for this lab are shown below. The nightly builds can be found here: https://vyos.net/get/nightly-builds/

add system image https://s3.amazonaws.com/s3-us.vyos.io/rolling/current/vyos-1.4-rolling-202202030910-amd64.iso
# Use the defaults
reboot
y

Configuring RIP

For routing to work in this network we needed to configure a routing protocol between the two firewalls. For this lab, we were instructed to use RIP. Below you can see the commands that were run on each of the two firewalls to configure RIP between them. Additional screenshots have also been included to show the results of commands.

fw01-dylan

show ip route
configure 
delete protocols static route 172.16.200.0/28
set protocols rip interface eth2
#share routes to the DMZ
set protocols rip network 172.16.50.0/29
set nat source rule 30 description "NAT from MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
commit
save


fw-mgmt-dylan

show ip route
configure
set protocols rip interface eth0
#share routes to the management network
set protocols rip network '172.16.200.0/28'
commit
exit
show nat source rule
configure
delete nat source rule 10
commit
save
exit
show nat source rule


Firewall Zones & Rules

Now that we have configured networking between the different subnets we can begin to implement firewall rules to secure the network. Firewall rules were configured on both fw01-dylan and fw-mgmt-dylan. Below you can see a detailed list of all the commands that were run on each system to configure them. Additional exports of the VyOS configuration of each system can be found in this repository.

fw01-dylan

Let's create our different zones for VyOS. Zones are assigned to interfaces, and firewall policies are then assigned to the zones. For more information on zone-based policy in VyOS, see the docs entry on the topic.

configure
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
# This will stop networking between the zones.
save

Now that the zones are created and assigned to interfaces, let's create some new firewall rule-sets. Firewall rule-sets can be applied to an interface or to a zone. For more information on rule-sets, check out the documentation. Once the rule-sets are created, we apply them to their corresponding zones. First, we will start with the rule-sets that apply to traffic between the DMZ and WAN networks.

configure
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
commit 
save

Now that we have created and applied the rule-sets for DMZ ↔ WAN communication, let's start creating some rules. The rules are self-explanatory and each entry has a description, so I won't go into too much detail about them.

configure
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
set firewall name WAN-to-DMZ rule 10 description "Allow WAN Access to Web01 HTTP"
commit 
save

set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
commit 
save

Now that I have covered the basics for setting up firewall rules between two zones I will cover the settings for the remaining zone-to-zone communication. The following commands were used to set up communication between WAN/LAN and DMZ/LAN.

configure
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
commit
save

set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514
set firewall name DMZ-to-LAN rule 10 protocol udp
set firewall name DMZ-to-LAN rule 10 description "Allow DMZ to Log01"
commit 
save

set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp
set firewall name LAN-to-DMZ rule 10 description "Allow access to web server from LAN"
commit 
save

set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
commit
save

set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action accept
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
commit
save
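Before committing a zone-policy build like the one above, it helps to have a script check it. The following is an added example, not part of the original page or of VyOS: it parses `set` commands and reports zone pairs whose rule-set is never defined, does not drop by default, has no default logging, or contains a catch-all accept. The sample config is a trimmed copy of the fw01-dylan commands, deliberately weakened so that every check fires.

```python
import shlex
from collections import defaultdict

# Constructed sample: trimmed fw01-dylan commands from this page; LAN-to-WAN weakened, WAN-to-LAN left undefined.
SAMPLE_CONFIG = """
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 description "Allow WAN Access to Web01 HTTP"
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
set firewall name LAN-to-WAN default-action accept
set firewall name LAN-to-WAN rule 1 action accept
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
"""

def parse(config_text):
    rulesets = defaultdict(lambda: {"default-action": None, "enable-default-log": False, "rules": defaultdict(dict)})
    policies = {}  # (from_zone, to_zone) -> rule-set name
    for line in config_text.strip().splitlines():
        t = shlex.split(line)  # keeps a quoted description as one token
        if t[:3] == ["set", "firewall", "name"]:
            rs, rest = rulesets[t[3]], t[4:]
            if rest[0] in ("default-action", "enable-default-log"):
                rs[rest[0]] = rest[1] if len(rest) > 1 else True
            elif rest[0] == "rule":  # "rule 10 destination port 80" -> rules[10]["destination port"] = "80"
                rs["rules"][int(rest[1])][" ".join(rest[2:-1])] = rest[-1]
        elif t[1:3] == ["zone-policy", "zone"] and t[4:5] == ["from"]:
            policies[(t[5], t[3])] = t[8]  # "zone <to> from <from> firewall name <rule-set>"
    return rulesets, policies

def audit(config_text):
    rulesets, policies = parse(config_text)
    for (src, dst), name in sorted(policies.items()):
        rs = rulesets.get(name)  # .get() does not create a default entry
        if rs is None:
            yield f"{src}->{dst}: rule-set {name} is referenced but never defined"
            continue
        if rs["default-action"] != "drop":
            yield f"{src}->{dst}: {name} default-action is {rs['default-action']}, not drop"
        if not rs["enable-default-log"]:
            yield f"{src}->{dst}: {name} has no enable-default-log (default drops are silent)"
        for num, opts in sorted(rs["rules"].items()):  # accept rule with no match criteria
            if opts.get("action") == "accept" and set(opts) <= {"action", "description"}:
                yield f"{src}->{dst}: {name} rule {num} accepts everything (no match criteria)"
```

Run it on the output of `show configuration commands | grep -E 'firewall name|zone-policy'` to check the live box; a catch-all accept such as LAN-to-WAN rule 1 is reported so you can confirm it is intended.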

fw-mgmt-dylan

Since there was nothing new done when configuring the management firewall I will just be including the commands I ran on that system here for reference. For more details on what the commands do please see the section above on fw01-dylan.

configure
set zone-policy zone LAN interface eth0
set zone-policy zone MGMT interface eth1

set firewall name LAN-to-MGMT default-action drop
set firewall name LAN-to-MGMT enable-default-log
set firewall name MGMT-to-LAN default-action drop
set firewall name MGMT-to-LAN enable-default-log

set zone-policy zone MGMT from LAN firewall name LAN-to-MGMT
set zone-policy zone LAN from MGMT firewall name MGMT-to-LAN

set firewall name LAN-to-MGMT rule 1 action accept
set firewall name LAN-to-MGMT rule 1 state established enable

set firewall name LAN-to-MGMT rule 10 action accept
set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 10 destination port 9000
set firewall name LAN-to-MGMT rule 10 protocol tcp
set firewall name LAN-to-MGMT rule 10 description "Allow LAN Access to Graylog Web"

set firewall name LAN-to-MGMT rule 20 action accept
set firewall name LAN-to-MGMT rule 20 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 20 destination port 1514
set firewall name LAN-to-MGMT rule 20 protocol udp
set firewall name LAN-to-MGMT rule 20 description "Allow LAN Access to Graylog Logging"

set firewall name LAN-to-MGMT rule 30 action accept
set firewall name LAN-to-MGMT rule 30 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 30 protocol icmp
set firewall name LAN-to-MGMT rule 30 description "Allow ICMP ping to Log01"

set firewall name MGMT-to-LAN rule 1 action accept
commit
save

Troubleshooting Rules

Firewall rules can get complicated quickly. Because of this, it is important to know how to troubleshoot and figure out what's happening with a connection. In the earlier section we ran set firewall name <FIREWALL Rule-Set> enable-default-log. This means that an additional log message is written whenever no rule matches and the default action is applied. This is useful for troubleshooting when rules don't work as intended. We can use the command tail /var/log/messages | grep FIREWALL-RULE-SET to find the most recent log entries for a specific rule-set. Below is an example of running the tail /var/log/messages | grep WAN command on fw01-dylan.

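As an added example (not from the original page), the same default-log messages that `grep WAN` lists can be aggregated per rule-set and per flow, which is quicker than reading them one by one. The log lines below are constructed in the shape VyOS writes for enable-default-log (a `[<rule-set>-default-D]` prefix followed by netfilter key=value fields); the field set is abbreviated and the WAN addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of VyOS enable-default-log lines: the kernel
# prefix is "[<rule-set>-default-D]" followed by netfilter key=value fields.
# Real lines carry more fields (MAC=, LEN=, TTL=, ...); the addresses are made up.
SAMPLE_LOG = """\
Feb  3 10:01:02 fw01-dylan kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=172.16.50.3 PROTO=TCP SPT=40001 DPT=22
Feb  3 10:01:05 fw01-dylan kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=172.16.50.3 PROTO=TCP SPT=40002 DPT=443
Feb  3 10:01:09 fw01-dylan kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=172.16.50.3 PROTO=TCP SPT=40003 DPT=22
Feb  3 10:02:11 fw01-dylan kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 SRC=172.16.50.3 DST=172.16.200.10 PROTO=TCP SPT=50000 DPT=9000
Feb  3 10:02:30 fw01-dylan kernel: eth1: link is up
"""

# Rule-set names contain hyphens, so forbid brackets inside the name instead of
# matching lazily across a kernel timestamp that may precede the prefix.
LOG_RE = re.compile(r"\[(?P<ruleset>[^\[\]]+?)-(?P<rule>default|\d+)-(?P<verdict>[A-Z])\](?P<fields>.*)$")

def parse_line(line):
    """Return a dict with ruleset/rule/verdict plus the key=value fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {"ruleset": m["ruleset"], "rule": m["rule"], "verdict": m["verdict"], **fields}

def summarize(log_text, ruleset_filter=None):
    """Aggregate default-drop hits per rule-set and per (SRC, DST, PROTO, DPT).
    ruleset_filter narrows to rule-set names containing that string, like the
    `grep WAN` in the text but counted instead of listed."""
    per_ruleset, flows = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rule"] != "default" or rec["verdict"] != "D":
            continue
        if ruleset_filter and ruleset_filter not in rec["ruleset"]:
            continue
        per_ruleset[rec["ruleset"]] += 1
        flows[rec["ruleset"]][(rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return per_ruleset, flows

if __name__ == "__main__":
    totals, flows = summarize(SAMPLE_LOG)
    for name, count in totals.most_common():
        print(f"{name}: {count} default drops")
        for (src, dst, proto, dport), n in flows[name].most_common(3):
            print(f"  {n}x {src} -> {dst} {proto}/{dport}")
```

A DMZ host showing up under DMZ-to-LAN with DPT=9000, as in the sample, tells you the web server tried to reach the Graylog web port that the rule-set only opens for UDP 1514, which is exactly the kind of mismatch the default log is there to expose.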

Exporting Configurations

This is a lot of configuration! We want to make sure to keep a backup of it in case we need to rebuild these systems in the future. Saving the configuration is simple: in configuration mode, just type save FILE-PATH, which writes the current configuration to the specified file. You can also save over SCP. To transfer the file to a remote host you can run save scp://username:password@IP:FILE-PATH. Note that this will put your password in the bash history. You can use the history -d NUMBER command to remove the line entry that contains your password.

This week's configuration files.

Note: Archiving seems like a really cool feature. I’d like to look into this further so I’m throwing this link here so I don’t forget.

https://blog.vyos.io/configuration-versioning-and-archiving-in-vyos
