SEC350‐4.1 - ConnorEast/Tech-Journal GitHub Wiki


~~ Step 1 ~~

fw01-SEC350

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `configure` | |
| 2 | `set zone-policy zone WAN interface eth0` | |
| 3 | `set zone-policy zone DMZ interface eth1` | |
| 4 | `set zone-policy zone LAN interface eth2` | |
| 5 | `commit` then `save` | |
| 6 | `set firewall name WAN-to-DMZ default-action drop` | |
| 7 | `set firewall name DMZ-to-WAN default-action drop` | |
| 8 | `set firewall name WAN-to-DMZ enable-default-log` | |
| 9 | `set firewall name DMZ-to-WAN enable-default-log` | |
| 10 | `set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN` | |
| 11 | `set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ` | |
| 12 | `commit` then `save` | |

RW01-SEC350

Step 1: Ping 172.16.50.3
Step 2: Attempt to access the HTTP site at 172.16.50.3

FW01-SEC350

Step 1: Run `tail -f /var/log/messages | grep WAN`

Do this before you ping so that the log lines from the WAN rulesets are captured.
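What `grep WAN` pulls out of `/var/log/messages` is the stream of default-action hits (and any rules with `log enable`) from the WAN rulesets. The following script is an added example, not part of the journal: it parses those lines and summarises them per ruleset, rule and verdict, and per source/destination flow, which is what you actually want when checking deliverable 1. The log lines in `SAMPLE_LOG` are constructed (not captured from the lab); their `[<ruleset>-<rule>-<A|D|R>]` prefix followed by netfilter `KEY=value` fields is the layout VyOS 1.2 writes for firewall logging.

```python
"""Summarise VyOS firewall log lines such as those shown by
`tail -f /var/log/messages | grep WAN` (added example, not from the journal).

VyOS 1.2 logs each default-action hit (and each rule with `log enable`) through
the kernel with a prefix of the form [<ruleset>-<rule>-<A|D|R>] followed by the
usual netfilter KEY=value fields. The parser pulls out the ruleset, rule,
verdict and the addressing fields a responder cares about, then counts them.
"""
import re
import sys
from collections import Counter

PREFIX_RE = re.compile(
    r"\[(?P<ruleset>[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*?)-(?P<rule>default|\d+)-(?P<verdict>[ADR])\]"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed sample lines (not captured from the lab): two ICMP echo requests and
# one SSH attempt from the WAN side dropped by the WAN-to-DMZ default action, one
# HTTP connection matched by rule 10 (would only be logged if that rule had
# `log enable`), and an unrelated sshd line the parser must ignore.
SAMPLE_LOG = """\
Mar  3 14:02:11 fw1-East kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a1:27:b5:00:50:56:a1:00:01:08:00 SRC=10.0.17.100 DST=172.16.50.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4821 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 14:02:12 fw1-East kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a1:27:b5:00:50:56:a1:00:01:08:00 SRC=10.0.17.100 DST=172.16.50.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4822 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar  3 14:02:20 fw1-East kernel: [WAN-to-DMZ-10-A]IN=eth0 OUT=eth1 MAC=00:50:56:a1:27:b5:00:50:56:a1:00:01:08:00 SRC=10.0.17.100 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9102 DF PROTO=TCP SPT=51512 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:25 fw1-East kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 MAC=00:50:56:a1:27:b5:00:50:56:a1:00:01:08:00 SRC=10.0.17.100 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9150 DF PROTO=TCP SPT=51520 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:30 fw1-East sshd[1234]: Accepted publickey for vyos from 172.16.150.10 port 50000 ssh2
"""


def parse_line(line):
    """Return a dict for a firewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return {
        "ruleset": m.group("ruleset"),
        "rule": m.group("rule"),
        "verdict": m.group("verdict"),  # A=accept, D=drop, R=reject
        "in": fields.get("IN"), "out": fields.get("OUT"),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),  # DPT absent for ICMP
    }


def summarize(lines, zone=None):
    """Count verdicts per (ruleset, rule, verdict) and flows per (src, dst, proto, dpt).

    `zone` mirrors the `grep WAN` in the journal: only rulesets whose name
    contains that string are counted.
    """
    verdicts = Counter()
    flows = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or (zone and zone not in rec["ruleset"]):
            continue
        verdicts[(rec["ruleset"], rec["rule"], rec["verdict"])] += 1
        flows[(rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return verdicts, flows


def report(verdicts, flows):
    """Render the two counters as text, most frequent flows first."""
    out = [f"{ruleset} rule {rule} {verdict}: {n}"
           for (ruleset, rule, verdict), n in sorted(verdicts.items())]
    out += [f"  {src} -> {dst} {proto} dpt={dpt}: {n}"
            for (src, dst, proto, dpt), n in flows.most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    # Pass a saved copy of /var/log/messages as the first argument; otherwise use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    verdicts, flows = summarize(lines, zone="WAN")
    print(report(verdicts, flows))
```

Run it against a saved copy of the log after the ping and the HTTP attempt; the `default D` counter on `WAN-to-DMZ` should grow with every probe that no rule accepts, and the flow lines tell you which host and port produced them.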

deliverable 1:



~~ Step 2 ~~

allow inbound HTTP

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name WAN-to-DMZ rule 10 action 'accept'` | |
| 2 | `set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'` | |
| 3 | `set firewall name WAN-to-DMZ rule 10 destination port 80` | |
| 4 | `set firewall name WAN-to-DMZ rule 10 protocol tcp` | |
| 5 | `set firewall name WAN-to-DMZ rule 10 description "access to web"` | |

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name DMZ-to-WAN rule 1 action accept` | |
| 2 | `set firewall name DMZ-to-WAN rule 1 state established 'enable'` | |

deliverable 2:



~~ Step 4 ~~

DMZ and LAN

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name LAN-to-DMZ default-action drop` | |
| 2 | `set firewall name DMZ-to-LAN default-action drop` | |
| 3 | `set firewall name LAN-to-DMZ enable-default-log` | |
| 4 | `set firewall name DMZ-to-LAN enable-default-log` | |
| 5 | `set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN` | |
| 6 | `set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ` | |

deliverable 3:



| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name DMZ-to-LAN rule 10 action accept` | |
| 2 | `set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10` | |
| 3 | `set firewall name DMZ-to-LAN rule 10 destination port 1514,1515` | |
| 4 | `set firewall name DMZ-to-LAN rule 10 protocol tcp` | |
| 5 | `set firewall name LAN-to-DMZ rule 1 action accept` | |
| 6 | `set firewall name LAN-to-DMZ rule 1 state established enable` | |
| 7 | `commit` | |
| 8 | `save` | |

deliverable 4:



~~ Step 8 ~~

Configure LAN-to-WAN

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name LAN-to-WAN default-action drop` | |
| 2 | `set firewall name LAN-to-WAN enable-default-log` | |
| 3 | `set firewall name LAN-to-WAN rule 1 action accept` | |
| 4 | `set zone-policy zone WAN from LAN firewall name LAN-to-WAN` | |

~~ Step 9 ~~

Configure WAN-to-LAN

Step 1: set firewall name WAN-to-LAN default-action drop
Step 2: set firewall name WAN-to-LAN enable-default-log
Step 3: set firewall name WAN-to-LAN rule 10 state established enable
Step 4: set firewall name WAN-to-LAN rule 10 action accept
Step 5: set firewall name WAN-to-LAN rule 10 state related enable
Step 6: set zone-policy zone LAN from WAN firewall name WAN-to-LAN

deliverable 5:



~~ Step 10 ~~

Configure [LAN to DMZ] & [DMZ to LAN] Firewall rules

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name LAN-to-DMZ rule 10 action accept` | |
| 2 | `set firewall name LAN-to-DMZ rule 10 source address 172.16.150.0/24` | |
| 3 | `set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3` | |
| 4 | `set firewall name LAN-to-DMZ rule 10 protocol tcp` | |
| 5 | `set firewall name LAN-to-DMZ rule 10 destination port 80,443` | |
| 6 | `set firewall name LAN-to-DMZ rule 20 action accept` | |
| 7 | `set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10` | |
| 8 | `set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.0/29` | |
| 9 | `set firewall name LAN-to-DMZ rule 20 destination port 22` | |
| 10 | `set firewall name LAN-to-DMZ rule 20 protocol tcp` | |
| 11 | `commit` | |
| 12 | `save` | |
| 13 | `set firewall name DMZ-to-LAN rule 1 action accept` | |
| 14 | `set firewall name DMZ-to-LAN rule 1 state established enable` | |
| 15 | `set firewall name DMZ-to-LAN rule 1 state related enable` | |
| 16 | `save` | |

deliverable 6: Wks01 to Web01:80


deliverable 7: SSH into web01



TASK 2: Configuring FW-MGMT

Configure [Lan to MGMT] Firewall rules


Prerequisites

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set zone-policy zone LAN interface eth0` | |
| 2 | `set zone-policy zone MGMT interface eth1` | |

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name LAN-to-MGMT default-action drop` | |
| 2 | `set firewall name LAN-to-MGMT enable-default-log` | |
| 3 | `set firewall name LAN-to-MGMT rule 1 action accept` | |
| 4 | `set firewall name LAN-to-MGMT rule 1 state established enable` | |
| 5 | `set firewall name LAN-to-MGMT rule 10 action accept` | |
| 6 | `set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.10` | |
| 7 | `set firewall name LAN-to-MGMT rule 10 destination port 1514,1515` | |
| 8 | `set firewall name LAN-to-MGMT rule 10 protocol tcp` | |
| 9 | `set firewall name LAN-to-MGMT rule 20 action accept` | |
| 10 | `set firewall name LAN-to-MGMT rule 20 destination address 172.16.200.10` | |
| 11 | `set firewall name LAN-to-MGMT rule 20 destination port 443` | |
| 12 | `set firewall name LAN-to-MGMT rule 20 protocol tcp` | |
| 13 | `set zone-policy zone MGMT from LAN firewall name LAN-to-MGMT` | |

Configure [MGMT to LAN] Firewall rules

| Step | Command | Reasoning/images |
|------|---------|------------------|
| 1 | `set firewall name MGMT-to-LAN default-action drop` | |
| 2 | `set firewall name MGMT-to-LAN enable-default-log` | |
| 3 | `set firewall name MGMT-to-LAN rule 1 action accept` | |
| 4 | `set firewall name MGMT-to-LAN rule 1 state established enable` | |
| 5 | `set firewall name MGMT-to-LAN rule 10 action accept` | |
| 6 | `set firewall name MGMT-to-LAN rule 10 destination address 172.16.150.0/24` | |
| 7 | `set firewall name MGMT-to-LAN rule 20 action accept` | |
| 8 | `set firewall name MGMT-to-LAN rule 20 destination address 172.16.50.0/29` | |
| 9 | `set zone-policy zone LAN from MGMT firewall name MGMT-to-LAN` | |
| 10 | `commit` | |
| 11 | `save` | |
| 12 | `sudo conntrack -F` | Flushes the connection-tracking table so that existing sessions are re-established cleanly under the new rules. Do this on both firewalls. |
| 13 | `sudo reboot` | |

Deliverable 8:

Deliverable 9A:

Deliverable 9B:

Deliverable 10A:

Deliverable 10B:

Deliverable 11:

Deliverable 11B:

Deliverable 12:

FW Printed

fw-mgmt01 (FW-MGMT)

- set firewall name LAN-to-MGMT default-action 'drop'
- set firewall name LAN-to-MGMT enable-default-log
- set firewall name LAN-to-MGMT rule 1 action 'accept'
- set firewall name LAN-to-MGMT rule 1 state established 'enable'
- set firewall name LAN-to-MGMT rule 10 action 'accept'
- set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10'
- set firewall name LAN-to-MGMT rule 10 destination port '1514,1515'
- set firewall name LAN-to-MGMT rule 10 protocol 'tcp'
- set firewall name LAN-to-MGMT rule 20 action 'accept'
- set firewall name LAN-to-MGMT rule 20 description 'Allow https'
- set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10'
- set firewall name LAN-to-MGMT rule 20 destination port '443'
- set firewall name LAN-to-MGMT rule 20 protocol 'tcp'
- set firewall name MGMT-to-LAN default-action 'drop'
- set firewall name MGMT-to-LAN enable-default-log
- set firewall name MGMT-to-LAN rule 1 action 'accept'
- set firewall name MGMT-to-LAN rule 1 state established 'enable'
- set firewall name MGMT-to-LAN rule 10 action 'accept'
- set firewall name MGMT-to-LAN rule 10 description 'MGMT to LAN'
- set firewall name MGMT-to-LAN rule 10 destination address '172.16.150.0/24'
- set firewall name MGMT-to-LAN rule 20 action 'accept'
- set firewall name MGMT-to-LAN rule 20 description 'MGMT to DMZ'
- set firewall name MGMT-to-LAN rule 20 destination address '172.16.50.0/29'
- set interfaces ethernet eth0 address '172.16.150.3/24'
- set interfaces ethernet eth0 description 'sec350-LAN'
- set interfaces ethernet eth0 hw-id '00:50:56:a1:3a:2a'
- set interfaces ethernet eth1 address '172.16.200.2/28'
- set interfaces ethernet eth1 description 'sec350-MGMT'
- set interfaces ethernet eth1 hw-id '00:50:56:a1:cc:4b'
- set interfaces loopback lo
- set nat source rule 30 description 'MGTM-LAN'
- set nat source rule 30 outbound-interface 'eth0'
- set nat source rule 30 source address '172.16.200.0/28'
- set nat source rule 30 translation address 'masquerade'
- set protocols rip interface eth0
- set protocols rip network '172.16.150.0/24'
- set protocols rip network '172.16.200.0/28'
- set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
- set protocols static route 172.16.150.0/24 next-hop 172.16.150.3
- set service dns forwarding allow-from '172.16.200.0/24'
- set service dns forwarding listen-address '172.16.200.2'
- set service ssh listen-address '0.0.0.0'
- set system config-management commit-revisions '100'
- set system conntrack modules ftp
- set system conntrack modules h323
- set system conntrack modules nfs
- set system conntrack modules pptp
- set system conntrack modules sip
- set system conntrack modules sqlnet
- set system conntrack modules tftp
- set system console device ttyS0 speed '115200'
- set system host-name 'fw-mgmt01'
- set system login user vyos authentication encrypted-password '$6$YUTCBnIl7XuxPfv7$UQXsMiDLSJsDs9mPJ2PQ.9IjjMks5MrKu6IlQRJsS.VIvkYeQXFvupJVrZMTQFYjkbTkRshVAYECJS337kHAS/'
- set system login user vyos authentication plaintext-password ''
- set system ntp server time1.vyos.net
- set system ntp server time2.vyos.net
- set system ntp server time3.vyos.net
- set system syslog global facility all level 'info'
- set system syslog global facility protocols level 'debug'
- set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN'
- set zone-policy zone LAN interface 'eth0'
- set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT'
- set zone-policy zone MGMT interface 'eth1'
fw1-East (FW01)

- set firewall name DMZ-to-LAN default-action 'drop'
- set firewall name DMZ-to-LAN enable-default-log
- set firewall name DMZ-to-LAN rule 1 action 'accept'
- set firewall name DMZ-to-LAN rule 1 state established 'enable'
- set firewall name DMZ-to-LAN rule 1 state related 'enable'
- set firewall name DMZ-to-LAN rule 10 action 'accept'
- set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
- set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
- set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
- set firewall name DMZ-to-WAN default-action 'drop'
- set firewall name DMZ-to-WAN enable-default-log
- set firewall name DMZ-to-WAN rule 1 action 'accept'
- set firewall name DMZ-to-WAN rule 1 state established 'enable'
- set firewall name LAN-to-DMZ default-action 'drop'
- set firewall name LAN-to-DMZ enable-default-log
- set firewall name LAN-to-DMZ rule 1 action 'accept'
- set firewall name LAN-to-DMZ rule 1 state established 'enable'
- set firewall name LAN-to-DMZ rule 10 action 'accept'
- set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
- set firewall name LAN-to-DMZ rule 10 destination port '80,443'
- set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
- set firewall name LAN-to-DMZ rule 10 source address '172.16.150.0/24'
- set firewall name LAN-to-DMZ rule 20 action 'accept'
- set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
- set firewall name LAN-to-DMZ rule 20 destination port '22'
- set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
- set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
- set firewall name LAN-to-WAN default-action 'drop'
- set firewall name LAN-to-WAN enable-default-log
- set firewall name LAN-to-WAN rule 1 action 'accept'
- set firewall name WAN-to-DMZ default-action 'drop'
- set firewall name WAN-to-DMZ enable-default-log
- set firewall name WAN-to-DMZ rule 10 action 'accept'
- set firewall name WAN-to-DMZ rule 10 description 'access to web'
- set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
- set firewall name WAN-to-DMZ rule 10 destination port '80'
- set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
- set firewall name WAN-to-LAN default-action 'drop'
- set firewall name WAN-to-LAN enable-default-log
- set firewall name WAN-to-LAN rule 10 action 'accept'
- set firewall name WAN-to-LAN rule 10 state established 'enable'
- set firewall name WAN-to-LAN rule 10 state related 'enable'
- set interfaces ethernet eth0 address '10.0.17.132/24'
- set interfaces ethernet eth0 description 'SEC350-WAN'
- set interfaces ethernet eth0 hw-id '00:50:56:a1:3c:11'
- set interfaces ethernet eth1 address '172.16.50.2/29'
- set interfaces ethernet eth1 description 'DMZ'
- set interfaces ethernet eth1 hw-id '00:50:56:a1:27:b5'
- set interfaces ethernet eth2 address '172.16.150.2/24'
- set interfaces ethernet eth2 description 'LAN'
- set interfaces ethernet eth2 hw-id '00:50:56:a1:f5:40'
- set interfaces loopback lo
- set nat source rule 10 description 'NAT FROM DMZ to WAN'
- set nat source rule 10 outbound-interface 'eth0'
- set nat source rule 10 source address '172.16.50.0/29'
- set nat source rule 10 translation address 'masquerade'
- set nat source rule 20 description 'NAT FROM DMZ to WAN'
- set nat source rule 20 outbound-interface 'eth0'
- set nat source rule 20 source address '172.16.150.0/24'
- set nat source rule 20 translation address 'masquerade'
- set protocols rip interface eth2
- set protocols rip network '172.16.50.0/29'
- set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
- set service dns forwarding allow-from '172.16.50.0/29'
- set service dns forwarding allow-from '172.16.150.0/24'
- set service dns forwarding listen-address '172.16.50.2'
- set service dns forwarding listen-address '172.16.150.3'
- set service dns forwarding listen-address '172.16.150.2'
- set service dns forwarding system
- set service ssh listen-address '0.0.0.0'
- set system config-management commit-revisions '100'
- set system conntrack modules ftp
- set system conntrack modules h323
- set system conntrack modules nfs
- set system conntrack modules pptp
- set system conntrack modules sip
- set system conntrack modules sqlnet
- set system conntrack modules tftp
- set system console device ttyS0 speed '115200'
- set system host-name 'fw1-East'
- set system login user vyos authentication encrypted-password '$6$YUTCBnIl7XuxPfv7$UQXsMiDLSJsDs9mPJ2PQ.9IjjMks5MrKu6IlQRJsS.VIvkYeQXFvupJVrZMTQFYjkbTkRshVAYECJS337kHAS/'
- set system login user vyos authentication plaintext-password ''
- set system name-server '10.0.17.2'
- set system ntp server time1.vyos.net
- set system ntp server time2.vyos.net
- set system ntp server time3.vyos.net
- set system syslog global facility all level 'info'
- set system syslog global facility protocols level 'debug'
- set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
- set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
- set zone-policy zone DMZ interface 'eth1'
- set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
- set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
- set zone-policy zone LAN interface 'eth2'
- set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
- set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
- set zone-policy zone WAN interface 'eth0'
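The printed `set` commands above are the running zone-policy for both firewalls, and the properties the whole lab depends on are easy to lose during a long session at the CLI: every ruleset must end in `default-action drop`, every ruleset must have `enable-default-log` so that the deliverables show up in `/var/log/messages`, every directed zone pair needs a ruleset attached, and an `accept` rule with no match criteria passes everything in that direction. The script below is an added example (not the journal's or VyOS's own tooling): it parses a dump in exactly the format printed here, stray bullets and markdown-linked addresses included, and reports each violation. `SAMPLE_CONFIG` is a constructed excerpt of the fw1-East dump with one ruleset and three zone pairs deliberately left incomplete so the checks have something to report.

```python
"""Audit a VyOS zone-policy firewall dumped as `set` commands.

Added example, not from the original journal. It reads lines in the format of
the "FW Printed" section (bullets and stray markdown links included) and checks
the properties this lab relies on: default-action drop and enable-default-log on
every ruleset, a ruleset attached to every zone pair, no zone pair pointing at an
undefined name, and accept rules that carry no match criteria at all.
"""
import re
import sys
from collections import defaultdict

FW_RE = re.compile(r"^set firewall name (\S+) (.+)$")
RULE_RE = re.compile(
    r"^rule (\d+) (action|protocol|description|log|"
    r"(?:source|destination) (?:address|port)|state \w+) (.+)$"
)
ZONE_IF_RE = re.compile(r"^set zone-policy zone (\S+) interface '?([\w.]+)'?$")
ZONE_FROM_RE = re.compile(r"^set zone-policy zone (\S+) from (\S+) firewall name '?([\w-]+)'?$")
MD_LINK_RE = re.compile(r"\[([^\]]+)\]\([^)]*\)")  # '[1.2.3.0/24](http://...)' -> '1.2.3.0/24'

# Constructed sample: an excerpt of the fw1-East dump in the page's own format,
# with DMZ-to-WAN deliberately missing enable-default-log and three of the six
# zone pairs left unassigned so the checks have something to report.
SAMPLE_CONFIG = """
  • set firewall name WAN-to-DMZ default-action 'drop'
  • set firewall name WAN-to-DMZ enable-default-log
  • set firewall name WAN-to-DMZ rule 10 action 'accept'
  • set firewall name WAN-to-DMZ rule 10 description 'access to web'
  • set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
  • set firewall name WAN-to-DMZ rule 10 destination port '80'
  • set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
  • set firewall name DMZ-to-WAN default-action 'drop'
  • set firewall name DMZ-to-WAN rule 1 action 'accept'
  • set firewall name DMZ-to-WAN rule 1 state established 'enable'
  • set firewall name LAN-to-WAN default-action 'drop'
  • set firewall name LAN-to-WAN enable-default-log
  • set firewall name LAN-to-WAN rule 1 action 'accept'
  • set zone-policy zone WAN interface 'eth0'
  • set zone-policy zone DMZ interface 'eth1'
  • set zone-policy zone LAN interface 'eth2'
  • set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
  • set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
  • set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
"""


def parse_config(text):
    """Return (rulesets, zones, pairs) parsed from a dump of `set` commands."""
    rulesets = {}
    zones = set()
    pairs = {}  # (to_zone, from_zone) -> firewall name applied to that direction
    for raw in text.splitlines():
        line = MD_LINK_RE.sub(r"\1", raw).strip().lstrip("•").strip()
        if not line:
            continue
        if m := FW_RE.match(line):
            name, rest = m.group(1), m.group(2).strip()
            rs = rulesets.setdefault(name, {"default_action": None, "log": False,
                                            "rules": defaultdict(dict)})
            if rest.startswith("default-action"):
                rs["default_action"] = rest.split()[-1].strip("'")
            elif rest == "enable-default-log":
                rs["log"] = True
            elif r := RULE_RE.match(rest):
                rs["rules"][int(r.group(1))][r.group(2)] = r.group(3).strip("'")
        elif m := ZONE_IF_RE.match(line):
            zones.add(m.group(1))
        elif m := ZONE_FROM_RE.match(line):
            pairs[(m.group(1), m.group(2))] = m.group(3)
    return rulesets, zones, pairs


def audit(rulesets, zones, pairs):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    for name, rs in sorted(rulesets.items()):
        if rs["default_action"] != "drop":
            findings.append(f"{name}: default-action is {rs['default_action'] or 'unset'}, expected drop")
        if not rs["log"]:
            findings.append(f"{name}: enable-default-log missing, drops in this direction are not logged")
        for num, rule in sorted(rs["rules"].items()):
            criteria = {k for k in rule if k not in ("action", "description", "log")}
            if rule.get("action") == "accept" and not criteria:
                findings.append(f"{name} rule {num}: accept with no match criteria (passes all traffic in this direction)")
    for to_zone in sorted(zones):
        for from_zone in sorted(zones):
            if to_zone != from_zone and (to_zone, from_zone) not in pairs:
                findings.append(f"zone {to_zone} from {from_zone}: no ruleset attached, so drops in this direction are not logged")
    for (to_zone, from_zone), name in sorted(pairs.items()):
        if name not in rulesets:
            findings.append(f"zone {to_zone} from {from_zone}: references undefined firewall name {name}")
    return findings


if __name__ == "__main__":
    # Pass a saved `show configuration commands` dump as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(*parse_config(text)) or ["no findings"]:
        print(finding)
```

Feeding it the two full dumps above should report only the intentional catch-all accepts (`LAN-to-WAN rule 1` and the `MGMT-to-LAN` return rules are the ones to read carefully); anything else is a ruleset or zone pair that was skipped while typing.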