Lab 4.1 Network Firewalls 1 - Cyber-JL/SEC-350-01 GitHub Wiki

Prerequisites

  • rw01 can ping web01 via its static route, rw01 can browse to web01

  • wks01 can browse web01

  • wks01 can browse wazuh

  • web01 can ping wazuh

Configuring fw01

Create and Link Zones

  • Create and link firewall zones to interfaces (eth0, eth1, eth2)

     set zone-policy zone WAN interface eth0
     set zone-policy zone DMZ interface eth1
     set zone-policy zone LAN interface eth2
     commit
     save
    

Creating Firewalls for WAN-to-DMZ and DMZ-to-WAN

  • Next, create the firewall rulesets for the zones, with a default action that drops (and logs) all traffic that isn't explicitly allowed.

     set firewall name WAN-to-DMZ default-action drop
     set firewall name DMZ-to-WAN default-action drop
     set firewall name WAN-to-DMZ enable-default-log
     set firewall name DMZ-to-WAN enable-default-log
    
  • To assign these firewalls to zones run:

     set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
     set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
    

Allow HTTP Traffic

  • Allow HTTP traffic by creating rules for the WAN-to-DMZ firewall: rule 1 accepts return traffic of established connections, rule 10 accepts new TCP connections to port 80 on 172.16.50.3

    set firewall name WAN-to-DMZ rule 1 action accept
    set firewall name WAN-to-DMZ rule 1 state established enable
    set firewall name WAN-to-DMZ rule 10 action accept
    set firewall name WAN-to-DMZ rule 10 description "Allow HTTP from WAN to DMZ"
    set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
    set firewall name WAN-to-DMZ rule 10 destination port 80
    set firewall name WAN-to-DMZ rule 10 protocol tcp
    

Allow Outbound Traffic

  • Allow outbound traffic by creating a rule for the DMZ-to-WAN firewall (only return traffic of established connections is accepted)

    set firewall name DMZ-to-WAN rule 1 action accept
    set firewall name DMZ-to-WAN rule 1 state established enable
    
  • Now ping should work. Make sure to delete the welcome.conf file from /etc/httpd/conf.d/ and create an index.html file with a basic header in /var/www/html/.

Point-to-Point LAN and DMZ configurations

LAN-to-DMZ

  set firewall name LAN-to-DMZ default-action 'drop'
  set firewall name LAN-to-DMZ enable-default-log

  set firewall name LAN-to-DMZ rule 1 action 'accept'
  set firewall name LAN-to-DMZ rule 1 state established 'enable'

  set firewall name LAN-to-DMZ rule 10 action 'accept'
  set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
  set firewall name LAN-to-DMZ rule 10 destination port '80'
  set firewall name LAN-to-DMZ rule 10 protocol 'tcp'

  set firewall name LAN-to-DMZ rule 20 action 'accept'
  set firewall name LAN-to-DMZ rule 20 destination port '22'
  set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
  set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'

DMZ-to-LAN

  set firewall name DMZ-to-LAN default-action 'drop'
  set firewall name DMZ-to-LAN enable-default-log

  set firewall name DMZ-to-LAN rule 1 action 'accept'
  set firewall name DMZ-to-LAN rule 1 state established 'enable'

  set firewall name DMZ-to-LAN rule 10 action 'accept'
  set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
  set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
  set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
  set firewall name DMZ-to-LAN rule 10 protocol 'tcp'

Point-to-Point WAN and LAN configurations

LAN-to-WAN

  set firewall name LAN-to-WAN default-action 'drop'
  set firewall name LAN-to-WAN enable-default-log

  set firewall name LAN-to-WAN rule 1 action 'accept'

WAN-to-LAN

  set firewall name WAN-to-LAN default-action 'drop'
  set firewall name WAN-to-LAN enable-default-log

  set firewall name WAN-to-LAN rule 1 action 'accept'
  set firewall name WAN-to-LAN rule 1 state established 'enable'

Point-to-Point LAN and MGMT configurations

LAN-to-MGMT

  set firewall name LAN-to-MGMT default-action 'drop'
  set firewall name LAN-to-MGMT enable-default-log

  set firewall name LAN-to-MGMT rule 1 action 'accept'
  set firewall name LAN-to-MGMT rule 1 state established 'enable'

  set firewall name LAN-to-MGMT rule 10 action 'accept'
  set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10'
  set firewall name LAN-to-MGMT rule 10 destination port '1514,1515'
  set firewall name LAN-to-MGMT rule 10 protocol 'tcp'

  set firewall name LAN-to-MGMT rule 20 action 'accept'
  set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10'
  set firewall name LAN-to-MGMT rule 20 destination port '443'
  set firewall name LAN-to-MGMT rule 20 protocol 'tcp'

  set firewall name LAN-to-MGMT rule 30 action 'accept'
  set firewall name LAN-to-MGMT rule 30 destination address '172.16.200.10'
  set firewall name LAN-to-MGMT rule 30 destination port '22'
  set firewall name LAN-to-MGMT rule 30 protocol 'tcp'

MGMT-to-LAN

  set firewall name MGMT-to-LAN default-action 'drop'
  set firewall name MGMT-to-LAN enable-default-log

  set firewall name MGMT-to-LAN rule 1 action 'accept'
  set firewall name MGMT-to-LAN rule 1 state established 'enable'

  set firewall name MGMT-to-LAN rule 10 action 'accept'
  set firewall name MGMT-to-LAN rule 10 description 'MGMT to DMZ'
  set firewall name MGMT-to-LAN rule 10 destination address '172.16.50.0/29'

  set firewall name MGMT-to-LAN rule 20 action 'accept'
  set firewall name MGMT-to-LAN rule 20 description 'MGMT to LAN'
  set firewall name MGMT-to-LAN rule 20 destination address '172.16.150.0/24'

Policy Zones

LAN

  set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
  set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
  set zone-policy zone LAN interface 'eth2'

WAN

  set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
  set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
  set zone-policy zone WAN interface 'eth0'

DMZ

  set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
  set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
  set zone-policy zone DMZ interface 'eth1'

MGMT (on the MGMT firewall: zone LAN on eth0, zone MGMT on eth1)

  set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN'
  set zone-policy zone LAN interface 'eth0'

  set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT'
  set zone-policy zone MGMT interface 'eth1'
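As an added example (not part of this lab or of VyOS), the following Python script reads a `set ...` export like the rulesets and zone policy above and reports the mistakes this design is meant to avoid: a ruleset bound to a zone pair but never defined, a default-action other than drop, and an accept rule with no match criteria (such as LAN-to-WAN rule 1 above, so you can confirm that allowing everything out is intended). The sample config is constructed; the accept default on DMZ-to-WAN and the unbound WAN-to-LAN reference are deliberate so the check has something to report.

```python
import shlex
from collections import defaultdict

# Constructed sample in the same `set ...` syntax as the rulesets above. The DMZ-to-WAN
# default-action 'accept' and the unbound WAN-to-LAN reference are deliberate mistakes.
CONFIG = """
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ rule 1 action 'accept'
set firewall name WAN-to-DMZ rule 1 state established 'enable'
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN default-action 'accept'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
"""

MATCH_KEYS = ("source", "destination", "protocol", "state")  # fields that narrow a rule

def parse(config_text):
    # rulesets[name] = {"default": action or None, "rules": {num: {field: value}}}
    rulesets = defaultdict(lambda: {"default": None, "rules": defaultdict(dict)})
    bindings = []  # (source zone, destination zone, ruleset name)
    for line in config_text.strip().splitlines():
        t = shlex.split(line)  # drops the optional quotes VyOS prints around values
        if t[:3] == ["set", "firewall", "name"] and len(t) > 5:
            if t[4] == "default-action":
                rulesets[t[3]]["default"] = t[5]
            elif t[4] == "rule":
                rulesets[t[3]]["rules"][int(t[5])][" ".join(t[6:-1])] = t[-1]
        elif t[:3] == ["set", "zone-policy", "zone"] and len(t) == 9 and t[4] == "from":
            bindings.append((t[5], t[3], t[8]))  # zone DST from SRC firewall name RULESET
    return rulesets, bindings

def lint(config_text):
    # Findings: unbound rulesets, non-drop defaults, accept rules that match everything
    rulesets, bindings = parse(config_text)
    findings = []
    for src, dst, name in bindings:
        if name not in rulesets:
            findings.append(f"{src}->{dst}: ruleset {name} is bound but never defined")
            continue
        default = rulesets[name]["default"]
        if default != "drop":
            findings.append(f"{name}: default-action is {default or 'unset'}, expected drop")
        for num, fields in sorted(rulesets[name]["rules"].items()):
            if fields.get("action") == "accept" and not any(k.split()[0] in MATCH_KEYS for k in fields):
                findings.append(f"{name} rule {num}: accept with no match criteria (allows all {src}->{dst} traffic)")
    return findings
```

Run it against the file produced by the export step below (`show configuration commands > ...`) instead of `CONFIG` to lint a real firewall.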

Debugging Firewall Blocks

Sometimes traffic that is intended to be allowed is blocked. To debug, follow the firewall log and do the following:

  tail -f /var/log/messages

  • Identify the log line in question

  • Take a note of:

    • Hostname
    • Firewall name/rule (MGMT-to-LAN-default-D)
    • eth interfaces in use (eth0/eth1)
    • Source (and/or destination) IP address (172.16.200.11)
    • Protocol (ICMP)
    • Port (N/a)
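As an added example (not from the lab), this Python parser pulls the fields listed above out of VyOS 1.3-style firewall log lines (the `[NAME-RULE-ACTION]` prefix, as in `MGMT-to-LAN-default-D`) and counts drops per host, ruleset and rule so the noisiest block is looked at first. The log lines are constructed for this example: hostnames and addresses follow the lab's addressing, but the packets are made up.

```python
import re
from collections import Counter

# Constructed log lines in the VyOS 1.3 kernel-log format ([NAME-RULE-ACTION] prefix); the
# hosts and addresses follow this lab's addressing, the packets themselves are made up.
SAMPLE_LOG = """\
Feb 14 10:21:33 fw-mgmt kernel: [ 1234.567890] [MGMT-to-LAN-default-D]IN=eth1 OUT=eth0 MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=172.16.200.11 DST=172.16.150.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Feb 14 10:22:01 fw01 kernel: [ 1262.001122] [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=10.0.17.105 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5555 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 10:22:02 fw01 kernel: [ 1263.001122] [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=10.0.17.105 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5556 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 14 10:23:10 fw01 sshd[1200]: Accepted publickey for vyos from 172.16.150.10 port 50000 ssh2
"""

FW_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?"
    r"\[(?P<tag>[^\]]+)\](?P<rest>.*)$"
)
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}

def parse_fw_log(line):
    """Extract the fields listed above, or return None for lines that are not firewall logs."""
    m = FW_LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("tag").rsplit("-", 2)  # ruleset names contain '-', so split from the right
    if len(parts) != 3:
        return None
    name, rule, act = parts
    kv = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    return {
        "time": m.group("ts"), "host": m.group("host"), "ruleset": name, "rule": rule,
        "action": ACTIONS.get(act, act), "in": kv.get("IN"), "out": kv.get("OUT"),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "dport": kv.get("DPT", "N/a"),  # ICMP has no port, as the list above notes
    }

def drops_by_rule(log_text):
    """Count dropped packets per (host, ruleset, rule) so the noisiest block gets triaged first."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_fw_log(line)
        if ev and ev["action"] == "drop":
            counts[(ev["host"], ev["ruleset"], ev["rule"])] += 1
    return counts

if __name__ == "__main__":
    for (host, ruleset, rule), n in drops_by_rule(SAMPLE_LOG).most_common():
        print(f"{n:>4} drops  {host}  {ruleset} rule {rule}")
```

A `-default-D` hit for traffic you expect to pass means no explicit rule matched, so compare the noted source, destination, protocol and port against that ruleset's accept rules.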

Exporting VyOS configurations

  1. Generate the text file containing the configuration (the alternation in the filter needs extended regex, hence -E)

    show configuration commands | grep -Ev "syslog global|ntp|login|console|config|hw-id|loopback|conntrack" > fw-mgmt-week4.txt

  2. SCP this file to a machine with Git installed

    scp fw-mgmt-week4.txt [email protected]:/home/jude

  3. Move the file into the correct GitHub repository folder

    mv fw-mgmt-week4.txt /SEC-350/fw-mgmt.week4.config.txt

  4. Git add

    git add fw-mgmt.week4.config.txt

  5. Git commit

    git commit -m "week 4 firewall configs"

  6. Git push

    git push