Lab04 Network Firewall - Henryisgreat/TechJournal GitHub Wiki

FW01

  • Create firewall zones and link them to interfaces (eth0, eth1, eth2)
    • set zone-policy zone WAN interface eth0
    • set zone-policy zone DMZ interface eth1
    • set zone-policy zone LAN interface eth2
  • Create named firewall rulesets on VyOS (default action drop, with logging of dropped traffic)
    • set firewall name WAN-to-DMZ default-action drop
    • set firewall name WAN-to-DMZ enable-default-log
    • set firewall name DMZ-to-WAN default-action drop
    • set firewall name DMZ-to-WAN enable-default-log
  • Apply the firewall names to the zone policy
    • set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
    • set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
  • Allow HTTP traffic from the WAN to the DMZ (web01)
    • set firewall name WAN-to-DMZ rule 10 action accept
    • set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
    • set firewall name WAN-to-DMZ rule 10 destination port 80
    • set firewall name WAN-to-DMZ rule 10 protocol tcp
    • set firewall name WAN-to-DMZ rule 10 description "Allow WAN Access to Web01 HTTP"
  • Tell the DMZ-to-WAN firewall to allow authorized connections initiated from the WAN back out again (established state only)
    • set firewall name DMZ-to-WAN rule 1 action accept
    • set firewall name DMZ-to-WAN rule 1 state established enable
  • Create default (drop) firewalls for LAN and DMZ and link them to zone policies
    • set firewall name DMZ-LAN default-action drop
    • set firewall name DMZ-LAN enable-default-log
    • set firewall name LAN-DMZ default-action drop
    • set firewall name LAN-DMZ enable-default-log
  • Allow syslog traffic (514/udp)
    • set firewall name DMZ-LAN rule 10 action accept
    • set firewall name DMZ-LAN rule 10 destination address 172.16.200.10
    • set firewall name DMZ-LAN rule 10 destination port 514
    • set firewall name DMZ-LAN rule 10 protocol udp
  • Allow web01 to communicate out of the firewall over 80/tcp by creating firewall rules
    • set firewall name LAN-DMZ rule 10 action accept
    • set firewall name LAN-DMZ rule 10 destination address 172.16.50.3
    • set firewall name LAN-DMZ rule 10 destination port 80
    • set firewall name LAN-DMZ rule 10 protocol tcp
    • commit
    • save
  • Allow established traffic from within the DMZ to the LAN
    • set firewall name DMZ-LAN rule 1 action accept
    • set firewall name DMZ-LAN rule 1 state established enable
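The FW01 steps above only work if every firewall name matches exactly between the `set firewall name` lines and the `set zone-policy ... firewall name` lines (VyOS treats `WAN-toDMZ`, `WAN-to-DMZ` and `DMZ-to-Wan` as three different rulesets), and if every ruleset that accepts new connections has a mirror ruleset with a `state established enable` rule so replies get back (the DMZ-to-WAN step). The linter below is an added example, not part of this journal or of VyOS: it parses a constructed subset of the lab's `set` commands (with those two name slips deliberately included) and reports exactly those mistakes.

```python
import re
from collections import defaultdict
# Constructed sample (a subset of the lab, not its full config) with the two slips this
# command list is prone to: a misspelled name ("WAN-toDMZ") and a mis-cased one ("DMZ-to-Wan").
SAMPLE = """
set firewall name WAN-toDMZ default-action drop
set firewall name DMZ-to-WAN default-action drop
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-to-Wan
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
"""
FW_RE = re.compile(r"^set firewall name (\S+) (.*)$")
ZONE_RE = re.compile(r"^set zone-policy zone (\S+) from (\S+) firewall name (\S+)$")

def parse(text):
    """Return ({firewall name: [config fragments]}, {(from_zone, to_zone): firewall name})."""
    firewalls, policies = defaultdict(list), {}
    for line in text.strip().splitlines():
        if m := FW_RE.match(line.strip()):
            firewalls[m.group(1)].append(m.group(2))
        elif m := ZONE_RE.match(line.strip()):
            to_zone, from_zone, name = m.groups()
            policies[(from_zone, to_zone)] = name
    return firewalls, policies

def initiating_rules(frags):
    """Rule numbers that accept new connections (accept rules not restricted to established state)."""
    accept = {f.split()[1] for f in frags if f.startswith("rule ") and f.endswith(" action accept")}
    established = {f.split()[1] for f in frags if f.startswith("rule ") and "state established enable" in f}
    return accept - established

def lint(text):
    """Return a list of findings; an empty list means the rulesets are consistent."""
    firewalls, policies = parse(text)
    findings = []
    for name, frags in firewalls.items():
        if name not in policies.values():
            findings.append(f"{name}: defined but never attached to a zone pair (misspelled?)")
        if not any(f.startswith("default-action ") for f in frags):
            findings.append(f"{name}: no explicit default-action")
    for (src, dst), name in policies.items():
        reverse = firewalls.get(policies.get((dst, src), ""), [])  # ruleset applied to dst->src traffic
        if name not in firewalls:
            findings.append(f"{src}->{dst}: references undefined firewall '{name}' (names are case-sensitive)")
        elif initiating_rules(firewalls[name]) and not any("state established enable" in f for f in reverse):
            # Anything allowed to start a connection src->dst needs its replies let back dst->src.
            findings.append(f"{dst}->{src}: no 'state established enable' rule to let replies back")
    return findings
```

Running `lint(SAMPLE)` reports five findings for the constructed input; fixing the two names makes the list empty.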

FW-MGMT

  • Create a LAN-MGMT firewall that allows 514/udp from the LAN to LOG01, and allows ICMP to LOG01 from the LAN
    • configure
    • set firewall name LAN-MGMT rule 10 action accept
    • set firewall name LAN-MGMT rule 10 destination address 172.16.200.10
    • set firewall name LAN-MGMT rule 10 destination port 514
    • set firewall name LAN-MGMT rule 10 protocol udp
  • Create zones
    • set zone-policy zone LAN interface eth0
    • set zone-policy zone MGMT interface eth1