Assessment Prep - Michaelfoop/SEC-350-01 GitHub Wiki

FW01 Configuration

# FW01 (VyOS) configuration as dumped by `show configuration commands`.
# Three zones: WAN = eth0, DMZ = eth1, LAN = eth2 (bindings further down).
# Every inter-zone rule-set defaults to drop-and-log, so only the explicit
# accept rules below describe what is permitted. The '#' lines are reader
# annotations; VyOS configure mode is a bash session and ignores them, but
# strip them if this block is fed to anything that does not.
#
# --- DMZ -> LAN: return traffic plus Wazuh agent traffic (1514-1515/tcp) to the
# Wazuh server 172.16.200.10. Rule 10 has no source address, so any DMZ host may
# reach those ports. 172.16.200.0/28 is not a directly attached subnet on FW01
# (see interfaces below) — presumably reached via the LAN side; confirm the route.
# Rule 1 accepts 'established' only; see the note on WAN-to-LAN rule 1 below.
set firewall ipv4 name DMZ-to-LAN default-action 'drop'
set firewall ipv4 name DMZ-to-LAN default-log
set firewall ipv4 name DMZ-to-LAN rule 1 action 'accept'
set firewall ipv4 name DMZ-to-LAN rule 1 description 'allowed back out'
set firewall ipv4 name DMZ-to-LAN rule 1 state 'established'
set firewall ipv4 name DMZ-to-LAN rule 10 action 'accept'
set firewall ipv4 name DMZ-to-LAN rule 10 description 'Wazuh agent communications with Wazuh server'
set firewall ipv4 name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall ipv4 name DMZ-to-LAN rule 10 destination port '1514-1515'
set firewall ipv4 name DMZ-to-LAN rule 10 protocol 'tcp'
# --- DMZ -> WAN: return traffic, plus rule 400, which accepts everything from
# the jump host 172.16.50.4 with no protocol or port restriction (unrestricted
# egress for that one host, no description). web01 (.3) gets no outbound
# access beyond return traffic. Narrow rule 400 to the ports actually needed.
set firewall ipv4 name DMZ-to-WAN default-action 'drop'
set firewall ipv4 name DMZ-to-WAN default-log
set firewall ipv4 name DMZ-to-WAN rule 1 action 'accept'
set firewall ipv4 name DMZ-to-WAN rule 1 description 'allow established back'
set firewall ipv4 name DMZ-to-WAN rule 1 state 'established'
set firewall ipv4 name DMZ-to-WAN rule 400 action 'accept'
set firewall ipv4 name DMZ-to-WAN rule 400 source address '172.16.50.4'
# --- LAN -> DMZ: return traffic; any LAN host may reach web01 on 80/tcp; only
# mgmt01 (172.16.150.10) may SSH (22/tcp) into the DMZ /29.
set firewall ipv4 name LAN-to-DMZ default-action 'drop'
set firewall ipv4 name LAN-to-DMZ default-log
set firewall ipv4 name LAN-to-DMZ rule 1 action 'accept'
set firewall ipv4 name LAN-to-DMZ rule 1 description 'allowed back out'
set firewall ipv4 name LAN-to-DMZ rule 1 state 'established'
set firewall ipv4 name LAN-to-DMZ rule 10 action 'accept'
set firewall ipv4 name LAN-to-DMZ rule 10 description 'allow LAN to web01'
set firewall ipv4 name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall ipv4 name LAN-to-DMZ rule 10 destination port '80'
set firewall ipv4 name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall ipv4 name LAN-to-DMZ rule 20 action 'accept'
set firewall ipv4 name LAN-to-DMZ rule 20 description 'mgmt01 to DMZ via 22/tcp'
set firewall ipv4 name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall ipv4 name LAN-to-DMZ rule 20 destination port '22'
set firewall ipv4 name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall ipv4 name LAN-to-DMZ rule 20 source address '172.16.150.10'
# --- LAN -> WAN: rule 1 accepts with no match criteria at all, so every
# LAN-originated flow is allowed and the default drop/log is never reached.
# If LAN egress is meant to be open, say so in a description; otherwise add
# protocol/port matches here.
set firewall ipv4 name LAN-to-WAN default-action 'drop'
set firewall ipv4 name LAN-to-WAN default-log
set firewall ipv4 name LAN-to-WAN rule 1 action 'accept'
# --- WAN -> DMZ: return traffic; HTTP to web01 (.3) and SSH to the jump host
# (.4) are reachable from the WAN. These pair with destination NAT rules 10
# and 11 below. Because 22/tcp on the jump host is WAN-reachable, it is the
# host to harden (key-only auth, and watch its auth log / Wazuh alerts).
set firewall ipv4 name WAN-to-DMZ default-action 'drop'
set firewall ipv4 name WAN-to-DMZ default-log
set firewall ipv4 name WAN-to-DMZ rule 1 action 'accept'
set firewall ipv4 name WAN-to-DMZ rule 1 description 'allow back out'
set firewall ipv4 name WAN-to-DMZ rule 1 state 'established'
set firewall ipv4 name WAN-to-DMZ rule 10 action 'accept'
set firewall ipv4 name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
set firewall ipv4 name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall ipv4 name WAN-to-DMZ rule 10 destination port '80'
set firewall ipv4 name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall ipv4 name WAN-to-DMZ rule 11 action 'accept'
set firewall ipv4 name WAN-to-DMZ rule 11 description 'ssh to jump'
set firewall ipv4 name WAN-to-DMZ rule 11 destination address '172.16.50.4'
set firewall ipv4 name WAN-to-DMZ rule 11 destination port '22'
set firewall ipv4 name WAN-to-DMZ rule 11 protocol 'tcp'
# --- WAN -> LAN: return traffic only; nothing may be initiated from the WAN
# into the LAN. This is the only rule-set whose return rule also accepts
# 'related'; the other four accept 'established' only, so conntrack-related
# flows (e.g. ICMP errors for an existing connection) are dropped in those
# directions. Probably an oversight — make the five return rules consistent.
set firewall ipv4 name WAN-to-LAN default-action 'drop'
set firewall ipv4 name WAN-to-LAN default-log
set firewall ipv4 name WAN-to-LAN rule 1 action 'accept'
set firewall ipv4 name WAN-to-LAN rule 1 description 'allow established back'
set firewall ipv4 name WAN-to-LAN rule 1 state 'related'
set firewall ipv4 name WAN-to-LAN rule 1 state 'established'
# --- Zone bindings. No local zone is defined, so traffic addressed to the
# firewall itself (SSH, DNS forwarder) does not appear to pass through any of
# the rule-sets above; the service listen-addresses further down are the only
# restriction visible here — confirm that is intended.
set firewall zone DMZ from LAN firewall name 'LAN-to-DMZ'
set firewall zone DMZ from WAN firewall name 'WAN-to-DMZ'
set firewall zone DMZ member interface 'eth1'
set firewall zone LAN from DMZ firewall name 'DMZ-to-LAN'
set firewall zone LAN from WAN firewall name 'WAN-to-LAN'
set firewall zone LAN member interface 'eth2'
set firewall zone WAN from DMZ firewall name 'DMZ-to-WAN'
set firewall zone WAN from LAN firewall name 'LAN-to-WAN'
set firewall zone WAN member interface 'eth0'
# --- Interfaces: eth0 = WAN 10.0.17.126/24, eth1 = DMZ 172.16.50.2/29,
# eth2 = LAN 172.16.150.2/24. Offload options are set on eth0 only.
set interfaces ethernet eth0 address '10.0.17.126/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'michael-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'michael-LAN'
# --- Destination NAT (port forwards arriving on eth0; evaluated in rule-number
# order, first match wins). Rule 10 matches ALL 80/tcp on eth0 — it has no
# destination address — so any later 80/tcp DNAT rule (such as the "rule 13"
# described further down this page) is shadowed unless rule 10 is narrowed.
set nat destination rule 10 description 'HTTP->WEB01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface name 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '172.16.50.3'
set nat destination rule 10 translation port '80'
set nat destination rule 11 description 'ssh to jump'
set nat destination rule 11 destination port '22'
set nat destination rule 11 inbound-interface name 'eth0'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address '172.16.50.4'
set nat destination rule 11 translation port '22'
# Rule 20 has the same match criteria as rule 11 (eth0, tcp/22 -> 172.16.50.4)
# and only differs by omitting the translation port; rule 11 always matches
# first, so rule 20 is dead configuration — delete it to avoid confusion.
set nat destination rule 20 description 'ssh-to-jump'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface name 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.50.4'
# --- Source NAT: masquerade DMZ, LAN and MGMT (172.16.200.0/28) behind eth0.
# The MGMT subnet is not attached to FW01, so it presumably arrives via the
# LAN side (RIP below) — verify before relying on rule 30.
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN TO WAN'
set nat source rule 20 outbound-interface name 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
set nat source rule 30 description 'NAT FROM MGMT TO WAN'
set nat source rule 30 outbound-interface name 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'
# --- Routing: RIP runs on the LAN interface and advertises the DMZ /29; the
# default route points at the WAN gateway 10.0.17.2. No RIP authentication
# is configured here, so any host on the eth2 segment could inject routes —
# acceptable in a lab, but worth knowing when reading the routing table.
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
# --- DNS forwarder: answers only for the DMZ and LAN subnets, listening on the
# internal interface addresses (not on eth0); 'system' forwards upstream to the
# system name-server set below.
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
# --- Management: SSH to the firewall itself is reachable only on the LAN
# address (not on eth0/eth1). Inbound 22/tcp on eth0 is DNAT'd to the jump host.
set service ssh listen-address '172.16.150.2'
# --- System: hostname, upstream resolver, local syslog only. Nothing here
# ships FW01's own logs (including the default-log drops above) to a remote
# collector such as the Wazuh server — add a remote syslog target if those
# drop logs are meant to be visible centrally.
set system host-name 'fw1-michael'
set system name-server '10.0.17.2'
set system option reboot-on-upgrade-failure '5'
set system syslog local facility all level 'info'
set system syslog local facility local7 level 'debug'

nginx setup (rough notes)

  • sudo apt update

  • sudo apt install nginx

  • sudo systemctl start/status nginx

  • sudo ufw status (shows whether the ufw host firewall is active and which rules it currently has)

  • sudo ufw app list (lists the application profiles ufw can enable; the one needed here is 'Nginx HTTP')

  • sudo ufw allow 'Nginx HTTP'

  • sudo ufw enable/status

NAT rule 13 (recently added)

This destination NAT rule forwards HTTP (80/tcp) arriving on eth0 to the jump host (172.16.50.4), for practice. Note that destination NAT rule 10 in the FW01 configuration above already matches all 80/tcp on eth0 (it has no destination address) and is evaluated first, so rule 13 will not match unless rule 10 is narrowed; the WAN-to-DMZ rule-set also only permits 80/tcp to 172.16.50.3, so a matching firewall rule for 172.16.50.4 is needed as well.

  • set nat destination rule 13 description "http->jump"

  • set nat destination rule 13 destination port 80

  • set nat destination rule 13 inbound-interface name eth0

  • set nat destination rule 13 protocol tcp

  • set nat destination rule 13 translation address 172.16.50.4

  • set nat destination rule 13 translation port 80