SEC350 - Snowboundport37/champlain GitHub Wiki

fw01 Configuration — Firewall Rules

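# fw01 — firewall ruleset LAN-IN (VyOS `set` commands, one per line).
# Rules are evaluated in ascending number order; the first match wins and
# anything unmatched falls through to the ruleset's default-action.

# Default deny rule for LAN-IN
set firewall name LAN-IN default-action 'drop'

# Allow LAN to WAN
# NOTE(review): the description says LAN -> WAN, but source and destination
# are both 172.16.150.0/24 (LAN -> LAN). Rule 20 below already accepts LAN to
# any destination, so this rule is effectively redundant — confirm whether
# the destination was meant to be the WAN subnet.
set firewall name LAN-IN rule 10 action 'accept'
set firewall name LAN-IN rule 10 description 'Allow LAN to WAN'
set firewall name LAN-IN rule 10 destination address '172.16.150.0/24'
set firewall name LAN-IN rule 10 source address '172.16.150.0/24'

# Allow LAN to Internet
# 0.0.0.0/0 also covers the DMZ (172.16.50.0/29) and MGMT (172.16.200.0/28)
# subnets, so this rule does not limit LAN hosts to Internet destinations.
set firewall name LAN-IN rule 20 action 'accept'
set firewall name LAN-IN rule 20 description 'Allow LAN to Internet'
set firewall name LAN-IN rule 20 destination address '0.0.0.0/0'
set firewall name LAN-IN rule 20 source address '172.16.150.0/24'

# Deny all other traffic
# Removed: rule 30 (action 'drop', no match criteria) duplicated the
# default-action above and, being evaluated before rule 50, made the
# MGMT -> LAN ICMP rule unreachable. The default-action now provides the deny.

# Allow MGMT to LAN (ICMP)
set firewall name LAN-IN rule 50 action 'accept'
set firewall name LAN-IN rule 50 description 'Allow MGMT to LAN'
set firewall name LAN-IN rule 50 destination address '172.16.150.0/24'
set firewall name LAN-IN rule 50 protocol 'icmp'
set firewall name LAN-IN rule 50 source address '172.16.200.0/28'

# Interface Configuration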

# fw01 — interface addressing (VyOS `set` commands, one per line).

# WAN Interface
set interfaces ethernet eth0 address '10.0.17.155/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
# NOTE(review): this line names no ruleset, so nothing is actually attached.
# On VyOS 1.2/1.3-style syntax the ruleset is given as
# `firewall in name <RULESET>`; LAN-IN is the only ruleset defined for fw01
# on this page. Its rules match internal source subnets that arrive via eth2
# (LAN), not eth0 (WAN), and no `firewall state-policy` appears on this page,
# so a default-drop ruleset applied inbound on the WAN side would likely also
# drop return traffic for NAT'd sessions — confirm the intended interface.
set interfaces ethernet eth0 firewall in

# DMZ Interface
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'SEC350-DMZ'

# LAN Interface
# Same segment as fw-mgmt's eth0 (172.16.150.3/24, see the fw-mgmt section).
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'SEC350-LAN'

# NAT Configuration

# fw01 — source NAT (masquerade) for each internal subnet leaving via eth0
# (the WAN interface, 10.0.17.155/24).

# NAT for DMZ to WAN
set nat source rule 10 description 'NAT from DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'

# NAT for LAN to WAN
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'

# NAT for MGMT to WAN
# MGMT (172.16.200.0/28) is not directly connected to fw01; its traffic
# arrives via fw-mgmt on the LAN segment, and the return path relies on the
# static route to 172.16.200.0/28 in the routing section.
set nat source rule 30 description 'NAT FROM MGMT to WAN'
set nat source rule 30 outbound-interface 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'

# Routing Configuration

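# fw01 — static routing (VyOS `set` commands, one per line).

# Default route
# 10.0.17.2 is the upstream gateway on the WAN segment (eth0, 10.0.17.155/24).
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2

# Static routes for internal networks
# Removed: `set protocols static route 172.16.50.0/29 next-hop 172.16.50.2`.
# 172.16.50.0/29 is directly connected on eth1, and 172.16.50.2 is fw01's own
# eth1 address, so the route was redundant at best and pointed at the router
# itself.
# 172.16.150.3 is fw-mgmt's LAN-side address; this is fw01's only path to the
# MGMT subnet and is needed for the return leg of NAT rule 30.
set protocols static route 172.16.200.0/28 next-hop 172.16.150.3

# DNS & System Settings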

# fw01 — DNS forwarding, SSH, IPv6, name servers and remote syslog.

# DNS Forwarding
# Only the DMZ and LAN subnets may query; fw01 listens on its eth1 and eth2
# addresses only, so the resolver is not exposed on the WAN address.
# fw-mgmt (172.16.150.3) falls under the 172.16.150.0/24 allow-from entry.
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
# `system`: forward to the system name-server(s) configured below.
set service dns forwarding system

# Enable SSH
# NOTE(review): no listen-address is set, so sshd accepts connections on every
# address including the WAN side (eth0), and no ruleset filtering traffic
# destined to fw01 itself appears on this page. Consider a listen-address on
# an internal interface or a `local` firewall ruleset — confirm against the
# running config.
set service ssh port '22'

# Disable IPv6 Forwarding
set system ipv6 disable-forwarding

# System Name Servers
# Upstream resolver; the same host is the default-route next-hop.
set system name-server '10.0.17.2'

# Syslog Configuration
# Ships only the authpriv facility (authentication events) at level info and
# above to the log host in the DMZ (172.16.50.5 is inside 172.16.50.0/29);
# other facilities remain local.
set system syslog host 172.16.50.5 facility authpriv level 'info'

# fw-mgmt Configuration — Firewall Rules

# fw-mgmt — firewall ruleset MGMT-TO-FW (VyOS `set` commands, one per line).

# Allow SSH from MGMT to FW
# NOTE(review): this ruleset has no explicit default-action (VyOS falls back
# to drop) and is not attached to any interface anywhere on this page, so it
# currently filters nothing. If it is meant to protect the firewall itself it
# would be attached as a `local` ruleset; rule 10 permits only tcp/22, so DNS
# queries from MGMT hosts to the forwarder on 172.16.200.2 would then fall
# through to the default action unless a rule for them is added.
set firewall name MGMT-TO-FW rule 10 action 'accept'
set firewall name MGMT-TO-FW rule 10 destination port '22'
set firewall name MGMT-TO-FW rule 10 protocol 'tcp'
set firewall name MGMT-TO-FW rule 10 source address '172.16.200.0/28'

# Interface Configuration

# fw-mgmt — interface addressing (VyOS `set` commands, one per line).

# LAN Interface
# Shares the 172.16.150.0/24 segment with fw01's eth2 (172.16.150.2), which
# is fw-mgmt's path to the WAN.
set interfaces ethernet eth0 address '172.16.150.3/24'
set interfaces ethernet eth0 description 'SEC350-LAN'

# MGMT Interface
# NOTE(review): neither interface has a firewall ruleset attached here; the
# MGMT-TO-FW ruleset defined in the firewall section is unreferenced.
set interfaces ethernet eth1 address '172.16.200.2/28'
set interfaces ethernet eth1 description 'SEC350-MGMT'

# Routing Configuration

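# fw-mgmt — routing (VyOS `set` commands, one per line).

# Enable RIP on LAN
# Advertises the MGMT subnet out eth0 (LAN). fw01's section reaches
# 172.16.200.0/28 via a static route rather than RIP, so this advertisement
# is only useful if another RIP speaker exists on the LAN segment (none is
# shown on this page). No RIP authentication is configured, so updates from
# any neighbour on the segment would be accepted — consider removing RIP, or
# enabling authentication if it is kept.
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'

# Static routes
# Removed two routes that cannot work from this host:
#   - `0.0.0.0/0 next-hop 10.0.17.1`: fw-mgmt has no interface in
#     10.0.17.0/24 (eth0 is 172.16.150.3/24, eth1 is 172.16.200.2/28), so
#     the next-hop is unreachable.
#   - `172.16.150.0/24 next-hop 172.16.200.2`: the LAN subnet is directly
#     connected on eth0 and 172.16.200.2 is fw-mgmt's own eth1 address.
# The remaining default route points at fw01's LAN address, which also
# performs the NAT for the MGMT subnet.
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2

# DNS & System Settings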

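# fw-mgmt — DNS forwarding, SSH, hostname and name servers.

# DNS Forwarding
# Removed `allow-from '10.0.17.0/24'` and `listen-address '10.0.17.156'`:
# fw-mgmt has no address in 10.0.17.0/24 (its interfaces are 172.16.150.3/24
# and 172.16.200.2/28), so that listen-address could never be bound locally,
# and the allow-from would have opened the resolver to the WAN-side subnet
# for no reason. The forwarder now serves only MGMT hosts on the MGMT
# interface address.
set service dns forwarding allow-from '172.16.200.0/28'
set service dns forwarding listen-address '172.16.200.2'
# Upstream resolver for forwarded queries (reached through fw01's NAT).
set service dns forwarding name-server '8.8.8.8'

# Enable SSH
# Was `listen-address '0.0.0.0'` (every interface, including the LAN side).
# Bound to the MGMT interface address so SSH is reachable only from the MGMT
# segment, matching the intent of the MGMT-TO-FW rule in the firewall
# section. Widen this deliberately if LAN-side administration is required.
set service ssh listen-address '172.16.200.2'

# Set Hostname
set system host-name 'fw-mgmt-andrei'

# System Name Servers
# fw-mgmt itself resolves via fw01's LAN-side DNS forwarder.
set system name-server '172.16.150.2'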