SEC 350:Lab 4.1 - WanderlustPenguin/Charles-Tech-Journal GitHub Wiki
Fw01 (note: this table is identical to the FWmgmt table below — host-name 'fw-mgmt', eth0 172.16.150.3/24, eth1 172.16.200.2/28 — so fw01's own configuration is not actually captured on this page; re-run `show configuration commands` on fw01) | Notes |
---|---|
set firewall name LAN-to-MGMT default-action 'drop' | |
set firewall name LAN-to-MGMT enable-default-log | |
set firewall name LAN-to-MGMT rule 1 action 'accept' | |
set firewall name LAN-to-MGMT rule 1 state established 'enable' | |
set firewall name LAN-to-MGMT rule 10 action 'accept' | |
set firewall name LAN-to-MGMT rule 10 description 'wazuh agent to wazuh server' | |
set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10' | |
set firewall name LAN-to-MGMT rule 10 destination port '1515,1514' | |
set firewall name LAN-to-MGMT rule 10 protocol 'tcp' | |
set firewall name LAN-to-MGMT rule 20 action 'accept' | |
set firewall name LAN-to-MGMT rule 20 description 'web interface to wazuh for mgmt01' | |
set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10' | |
set firewall name LAN-to-MGMT rule 20 destination port '443' | |
set firewall name LAN-to-MGMT rule 20 protocol 'tcp' | |
set firewall name LAN-to-MGMT rule 20 source address '0.0.0.0/0' | |
set firewall name LAN-to-MGMT rule 30 action 'accept' | |
set firewall name LAN-to-MGMT rule 30 description 'ssh to wazuh from mgmt01' | |
set firewall name LAN-to-MGMT rule 30 destination address '172.16.200.10' | |
set firewall name LAN-to-MGMT rule 30 destination port '22' | |
set firewall name LAN-to-MGMT rule 30 protocol 'tcp' | |
set firewall name LAN-to-MGMT rule 30 source address '0.0.0.0/0' | |
set firewall name MGMT-to-LAN default-action 'drop' | |
set firewall name MGMT-to-LAN enable-default-log | |
set firewall name MGMT-to-LAN rule 1 action 'accept' | |
set firewall name MGMT-to-LAN rule 1 description 'allow established and related back to MGMT' | |
set firewall name MGMT-to-LAN rule 1 state established 'enable' | |
set firewall name MGMT-to-LAN rule 1 state related 'enable' | |
set firewall name MGMT-to-LAN rule 3 action 'accept' | |
set firewall name MGMT-to-LAN rule 3 description 'allow all mgmt to DMZ' | |
set firewall name MGMT-to-LAN rule 3 destination address '172.16.50.0/29' | |
set firewall name MGMT-to-LAN rule 3 log 'enable' | |
set firewall name MGMT-to-LAN rule 3 source address '0.0.0.0/0' | |
set firewall name MGMT-to-LAN rule 3 state established 'enable' | |
set firewall name MGMT-to-LAN rule 110 action 'accept' | |
set firewall name MGMT-to-LAN rule 110 description 'allow all MGMT to LAN' | |
set firewall name MGMT-to-LAN rule 110 destination address '172.16.150.0/24' | |
set firewall name MGMT-to-LAN rule 110 log 'enable' | |
set firewall name MGMT-to-LAN rule 110 source address '0.0.0.0/0' | |
set interfaces ethernet eth0 address '172.16.150.3/24' | |
set interfaces ethernet eth0 description 'SEC350-LAN' | |
set interfaces ethernet eth0 hw-id '00:50:56:a1:4a:72' | |
set interfaces ethernet eth1 address '172.16.200.2/28' | |
set interfaces ethernet eth1 description 'SEC350-MGMT' | |
set interfaces ethernet eth1 hw-id '00:50:56:a1:89:8f' | |
set interfaces loopback lo | |
set nat source rule 30 description 'MGMT-LAN' | |
set nat source rule 30 outbound-interface 'eth0' | |
set nat source rule 30 source address '172.16.200.0' | |
set nat source rule 30 translation address 'masquerade' | |
set protocols rip interface eth0 | |
set protocols rip network '172.16.200.0/28' | |
set protocols rip network '172.16.150.0/24' | |
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2 | |
set protocols static route 172.16.50.0/24 next-hop 172.16.150.3 | |
set protocols static route 172.16.50.0/29 next-hop 172.16.150.2 | |
set service dns forwarding allow-from '172.16.200.0/28' | |
set service dns forwarding listen-address '172.16.200.2' | |
set service dns forwarding system | |
set service ssh listen-address '0.0.0.0' | |
set system config-management commit-revisions '100' | |
set system conntrack modules ftp | |
set system conntrack modules h323 | |
set system conntrack modules nfs | |
set system conntrack modules pptp | |
set system conntrack modules sip | |
set system conntrack modules sqlnet | |
set system conntrack modules tftp | |
set system console device ttyS0 speed '115200' | |
set system host-name 'fw-mgmt' | |
set system login user vyos authentication encrypted-password '$6$YUTCBnIl7XuxPfv7$UQXsMiDLSJsDs9mPJ2PQ.9IjjMks5MrKu6IlQRJsS.VIvkYeQXFvupJVrZMTQFYjkbTkRshVAYECJS337kHAS/' | The SHA-512 crypt hash of the firewall admin password is published here; anyone who can read this page can crack it offline. Redact the hash before committing to a public wiki and rotate the vyos password. |
set system login user vyos authentication plaintext-password '' | |
set system name-server '172.16.150.2' | |
set system ntp server time1.vyos.net | |
set system ntp server time2.vyos.net | |
set system ntp server time3.vyos.net | |
set system syslog global facility all level 'info' | |
set system syslog global facility protocols level 'debug' | |
set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN' | |
set zone-policy zone LAN interface 'eth0' | |
set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT' | |
set zone-policy zone MGMT interface 'eth1' |
FWmgmt | Notes |
---|---|
set firewall name LAN-to-MGMT default-action 'drop' | |
set firewall name LAN-to-MGMT enable-default-log | |
set firewall name LAN-to-MGMT rule 1 action 'accept' | |
set firewall name LAN-to-MGMT rule 1 state established 'enable' | Matches established packets only, whereas MGMT-to-LAN rule 1 also enables `related`. Add `set firewall name LAN-to-MGMT rule 1 state related 'enable'` so related flows (ICMP errors, data channels opened by the conntrack helpers loaded below) are not dropped. |
set firewall name LAN-to-MGMT rule 10 action 'accept' | |
set firewall name LAN-to-MGMT rule 10 description 'wazuh agent to wazuh server' | |
set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10' | |
set firewall name LAN-to-MGMT rule 10 destination port '1515,1514' | |
set firewall name LAN-to-MGMT rule 10 protocol 'tcp' | |
set firewall name LAN-to-MGMT rule 20 action 'accept' | |
set firewall name LAN-to-MGMT rule 20 description 'web interface to wazuh for mgmt01' | |
set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10' | |
set firewall name LAN-to-MGMT rule 20 destination port '443' | |
set firewall name LAN-to-MGMT rule 20 protocol 'tcp' | |
set firewall name LAN-to-MGMT rule 20 source address '0.0.0.0/0' | `0.0.0.0/0` matches any source, so despite the description this rule is not limited to mgmt01 — every LAN host can reach the Wazuh web interface. Set `source address` to mgmt01's host address (not shown on this page), or delete this line: an any-source match is the same as having no source match. |
set firewall name LAN-to-MGMT rule 30 action 'accept' | |
set firewall name LAN-to-MGMT rule 30 description 'ssh to wazuh from mgmt01' | |
set firewall name LAN-to-MGMT rule 30 destination address '172.16.200.10' | |
set firewall name LAN-to-MGMT rule 30 destination port '22' | |
set firewall name LAN-to-MGMT rule 30 protocol 'tcp' | |
set firewall name LAN-to-MGMT rule 30 source address '0.0.0.0/0' | Same issue as rule 20: any LAN host can SSH to the Wazuh server. Restrict `source address` to mgmt01 if that is the intent stated in the description. |
set firewall name MGMT-to-LAN default-action 'drop' | |
set firewall name MGMT-to-LAN enable-default-log | |
set firewall name MGMT-to-LAN rule 1 action 'accept' | |
set firewall name MGMT-to-LAN rule 1 description 'allow established and related back to MGMT' | |
set firewall name MGMT-to-LAN rule 1 state established 'enable' | |
set firewall name MGMT-to-LAN rule 1 state related 'enable' | |
set firewall name MGMT-to-LAN rule 3 action 'accept' | |
set firewall name MGMT-to-LAN rule 3 description 'allow all mgmt to DMZ' | |
set firewall name MGMT-to-LAN rule 3 destination address '172.16.50.0/29' | |
set firewall name MGMT-to-LAN rule 3 log 'enable' | |
set firewall name MGMT-to-LAN rule 3 source address '0.0.0.0/0' | |
set firewall name MGMT-to-LAN rule 3 state established 'enable' | Bug: with `state established` this rule only matches packets of already-established connections, so new MGMT-to-DMZ connections never hit it; 172.16.50.0/29 is also outside rule 110's 172.16.150.0/24, so they fall through to the default drop (and show up in the default log). Run `delete firewall name MGMT-to-LAN rule 3 state` — rule 1 already handles established/related. |
set firewall name MGMT-to-LAN rule 110 action 'accept' | |
set firewall name MGMT-to-LAN rule 110 description 'allow all MGMT to LAN' | |
set firewall name MGMT-to-LAN rule 110 destination address '172.16.150.0/24' | |
set firewall name MGMT-to-LAN rule 110 log 'enable' | |
set firewall name MGMT-to-LAN rule 110 source address '0.0.0.0/0' | `0.0.0.0/0` is equivalent to no source match. This rule lets every MGMT host reach every LAN host on any port; acceptable for a management network in the lab, but tighten it to specific services once the lab is stable. |
set interfaces ethernet eth0 address '172.16.150.3/24' | |
set interfaces ethernet eth0 description 'SEC350-LAN' | |
set interfaces ethernet eth0 hw-id '00:50:56:a1:4a:72' | |
set interfaces ethernet eth1 address '172.16.200.2/28' | |
set interfaces ethernet eth1 description 'SEC350-MGMT' | |
set interfaces ethernet eth1 hw-id '00:50:56:a1:89:8f' | |
set interfaces loopback lo | |
set nat source rule 30 description 'MGMT-LAN' | |
set nat source rule 30 outbound-interface 'eth0' | |
set nat source rule 30 source address '172.16.200.0' | Bug: without a prefix length this is a single host address (the network address itself), not the MGMT subnet, so traffic from 172.16.200.3–.14 is never masqueraded. Use `'172.16.200.0/28'` to match eth1's 172.16.200.2/28. Note also that masquerading hides the real MGMT source address from fw01 and from LAN host logs. |
set nat source rule 30 translation address 'masquerade' | |
set protocols rip interface eth0 | RIP runs on the LAN-facing interface with no authentication, so any LAN host can advertise routes to this firewall. Consider RIP MD5 authentication on eth0 (matching fw01; check the exact syntax for your VyOS version) or static routes only. |
set protocols rip network '172.16.200.0/28' | |
set protocols rip network '172.16.150.0/24' | |
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2 | |
set protocols static route 172.16.50.0/24 next-hop 172.16.150.3 | The next-hop 172.16.150.3 is this router's own eth0 address, so this route cannot forward anything; the more specific /29 route below via 172.16.150.2 is what actually carries DMZ traffic. Delete this line or point it at 172.16.150.2. |
set protocols static route 172.16.50.0/29 next-hop 172.16.150.2 | |
set service dns forwarding allow-from '172.16.200.0/28' | |
set service dns forwarding listen-address '172.16.200.2' | |
set service dns forwarding system | |
set service ssh listen-address '0.0.0.0' | SSH listens on every interface. The zone policies below only filter transit traffic between LAN and MGMT — with no `local` zone, traffic addressed to the firewall itself is unfiltered — so any LAN host can reach the admin SSH service. Bind it to the MGMT side: `set service ssh listen-address '172.16.200.2'`. |
set system config-management commit-revisions '100' | |
set system conntrack modules ftp | The seven conntrack modules here (ftp, h323, nfs, pptp, sip, sqlnet, tftp) are protocol helpers that let conntrack open `related` pinholes for each protocol's data channels. Keep only the ones actually used in the lab, e.g. `delete system conntrack modules sip`. |
set system conntrack modules h323 | |
set system conntrack modules nfs | |
set system conntrack modules pptp | |
set system conntrack modules sip | |
set system conntrack modules sqlnet | |
set system conntrack modules tftp | |
set system console device ttyS0 speed '115200' | |
set system host-name 'fw-mgmt' | |
set system login user vyos authentication encrypted-password '$6$YUTCBnIl7XuxPfv7$UQXsMiDLSJsDs9mPJ2PQ.9IjjMks5MrKu6IlQRJsS.VIvkYeQXFvupJVrZMTQFYjkbTkRshVAYECJS337kHAS/' | The SHA-512 crypt hash of the firewall admin password is published here; anyone who can read this page can crack it offline. Redact the hash before committing to a public wiki and rotate the vyos password. |
set system login user vyos authentication plaintext-password '' | |
set system name-server '172.16.150.2' | |
set system ntp server time1.vyos.net | |
set system ntp server time2.vyos.net | |
set system ntp server time3.vyos.net | |
set system syslog global facility all level 'info' | Logs, including the default-log drops from both rulesets, stay on the firewall. Since the Wazuh server at 172.16.200.10 is already reachable, consider `set system syslog host 172.16.200.10 facility all level 'info'` (if the Wazuh manager has a syslog input enabled) so drops are collected centrally. |
set system syslog global facility protocols level 'debug' | |
set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN' | |
set zone-policy zone LAN interface 'eth0' | |
set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT' | |
set zone-policy zone MGMT interface 'eth1' | Only LAN-to-MGMT and MGMT-to-LAN transit traffic is filtered. There is no `local` zone, so services on the firewall itself (SSH, DNS forwarding) are not covered by these rulesets; add a zone with `local-zone` and explicit rules if the firewall should be managed only from MGMT. |
- `show configuration commands` — prints the running configuration as `set` commands, which can be copied into a document (redact password hashes before publishing).
- `set zone-policy zone XXX interface 'eth0'` — assigns an interface to a zone.
- `set zone-policy zone XXX from YYY firewall name 'YYY-to-XXX'` — applies a firewall ruleset to traffic entering zone XXX from zone YYY (one ruleset per direction).
- If traffic between networks fails, double-check the zone assignments and the firewall rulesets in both directions — a ruleset without an established/related rule will silently block return traffic, and a default-action of drop with default logging enabled will show the dropped packets in the log.