Network Firewalls Lab 1 - Zacham17/my-tech-journal GitHub Wiki

Firewall Configuration

On fw01

Firewall Zone Creation

  • On fw01, I created firewall zones and linked them to their respective interfaces using the following commands:
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
save

WAN and DMZ

  • I then created firewalls for the WAN and DMZ zones, set their default action to drop, and enabled logging for traffic that hits the default drop, using the following commands:
set firewall name WAN-to-DMZ default-action drop
set firewall name DMZ-to-WAN default-action drop
set firewall name WAN-to-DMZ enable-default-log 
set firewall name DMZ-to-WAN enable-default-log
  • I then assigned the firewalls to their respective zones using the following commands:
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN 
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ 
commit
save

Firewall Rules

  • At this point, connections to web01 from rw01 will still fail because traffic rules are not set yet.
  • I set a firewall rule on the WAN-to-DMZ firewall to allow HTTP connections from the WAN to web01, using the following commands:
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
commit
save
  • At this point, a connection from rw01 on the WAN still fails because the connection is only allowed one way.
  • To fix this, I added a firewall rule to the DMZ-to-WAN firewall that allows established connections back through the firewall using the following commands:
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
commit
save
  • After this, I was able to browse to web01.
  • I followed similar steps to configure firewall rules for the other firewalls.

LAN and DMZ

  • I then created firewalls for the LAN and DMZ zones, set their default action to drop, and enabled logging for traffic that hits the default drop, using the following commands:
set firewall name LAN-to-DMZ default-action drop
set firewall name DMZ-to-LAN default-action drop
set firewall name LAN-to-DMZ enable-default-log 
set firewall name DMZ-to-LAN enable-default-log
  • I then assigned the firewalls to their respective zones using the following commands:
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN 
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ 
commit
save

Firewall Rules

  • I set firewall rules on the LAN-to-DMZ firewall to allow HTTP and SSH connections from the LAN to web01, using the following commands:
    • Rule 20 to allow HTTP connections
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 description 'LAN to web01'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 20 destination port '80'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
commit
save
    • Rule 30 to allow SSH connections
set firewall name LAN-to-DMZ rule 30 action 'accept'
set firewall name LAN-to-DMZ rule 30 description 'mgmt01 to DMZ'
set firewall name LAN-to-DMZ rule 30 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 30 destination port '22'
set firewall name LAN-to-DMZ rule 30 protocol 'tcp'
commit
save
  • I added a firewall rule to the DMZ-to-LAN firewall that allows established traffic back through the firewall using the following commands:
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
commit
save
  • After this, I was able to browse to web01.
  • I followed similar steps to configure firewall rules for the other firewalls.
  • I also needed to allow Wazuh agent traffic, which uses TCP ports 1514 and 1515, through the DMZ-to-LAN firewall. I added a firewall rule to do this using the following commands:
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
commit
save

LAN and WAN

  • I then created firewalls for the LAN and WAN zones, set their default action to drop, and enabled logging for traffic that hits the default drop, using the following commands:
set firewall name LAN-to-WAN default-action drop
set firewall name WAN-to-LAN default-action drop
set firewall name LAN-to-WAN enable-default-log 
set firewall name WAN-to-LAN enable-default-log
  • I then assigned the firewalls to their respective zones using the following commands:
set zone-policy zone LAN from WAN firewall name WAN-to-LAN 
set zone-policy zone WAN from LAN firewall name LAN-to-WAN 
commit
save

Firewall Rules

  • I set a firewall rule on the LAN-to-WAN firewall to allow all traffic:
    • Rule 1 to accept connections
set firewall name LAN-to-WAN rule 1 action 'accept'
commit
save
  • I set a firewall rule on the WAN-to-LAN firewall to allow the replies of established connections back through, using the following commands:
set firewall name WAN-to-LAN rule 1 action 'accept'
set firewall name WAN-to-LAN rule 1 state established 'enable'
commit
save
  • This allows LAN-connected devices to connect to the internet.
  • NOTE: Since firewall rules for HTTP and SSH connections were created on the LAN-to-DMZ firewall, connections from the LAN to the DMZ are possible. If these rules had not been created, the LAN would not be able to access the DMZ.

On fw-mgmt

Firewall Zone Creation

  • On fw-mgmt, I created firewall zones and linked them to their respective interfaces using the following commands:
set zone-policy zone LAN interface 'eth0'
set zone-policy zone MGMT interface 'eth1'
commit
save

LAN and MGMT

  • I then created firewalls for the LAN and MGMT zones, set their default action to drop, and enabled logging for traffic that hits the default drop, using the following commands:
set firewall name LAN-to-MGMT default-action drop
set firewall name MGMT-to-LAN default-action drop
set firewall name LAN-to-MGMT enable-default-log 
set firewall name MGMT-to-LAN enable-default-log
commit
save
  • I assigned the firewalls to their respective zones using the commands:
set zone-policy zone LAN from MGMT firewall name 'MGMT-to-LAN'
set zone-policy zone MGMT from LAN firewall name 'LAN-to-MGMT'
commit
save

Firewall Rules (LAN-to-MGMT)

  • I created a rule on the LAN-to-MGMT firewall that allows TCP connections on ports 1514 and 1515 from the LAN to wazuh. I used the following commands to do this:
set firewall name LAN-to-MGMT rule 10 action 'accept'
set firewall name LAN-to-MGMT rule 10 description 'LAN to wazuh'
set firewall name LAN-to-MGMT rule 10 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 10 destination port '1514,1515'
set firewall name LAN-to-MGMT rule 10 protocol 'tcp'
commit
save
  • I created a rule on the LAN-to-MGMT firewall that allows TCP connections on port 443 from the LAN to wazuh. I used the following commands to do this:
set firewall name LAN-to-MGMT rule 20 action 'accept'
set firewall name LAN-to-MGMT rule 20 description 'HTTPS from LAN to wazuh'
set firewall name LAN-to-MGMT rule 20 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 20 destination port '443'
set firewall name LAN-to-MGMT rule 20 protocol 'tcp'
commit
save
  • I created a rule on the LAN-to-MGMT firewall that allows TCP connections on port 22 from the LAN to wazuh. I used the following commands to do this:
set firewall name LAN-to-MGMT rule 30 action 'accept'
set firewall name LAN-to-MGMT rule 30 description 'SSH from LAN to WAZUH'
set firewall name LAN-to-MGMT rule 30 destination address '172.16.200.10'
set firewall name LAN-to-MGMT rule 30 destination port '22'
set firewall name LAN-to-MGMT rule 30 protocol 'tcp'
commit
save
  • I then made a rule on the LAN-to-MGMT firewall that allows established traffic back through the firewall, using the following commands:
set firewall name LAN-to-MGMT rule 1 action 'accept'
set firewall name LAN-to-MGMT rule 1 state established 'enable'

Firewall Rules (MGMT-to-LAN)

  • I created a rule on the MGMT-to-LAN firewall that allows MGMT to initiate any connection to the LAN. I was able to do this by setting the destination address in the firewall rule to the network address of the LAN. I used the following commands:
set firewall name MGMT-to-LAN rule 10 action 'accept'
set firewall name MGMT-to-LAN rule 10 description 'MGMT to all of LAN'
set firewall name MGMT-to-LAN rule 10 destination address '172.16.150.0/24'
commit
save
  • I created a rule on the MGMT-to-LAN firewall that allows MGMT to initiate any connection to the DMZ. I was able to do this by setting the destination address in the firewall rule to the network address of the DMZ. I used the following commands:
set firewall name MGMT-to-LAN rule 20 action 'accept'
set firewall name MGMT-to-LAN rule 20 description 'MGMT to all of DMZ'
set firewall name MGMT-to-LAN rule 20 destination address '172.16.50.0/29'
commit
save
  • I then made a rule on the MGMT-to-LAN firewall that allows established traffic back through the firewall, using the following commands:
set firewall name MGMT-to-LAN rule 1 action 'accept'
set firewall name MGMT-to-LAN rule 1 state established 'enable'
commit
save
  • After configuring this firewall, I was able to browse to web01 and ping mgmt01 from mgmt02, but I was unable to ping outside of the network. This is because I didn't allow MGMT to go anywhere except the LAN and DMZ.

Debugging Firewall Blocks

  • One way to troubleshoot firewall blocks is with the firewall logs.
  • A command that I used in this lab is tail -f /var/log/messages | grep WAN
  • The command above follows /var/log/messages and prints only the lines that contain the term "WAN". I was able to use the output of this command to see which connections were being blocked by which firewall. I could then adjust my firewall rules accordingly.
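Reading the raw log lines by eye gets tedious once several firewalls are logging, so here is a small added parser (my own example, not part of the original lab) that groups dropped packets by firewall and flow. The sample lines are constructed in the VyOS 1.3 log-prefix style "[<firewall>-<rule>-<action>]"; the addresses and the hostnames fw01/web01 are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the VyOS 1.3 log-prefix style "[<firewall>-<rule>-<action>]"
# ("default-D" = dropped by the default action), as they appear in /var/log/messages.
# Not real lab output; addresses are chosen to match the lab's networks.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw01 kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=172.16.50.3 PROTO=TCP SPT=51000 DPT=443
Mar  1 10:00:02 fw01 kernel: [WAN-to-DMZ-10-A]IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=172.16.50.3 PROTO=TCP SPT=51001 DPT=80
Mar  1 10:00:03 fw01 kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=172.16.50.3 PROTO=TCP SPT=51002 DPT=443
Mar  1 10:00:04 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 SRC=172.16.50.3 DST=172.16.200.10 PROTO=TCP SPT=40000 DPT=1514
Mar  1 10:00:05 fw01 kernel: [WAN-to-LAN-default-D]IN=eth0 OUT=eth2 SRC=10.0.0.9 DST=172.16.150.20 PROTO=ICMP
Mar  1 10:00:06 fw01 sshd[1234]: Accepted publickey for vyos from 172.16.150.20
"""

PREFIX_RE = re.compile(r"\[(?P<fw>.+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return firewall name, rule, action and the flow fields, or None for non-firewall lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD_RE.findall(line))
    rec.setdefault("DPT", "-")  # ICMP lines carry no destination port
    return rec

def summarize_drops(text, firewall=None):
    """Count dropped packets per (firewall, src, dst, proto, dport); 'firewall' filters by
    name substring, the role grep plays in 'tail -f /var/log/messages | grep WAN'."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "D" or (firewall and firewall not in rec["fw"]):
            continue
        counts[(rec["fw"], rec["SRC"], rec["DST"], rec["PROTO"], rec["DPT"])] += 1
    return counts

if __name__ == "__main__":
    for (fw, src, dst, proto, dport), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {fw:<12} {src} -> {dst} {proto}/{dport}")
```

A repeated drop to the same destination port (here TCP/443 on web01) is the quickest sign that a rule is missing rather than a client misbehaving.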

Exporting VyOS configurations

  • To export VyOS configurations in an easy-to-read way, the following command can be used: show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"
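The exported "set" commands are also easy to check mechanically. The following is an added example of mine, not part of the lab, that reads such an export and flags two of the mistakes this lab runs into: a zone pair with no firewall assigned (the zone policy then drops that traffic) and a firewall that opens connections while the reverse-direction firewall has no "state established enable" rule for the replies. The sample export is constructed from the fw01 commands above, with the LAN/DMZ firewalls and the WAN-to-LAN return rule deliberately left out so there is something to flag.

```python
import re
from itertools import permutations
# Constructed 'show configuration commands' excerpt (VyOS 1.3) based on the fw01 commands above,
# with the LAN/DMZ firewalls and the WAN-to-LAN return rule deliberately omitted. Not a real export.
SAMPLE_CONFIG = """\
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
set firewall name LAN-to-WAN rule 1 action 'accept'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
"""
FW_RE = re.compile(r"^set firewall name (\S+) (.+)$")
ZONE_RE = re.compile(r"^set zone-policy zone (\S+) from (\S+) firewall name '?([\w-]+)'?$")

def parse(text):
    """Collect each firewall's default action and rules, plus the (to, from) zone -> firewall map."""
    fws, zones, policy = {}, set(), {}
    for line in text.splitlines():
        if m := FW_RE.match(line):
            name, t = m.group(1), m.group(2).replace("'", "").split()
            fw = fws.setdefault(name, {"default": "drop", "rules": {}})  # drop is VyOS's default
            if t[0] == "default-action":
                fw["default"] = t[1]
            elif t[0] == "rule":  # e.g. {"action": "accept", "state established": "enable"}
                fw["rules"].setdefault(t[1], {})[" ".join(t[2:-1])] = t[-1]
        elif m := ZONE_RE.match(line):
            to, frm, name = m.groups()
            zones.update((to, frm)); policy[(to, frm)] = name
    return fws, zones, policy

def accepts(fw, established):
    """True if fw passes traffic by default or via an accept rule of this kind (established=True: replies only)."""
    return fw["default"] == "accept" or any(
        r.get("action") == "accept" and (r.get("state established") == "enable") == established for r in fw["rules"].values())

def audit(text):
    """Flag zone pairs with no firewall and firewalls that open connections whose replies the reverse firewall drops."""
    fws, zones, policy = parse(text)
    empty, findings = {"default": "drop", "rules": {}}, []
    for to, frm in permutations(sorted(zones), 2):
        name = policy.get((to, frm))
        if name is None:
            findings.append(f"zone {to} from {frm}: no firewall assigned")
        elif accepts(fws.get(name, empty), False) and not accepts(fws.get(policy.get((frm, to)), empty), True):
            findings.append(f"{name}: opens connections but zone {frm} from {to} has no established-return rule")
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) reports the two missing LAN/DMZ firewalls and the missing return rule on WAN-to-LAN; appending the WAN-to-LAN rule 1 commands from the lab clears the latter.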

My Firewall Configurations

The firewall configuration commands that I used up through this Lab can be found below.

Reflection

I didn't run into many issues in this lab. I learned a lot about firewalls on VyOS. This lab helped me become familiar with the commands used for firewall configuration and rules. I also learned more about the inner workings of the firewall and how connections work with the firewall. Connections that are let through the firewall also need to be let out, which is where "state established enable" comes into play. This lab was also a good reminder to use the commit and save commands to save the configurations that I set.