Creating a firewall SEC_480 - jwells24/Tech-Journal GitHub Wiki

Creating our VyOS firewall

  • We are using VyOS as the firewall. Every set and delete command below is typed in configuration mode (enter it with configure); nothing takes effect until you commit, and nothing survives a reboot until you save.

  • Link to Milestone 1 480-fw commands: Milestone1-480-fw

Creating the box

  1. Navigate to the Virtual Machines tab and select Create a new virtual machine. Work through the prompts, selecting your ISO, datastore and the remaining options. Reduce the CPU and RAM allocation if necessary, and choose thin provisioning for the hard disk. Click Finish when complete.


Installing the VyOS Image

  1. Once the VyOS virtual machine has been created, power it on and log in as the vyos user with the default password vyos. Type install image to begin installing the image to disk. Accept the defaults for all of the prompts. The password it asks for is the new password of the vyos user on the installed system; a simple one is acceptable here only because it is replaced with a stronger one in the configuration steps below. Reboot the box once the installation has completed.


VyOS Configuration

  1. After the restart, enter configuration mode and look at the interfaces with the command show interfaces. Our first step is to remove the hw-id of each interface with the command below (repeat it for eth1). The hw-id pins an interface to a specific MAC address, so deleting it keeps the configuration valid if the virtual NIC is ever given a new one.
delete interfaces ethernet eth0 hw-id
  2. Next, give our first interface, eth0, a DHCP address to confirm that the NIC has connectivity, using the command below.
set interfaces ethernet eth0 address dhcp
  3. Next, set the SSH listen address so that we can SSH to the box, using the command below. Note that 0.0.0.0 makes SSH listen on every interface, including the WAN side; once the addressing below is finished, bind it to the LAN address instead, or at least restrict who can reach it with a firewall rule.
set service ssh listen-address 0.0.0.0
  4. Commit and save, then power the system down and back up to check that DHCP is working. The next step is to change the vyos password to a stronger one using the command below (secretpassword is a placeholder; use your own). VyOS hashes the plaintext-password on commit and stores only the hash in the configuration, but the clear text still passes through the terminal and the shell history.
set system login user vyos authentication plaintext-password secretpassword
  5. Next, delete the eth0 DHCP address, since eth0 will be given a static address instead, using the command below.
delete interfaces ethernet eth0 address dhcp
  6. Set the static IP of the eth0 interface on 480-fw using the command below. eth0 is the outside (WAN-facing) interface: the NAT rule further down sends LAN traffic out through it.
set interfaces ethernet eth0 address 192.168.1.1/24
  7. Next, set the default gateway of our VyOS box with the command below. The next-hop has to be an address on a subnet that is directly connected to the box; as written, 192.168.7.250 is not inside eth0's 192.168.1.0/24, so one of the two addresses must be changed to match the WAN network you were assigned, otherwise the route stays inactive and nothing on the LAN reaches the outside.
set protocols static route 0.0.0.0/0 next-hop 192.168.7.250
  8. Now set the address of our eth1 interface, the inside (LAN-facing) interface, using the command below. This is the address LAN hosts will use as their default gateway and DNS server.
set interfaces ethernet eth1 address 10.0.17.2/24
  9. Next, set the name servers that the box itself resolves against (and that DNS forwarding will forward to) with the commands below.
set system name-server 192.168.4.4
set system name-server 192.168.4.5
  10. Next, set up DNS forwarding so our box knows how to handle name resolution for the LAN, with the commands below. The forwarder listens only on the LAN address, answers only LAN clients (allow-from), and forwards to the system name servers set above. Listening on the WAN address instead would turn the box into an open resolver.
set service dns forwarding listen-address 10.0.17.2
set service dns forwarding allow-from 10.0.17.0/24
set service dns forwarding system
  11. Now set a source NAT (masquerade) rule so that traffic from the LAN can leave through the WAN interface, with the commands below: anything from 10.0.17.0/24 going out eth0 has its source rewritten to eth0's address.
set nat source rule 10 source address 10.0.17.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
  12. Lastly, set the system host name using the command below, then commit and save.
set system host-name 480-fw
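Before committing a set of commands like the ones above, it is worth checking that they are consistent with each other: a default route whose next-hop is not on a connected subnet stays inactive, SSH on 0.0.0.0 is reachable from the WAN, and a DNS forwarder bound to the WAN address is an open resolver. The script below is an added example written for this journal page, not VyOS code and not part of the original; it parses the page's own set commands (embedded as a constructed sample) and reports those problems. The second sample is also constructed: it binds SSH to the LAN address and uses 192.168.1.254 as a made-up on-link next-hop purely to show a clean run, it is not the lab's real gateway.

```python
"""Pre-commit sanity check for VyOS 'set' commands (added example for this page).

Not VyOS code; it never talks to the router. It parses 'set ...' lines and
flags mistakes that commit may accept but that leave the firewall broken or exposed.
"""
import ipaddress

# Constructed sample: the final 'set' commands from this page, in order.
PAGE_CONFIG = """
set interfaces ethernet eth0 address 192.168.1.1/24
set service ssh listen-address 0.0.0.0
set protocols static route 0.0.0.0/0 next-hop 192.168.7.250
set interfaces ethernet eth1 address 10.0.17.2/24
set system name-server 192.168.4.4
set system name-server 192.168.4.5
set service dns forwarding listen-address 10.0.17.2
set service dns forwarding allow-from 10.0.17.0/24
set service dns forwarding system
set nat source rule 10 source address 10.0.17.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
set system host-name 480-fw
"""

# Constructed variant: SSH bound to the LAN address and a next-hop on eth0's subnet.
# 192.168.1.254 is made up for this example, it is not the lab gateway.
CONSISTENT_CONFIG = PAGE_CONFIG.replace(
    "listen-address 0.0.0.0", "listen-address 10.0.17.2"
).replace("next-hop 192.168.7.250", "next-hop 192.168.1.254")


def parse(commands):
    """Collect the fields the checks need; unrelated lines are ignored."""
    cfg = {"addresses": {}, "next_hops": [], "ssh_listen": [], "dns_listen": [], "nat": {}}
    for line in commands.splitlines():
        w = line.split()
        if len(w) < 5 or w[0] != "set":
            continue
        if w[1:3] == ["interfaces", "ethernet"] and len(w) == 6 and w[4] == "address":
            if w[5] != "dhcp":  # a DHCP lease is unknown until runtime, skip it
                cfg["addresses"].setdefault(w[3], []).append(ipaddress.ip_interface(w[5]))
        elif w[1:4] == ["protocols", "static", "route"] and len(w) == 7 and w[5] == "next-hop":
            cfg["next_hops"].append((w[4], ipaddress.ip_address(w[6])))
        elif w[1:4] == ["service", "ssh", "listen-address"] and len(w) == 5:
            cfg["ssh_listen"].append(w[4])
        elif w[1:5] == ["service", "dns", "forwarding", "listen-address"] and len(w) == 6:
            cfg["dns_listen"].append(ipaddress.ip_address(w[5]))
        elif w[1:4] == ["nat", "source", "rule"] and len(w) >= 7:
            rule = cfg["nat"].setdefault(w[4], {})
            if w[5:7] == ["source", "address"] and len(w) == 8:
                rule["source"] = ipaddress.ip_network(w[7], strict=False)
            elif w[5] == "outbound-interface" and len(w) == 7:
                rule["out"] = w[6]
    return cfg


def on_link(cfg, ip):
    """Name of the interface whose connected subnet contains ip, or None."""
    for name, addrs in cfg["addresses"].items():
        if any(ip in a.network for a in addrs):
            return name
    return None


def check(commands):
    """Return human-readable findings; an empty list means the config is consistent."""
    cfg = parse(commands)
    findings = []
    assigned = {a.ip for addrs in cfg["addresses"].values() for a in addrs}
    subnets = ", ".join(f"{n} {a.network}" for n, addrs in cfg["addresses"].items() for a in addrs)

    # A static next-hop must sit on a directly connected subnet, or the route stays inactive.
    for prefix, nh in cfg["next_hops"]:
        if on_link(cfg, nh) is None:
            findings.append(f"route {prefix}: next-hop {nh} is not on any connected subnet ({subnets})")

    # The source NAT rule tells us which side is LAN (source network) and which is WAN (outbound).
    wan_ifs = {r["out"] for r in cfg["nat"].values() if "out" in r}
    for num, rule in cfg["nat"].items():
        lan_if = on_link(cfg, rule["source"].network_address) if "source" in rule else None
        if lan_if is not None and rule.get("out") == lan_if:
            findings.append(f"nat rule {num}: outbound-interface {lan_if} is the LAN side; masquerade must leave via the WAN")

    # SSH on every address is reachable from the WAN; a specific address must be one the box owns.
    for addr in cfg["ssh_listen"]:
        if addr in ("0.0.0.0", "::"):
            findings.append(f"ssh: listen-address {addr} exposes management on every interface; bind it to the LAN address")
        elif ipaddress.ip_address(addr) not in assigned:
            findings.append(f"ssh: listen-address {addr} is not assigned to any interface, so sshd cannot bind")

    # The forwarder must listen on an owned address, and not on the WAN side.
    for addr in cfg["dns_listen"]:
        if addr not in assigned:
            findings.append(f"dns forwarding: listen-address {addr} is not assigned to any interface")
        elif on_link(cfg, addr) in wan_ifs:
            findings.append(f"dns forwarding: listen-address {addr} is on the WAN side and would be an open resolver")
    return findings


if __name__ == "__main__":
    for label, sample in (("page config", PAGE_CONFIG), ("consistent config", CONSISTENT_CONFIG)):
        print(f"{label}: {len(check(sample))} finding(s)")
        for finding in check(sample):
            print("  -", finding)
```

Run against the page's commands it reports two findings, the off-link next-hop and the wide-open SSH listener, and nothing for the constructed consistent variant. It only knows the handful of set commands used on this page; extend parse and check for anything else you add to the box.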