Firewall Rule List - serate-actual/sec350final GitHub Wiki

Router firewalls

fw-edge

WAN-to-LAN

  • Rule 1
    • Allow established connections
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable

DMZ-to-LAN

  • Rule 1
    • Allow established connections
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
  • Rule 10
    • Allow traffic on 514/udp going to 10.0.5.10
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 10.0.5.10
set firewall name DMZ-to-LAN rule 10 destination port 514
set firewall name DMZ-to-LAN rule 10 protocol udp
  • Rule 20
    • Allow traffic on 9997/tcp going to 10.0.5.10
set firewall name DMZ-to-LAN rule 20 action accept
set firewall name DMZ-to-LAN rule 20 destination address 10.0.5.10
set firewall name DMZ-to-LAN rule 20 destination port 9997
set firewall name DMZ-to-LAN rule 20 protocol tcp
  • Rule 30
    • Allow traffic on 8089/tcp going to 10.0.5.10
set firewall name DMZ-to-LAN rule 30 action accept
set firewall name DMZ-to-LAN rule 30 destination address 10.0.5.10
set firewall name DMZ-to-LAN rule 30 destination port 8089
set firewall name DMZ-to-LAN rule 30 protocol tcp

LAN-to-DMZ

  • Rule 10
    • Allow all
set firewall name LAN-to-DMZ rule 10 action accept

LAN-to-WAN

  • Rule 1
    • Allow all
set firewall name LAN-to-WAN rule 1 action accept

DMZ-to-WAN

  • Rule 1
    • Allow all
set firewall name DMZ-to-WAN rule 1 action accept

WAN-to-DMZ

  • Rule 1
    • Allow established connections
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable

fw-mgmt

MGMT-to-LAN

  • Rule 1
    • Allow all connections
set firewall name MGMT-to-LAN rule 1 action accept

LAN-to-MGMT

  • Rule 1
    • Allow established connections
set firewall name LAN-to-MGMT rule 1 action accept
set firewall name LAN-to-MGMT rule 1 state established enable
  • Rule 10
    • Allow established connections
set firewall name LAN-to-MGMT rule 10 action accept
set firewall name LAN-to-MGMT rule 10 state established enable
  • Rule 20
    • Allow traffic on 8089/tcp going to 10.0.5.10
set firewall name LAN-to-MGMT rule 20 action accept
set firewall name LAN-to-MGMT rule 20 destination address 10.0.5.10
set firewall name LAN-to-MGMT rule 20 destination port 8089
set firewall name LAN-to-MGMT rule 20 protocol tcp
  • Open the following ports/protocols with the destination IP of 10.0.5.20
    • TCP/UDP port 88 for Kerberos
    • TCP port 135 for Kerberos
    • TCP port 139 for NetBIOS Session Service
    • TCP port 389 for LDAP
    • TCP port 455 for SMB and Net Logon
    • UDP port 53 for DNS
    • TCP/UDP port 464 for Kerberos Password Changes
    • TCP ports 5000-6000
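
As an added example (not part of this wiki or the sec350final project), a small Python audit script that parses lines in the `set firewall name <set> rule <n> ...` form used above into per-ruleset dictionaries and flags two things worth checking in a list like this: accept rules with no match fields at all (the "Allow all" rulesets), and a rule that repeats an earlier rule in the same ruleset, as LAN-to-MGMT rule 10 repeats rule 1. The sample lines are copied from this page; the function names are my own.

```python
from collections import defaultdict

# Constructed sample: a subset of the fw-edge and fw-mgmt rules listed on this page.
SAMPLE_RULES = """
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 10.0.5.10
set firewall name DMZ-to-LAN rule 10 destination port 514
set firewall name DMZ-to-LAN rule 10 protocol udp
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-MGMT rule 1 action accept
set firewall name LAN-to-MGMT rule 1 state established enable
set firewall name LAN-to-MGMT rule 10 action accept
set firewall name LAN-to-MGMT rule 10 state established enable
"""

def parse_rules(text):
    """Return {ruleset: {rule_number: {field: value}}} from 'set firewall name' lines."""
    rulesets = defaultdict(dict)
    for line in text.strip().splitlines():
        parts = line.split()
        # Only lines of the form: set firewall name <set> rule <n> <field...> <value>
        if len(parts) < 8 or parts[:3] != ["set", "firewall", "name"] or parts[4] != "rule":
            continue
        name, number = parts[3], int(parts[5])
        field, value = " ".join(parts[6:-1]), parts[-1]   # e.g. "destination port", "514"
        rulesets[name].setdefault(number, {})[field] = value
    return dict(rulesets)

def allow_all_rules(rulesets):
    """Accept rules with no match field at all: the ruleset lets everything through."""
    return [(name, n) for name, rules in rulesets.items()
            for n, fields in rules.items()
            if fields.get("action") == "accept" and set(fields) == {"action"}]

def duplicate_rules(rulesets):
    """(ruleset, earlier, later) for each rule identical to a lower-numbered rule in its set."""
    dups = []
    for name, rules in rulesets.items():
        seen = {}
        for n in sorted(rules):
            signature = tuple(sorted(rules[n].items()))
            if signature in seen:
                dups.append((name, seen[signature], n))
            seen.setdefault(signature, n)
    return dups
```

Running the three functions over a full `show configuration commands | grep firewall` dump from a VyOS or EdgeOS router gives the same report for the live ruleset rather than the wiki copy.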

Host firewalls

web01

  • Allowed ports with firewall-cmd
    • 22/tcp
    • 80/tcp

log01

  • Allowed ports with firewall-cmd
    • 80/tcp
    • 515/tcp
    • 514/udp
    • 9521/tcp
    • 9997/tcp