Setting up fw edge firewalls - serate-actual/sec350final GitHub Wiki

Initial setup of zones and firewalls

  • This will set up all firewalls for the WAN, DMZ, and LAN interfaces. This will lock down all traffic.

Configure Zones

  • Set zone-policies for the appropriate interfaces
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2

Creating DMZ-WAN firewalls

  • Run these commands
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN

Creating DMZ-LAN firewalls

  • Run these commands
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN

Creating LAN-WAN firewalls

  • Run these commands
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN

Setting up default rules

  • VyOS will be unable to commit and save until you set a default action for each of the firewalls. We are setting the default action to drop.
  • Repeat this process for each of the firewalls
set firewall name (firewall name) default-action drop
set firewall name (firewall name) enable-default-log
  • Commit and save

Opening up firewall for traffic

WAN-to-LAN

  • Rule 1
    • Allow established connections
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable

DMZ-to-LAN

  • Rule 1
    • Allow established connections
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
  • Rule 10
    • Allow packets to reach OSSEC server
    • Allow packets from the 10.0.10.0/24 network going to 10.0.5.10
    • Allow packets that are going to port 1514/udp
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 source address 10.0.10.0/24
set firewall name DMZ-to-LAN rule 10 destination address 10.0.5.10
set firewall name DMZ-to-LAN rule 10 destination port 1514
set firewall name DMZ-to-LAN rule 10 protocol udp
set firewall name DMZ-to-LAN rule 10 description "Allows secure transmissions of logs to the OSSEC server"

LAN-to-DMZ

  • Rule 10
    • Allow established connections
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 state established enable

LAN-to-WAN

  • Rule 1
    • Allow all
set firewall name LAN-to-WAN rule 1 action accept

DMZ-to-WAN

  • Rule 1
    • Allow established connections
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
  • Rule 10
    • Allow TCP connections to 10.0.10.10 on port 80
set firewall name DMZ-to-WAN rule 10 action accept
set firewall name DMZ-to-WAN rule 10 destination address 10.0.10.10
set firewall name DMZ-to-WAN rule 10 destination port 80
set firewall name DMZ-to-WAN rule 10 protocol tcp

WAN-to-DMZ

  • Rule 1
    • Allow established connections
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable
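
As an added sanity check (example code, not part of this wiki or of VyOS), the Python script below audits a pasted list of `set` commands for the pitfalls this page runs into: a zone pair with no firewall in one direction, a referenced firewall with no default-action (or one that is not drop), and an established-connection rule missing the `state` keyword. The sample config inside it is constructed and seeded with mistakes on purpose.

```python
import itertools

# Constructed sample (not from the wiki): the page's zones, with
# deliberate mistakes for the audit to catch.
SAMPLE = """
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set firewall name WAN-to-DMZ default-action drop
set firewall name DMZ-to-WAN default-action drop
set firewall name LAN-to-DMZ default-action drop
set firewall name DMZ-to-LAN default-action accept
set firewall name LAN-to-DMZ rule 10 established enable
set firewall name DMZ-to-LAN rule 1 state established enable
"""

def audit(config):
    """Return a list of findings for a block of VyOS 'set' commands."""
    zones, pair_fw, defaults, findings = set(), {}, {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[:3] == ["set", "zone-policy", "zone"]:
            zones.add(t[3])
            if len(t) >= 9 and t[4] == "from":  # zone DST from SRC firewall name FW
                pair_fw[(t[5], t[3])] = t[8]
        elif t[:3] == ["set", "firewall", "name"]:
            if t[4:5] == ["default-action"]:
                defaults[t[3]] = t[5]
            elif "established" in t and "state" not in t:
                findings.append(f"{t[3]} rule {t[5]}: 'established' needs the 'state' keyword")
    # Every ordered zone pair needs a firewall; otherwise that direction is dropped silently.
    for src, dst in itertools.permutations(sorted(zones), 2):
        if (src, dst) not in pair_fw:
            findings.append(f"no firewall for {src}->{dst}")
    # Each referenced firewall needs a default-action, and this page wants it to be drop.
    for fw in sorted(set(pair_fw.values())):
        action = defaults.get(fw)
        if action is None:
            findings.append(f"{fw}: default-action not set (commit will fail)")
        elif action != "drop":
            findings.append(f"{fw}: default-action is {action}, expected drop")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Paste the output of `show configuration commands | match "zone-policy|firewall name"` into SAMPLE to audit a live box.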