Lab 4.1 Network Firewalls - skyleroriordan/my-tech-journal GitHub Wiki

Config fw01

Created firewall zones, made drop and log rules and assigned firewalls to zones

```
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
```

Rules allowing incoming http and outgoing established connections

Made a rule on fw01 letting http traffic from WAN to DMZ, and a rule letting established connections back out from DMZ to WAN.

```
set firewall name WAN-to-DMZ rule 10
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
```

Created firewalls and zone policies between LAN and DMZ.

```
set firewall name DMZ-to-LAN default-action drop
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name DMZ-to-LAN enable-default-log
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
```

Debugging technique

When a connection fails, look at the firewall logs for drop messages and check which ruleset and destination port they name; that tells you where the missing accept rule belongs.
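The drop-message check described above can be scripted. The following is an added example, not part of the wiki page or of VyOS: it parses kernel firewall log lines in the VyOS 1.3 shape (a `[<ruleset>-<rule>-<action>]` prefix followed by netfilter `KEY=value` fields, where `default` means the ruleset's default-action and A/D/R mean accept/drop/reject) and counts dropped flows by ruleset, destination and port. The sample lines are constructed for the example; the prefix format is assumed from VyOS 1.3 and may differ on other versions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of VyOS 1.3 firewall log messages.
# They are made up for this example, not captured from the lab's fw01.
SAMPLE_LOG = """\
Mar  3 14:02:11 fw01 kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51888 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:12 fw01 kernel: [WAN-to-DMZ-10-A]IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=51890 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:15 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 SRC=172.16.50.3 DST=172.16.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=39012 DPT=1514 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:16 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 SRC=172.16.50.3 DST=172.16.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9002 DF PROTO=TCP SPT=39013 DPT=1515 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:18 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 SRC=172.16.50.3 DST=172.16.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9003 DF PROTO=TCP SPT=39014 DPT=1514 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:02:20 fw01 sshd[1201]: Accepted publickey for vyos from 172.16.150.10 port 50112 ssh2
"""

# [<ruleset>-<rule>-<action>]; ruleset names themselves contain hyphens,
# so the name is matched non-greedily up to "-<rule>-<A|D|R>]".
PREFIX_RE = re.compile(
    r"\[(?P<ruleset>[A-Za-z0-9_-]+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]"
)
# netfilter fields such as SRC=..., DST=..., PROTO=..., DPT=...
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Return the parsed firewall record for one log line, or None if the
    line is not a firewall log message (e.g. an sshd line)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return {
        "ruleset": m.group("ruleset"),
        "rule": m.group("rule"),        # "default" or the rule number
        "action": m.group("action"),    # A=accept, D=drop, R=reject
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),
    }


def summarize_drops(log_text):
    """Count dropped flows keyed by (ruleset, dst, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "D":
            counts[(rec["ruleset"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


def report(log_text):
    """Human-readable summary, most frequent drops first."""
    out = []
    for (ruleset, dst, proto, dport), n in summarize_drops(log_text).most_common():
        out.append(f"{n:3d} dropped by {ruleset}: {proto} to {dst} port {dport}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed sample the report shows three drops by DMZ-to-LAN to 172.16.200.10 on 1514/1515 and one by WAN-to-DMZ on 443, which is exactly the signal that a rule is missing in DMZ-to-LAN while the 443 drop is the default-action doing its job.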

Fixing wazuh

Created a rule to allow ports 1514 and 1515 through DMZ-to-LAN, and a rule on LAN-to-DMZ to allow the established connections back.

```
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name LAN-to-DMZ rule 11 state established enable
set firewall name LAN-to-DMZ rule 11 action accept
```

LAN-to-WAN and WAN-to-LAN

Created firewalls and zone policies. LAN can initiate connections to WAN and receive established and related connections back.

```
set firewall name LAN-to-WAN default-action drop
set firewall name WAN-to-LAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set firewall name WAN-to-LAN enable-default-log
set firewall name LAN-to-WAN rule 1 action accept
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state related enable
set firewall name WAN-to-LAN rule 1 state established enable
```

LAN to DMZ

Created a firewall and zone policy for LAN-to-DMZ with rules that allow 80/tcp from LAN to web01 and 22/tcp from mgmt01 to the DMZ.

```
set firewall name LAN-to-DMZ rule 1 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 1 destination port 80
set firewall name LAN-to-DMZ rule 1 protocol tcp
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 2 source address 172.16.150.10
set firewall name LAN-to-DMZ rule 2 destination address 172.16.50.0/29
set firewall name LAN-to-DMZ rule 2 destination port 22
set firewall name LAN-to-DMZ rule 2 protocol tcp
set firewall name LAN-to-DMZ rule 2 action accept
```
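The fw01 policy built up in the sections above (the three zones, and the WAN-to-DMZ, DMZ-to-WAN, DMZ-to-LAN, LAN-to-DMZ, LAN-to-WAN and WAN-to-LAN rulesets) can be checked offline before committing it. The following is an added example, not code from the wiki or from VyOS: a small model of zone-based evaluation that maps interfaces to zones, picks the ruleset for the (to-zone, from-zone) pair, applies rules in ascending number order with first match winning, and falls through to the default-action. It assumes, as the zone-policy documentation describes, that traffic between two zones with no firewall assigned is dropped, and that a rule with no match criteria matches every packet. The `Packet` and `Rule` classes and the `evaluate()` helper are the example's own names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None
    state: str = "new"          # conntrack state: new, established, related


@dataclass
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    protocol: Optional[str] = None
    src: Optional[str] = None            # host address or CIDR
    dst: Optional[str] = None
    dports: frozenset = frozenset()      # empty = any destination port
    states: frozenset = frozenset()      # empty = any conntrack state

    def matches(self, pkt):
        """Every criterion that is set must match; unset criteria match all."""
        if self.protocol and pkt.proto != self.protocol:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


@dataclass
class Ruleset:
    name: str
    default_action: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt):
        """First matching rule (by number) decides; otherwise default-action."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, f"rule {rule.number}"
        return self.default_action, "default-action"


# set zone-policy zone <ZONE> interface <ethN>
ZONE_OF_INTERFACE = {"eth0": "WAN", "eth1": "DMZ", "eth2": "LAN"}

# The fw01 rulesets as written on this page.
RULESETS = {
    "WAN-to-DMZ": Ruleset("WAN-to-DMZ", "drop", [
        Rule(10, "accept", "tcp", dst="172.16.50.3", dports=frozenset({80}))]),
    "DMZ-to-WAN": Ruleset("DMZ-to-WAN", "drop", [
        Rule(1, "accept", states=frozenset({"established"}))]),
    "DMZ-to-LAN": Ruleset("DMZ-to-LAN", "drop", [
        Rule(10, "accept", "tcp", dst="172.16.200.10", dports=frozenset({1514, 1515}))]),
    "LAN-to-DMZ": Ruleset("LAN-to-DMZ", "drop", [
        Rule(1, "accept", "tcp", dst="172.16.50.3", dports=frozenset({80})),
        Rule(2, "accept", "tcp", src="172.16.150.10", dst="172.16.50.0/29", dports=frozenset({22})),
        Rule(11, "accept", states=frozenset({"established"}))]),
    "LAN-to-WAN": Ruleset("LAN-to-WAN", "drop", [Rule(1, "accept")]),
    "WAN-to-LAN": Ruleset("WAN-to-LAN", "drop", [
        Rule(1, "accept", states=frozenset({"established", "related"}))]),
}

# set zone-policy zone <to> from <from> firewall name <ruleset>
ZONE_POLICY = {
    ("DMZ", "WAN"): "WAN-to-DMZ", ("WAN", "DMZ"): "DMZ-to-WAN",
    ("LAN", "DMZ"): "DMZ-to-LAN", ("DMZ", "LAN"): "LAN-to-DMZ",
    ("WAN", "LAN"): "LAN-to-WAN", ("LAN", "WAN"): "WAN-to-LAN",
}


def evaluate(in_if, out_if, pkt):
    """Return (action, reason) for a packet forwarded from in_if to out_if."""
    from_zone, to_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
    name = ZONE_POLICY.get((to_zone, from_zone))
    if name is None:
        # Assumption: zone-policy drops inter-zone traffic with no firewall assigned.
        return "drop", f"no firewall assigned for {from_zone} -> {to_zone}"
    action, why = RULESETS[name].evaluate(pkt)
    return action, f"{name} {why}"


if __name__ == "__main__":
    checks = [
        ("eth0", "eth1", Packet("203.0.113.7", "172.16.50.3", "tcp", 80)),        # WAN -> web01 http
        ("eth0", "eth1", Packet("203.0.113.7", "172.16.50.3", "tcp", 22)),        # WAN -> web01 ssh
        ("eth1", "eth2", Packet("172.16.50.3", "172.16.200.10", "tcp", 1514)),    # web01 -> wazuh agent port
        ("eth2", "eth1", Packet("172.16.150.11", "172.16.50.3", "tcp", 22)),      # non-mgmt LAN host -> ssh
    ]
    for in_if, out_if, pkt in checks:
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} [{pkt.state}]:", *evaluate(in_if, out_if, pkt))
```

Running it shows the intended asymmetry: only 80/tcp reaches web01 from WAN, only mgmt01 gets 22/tcp into the DMZ, and the Wazuh agent ports are the single opening from DMZ into LAN. The model is also a cheap place to confirm that an unrelated new connection from DMZ to LAN still hits the default drop after rule 10 was added.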

Fw-mgmt

Configured fw-mgmt in a similar manner with two zones, LAN and MGMT, and assigned interfaces and firewalls to them.

Made rules on LAN-to-MGMT that allow 443/tcp and 22/tcp from mgmt01 on LAN to wazuh, allow established traffic back through, and allow 1514/tcp and 1515/tcp from LAN to wazuh.

Made rules on MGMT-to-LAN that allow MGMT to initiate any connection to the LAN and DMZ, and allow established traffic back.