fw01 configuration

Reference the lab below for more reference on any of the commands below:

Clear Firewall Configuration

configure 
load /opt/vyatta/etc/config.boot.default
commit
save

To save and load a backup config file

save backup_1 
Load /config/backup_1

Firewall Rule to Accept all Traffic

//replace DMZ-to-WAN with your rule name

set firewall name DMZ-to-WAN default-action accept
set firewall name WAN-to-DMZ default-action accept

//disable the all traffic rule

set firewall name DMZ-to-WAN default-action drop
set firewall name WAN-to-DMZ default-action drop

Create and link firewall zones to interfaces

 configure

//fw01 
 set zone-policy zone WAN interface eth0
 set zone-policy zone DMZ interface eth1
 set zone-policy zone LAN interface eth2
 
 //fw-mgmt 
 
set zone-policy zone LAN interface eth0
set zone-policy zone MGMT interface eth1

 commit 
 save

Create a firewall for a Zone

 //Firewalls for WAN, DMZ and LAN zones on fw01 
 
 configure
 set firewall name WAN-to-DMZ default-action drop
 set firewall name DMZ-to-WAN default-action drop
 
 set firewall name WAN-to-DMZ enable-default-log 
 set firewall name DMZ-to-WAN enable-default-log
 
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log

set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log


set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 description "allow connections back out"
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state related enable
set firewall name WAN-to-LAN rule 1 state established enable

set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set firewall name LAN-to-WAN rule 1 action accept

//fw-mgmt

set firewall name LAN-to-MGMT default-action drop
set firewall name MGMT-to-LAN default-action drop
set firewall name LAN-to-MGMT enable-default-log
set firewall name MGMT-to-LAN enable-default-log

 commit
 save

Assigning Firewalls to Zones

configure

//fw01 

set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN 
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ

set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN

set zone-policy zone LAN from WAN firewall name WAN-to-LAN

//fw-mgmt 

set zone-policy zone LAN from MGMT firewall name MGMT-to-LAN
set zone-policy zone MGMT from LAN firewall name LAN-to-MGMT

commit
save

Firewall Policies

/fw01

set firewall name LAN-to-DMZ rule 10 description "allow 80/tcp from LAN to web01"
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp

set firewall name LAN-to-DMZ rule 20 description "allow 22/tcp from mgmt01 to DMZ"
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10
set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.0/29
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp

/fw-mgmt 

set firewall name LAN-to-MGMT rule 10 description "agent to wazuh server"
set firewall name LAN-to-MGMT rule 10 action accept
set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 10 destination port 1514,1515
set firewall name LAN-to-MGMT rule 10 protocol tcp

set firewall name LAN-to-MGMT rule 20 description "MGMT to WAZUH ports 443 and 22"
set firewall name LAN-to-MGMT rule 20 action accept
set firewall name LAN-to-MGMT rule 20 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 20 destination port 443,22
set firewall name LAN-to-MGMT rule 20 protocol tcp

set firewall name LAN-to-MGMT rule 1 description "allow connections back out"
set firewall name LAN-to-MGMT rule 1 action accept
set firewall name LAN-to-MGMT rule 1 state established enable


set firewall name MGMT-to-LAN rule 10 description "MGMT to LAN"
set firewall name MGMT-to-LAN rule 10 action accept
set firewall name MGMT-to-LAN rule 10 destination address 172.16.150.0/24

set firewall name MGMT-to-LAN rule 20 description "MGMT to DMZ"
set firewall name MGMT-to-LAN rule 20 action accept
set firewall name MGMT-to-LAN rule 20 destination address 172.16.50.0/29

set firewall name MGMT-to-LAN rule 1 description "allow connections back out"
set firewall name MGMT-to-LAN rule 1 action accept
set firewall name MGMT-to-LAN rule 1 state established enable

Allow HTTP Inbound

Configure 

set firewall name WAN-to-DMZ rule 10
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 description "Allow HTTP from WAN to DMZ"
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp

commit
save

Allowing http-established connections back out

configure 
set firewall name DMZ-to-WAN rule 1 description "allow established connections back out"
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
commit
save

Allow Wazah Agent Communications

configure

set firewall name DMZ-to-LAN rule 10 description "agent to wazuh"
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp

set firewall name DMZ-to-LAN rule 1 description "allow connections back out"
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable

set firewall name LAN-to-DMZ rule 1 description "allow connections back out"
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 1 state established enable

commit
save

PreviousSystem Specifications and Setup NextAssessment

Last updated 10 months ago

/fw01 set firewall name LAN-to-DMZ rule 10 description "allow 80/tcp from LAN to web01" set firewall name LAN-to-DMZ rule 10 action accept set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3 set firewall name LAN-to-DMZ rule 10 destination port 80 set firewall name LAN-to-DMZ rule 10 protocol tcp set firewall name LAN-to-DMZ rule 20 description "allow 22/tcp from mgmt01 to DMZ" set firewall name LAN-to-DMZ rule 20 action accept set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10 set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.0/29 set firewall name LAN-to-DMZ rule 20 destination port 22 set firewall name LAN-to-DMZ rule 20 protocol tcp /fw-mgmt set firewall name LAN-to-MGMT rule 10 description "agent to wazuh server" set firewall name LAN-to-MGMT rule 10 action accept set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.10 set firewall name LAN-to-MGMT rule 10 destination port 1514,1515 set firewall name LAN-to-MGMT rule 10 protocol tcp set firewall name LAN-to-MGMT rule 20 description "MGMT to WAZUH ports 443 and 22" set firewall name LAN-to-MGMT rule 20 action accept set firewall name LAN-to-MGMT rule 20 destination address 172.16.200.10 set firewall name LAN-to-MGMT rule 20 destination port 443,22 set firewall name LAN-to-MGMT rule 20 protocol tcp set firewall name LAN-to-MGMT rule 1 description "allow connections back out" set firewall name LAN-to-MGMT rule 1 action accept set firewall name LAN-to-MGMT rule 1 state established enable set firewall name MGMT-to-LAN rule 10 description "MGMT to LAN" set firewall name MGMT-to-LAN rule 10 action accept set firewall name MGMT-to-LAN rule 10 destination address 172.16.150.0/24 set firewall name MGMT-to-LAN rule 20 description "MGMT to DMZ" set firewall name MGMT-to-LAN rule 20 action accept set firewall name MGMT-to-LAN rule 20 destination address 172.16.50.0/29 set firewall name MGMT-to-LAN rule 1 description "allow connections back out" set firewall name MGMT-to-LAN rule 1 action accept set firewall name MGMT-to-LAN rule 1 state established enable

hashtagClear Firewall Configuration

hashtagTo save and load a backup config file

hashtagFirewall Rule to Accept all Traffic

hashtagCreate and link firewall zones to interfaces

hashtagCreate a firewall for a Zone

hashtagAssigning Firewalls to Zones

hashtagFirewall Policies

hashtagAllow HTTP Inbound

hashtagAllowing http-established connections back out

hashtagAllow Wazah Agent Communications