fw01 configuration
Refer to the lab below for more detail on any of the commands that follow:
Lab 4.1 Network Firewalls 1
Clear Firewall Configuration
configure
//replace the working configuration with the factory default, then commit and save it
//this discards every firewall ruleset and zone currently on the box
load /opt/vyatta/etc/config.boot.default
commit
save
To save and load a backup config file
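//write the working configuration to a named file (reloaded below from /config/backup_1)
save backup_1
//restore it later; the command is lowercase ("Load" is not a VyOS command),
//and, as with the default-config load above, follow it with commit and save
load /config/backup_1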
Firewall Rule to Accept all Traffic
//replace DMZ-to-WAN with your rule name
//default-action accept passes every packet that matches no numbered rule, so these two
//lines open the zone pair completely; use them only while troubleshooting and revert below
set firewall name DMZ-to-WAN default-action accept
set firewall name WAN-to-DMZ default-action accept
//disable the all traffic rule
//(restores the default-action drop that the rest of this page relies on)
set firewall name DMZ-to-WAN default-action drop
set firewall name WAN-to-DMZ default-action drop
Create and link firewall zones to interfaces
configure
//fw01: one zone per interface - WAN on eth0, DMZ on eth1, LAN on eth2
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
//fw-mgmt: eth0 faces the LAN, eth1 the MGMT network
set zone-policy zone LAN interface eth0
set zone-policy zone MGMT interface eth1
//NOTE(review): no "from" policies are attached yet; VyOS drops inter-zone traffic
//that has no policy, so expect no cross-zone connectivity until the sections below - confirm in the lab
commit
save
Create a firewall for a Zone
//Firewalls for WAN, DMZ and LAN zones on fw01
configure
//every zone pair starts closed: default-action drop, and enable-default-log records
//the packets that hit the default action so blocked flows are visible in the log
set firewall name WAN-to-DMZ default-action drop
set firewall name DMZ-to-WAN default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name DMZ-to-WAN enable-default-log
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
//rule 1 admits only reply traffic (related/established) for flows the LAN itself opened;
//nothing new from the WAN can reach the LAN
set firewall name WAN-to-LAN rule 1 description "allow connections back out"
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state related enable
set firewall name WAN-to-LAN rule 1 state established enable
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
//this attachment belongs with "Assigning Firewalls to Zones" below; it is the only
//place on the page where LAN-to-WAN is bound to a zone pair
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
//rule 1 has no match criteria (no state, protocol or destination), so every
//LAN-originated flow to the WAN is accepted and the default-action drop above is never reached
set firewall name LAN-to-WAN rule 1 action accept
//fw-mgmt
//LAN<->MGMT also starts closed and logged; the permitted flows are added under "Firewall Policies"
set firewall name LAN-to-MGMT default-action drop
set firewall name MGMT-to-LAN default-action drop
set firewall name LAN-to-MGMT enable-default-log
set firewall name MGMT-to-LAN enable-default-log
commit
save
Assigning Firewalls to Zones
configure
//fw01
//direction reads "zone <destination> from <source>", and each pair gets its own ruleset;
//LAN-to-WAN was already attached in the previous section
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
//fw-mgmt
set zone-policy zone LAN from MGMT firewall name MGMT-to-LAN
set zone-policy zone MGMT from LAN firewall name LAN-to-MGMT
commit
save
Firewall Policies
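//fw01
//run these inside configure and finish with commit and save, as in the other sections
//rule 10: only 80/tcp from the LAN to web01 (172.16.50.3)
set firewall name LAN-to-DMZ rule 10 description "allow 80/tcp from LAN to web01"
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp
//rule 20: SSH into the DMZ /29 is pinned to a single source host, mgmt01 (172.16.150.10)
set firewall name LAN-to-DMZ rule 20 description "allow 22/tcp from mgmt01 to DMZ"
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10
set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.0/29
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp
//fw-mgmt
//rule 10: agent ports 1514,1515/tcp to the Wazuh server (172.16.200.10)
set firewall name LAN-to-MGMT rule 10 description "agent to wazuh server"
set firewall name LAN-to-MGMT rule 10 action accept
set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 10 destination port 1514,1515
set firewall name LAN-to-MGMT rule 10 protocol tcp
//rule 20: no source restriction, so any LAN host may reach the Wazuh server on 443 and 22;
//compare fw01's LAN-to-DMZ rule 20, which limits 22/tcp to mgmt01
set firewall name LAN-to-MGMT rule 20 description "MGMT to WAZUH ports 443 and 22"
set firewall name LAN-to-MGMT rule 20 action accept
set firewall name LAN-to-MGMT rule 20 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 20 destination port 443,22
set firewall name LAN-to-MGMT rule 20 protocol tcp
//rules are evaluated in numeric order, so rule 1 is checked first even though it is entered last
set firewall name LAN-to-MGMT rule 1 description "allow connections back out"
set firewall name LAN-to-MGMT rule 1 action accept
set firewall name LAN-to-MGMT rule 1 state established enable
//rule 10: no protocol or port match - every protocol from MGMT to the LAN /24 is accepted
set firewall name MGMT-to-LAN rule 10 description "MGMT to LAN"
set firewall name MGMT-to-LAN rule 10 action accept
set firewall name MGMT-to-LAN rule 10 destination address 172.16.150.0/24
//rule 20: destination is the DMZ /29; presumably that traffic still has to pass fw01's
//LAN-to-DMZ ruleset (80/tcp to web01, 22/tcp from mgmt01 only) - confirm against the topology
set firewall name MGMT-to-LAN rule 20 description "MGMT to DMZ"
set firewall name MGMT-to-LAN rule 20 action accept
set firewall name MGMT-to-LAN rule 20 destination address 172.16.50.0/29
set firewall name MGMT-to-LAN rule 1 description "allow connections back out"
set firewall name MGMT-to-LAN rule 1 action accept
set firewall name MGMT-to-LAN rule 1 state established enable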
Allow HTTP Inbound
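configure
//the bare "rule 10" line creates the rule node; the lines after it populate it
set firewall name WAN-to-DMZ rule 10
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 description "Allow HTTP from WAN to DMZ"
//only 80/tcp to web01 (172.16.50.3) is exposed to the WAN; every other WAN-to-DMZ
//packet still hits the logged default-action drop
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
commit
save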
Allowing established HTTP connections back out
configure
//return path for the WAN-to-DMZ HTTP rule: only established flows may leave the DMZ;
//unlike WAN-to-LAN rule 1 this does not enable "state related", so related traffic is still dropped
set firewall name DMZ-to-WAN rule 1 description "allow established connections back out"
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
commit
save
Allow Wazuh Agent Communications
configure
//DMZ hosts may open connections toward the LAN only to the Wazuh server (172.16.200.10)
//on 1514,1515/tcp; everything else DMZ-to-LAN still hits default-action drop
//(fw-mgmt's LAN-to-MGMT rule 10 mirrors this for the next hop - presumably the server sits behind fw-mgmt)
set firewall name DMZ-to-LAN rule 10 description "agent to wazuh"
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp
//rule 1 in each direction admits replies to established flows and, being numbered 1,
//is evaluated before rules 10 and 20
set firewall name DMZ-to-LAN rule 1 description "allow connections back out"
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
set firewall name LAN-to-DMZ rule 1 description "allow connections back out"
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 1 state established enable
commit
save