Lab 4.1 Network Firewalls 1

Intro

  • In this lab, we are going to shut down and then manage traffic between the LAN, DMZ, WAN, and MGMT networks.

  • The initial configuration of fw01 will be illustrated in detail, but you will need to use that information to configure fw-mgmt.

Prerequisites

Make sure you are able to do the following before you proceed with the rest of the lab:

  • rw01 can ping web01 via its static route, rw01 can browse to web01

  • wks01 can browse web01

  • wks01 can browse wazuh

  • web01 can ping wazuh

Task 1: Configuring fw01

Create and link firewall zones to interfaces (eth0, eth1, eth2)

 configure 
 set zone-policy zone WAN interface eth0
 set zone-policy zone DMZ interface eth1
 set zone-policy zone LAN interface eth2
 commit 
 save

Creating Firewalls for WAN-to-DMZ and DMZ-to-WAN

We are now going to create the firewalls for each of the zones. We will be disallowing traffic that isn't pre-defined.

Firewalls for WAN and DMZ

 configure
 set firewall name WAN-to-DMZ default-action drop
 set firewall name DMZ-to-WAN default-action drop
 set firewall name WAN-to-DMZ enable-default-log 
 set firewall name DMZ-to-WAN enable-default-log
 commit
 save

Assigning Firewalls to Zones

 configure
 set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN 
 set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
 commit
 save 

Testing

  • Attempt to connect to web01 via RW01; it should fail

  • On fw01 monitor logs with tail -f /var/log/messages | grep WAN

    • Try the failed connection again; you should get a failed message on fw01

This screenshot indicates

  1. That the default drop rule for WAN-TO-DMZ via eth0 was invoked.

  2. The source IP is rw01.

  3. The destination IP is web01.

  4. The protocol was TCP.

Deliverable 1: Provide a screenshot showing a [WAN-TO-DMZ-default-D] log entry similar to the one above.

Allow HTTP Inbound

Allow HTTP traffic by creating a rule for the WAN-to-DMZ firewall. Use your IP address for web01.

configure

set firewall name WAN-to-DMZ rule 10
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 description "Allow HTTP from WAN to DMZ"
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp

commit
save

Testing

Try connecting to web01 via http; it should still fail.

The communication was stopped on the way back out, not on the way in. We need to explicitly tell the DMZ-TO-WAN firewall to allow established connections initiated from the WAN back out again.

Allowing http-established connections back out

We will reserve rule 1 for two conditions. The first is to allow established connections back out again, the second would be to have an open rule where all connections are allowed. Typically this would be the only rule in such a firewall.

configure 
set firewall name DMZ-to-WAN rule 1 description "allow established connections back out"
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
commit
save
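The paragraph above makes a point that is easy to miss: the SYN from rw01 is accepted by WAN-to-DMZ rule 10, but the SYN-ACK from web01 travels the other way and is evaluated by the DMZ-to-WAN firewall, which has nothing but its default drop until rule 1 is added. The following Python model, added here as an illustration and not part of the lab or of VyOS, reproduces that evaluation order: zone pair lookup, rules in ascending number order, first match wins, default-action otherwise, with a connection-tracking table that makes the `state established` rule work. The WAN-side address of rw01 is a constructed value (the lab never states it); web01's address is the lab's 172.16.50.3. The model deliberately ignores intra-zone traffic and traffic to the router itself.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of VyOS zone-policy evaluation (not VyOS code): inter-zone
# traffic hits the firewall attached to (destination zone, from source zone),
# rules are checked in ascending number order, the first match decides, and a
# packet matching no rule gets the firewall's default-action.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    number: int
    action: str                  # "accept" or "drop"
    description: str = ""
    dst: Optional[str] = None    # exact destination address, None = any
    dport: Optional[int] = None  # destination port, None = any
    proto: Optional[str] = None  # "tcp", "icmp", ..., None = any
    established: bool = False    # models 'state established enable'


@dataclass
class Firewall:
    name: str
    default_action: str
    rules: list = field(default_factory=list)


class ZoneRouter:
    def __init__(self, zone_of_interface: dict):
        self.zone_of = zone_of_interface  # e.g. "eth0" -> "WAN"
        self.policy = {}                  # (to_zone, from_zone) -> Firewall
        self.conntrack = set()            # accepted flows: (src, dst, proto, dport)

    def assign(self, to_zone: str, from_zone: str, fw: Firewall):
        # 'set zone-policy zone <to_zone> from <from_zone> firewall name <fw.name>'
        self.policy[(to_zone, from_zone)] = fw

    def _established(self, p: Packet) -> bool:
        # A packet is established if its flow, or the reverse flow, was accepted before.
        forward = (p.src, p.dst, p.proto, p.dport)
        reply = (p.dst, p.src, p.proto, p.sport)
        return forward in self.conntrack or reply in self.conntrack

    def _matches(self, r: Rule, p: Packet, established: bool) -> bool:
        if r.established and not established:
            return False
        if r.dst is not None and r.dst != p.dst:
            return False
        if r.dport is not None and r.dport != p.dport:
            return False
        if r.proto is not None and r.proto != p.proto:
            return False
        return True

    def forward(self, p: Packet, in_if: str, out_if: str) -> tuple:
        """Return (action, tag) where tag mimics the '[NAME-rule-A/D]' log prefix."""
        fw = self.policy.get((self.zone_of[out_if], self.zone_of[in_if]))
        if fw is None:  # no 'from' policy configured for this zone pair: dropped
            return "drop", "no-policy"
        established = self._established(p)
        for r in sorted(fw.rules, key=lambda r: r.number):
            if self._matches(r, p, established):
                action, tag = r.action, f"{fw.name}-{r.number}"
                break
        else:
            action, tag = fw.default_action, f"{fw.name}-default"
        if action == "accept":
            self.conntrack.add((p.src, p.dst, p.proto, p.dport))
        return action, tag + ("-A" if action == "accept" else "-D")


WEB01 = "172.16.50.3"   # from the lab
RW01 = "10.0.17.99"     # constructed WAN-side address for rw01


def build_fw01(established_rule: bool) -> ZoneRouter:
    """fw01 as configured up to this point, with or without DMZ-to-WAN rule 1."""
    fw01 = ZoneRouter({"eth0": "WAN", "eth1": "DMZ", "eth2": "LAN"})
    wan_to_dmz = Firewall("WAN-to-DMZ", "drop", [
        Rule(10, "accept", "Allow HTTP from WAN to DMZ", dst=WEB01, dport=80, proto="tcp")])
    dmz_to_wan = Firewall("DMZ-to-WAN", "drop")
    if established_rule:
        dmz_to_wan.rules.append(
            Rule(1, "accept", "allow established connections back out", established=True))
    fw01.assign("DMZ", "WAN", wan_to_dmz)
    fw01.assign("WAN", "DMZ", dmz_to_wan)
    return fw01


def http_round_trip(established_rule: bool) -> list:
    """Tags for the SYN (rw01 -> web01) and the SYN-ACK (web01 -> rw01)."""
    fw01 = build_fw01(established_rule)
    syn = Packet(RW01, WEB01, "tcp", 51234, 80)
    syn_ack = Packet(WEB01, RW01, "tcp", 80, 51234)
    return [fw01.forward(syn, "eth0", "eth1")[1], fw01.forward(syn_ack, "eth1", "eth0")[1]]


if __name__ == "__main__":
    for flag in (False, True):
        print("with rule 1:" if flag else "without rule 1:", http_round_trip(flag))
```

Without rule 1 the SYN is tagged `WAN-to-DMZ-10-A` and the SYN-ACK `DMZ-to-WAN-default-D`, which is exactly the drop you saw in /var/log/messages; with rule 1 the reply is tagged `DMZ-to-WAN-1-A`. The same `ZoneRouter` can be loaded with the LAN and DMZ firewalls configured later in the lab to predict which packets each zone pair will pass.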

Deliverable 2: Take a screenshot that shows a failed wget or curl (1) followed by a successful connection to your web server. Make sure you've deleted the default welcome.conf file, you've restarted httpd and have added a simple index.html banner as shown in (2).

Create a simple web page

  • Go to web01

  • Comment out all the lines in the welcome.conf file in /etc/httpd/conf.d

  • Go to /var/www/html

  • sudo nano index.html and make your webpage

  • Reload your webpage; you should be able to connect to it now!

  • You should also be able to run the wget command and be successful.

DMZ and LAN Traffic Firewalls

We are going to continue our firewalling by creating default firewalls for LAN and DMZ and link them to zone policies.

configure 
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
commit
save

Wazuh Ports 1514/TCP and 1515/TCP

The firewall rules currently drop all traffic except port 80 to web01 from the WAN, so Wazuh traffic between the DMZ and LAN does not work. The Wazuh server expects clients to connect to it via tcp/1514 and tcp/1515.

DMZ to LAN

Deliverable 3: Provide a screenshot of /var/log/messages on fw01, similar to the one above, that shows a drop message like the one below. Make sure you select a message that indicates PROTO=TCP and DPT=1514 or 1515.
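Both the screenshot description in Task 1 (which firewall's default rule fired, source IP, destination IP, protocol) and Deliverable 3 (pick the drop with PROTO=TCP and DPT=1514 or 1515) come down to reading the fields of a firewall log line. The following Python parser, added here as an example and not part of the lab, does that over a few constructed log lines in the shape the iptables-based VyOS writes to /var/log/messages: a `[NAME-rule-A/D]` prefix like the `[WAN-TO-DMZ-default-D]` in Deliverable 1, followed by netfilter `KEY=value` fields. The sample addresses use the lab's web01 (172.16.50.3) and wazuh (172.16.200.10); the WAN-side address of rw01 and the MAC strings are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/messages on fw01 (not captured from a real system).
# web01 = 172.16.50.3 and wazuh = 172.16.200.10 follow the lab; 10.0.17.99 stands in for rw01.
SAMPLE_LOG = """\
Mar  3 14:02:11 fw01 kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=10.0.17.99 DST=172.16.50.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:05:40 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 MAC=00:0c:29:dd:ee:ff:00:0c:29:11:22:33:08:00 SRC=172.16.50.3 DST=172.16.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 14:05:52 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 MAC=00:0c:29:dd:ee:ff:00:0c:29:11:22:33:08:00 SRC=172.16.50.3 DST=172.16.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40022 DPT=1514 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:05:53 fw01 kernel: [DMZ-to-LAN-default-D]IN=eth1 OUT=eth2 MAC=00:0c:29:dd:ee:ff:00:0c:29:11:22:33:08:00 SRC=172.16.50.3 DST=172.16.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9002 DF PROTO=TCP SPT=40023 DPT=1515 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 14:06:10 fw01 sshd[2201]: Accepted publickey for vyos from 172.16.150.10 port 50000 ssh2
"""

# "[WAN-to-DMZ-default-D]" or "[WAN-to-DMZ-10-A]": firewall name, rule number or
# "default", and the action letter (A accept, D drop, R reject).
PREFIX_RE = re.compile(r"\[(?P<firewall>.+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]")
KV_RE = re.compile(r"(\w+)=(\S+)")
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}


@dataclass
class FirewallEvent:
    firewall: str   # e.g. "WAN-to-DMZ"
    rule: str       # "default" or the rule number as a string
    action: str     # "accept", "drop" or "reject"
    fields: dict    # netfilter KEY=value pairs: IN, OUT, SRC, DST, PROTO, DPT, ...

    @property
    def dropped(self) -> bool:
        return self.action == "drop"


def parse_line(line: str):
    """Return a FirewallEvent for a firewall log line, None for anything else."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    return FirewallEvent(m["firewall"], m["rule"], ACTIONS[m["action"]], fields)


def parse_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(ev: FirewallEvent) -> str:
    """One-line reading of the points the lab asks you to identify in the screenshot."""
    f = ev.fields
    dport = f"/{f['DPT']}" if "DPT" in f else ""
    return (f"{ev.firewall} rule {ev.rule} {ev.action}: {f.get('SRC')} -> {f.get('DST')} "
            f"{f.get('PROTO', '?')}{dport} in={f.get('IN')} out={f.get('OUT')}")


def find_wazuh_drops(events: list, ports=("1514", "1515")) -> list:
    """Drops of TCP traffic to the Wazuh agent ports: what Deliverable 3 asks for."""
    return [ev for ev in events
            if ev.dropped and ev.fields.get("PROTO") == "TCP" and ev.fields.get("DPT") in ports]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(summarize(ev))
    print("Wazuh drops:", [summarize(ev) for ev in find_wazuh_drops(events)])
```

Piping `tail -f /var/log/messages` through this script while repeating the failed connection gives the same selection the grep in the Testing section does, but with the four facts (firewall, source, destination, protocol/port) already pulled out. The ICMP line is parsed too but excluded by `find_wazuh_drops`, which is why a ping to wazuh failing proves nothing about the agent ports.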

Allow Wazuh agent communications

Ping 172.16.200.10 (wazuh) from the DMZ to confirm that it fails.

Create firewall rules that allow ports 1514 and 1515 TCP through the DMZ-to-LAN firewall.

configure
set firewall name DMZ-to-LAN rule 10 description "agent to wazuh"
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp

set firewall name DMZ-to-LAN rule 1 description "allow connections back out"
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable

set firewall name LAN-to-DMZ rule 1 description "allow connections back out"
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 1 state established enable
commit
save

Deliverable 4: Provide a screenshot of your new LAN-to-DMZ rule 1 that allows established connections back through the LAN-to-DMZ firewall.

Configure WAN-to-LAN firewall

Create the WAN-to-LAN firewall, link it to the appropriate zones, and allow established connections back from WAN to LAN.

configure
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set firewall name WAN-to-LAN rule 1 description "allow connections back out"
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state related enable
set firewall name WAN-to-LAN rule 1 state established enable
commit
save

Configure LAN-TO-WAN Firewall

Create a default LAN to WAN firewall and associate it with the appropriate zone policy. This firewall will have only one rule, allowing LAN clients to initiate WAN connections.

configure
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set firewall name LAN-to-WAN rule 1 action accept
commit
save

Deliverable 5: Submit a screenshot showing a LAN-TO-WAN browsing session between wks01 and champlain.edu

Configure LAN to DMZ Firewall

As communication between LAN and DMZ is currently broken, I need to:

  • Create a firewall

  • Assign to the appropriate zone policy

  • Adjust it to only allow the traffic we want to go through.

  • Goal: wks01 should be able to browse to web01, and mgmt01 should be able to ssh into anything on the DMZ.

With that in mind, I need to create firewall rules on LAN-to-DMZ that allow:

  • 80/tcp from LAN to web01.

  • 22/tcp from mgmt01 to the DMZ

configure
set firewall name LAN-to-DMZ rule 10 description "allow 80/tcp from LAN to web01"
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp

set firewall name LAN-to-DMZ rule 20 description "allow 22/tcp from mgmt01 to DMZ"
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10
set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.0/29
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp
commit
save

Deliverable 6: Screenshot showing web session between wks01 and web01.

Deliverable 7: ssh into web01 using the username testwazuhafterfirewall. Attempt this until the session is closed by web01. Provide a screenshot similar to the one below that shows a related security event in wazuh, after fw01 was configured.

Task 2: Configuring fw-mgmt

Create LAN and MGMT zones on fw-mgmt

configure
set zone-policy zone LAN interface eth0
set zone-policy zone MGMT interface eth1
set firewall name LAN-to-MGMT default-action drop
set firewall name MGMT-to-LAN default-action drop
set firewall name LAN-to-MGMT enable-default-log
set firewall name MGMT-to-LAN enable-default-log
set zone-policy zone LAN from MGMT firewall name MGMT-to-LAN
set zone-policy zone MGMT from LAN firewall name LAN-to-MGMT

LAN-to-MGMT

set firewall name LAN-to-MGMT rule 10 description "agent to wazuh server"
set firewall name LAN-to-MGMT rule 10 action accept
set firewall name LAN-to-MGMT rule 10 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 10 destination port 1514,1515
set firewall name LAN-to-MGMT rule 10 protocol tcp

set firewall name LAN-to-MGMT rule 20 description "MGMT to WAZUH ports 443 and 22"
set firewall name LAN-to-MGMT rule 20 action accept
set firewall name LAN-to-MGMT rule 20 destination address 172.16.200.10
set firewall name LAN-to-MGMT rule 20 destination port 443,22
set firewall name LAN-to-MGMT rule 20 protocol tcp

set firewall name LAN-to-MGMT rule 1 description "allow connections back out"
set firewall name LAN-to-MGMT rule 1 action accept
set firewall name LAN-to-MGMT rule 1 state established enable

MGMT-to-LAN

set firewall name MGMT-to-LAN rule 10 description "MGMT to LAN"
set firewall name MGMT-to-LAN rule 10 action accept
set firewall name MGMT-to-LAN rule 10 destination address 172.16.150.0/24

set firewall name MGMT-to-LAN rule 20 description "MGMT to DMZ"
set firewall name MGMT-to-LAN rule 20 action accept
set firewall name MGMT-to-LAN rule 20 destination address 172.16.50.0/29

set firewall name MGMT-to-LAN rule 1 description "allow connections back out"
set firewall name MGMT-to-LAN rule 1 action accept
set firewall name MGMT-to-LAN rule 1 state established enable
commit
save

Deliverable 8: Show the correct connections from mgmt02-hanne.

The ping to champlain.edu doesn't work because we didn't configure a rule on fw-mgmt for LAN-to-WAN connections. We can connect to the web server on 172.16.50.3 because we made an MGMT-to-LAN rule and also an MGMT-to-DMZ rule. We can connect to mgmt01 because we made an MGMT-to-LAN rule.

Deliverable 9: Provide the output of show zone on fw-mgmt.

Deliverable 10: Provide the output of show firewall name LAN-to-MGMT.

Deliverable 11: Provide the output of show firewall name MGMT-to-LAN.

Deliverable 12: From mgmt01, run an ssh test on web01 with a tag that indicates that this is a test of fw-mgmt. Take a screenshot of the resulting log within wazuh.
