
VyOS FIREWALL CONFIGURATION 1

VyOS Firewall Configuration

Robert Thompson

Contents

Post Installation ... 3
Setting up the Firewall ... 3
Testing Connectivity ... 7
References ... 8

Post Installation

After the second network interface is added to the VM, enter configuration mode at the command line by typing configure. The first interface, eth0, should be the interface that connects to the internet and the one that receives its address via DHCP. The second interface, eth1, should be the internal-facing interface through which your isolated network communicates; its address should be statically set to an unallocated address on your network. In this write-up, the address range used is 192.168.112.0/24. We also want the SSH service to be reachable from remote hosts; running the command set service ssh port 22 starts the SSH daemon and allows connections.

Setting up the Firewall

First, we need to set up NAT so that packets from the hosts behind the firewall are translated and routed appropriately to the public network.

The first command sets the eth0 interface as the outbound interface, through which traffic from the internal network is routed to the public network. The second command specifies which internal address range is allowed to traverse that interface to the public network. The final command specifies that the address of the outbound interface itself is used as the translation address (masquerade NAT) for the network.
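The interface and SSH setup from Post Installation together with the three NAT commands described above, as an added example in VyOS 1.1 CLI syntax (this is not the write-up's own screenshot); the NAT rule number 100 is an assumption, while the interfaces and the 192.168.112.0/24 range are those used in this write-up.

```vyos
configure

# Post Installation: eth0 takes its address from the upstream DHCP server,
# eth1 is the internal interface with a static address (assumed .1 of the range)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 192.168.112.1/24
set service ssh port 22

# 1. eth0 is the outbound (internet-facing) interface for this NAT rule
#    (rule number 100 is an assumption for this example)
set nat source rule 100 outbound-interface eth0
# 2. only the internal range may be translated through that interface
set nat source rule 100 source address 192.168.112.0/24
# 3. masquerade: use eth0's own (DHCP-assigned) address as the translation address
set nat source rule 100 translation address masquerade

commit
save

# check from configuration mode that the rule is active
run show nat source rules
```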

Once NAT is configured, we will configure our firewall to be the internal DHCP server.

The first command starts the DHCP service on the system. The second command establishes the system as the default router for the internal network: the 192.168.112.0/24 range sits on the eth1 (internal) interface in this example, and 192.168.112.1 is the address of that interface on this machine. The third command establishes the system as the DHCP server for the internal network. The fourth command sets the domain name for the internal network. The fifth command sets the lease for each address to 24 hours; when the lease expires, the host has to request a new address from the DHCP server. The final command sets the scope of addresses that the server is allowed to distribute.
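The six DHCP commands described above, as an added example in VyOS 1.1 syntax rather than the write-up's own screenshot. Assumptions: the shared-network name LAN, the domain name lab.internal, the 192.168.112.100-192.168.112.200 scope, and the use of dns-server as the third command (it hands clients this machine's eth1 address so their lookups go through the DNS forwarder configured in the next step).

```vyos
configure

# 1. enable the DHCP server (VyOS 1.1 turns it on by clearing the disabled flag)
set service dhcp-server disabled false
# 2. clients on 192.168.112.0/24 use eth1's address as their default router
set service dhcp-server shared-network-name LAN subnet 192.168.112.0/24 default-router 192.168.112.1
# 3. clients resolve DNS through this machine (assumption: dns-server option)
set service dhcp-server shared-network-name LAN subnet 192.168.112.0/24 dns-server 192.168.112.1
# 4. domain name for the internal network (assumed value)
set service dhcp-server shared-network-name LAN subnet 192.168.112.0/24 domain-name lab.internal
# 5. 24-hour lease, expressed in seconds
set service dhcp-server shared-network-name LAN subnet 192.168.112.0/24 lease 86400
# 6. scope of addresses the server may hand out (assumed range)
set service dhcp-server shared-network-name LAN subnet 192.168.112.0/24 start 192.168.112.100 stop 192.168.112.200

commit
save

# check that a client received a lease once one has been attached to eth1
run show dhcp server leases
```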

Next, we will configure DNS forwarding. The following commands ensure that the local DNS forwarder does not cache results, listens only on the internal interface, and resolves all internal network DNS queries using Google's DNS servers:

set service dns forwarding cache-size 0

set service dns forwarding listen-on eth1

set service dns forwarding name-server 8.8.8.8

set service dns forwarding name-server 8.8.4.4

Now we need to set our firewall rules. Firewall rules are evaluated in numeric order: lower-numbered rules are applied first. Under this logic, the stricter rules should be given higher numbers, so that if the earlier rules do not match the traffic traversing the firewall, the stricter ones act as a catch-all for all unwanted traffic.

The first ruleset we will set up will be labeled OUTSIDE-IN; these rules apply to packets destined to traverse the VyOS system. The default action in Vyatta-based systems is equivalent to rule 10,000. The following drops everything by default and allows only established and related connections through to the protected systems from the outside:

set firewall name OUTSIDE-IN default-action drop

set firewall name OUTSIDE-IN rule 10 action accept

set firewall name OUTSIDE-IN rule 10 state established enable

set firewall name OUTSIDE-IN rule 10 state related enable

The second ruleset will be labeled OUTSIDE-LOCAL; these rules apply to packets destined to the VyOS system itself. The default action is set to drop all packets; rule 10 accepts established and related connections to the services running on the system:

set firewall name OUTSIDE-LOCAL default-action drop

set firewall name OUTSIDE-LOCAL rule 10 action accept

set firewall name OUTSIDE-LOCAL rule 10 state established enable

set firewall name OUTSIDE-LOCAL rule 10 state related enable



Rule 20 will allow the system to respond to ICMP packets:

set firewall name OUTSIDE-LOCAL rule 20 action accept

set firewall name OUTSIDE-LOCAL rule 20 icmp type-name echo-request

set firewall name OUTSIDE-LOCAL rule 20 protocol icmp

set firewall name OUTSIDE-LOCAL rule 20 state new enable

Rules 30 and 31 define that TCP connections over port 20 over SSH are permitted, but only 4 new connection requests every minute:



Finally, we will apply the new firewall policies to the outside interface, commit, and exit configuration mode:
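The SSH rate-limit rules and the interface assignment that the last two paragraphs describe, as an added example in VyOS 1.1 syntax (not the write-up's own screenshots). It uses destination port 22 because that is the SSH port set in Post Installation, and assumes the recent match (count 4, time 60 seconds) is how the limit of four new connections per minute is expressed. Rule 30 (drop once the counter is exceeded) must carry a lower number than rule 31 (accept), because lower-numbered rules are evaluated first.

```vyos
configure

# Rule 30: drop a new SSH connection from a source address that has already
# opened 4 new connections within the last 60 seconds (recent match)
set firewall name OUTSIDE-LOCAL rule 30 action drop
set firewall name OUTSIDE-LOCAL rule 30 protocol tcp
set firewall name OUTSIDE-LOCAL rule 30 destination port 22
set firewall name OUTSIDE-LOCAL rule 30 state new enable
set firewall name OUTSIDE-LOCAL rule 30 recent count 4
set firewall name OUTSIDE-LOCAL rule 30 recent time 60

# Rule 31: any other new SSH connection is accepted
set firewall name OUTSIDE-LOCAL rule 31 action accept
set firewall name OUTSIDE-LOCAL rule 31 protocol tcp
set firewall name OUTSIDE-LOCAL rule 31 destination port 22
set firewall name OUTSIDE-LOCAL rule 31 state new enable

# Attach the rulesets to the internet-facing interface:
# 'in' filters traffic forwarded through the router, 'local' filters
# traffic addressed to the router itself. eth1 stays unfiltered.
set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL

commit
save
exit

# Op-mode check: per-rule packet counters, with the default-action drop shown as rule 10000
show firewall name OUTSIDE-LOCAL
```

Anything not matched by rules 10, 20, 30 or 31 falls through to the default action, which is why the default is set to drop rather than accept.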

Testing Connectivity

With a Xubuntu client VM on the same VLAN as the Inside-NIC (eth1) on the VyOS system, we received a DHCP address from our system and successfully connected out to the internet.

