firewall {
/* DMZ -> LAN. Default drop with logging; only replies and Wazuh agent traffic are allowed out of the DMZ into the LAN zone */
name DMZ-2-LAN {
default-action drop
enable-default-log
/* Replies to sessions initiated from the LAN side (established state only) */
rule 1 {
action accept
state {
established enable
}
}
/* New TCP sessions from any DMZ host to the Wazuh server on the agent ports. Source is unrestricted; if only a known set of DMZ hosts run agents, consider limiting source to them. 172.16.200.10 is not on a directly attached interface in this config, so it is presumably routed via eth2 -- TODO confirm */
rule 10 {
action accept
description "wazuh agent comm with wazuh server"
destination {
address 172.16.200.10
port 1514,1515
}
protocol tcp
}
}
/* DMZ -> WAN. Default drop with logging */
name DMZ-2-WAN {
default-action drop
enable-default-log
/* Replies to WAN-initiated sessions (established state only) */
rule 420 {
action accept
description "The Stamp to allow connections"
state {
established enable
}
}
/* NOTE(review): unconditional accept for 172.16.50.3 (web01): any protocol, any destination, any port. Egress from the web server is effectively unrestricted, so a compromised web01 would have unconstrained outbound access; narrow this to the destinations/ports it actually needs */
rule 999 {
action accept
source {
address 172.16.50.3
}
}
}
/* LAN -> DMZ. Default drop with logging; HTTP to web01, SSH from one management host, and replies */
name LAN-2-DMZ {
default-action drop
enable-default-log
/* HTTP from any LAN host to web01 */
rule 10 {
action accept
description "80/tcp LAN to web01"
destination {
address 172.16.50.3
port 80
}
protocol tcp
}
/* SSH from 172.16.150.10 to the whole DMZ /29. The description calls this host MGMT01, while nat source rule 30 treats 172.16.200.0/28 as MGMT -- the naming looks inconsistent; confirm which network management actually lives on */
rule 20 {
action accept
description "22/tcp from MGMT01 to DMZ"
destination {
address 172.16.50.0/29
port 22
}
protocol tcp
source {
address 172.16.150.10
}
}
/* Replies to DMZ-initiated sessions (established state only) */
rule 420 {
action accept
description "The LAN-2-DMZ Stamp of approval"
state {
established enable
}
}
}
/* LAN -> WAN. NOTE(review): rule 420 has no match criteria, so every LAN -> WAN packet is accepted and default-action drop / default-log never apply on this path. There is no egress filtering here; if permit-any is intentional, record that in a description, otherwise restrict by protocol/port */
name LAN-2-WAN {
default-action drop
enable-default-log
rule 420 {
action accept
}
}
/* WAN -> DMZ. Default drop with logging; the two published services plus replies */
name WAN-2-DMZ {
default-action drop
enable-default-log
/* Replies to DMZ-initiated sessions (established state only) */
rule 1 {
action accept
state {
established enable
}
}
/* HTTP from any WAN source to web01; the matching port-forward is nat destination rule 10 */
rule 10 {
action accept
description "Allow HTTP from WAN to DMZ"
destination {
address 172.16.50.3
port 80
}
protocol tcp
}
/* NOTE(review): SSH to 172.16.50.4 from any WAN source, paired with nat destination rule 20 on eth0. An internet-exposed SSH service should at least be limited to known source addresses, or be reached through a VPN/bastion; also confirm the host at 172.16.50.4 enforces key-only authentication. Description typo: "want" -> "WAN" */
rule 20 {
action accept
description "allow ssh from want to dmz"
destination {
address 172.16.50.4
port 22
}
protocol tcp
}
}
/* WAN -> LAN. Default drop with logging; only established TCP is accepted */
name WAN-2-LAN {
default-action drop
enable-default-log
/* Established TCP only. The empty destination {} block appears to add no constraint. Since LAN-2-WAN permits everything, LAN-initiated UDP/ICMP to the WAN (DNS to external resolvers, NTP, ping) looks like it gets no reply through this zone pair -- confirm that is intended */
rule 10 {
action accept
destination {
}
protocol tcp
state {
established enable
}
}
}
}
interfaces {
/* WAN uplink (zone WAN); the default route and all masquerading leave via this interface */
ethernet eth0 {
address 10.0.17.115/24
description SEC350-WAN
hw-id 00:50:56:a1:c9:2c
}
/* DMZ segment (zone DMZ): web01 (172.16.50.3) and the SSH target 172.16.50.4 are in this /29 */
ethernet eth1 {
address 172.16.50.2/29
description THOMSEN-DMZ
hw-id 00:50:56:a1:1e:01
}
/* LAN segment (zone LAN). The 172.16.200.0/28 range used by nat source rule 30 and the Wazuh server address 172.16.200.10 are not on any attached interface, so they are presumably reached through a router on this segment -- TODO confirm */
ethernet eth2 {
address 172.16.150.2/24
description THOMSEN-LAN
hw-id 00:50:56:a1:e1:dc
}
loopback lo {
}
}
nat {
destination {
/* Port-forward WAN-side TCP/80 to web01; the matching accept is firewall name WAN-2-DMZ rule 10 */
rule 10 {
description HTTP->WEB01
destination {
port 80
}
inbound-interface eth0
protocol tcp
translation {
address 172.16.50.3
port 80
}
}
/* Port-forward WAN-side TCP/22 to 172.16.50.4 (no description). This publishes SSH to any WAN source; the matching accept is firewall name WAN-2-DMZ rule 20, which has no source restriction either */
rule 20 {
destination {
port 22
}
inbound-interface eth0
protocol tcp
translation {
address 172.16.50.4
port 22
}
}
}
/* Masquerade the DMZ, LAN and MGMT prefixes behind the eth0 address */
source {
rule 10 {
description "NAT FROM DMZ TO WAN"
outbound-interface eth0
source {
address 172.16.50.0/29
}
translation {
address masquerade
}
}
rule 20 {
description "NAT from LAN to WAN"
outbound-interface eth0
source {
address 172.16.150.0/24
}
translation {
address masquerade
}
}
/* MGMT prefix; no interface in this config carries 172.16.200.0/28, so this presumably covers traffic routed in via eth2 -- TODO confirm */
rule 30 {
description "NAT FROM MGMT TO WAN"
outbound-interface eth0
source {
address 172.16.200.0/28
}
translation {
address masquerade
}
}
}
}
protocols {
/* RIP on the LAN interface, advertising the DMZ prefix. No RIP authentication is configured, so route updates from any host on eth2 can be accepted -- enable authentication, or use static routes if the neighbour set is fixed */
rip {
interface eth2 {
}
network 172.16.50.0/29
}
/* Default route via the WAN gateway */
static {
route 0.0.0.0/0 {
next-hop 10.0.17.2 {
}
}
}
}
service {
/* DNS forwarder for the internal segments only: bound to the DMZ and LAN addresses and answering only those prefixes; 'system' presumably forwards to the system name-server (10.0.17.2) -- confirm */
dns {
forwarding {
allow-from 172.16.50.0/29
allow-from 172.16.150.0/24
listen-address 172.16.50.2
listen-address 172.16.150.2
system
}
}
/* SSH management access bound to the LAN address only (not the WAN or DMZ addresses) */
ssh {
listen-address 172.16.150.2
}
}
system {
/* Keep the last 100 commit revisions */
config-management {
commit-revisions 100
}
/* Conntrack helpers (ALGs). An enabled helper parses packet payload and can open related pinholes; none of the flows defined under firewall/nat use these protocols, so the unused helpers are added attack surface -- keep only those actually required */
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name fw1-david
/* NOTE(review): the vyos login password hash is committed with this file. A published hash can be attacked offline; rotate the password, prefer public-key authentication for this account, and keep credentials out of the repository */
login {
user vyos {
authentication {
encrypted-password $6$kBzuSikOLAH5pZfq$Nh33peg27vElnZqrjakctM87yxFXruTZpvktkH4KRo4dkqPA4ky5rDjs7vS4Qzn9/DyXW7oDAGJqtY387K7sr0
}
}
}
/* Upstream resolver: the WAN gateway */
name-server 10.0.17.2
/* Time sync against the vyos.net servers */
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
/* Local logging: everything at info, protocols at debug. authpriv is also forwarded to 172.16.50.5, which sits in the DMZ /29 rather than on the network of the Wazuh server (172.16.200.10) -- confirm this is the intended collector; no level is given under that facility, so also confirm it forwards at all */
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
host 172.16.50.5 {
facility authpriv {
}
}
}
}
zone-policy {
/* One interface per zone; each zone names the ruleset applied to traffic arriving from the other two. No local zone is defined, so traffic addressed to the firewall itself is presumably not subject to these rulesets and relies on the service bindings alone (ssh listen-address, dns allow-from) -- TODO confirm that is acceptable, especially on eth0 */
zone DMZ {
from LAN {
firewall {
name LAN-2-DMZ
}
}
from WAN {
firewall {
name WAN-2-DMZ
}
}
interface eth1
}
zone LAN {
from DMZ {
firewall {
name DMZ-2-LAN
}
}
from WAN {
firewall {
name WAN-2-LAN
}
}
interface eth2
}
zone WAN {
from DMZ {
firewall {
name DMZ-2-WAN
}
}
from LAN {
firewall {
name LAN-2-WAN
}
}
interface eth0
}
}
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@7:flow-accounting@1:https@3:interfaces@26:ipoe-server@1:ipsec@9:isis@1:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@1:openconnect@2:ospf@1:policy@3:pppoe-server@5:pptp@2:qos@1:quagga@10:rpki@1:salt@1:snmp@2:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202209130217