# Zone-to-zone firewall rulesets (bound to zone pairs in the zone-policy section
# further down). Every set drops and logs by default; rule 1 in each set except
# LAN-TO-WAN admits only return traffic of already-established flows.
#
# DMZ -> LAN: syslog to the collector, ICMP from the jump host, SSH to 172.16.200.10.
set firewall name DMZ-TO-LAN default-action 'drop'
set firewall name DMZ-TO-LAN enable-default-log
set firewall name DMZ-TO-LAN rule 1 action 'accept'
set firewall name DMZ-TO-LAN rule 1 state established 'enable'
# udp/1514 to 172.16.200.10 is the same host/port used under 'system syslog host'.
# NOTE(review): that syslog host is also set to 'format octet-counted' (TCP-style
# framing); confirm the transport DMZ hosts actually use matches this UDP-only rule.
set firewall name DMZ-TO-LAN rule 10 action 'accept'
set firewall name DMZ-TO-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-TO-LAN rule 10 destination port '1514'
set firewall name DMZ-TO-LAN rule 10 protocol 'udp'
# ICMP only from the jump host (172.16.50.4).
set firewall name DMZ-TO-LAN rule 20 action 'accept'
set firewall name DMZ-TO-LAN rule 20 destination address '172.16.200.10'
set firewall name DMZ-TO-LAN rule 20 protocol 'icmp'
set firewall name DMZ-TO-LAN rule 20 source address '172.16.50.4'
# NOTE(review): rule 30 has no source address, so any DMZ host -- not only the
# jump host named in rule 20 -- may open SSH to 172.16.200.10; confirm intended.
set firewall name DMZ-TO-LAN rule 30 action 'accept'
set firewall name DMZ-TO-LAN rule 30 destination address '172.16.200.10'
set firewall name DMZ-TO-LAN rule 30 destination port '22'
set firewall name DMZ-TO-LAN rule 30 protocol 'tcp'
# DMZ -> WAN: only the web host (172.16.50.3) may reach NTP; all other
# DMZ-originated traffic to the Internet is dropped and logged.
set firewall name DMZ-TO-WAN default-action 'drop'
set firewall name DMZ-TO-WAN enable-default-log
set firewall name DMZ-TO-WAN rule 1 action 'accept'
set firewall name DMZ-TO-WAN rule 1 state established 'enable'
set firewall name DMZ-TO-WAN rule 10 action 'accept'
set firewall name DMZ-TO-WAN rule 10 description 'network time update'
set firewall name DMZ-TO-WAN rule 10 destination port '123'
set firewall name DMZ-TO-WAN rule 10 protocol 'udp'
set firewall name DMZ-TO-WAN rule 10 source address '172.16.50.3'
# LAN -> DMZ: HTTP to the web host (.3) and to nginx (.5); SSH from the
# management host 172.16.200.11 to 172.16.50.1-.6.
set firewall name LAN-TO-DMZ default-action 'drop'
set firewall name LAN-TO-DMZ enable-default-log
set firewall name LAN-TO-DMZ rule 1 action 'accept'
set firewall name LAN-TO-DMZ rule 1 state established 'enable'
set firewall name LAN-TO-DMZ rule 10 action 'accept'
set firewall name LAN-TO-DMZ rule 10 description 'lan access to web'
set firewall name LAN-TO-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-TO-DMZ rule 10 destination port '80'
set firewall name LAN-TO-DMZ rule 10 protocol 'tcp'
set firewall name LAN-TO-DMZ rule 20 action 'accept'
set firewall name LAN-TO-DMZ rule 20 destination address '172.16.50.1-172.16.50.6'
set firewall name LAN-TO-DMZ rule 20 destination port '22'
set firewall name LAN-TO-DMZ rule 20 protocol 'tcp'
set firewall name LAN-TO-DMZ rule 20 source address '172.16.200.11'
set firewall name LAN-TO-DMZ rule 30 action 'accept'
set firewall name LAN-TO-DMZ rule 30 description 'tcp/80 to nginx'
set firewall name LAN-TO-DMZ rule 30 destination address '172.16.50.5'
set firewall name LAN-TO-DMZ rule 30 destination port '80'
set firewall name LAN-TO-DMZ rule 30 protocol 'tcp'
# LAN -> WAN: rule 1 carries no match criteria (no state/protocol/address), so
# it accepts all LAN-originated traffic; the default-action 'drop' is never reached.
set firewall name LAN-TO-WAN default-action 'drop'
set firewall name LAN-TO-WAN enable-default-log
set firewall name LAN-TO-WAN rule 1 action 'accept'
# WAN -> DMZ: inbound web and SSH, paired with the destination NAT rules below.
# NOTE(review): zone rules see the post-DNAT destination. The DNAT section
# translates WAN tcp/80 to 172.16.50.5 (nginx), but rule 10 here matches .3 --
# as written that forwarded web traffic would fall to the default drop; confirm
# which host should be reachable.
set firewall name WAN-TO-DMZ default-action 'drop'
set firewall name WAN-TO-DMZ enable-default-log
set firewall name WAN-TO-DMZ rule 1 action 'accept'
set firewall name WAN-TO-DMZ rule 1 state established 'enable'
set firewall name WAN-TO-DMZ rule 10 action 'accept'
set firewall name WAN-TO-DMZ rule 10 description 'allow web wan access'
set firewall name WAN-TO-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-TO-DMZ rule 10 destination port '80'
set firewall name WAN-TO-DMZ rule 10 protocol 'tcp'
# Rule 30 accepts SSH to the jump host from any WAN source address; consider
# restricting the source to the networks that need it and relying on the
# collector logs (kern facility below) to watch the remainder.
set firewall name WAN-TO-DMZ rule 30 action 'accept'
set firewall name WAN-TO-DMZ rule 30 description 'allow wan ssh access to jump'
set firewall name WAN-TO-DMZ rule 30 destination address '172.16.50.4'
set firewall name WAN-TO-DMZ rule 30 destination port '22'
set firewall name WAN-TO-DMZ rule 30 protocol 'tcp'
# WAN -> LAN: return traffic only.
set firewall name WAN-TO-LAN default-action 'drop'
set firewall name WAN-TO-LAN enable-default-log
set firewall name WAN-TO-LAN rule 1 action 'accept'
set firewall name WAN-TO-LAN rule 1 state established 'enable'
# Physical interfaces: eth0 = WAN (10.0.17.0/24), eth1 = DMZ (172.16.50.0/24),
# eth2 = LAN (172.16.150.0/24). hw-id pins each name to a MAC address.
# NOTE(review): the management network 172.16.200.0/28 used throughout the
# firewall/NAT sections is not on any of these interfaces; presumably it sits
# behind eth2 and is learned via RIP -- confirm.
set interfaces ethernet eth0 address '10.0.17.119/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth0 hw-id '00:50:56:b3:f7:6b'
set interfaces ethernet eth1 address '172.16.50.2/24'
set interfaces ethernet eth1 description 'SEC350-DMZ'
set interfaces ethernet eth1 hw-id '00:50:56:b3:46:08'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'SEC350-LAN'
set interfaces ethernet eth2 hw-id '00:50:56:b3:28:27'
set interfaces loopback lo
# Destination NAT on the WAN interface: publish the jump host's SSH (rule 30) and
# the nginx front end (rule 40). The WAN-TO-DMZ zone ruleset is evaluated on the
# translated destination: .4/tcp 22 is covered by its rule 30, but tcp/80 is
# translated to .5 while WAN-TO-DMZ rule 10 matches .3 -- confirm intent.
set nat destination rule 30 description 'portforwarding ssh to the jump'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '172.16.50.4'
set nat destination rule 30 translation port '22'
set nat destination rule 40 description 'nginx to web'
set nat destination rule 40 destination port '80'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 protocol 'tcp'
set nat destination rule 40 translation address '172.16.50.5'
set nat destination rule 40 translation port '80'
# Source NAT (masquerade behind eth0's WAN address) per internal network.
# 'DMA' in the description is presumably a typo for DMZ. NOTE(review): eth1 is a
# /24 but only 172.16.50.0/29 (.0-.7) is masqueraded; any DMZ host outside that
# range would leave eth0 with its private source address.
set nat source rule 10 description 'DMA to WAN nat'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
# Despite the description, this rule masquerades the LAN (172.16.150.0/24)
# toward the WAN on eth0, not toward the DMZ.
set nat source rule 15 description 'lan to dmz nat'
set nat source rule 15 outbound-interface 'eth0'
set nat source rule 15 source address '172.16.150.0/24'
set nat source rule 15 translation address 'masquerade'
# Management network (/28) toward the WAN.
set nat source rule 20 description 'WAN to MGMT nat'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.200.0/28'
set nat source rule 20 translation address 'masquerade'
# Routing: RIP toward the LAN side, static default route to the WAN gateway.
set protocols rip interface eth2
# Advertises the DMZ /29. NOTE(review): eth1's own address 172.16.50.2 falls
# inside this prefix, so RIP may also become active on the DMZ interface; if
# only advertising the prefix was intended, confirm (passive-interface or
# redistribution of connected routes are the usual alternatives).
set protocols rip network '172.16.50.0/29'
# Default route via the WAN next hop (the same address is the resolver below).
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
# DNS forwarder for the internal networks; the 'system' line makes it use the
# system name-server configured below as upstream.
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
# NOTE(review): the management prefix is /28 in the source-NAT rule but /24
# here -- align them so the allow-list is no wider than the network in use.
set service dns forwarding allow-from '172.16.200.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
# NOTE(review): 172.16.200.2 is not an address of any interface defined above;
# confirm it exists on this router (a non-local listen address may be rejected
# at commit).
set service dns forwarding listen-address '172.16.200.2'
set service dns forwarding system
# Management SSH on the router itself.
# NOTE(review): '0.0.0.0' already binds every address, including the WAN
# address on eth0, so the 172.16.150.2 entry adds nothing. The zone-policy
# section defines no zone for the router itself, so traffic to its own
# addresses is not filtered by the zone rulesets -- this listener is therefore
# reachable from the WAN. Consider listing only the LAN/management addresses
# here (drop the 0.0.0.0 line), or adding a local zone with its own ruleset.
set service ssh listen-address '0.0.0.0'
set service ssh listen-address '172.16.150.2'
# Verbose sshd logging: useful for the remote collector, noisy for local logs.
set service ssh loglevel 'verbose'
# System settings: config history, conntrack helpers, identity, logging.
set system config-management commit-revisions '100'
# Conntrack ALG helpers parse application payloads in the kernel to track
# secondary connections. NOTE(review): seven helpers are enabled; keep only the
# protocols this router actually forwards, since each helper lets untrusted
# traffic influence connection tracking.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console
set system host-name 'edge01-alex'
# NOTE(review): this line embeds the admin user's password hash ($6$ = SHA-512
# crypt). Treat this file as sensitive and do not publish it; if it has already
# been shared, change the password -- hashing does not prevent offline guessing
# against a leaked hash.
set system login user vyos authentication encrypted-password '$6$di6k7nmYf/77uBTh$iWooraPQrQZT4jSoJW.buHBlGGB2Fo0d7pL7eiG6Yh/qHUjfZCxFMbc.mATZc9HdPmWpAb8mq.qux9o5WWEOR.'
# Resolver = the WAN gateway (also the default-route next hop).
set system name-server '10.0.17.2'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
# Local logging: info for everything, debug for routing protocols.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
# Remote kernel logs (this is where the firewall default-log drops land) go to
# the collector in the management network on port 1514 -- the same host/port
# that DMZ-TO-LAN rule 10 permits for DMZ hosts.
# NOTE(review): 'octet-counted' is TCP-style framing and no transport is set
# here; confirm the collector's expected transport and that the matching
# firewall rule (UDP only) agrees.
set system syslog host 172.16.200.10 facility kern level 'debug'
set system syslog host 172.16.200.10 format octet-counted
set system syslog host 172.16.200.10 port '1514'
# Three zones, one interface each; every ordered zone pair is bound to the
# matching ruleset above, so no inter-zone direction is left unfiltered.
# NOTE(review): no zone covers the router itself, so traffic addressed to its
# own interface addresses -- the SSH, DNS-forwarding and WireGuard listeners --
# is not filtered by any of these rulesets. Consider a local zone with an
# explicit allow-list of management sources.
set zone-policy zone DMZ from LAN firewall name 'LAN-TO-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-TO-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-TO-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-TO-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-TO-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-TO-WAN'
set zone-policy zone WAN interface 'eth0'
# Road-warrior WireGuard endpoint on udp/51820 (the draft VPN zone lines that
# follow are meant to attach wg0 to the zone policy).
set interfaces wireguard wg0 address '10.0.99.1/24'
# One peer limited to a single /32. 'traveler-yourname' and the public-key
# value are placeholders that must be replaced with the real client name and
# key before commit.
set interfaces wireguard wg0 peer traveler-yourname allowed-ips '10.0.99.100/32'
set interfaces wireguard wg0 peer traveler-yourname public-key traveler-key-goes-here
set interfaces wireguard wg0 port '51820'
# Operational command (not a config line): generates the router-side key pair
# and installs it on wg0; the resulting public key is what the client's peer
# entry needs.
run generate pki wireguard key-pair install interface wg0
# ---- Draft VPN zone notes: not committable as written ----
# Problems visible in the lines below, to resolve before pasting into configure:
#  * 'Set' must be lower-case 'set'; one line has a stray leading backslash.
#  * The ruleset name is spelled VPN-LAN / Vpn-lan / vpn-lan; node names are
#    case-sensitive as far as I know, so these would be three different
#    rulesets -- pick one spelling.
#  * 'default action drop' must be 'default-action drop'; 'enable-defualt-log',
#    'zone-poilicy' and 'zone policy' (missing hyphen) are typos.
#  * vpn-lan rule 10 has no 'action', and its last line is an incomplete
#    thought ('destination destination or source port').
#  * vpn-lan rule 10 matches client 10.0.99.100 -> 10.0.99.1, i.e. the
#    router's own wg0 address; zone-pair rulesets filter forwarded traffic, so
#    a rule aimed at the router itself would not match here -- confirm intent.
#  * lan-vpn has only the established rule, so LAN hosts cannot initiate
#    connections toward VPN clients -- confirm that is intended.
Set firewall name VPN-LAN default action drop
Set firewall name Vpn-lan enable-defualt-log
Set firewall name vpn-lan rule 10 source address 10.0.99.100
Set firewall name vpn-lan rule 10 destination address 10.0.99.1
Set firewall name vpn-lan rule 10 protocol tcp
Set firewall name vpn-lan rule 10 destination destination or source port
Set zone-policy zone vpn interface wg0
\set zone-poilicy zone lan from vpn firewall name vpn-lan
Set zone policy zone vpn from lan firewall name lan-vpn
Set firewall name lan-vpn default action drop
Set firewall name lan-vpn enable-default-log
Set firewall name lan-vpn rule 1 state established enable
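# Install easy-rsa (from EPEL) and set up a per-user PKI working directory.
sudo dnf install epel-release
sudo dnf install easy-rsa
mkdir ~/easy-rsa
# Symlink the easy-rsa 3 scripts into the working directory.
ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/
# Owner-only access: the CA private key will be created under this directory.
# The original line targeted /home/sammy/easy-rsa (a tutorial username), which
# does not match the ~/easy-rsa used on every other line; use ~ so the chmod
# applies to the directory just created.
chmod 700 ~/easy-rsa
cd ~/easy-rsa
# Create the empty pki/ tree.
./easyrsa init-pki
sudo dnf install nano
cd ~/easy-rsa
# Edit the identity defaults (contents shown below).
nano vars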
Contents of ~/easy-rsa/vars:
# Subject defaults used by build-ca and later requests. The values below look
# like sample identity fields (org "DigitalOcean", a redacted e-mail) rather
# than the lab's own -- replace them before running build-ca.
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NewYork"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "DigitalOcean"
# "[email protected]" appears to be an obfuscated/extracted placeholder, not a usable address.
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Community"
# Elliptic-curve keys (the curve comes from EASYRSA_CURVE, left at its default
# here) with SHA-512 signatures.
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
# Build the CA certificate (pki/ca.crt) and its private key under pki/ using the
# identity fields from vars; prompts for a passphrase that protects the CA key.
./easyrsa build-ca
If you do not want a passphrase on the CA key, run `./easyrsa build-ca nopass` instead.
# Print the CA certificate so it can be copied to the systems that must trust
# it. Only the certificate is shared; the private key under pki/ stays on the CA.
cat ~/easy-rsa/pki/ca.crt
Copy everything, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and the dashes.
On your second Linux system, use nano or your preferred text editor to open a file called /tmp/ca.crt:
# Paste the CA certificate copied above into this temporary file; the copy into
# the system trust store is a separate, privileged step.
nano /tmp/ca.crt
requesting
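# Add the CA to the system trust anchors and regenerate the consolidated trust
# bundles. Both steps write under /etc/pki, so both need root: the original ran
# update-ca-trust without sudo, which fails with a permission error for an
# unprivileged user and leaves the new anchor unapplied.
sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust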
ALLOW 443 THROUGH FIREWALL
To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified:
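server {
    # HTTPS listener; 'ssl' enables TLS on this socket.
    listen 443 ssl;
    server_name www.example.com;
    # Public certificate, sent to every client.
    ssl_certificate www.example.com.crt;
    # Private key: keep the file readable only by root and nginx's master process.
    ssl_certificate_key www.example.com.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # The original excerpt listed TLSv1 TLSv1.1 TLSv1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # ... other server directives ...
}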
The server certificate is a public entity. It is sent to every client that connects to the server. The private key is a secure entity and should be stored in a file with restricted access; however, it must be readable by nginx’s master process. The private key may alternately be stored in the same file as the certificate:
# Combined form: certificate and private key in the same .cert file. Restrict
# that file's permissions as you would the key alone; only the certificate
# part is sent to clients.
ssl_certificate www.example.com.cert;
ssl_certificate_key www.example.com.cert;
in which case the file access rights should also be restricted. Although the certificate and the key are stored in one file, only the certificate is sent to a client.
CA FIREWALLD
* Rich rule
# Rich rule on the CA host: accept SSH only from the management source.
# NOTE(review): '172.16.200.11/28' mixes a host address with a /28 mask; it
# would most likely be applied as the 172.16.200.0/28 network (16 hosts), not
# the single host .11. Write 172.16.200.11 (or /32) for the host, or
# 172.16.200.0/28 for the subnet, so the intent is unambiguous.
# --permanent changes only the saved configuration; run 'firewall-cmd --reload'
# afterwards to apply it. The tcp/443 allow noted above is not shown here
# (e.g. --add-service=https).
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.200.11/28" service name="ssh" accept'
Copy ca.crt over to the Windows machine and import it into the Trusted Root Certification Authorities store.