Firewall HowTo
Introduction
This document details some common use-cases for a Firewall and how to configure them using WeOS.
For more information, see the Firewall Configuration Guide.
Private Network With Web Server
Figure 1 shows a common network setup. Two LAN subnets and a WEB subnet are connected through a gateway and Firewall to the Internet. The following example shows how the Firewall can be configured to allow devices on both LANs to communicate with each other, access Gateway services and connect to the web server. Devices on the Internet should also be able to reach the web server, while all other traffic is dropped.
Desired outcome:
- All private subnets can communicate with each other.
- All private subnets can access services on the Gateway, such as DHCP.
- The web server is accessible from the LANs and the Internet.
- All other external traffic is dropped.
[Figure 1 is an ASCII diagram that was flattened during extraction. Recoverable topology: the GW/FW connects the Internet/Intranet on the Public side, WAN (vlan4), to three Private subnets: LAN (vlan1) 192.168.1.0/24, LAN (vlan2) 192.168.2.0/24 and WEB (vlan3) 192.168.3.0/24. The gateway holds address .99 on each private subnet; host H2 on vlan1, host H3 on vlan2 and the web server H1 on vlan3 hold address .1 on their respective subnets.]
Figure 1: Showing the example network setup using a Firewall.
example:/#> configure
example:/config/#> ip
example:/config/ip/#> firewall
example:/config/ip/firewall/#> policy input drop
example:/config/ip/firewall/#> policy forward drop
example:/config/ip/firewall/#> forward accept in vlan1
example:/config/ip/firewall/#> forward accept in vlan2
example:/config/ip/firewall/#> forward accept in vlan3
example:/config/ip/firewall/#> input accept in vlan1
example:/config/ip/firewall/#> input accept in vlan2
example:/config/ip/firewall/#> input accept in vlan3
example:/config/ip/firewall/#> port-forward in vlan4 dport 80 to-daddr 192.168.3.1 to-dport 8080 proto tcp
example:/config/ip/firewall/#> forward accept in vlan4 daddr 192.168.3.1 dport 8080 proto tcp
example:/config/ip/firewall/#> leave
Configuration activated. Remember "copy run start" to save to flash (NVRAM).
example:/#> copy run start
Example rules to allow input packets to individual services
When enabling the Firewall, all incoming packets will be blocked unless the policy for input filters is changed from drop to accept, or individual accept rules are created for each service.
Note: if you do not allow any management access (ssh, http, https) on any interface, you will not be able to reach the device after enabling the Firewall. Be careful and do not lock yourself out!
Allow ssh access only on vlan1
example:/config/ip/firewall/#> input accept in vlan1 dport ssh proto tcp
Allow http access on any interface
example:/config/ip/firewall/#> input accept dport http proto tcp
Allow https access only on vlan1
example:/config/ip/firewall/#> input accept in vlan1 dport https proto tcp
Allow DNS access (tcp, port 53) on any interface
example:/config/ip/firewall/#> input accept dport 53 proto tcp
Allow DNS access (udp, port 53) on any interface
example:/config/ip/firewall/#> input accept dport 53 proto udp
Allow DHCP access on any interface (udp, port 67)
example:/config/ip/firewall/#> input accept dport 67 proto udp
Allow NTP on any interface (tcp, port 123)
example:/config/ip/firewall/#> input accept dport 123 proto tcp
Allow ping (ICMP) only on vlan2
example:/config/ip/firewall/#> input accept in vlan2 proto icmp
Allow traceroute on any interface
example:/config/ip/firewall/#> input accept proto udp dport 33434-33534
Allow tftp only on vlan1 (udp, port 69)
example:/config/ip/firewall/#> input accept in vlan1 dport 69 proto udp
Allow SNMP access on vlan1 (udp, portrange 161-162)
example:/config/ip/firewall/#> input accept in vlan1 dport 161-162 proto udp
Allow VRRP on interface vrrp1
example:/config/ip/firewall/#> input accept in vrrp1 proto carp
Allow OSPF on interface vlan1
example:/config/ip/firewall/#> input accept in vlan1 proto ospf
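The following is an added example and not WeOS code. It parses firewall rule lines in the CLI form used throughout this HowTo and evaluates constructed sample packets against them, so the Figure 1 configuration above can be checked against its "desired outcome" list, and a rule-set can be checked for the lockout situation described in the note above (no ssh/http/https accepted on any interface). It assumes, as a model rather than as documented WeOS behaviour, that rules are tried in order with first match winning, that the chain policy applies when nothing matches, and that a port-forward rewrites the destination before the forward chain sees the packet. All packets, addresses and function names are constructed for the example.

```python
"""Model of a WeOS-style firewall rule-set (added example, not WeOS code).

Assumptions (not stated in the HowTo): first matching rule wins, the chain
policy applies when no rule matches, and port-forward (DNAT) is applied before
the forward chain. Interface and port names are taken from the rules as written.
"""
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}   # names used in the rules above
MGMT = {("tcp", 22), ("tcp", 80), ("tcp", 443)}        # management services from the note


@dataclass
class Packet:
    iface: str            # ingress interface, e.g. "vlan1"
    proto: str            # "tcp", "udp", "icmp", ...
    daddr: str            # destination address (any string; compared by equality)
    dport: Optional[int]  # None for protocols without ports
    to_device: bool       # True: destined for the gateway itself (input chain)


def parse_port(text):
    """Port spec as a service name, a number or a range 'a-b' -> (lo, hi)."""
    if text in SERVICE_PORTS:
        return (SERVICE_PORTS[text], SERVICE_PORTS[text])
    if "-" in text:
        lo, hi = text.split("-")
        return (int(lo), int(hi))
    return (int(text), int(text))


def parse_rules(cli_lines):
    """Parse 'policy', 'input', 'forward' and 'port-forward' lines; ignore the rest."""
    policy = {"input": "accept", "forward": "accept"}  # assumed defaults before 'policy'
    rules = {"input": [], "forward": [], "port-forward": []}
    for line in cli_lines:
        words = line.split("#>")[-1].split()     # drop a CLI prompt if present
        if not words:
            continue
        if words[0] == "policy":
            policy[words[1]] = words[2]
            continue
        chain = words[0]
        if chain not in rules:
            continue                             # 'leave', 'copy run start', output lines
        rule, i = {}, 1
        if chain != "port-forward":
            rule["action"], i = words[1], 2
        while i + 1 < len(words):                # remaining words are key/value pairs
            key, val = words[i], words[i + 1]
            rule[key] = parse_port(val) if key in ("dport", "to-dport") else val
            i += 2
        rules[chain].append(rule)
    return policy, rules


def matches(rule, pkt):
    """True if every qualifier present in the rule matches the packet."""
    if "in" in rule and rule["in"] != pkt.iface:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "daddr" in rule and rule["daddr"] != pkt.daddr:
        return False
    if "dport" in rule:
        lo, hi = rule["dport"]
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(policy, rules, pkt):
    """Return (verdict, final daddr, final dport) for one packet."""
    daddr, dport = pkt.daddr, pkt.dport
    chain = "input" if pkt.to_device else "forward"
    for pf in rules["port-forward"]:             # DNAT first (assumption, see docstring)
        if matches(pf, pkt):
            daddr, dport, chain = pf["to-daddr"], pf["to-dport"][0], "forward"
            break
    nat_pkt = Packet(pkt.iface, pkt.proto, daddr, dport, chain == "input")
    for rule in rules[chain]:
        if matches(rule, nat_pkt):
            return rule["action"], daddr, dport
    return policy[chain], daddr, dport


def management_reachable(policy, rules):
    """Lockout check: is ssh, http or https accepted on at least one interface?"""
    if policy["input"] == "accept":
        return True
    for r in rules["input"]:
        if r.get("action") != "accept":
            continue
        iface = r.get("in", "any-interface")     # unrestricted rule: any interface will do
        if any(matches(r, Packet(iface, proto, "gateway", port, True)) for proto, port in MGMT):
            return True
    return False


# The Figure 1 configuration, copied from the session above without prompts.
FIGURE1_CONFIG = """
policy input drop
policy forward drop
forward accept in vlan1
forward accept in vlan2
forward accept in vlan3
input accept in vlan1
input accept in vlan2
input accept in vlan3
port-forward in vlan4 dport 80 to-daddr 192.168.3.1 to-dport 8080 proto tcp
forward accept in vlan4 daddr 192.168.3.1 dport 8080 proto tcp
""".strip().splitlines()


def figure1_outcomes():
    """Constructed packets, one per line of the 'desired outcome' list."""
    policy, rules = parse_rules(FIGURE1_CONFIG)
    cases = {
        "lan1_to_lan2": Packet("vlan1", "tcp", "192.168.2.1", 445, False),
        "lan2_to_gw_dhcp": Packet("vlan2", "udp", "192.168.2.99", 67, True),
        # public side: gateway WAN address is not given on the page, placeholder used
        "internet_to_web80": Packet("vlan4", "tcp", "<gateway-wan-address>", 80, True),
        "internet_to_lan1": Packet("vlan4", "tcp", "192.168.1.1", 22, False),
        "internet_to_gw_ssh": Packet("vlan4", "tcp", "<gateway-wan-address>", 22, True),
    }
    return {name: evaluate(policy, rules, pkt) for name, pkt in cases.items()}


def lockout_examples():
    """(Figure 1 config, DNS-only config): only the first keeps management reachable."""
    dns_only = ["policy input drop", "input accept dport 53 proto udp"]
    return (management_reachable(*parse_rules(FIGURE1_CONFIG)),
            management_reachable(*parse_rules(dns_only)))


if __name__ == "__main__":
    for name, verdict in figure1_outcomes().items():
        print(f"{name:20s} -> {verdict}")
    print("management reachable (figure1, dns-only):", lockout_examples())
```

Running the block shows the Internet-to-port-80 packet being rewritten to 192.168.3.1:8080 and then accepted by the vlan4 forward rule, while Internet packets to the LANs or to the gateway's own services fall through to the drop policies; the DNS-only rule-set fails the lockout check because none of its input rules accept a management port.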
In a similar way other services can be reached by accepting the following protocol/port numbers:
- Modbus - tcp, port 502
- MlkII - udp, port 60000
- RIP - udp, port 520
- Telnet - tcp, port 23
- FTP - tcp, port 20-21 (not supported through NAT)
More port numbers can be found on Wikipedia.