Firewall HowTo
Introduction
This document describes some common firewall use cases and how to configure them in WeOS.
For more information, see the Firewall Configuration Guide.
Private Network With Web Server
Figure 1 shows a common network setup. Two LAN subnets and a WEB subnet are connected through a gateway and firewall to the Internet. The following example shows how the firewall can be configured so that devices on both LANs can communicate with each other, reach services on the gateway and connect to the web server, while devices on the Internet can reach only the web server and all other traffic from the Internet is dropped.
Desired outcome:
- All private subnets can communicate with each other.
- All private subnets can access services on the Gateway, such as DHCP.
- The web server is accessible from the LANs and from the Internet.
- All other traffic arriving from the Internet (WAN, vlan4) is dropped.
.--.-.
( ( )__
(_, \ ) ,_) Internet/Intranet
'-'--`--'
| WAN (vlan4) ^
.---+----. |
| | Public
+-----+ GW/FW +-----+ ------
| .99| |.99 | Private
LAN (vlan1) | '----+---' | LAN (vlan2) |
192.168.1.0/24 | |.99 | 192.168.2.0/24 V
----+----+ | +----+----
|.1 | |.1
.-+--. | .-+--.
| H2 | | | H3 |
'----' | '----'
|
----+---- WEB (vlan3)
|.1 192.168.3.0/24
.-+--.
| H1 |
'----'
example:/#> configure
example:/config/#> ip
example:/config/ip/#> firewall
example:/config/ip/firewall/#> policy input drop
example:/config/ip/firewall/#> policy forward drop
example:/config/ip/firewall/#> forward accept in vlan1
example:/config/ip/firewall/#> forward accept in vlan2
example:/config/ip/firewall/#> forward accept in vlan3
example:/config/ip/firewall/#> input accept in vlan1
example:/config/ip/firewall/#> input accept in vlan2
example:/config/ip/firewall/#> input accept in vlan3
example:/config/ip/firewall/#> port-forward in vlan4 dport 80 to-daddr 192.168.3.1 to-dport 8080 proto tcp
example:/config/ip/firewall/#> forward accept in vlan4 daddr 192.168.3.1 dport 8080 proto tcp
example:/config/ip/firewall/#> leave
Configuration activated. Remember "copy run start" to save to flash (NVRAM).
example:/#> copy run start
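To see how the rules above interact, here is an added Python model of this rule set (example code, not part of WeOS or of this guide). It assumes netfilter-style ordering, where the port-forward (DNAT) is applied before the forward filter, which is why the forward rule for the web server matches the translated port 8080 rather than 80; it treats packets addressed to one of the gateway's own addresses as input traffic and everything else as forward traffic; it uses a constructed WAN address 203.0.113.10 and a constructed Internet host 198.51.100.7, since the figure gives neither; and it classifies only the first packet of a connection, leaving return traffic to connection tracking.

```python
# Added example (not WeOS code): a model of how the rule set configured above
# classifies the first packet of a connection. Assumptions, labelled here:
#  - port-forward (DNAT) is applied before the forward filter, so forward
#    rules see the translated address and port (why the rule says dport 8080);
#  - packets addressed to one of the gateway's own addresses go to the input
#    chain, all others to the forward chain;
#  - WAN_ADDR is constructed; the figure on the page gives no WAN address;
#  - return traffic of accepted connections is left to connection tracking.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str                  # ingress interface, e.g. "vlan4"
    proto: str                  # "tcp", "udp", "icmp", ...
    saddr: str
    daddr: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """Match criteria of an input, forward or port-forward rule; None = any."""
    in_if: Optional[str] = None
    proto: Optional[str] = None
    daddr: Optional[str] = None
    dport: Optional[int] = None
    to_daddr: Optional[str] = None      # port-forward rules only
    to_dport: Optional[int] = None      # port-forward rules only

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.in_if, p.in_if), (self.proto, p.proto),
            (self.daddr, p.daddr), (self.dport, p.dport)))


@dataclass
class Firewall:
    input_policy: str
    forward_policy: str
    input_rules: list
    forward_rules: list
    port_forwards: list
    local_addrs: frozenset

    def evaluate(self, p: Packet):
        """Return (chain, verdict, packet as the filter sees it)."""
        for pf in self.port_forwards:           # DNAT first (assumption above)
            if pf.matches(p):
                p = replace(p, daddr=pf.to_daddr, dport=pf.to_dport or p.dport)
                break
        if p.daddr in self.local_addrs:
            chain, rules, policy = "input", self.input_rules, self.input_policy
        else:
            chain, rules, policy = "forward", self.forward_rules, self.forward_policy
        verdict = "accept" if any(r.matches(p) for r in rules) else policy
        return chain, verdict, p


WAN_ADDR = "203.0.113.10"     # constructed for the example

# The configuration above, transcribed rule for rule.
FW = Firewall(
    input_policy="drop", forward_policy="drop",
    input_rules=[Rule(in_if="vlan1"), Rule(in_if="vlan2"), Rule(in_if="vlan3")],
    forward_rules=[Rule(in_if="vlan1"), Rule(in_if="vlan2"), Rule(in_if="vlan3"),
                   Rule(in_if="vlan4", daddr="192.168.3.1", dport=8080, proto="tcp")],
    port_forwards=[Rule(in_if="vlan4", dport=80, proto="tcp",
                        to_daddr="192.168.3.1", to_dport=8080)],
    local_addrs=frozenset({"192.168.1.99", "192.168.2.99", "192.168.3.99", WAN_ADDR}),
)


def classify(in_if, proto, saddr, daddr, dport=None):
    """Return 'chain:verdict' plus the destination after any translation."""
    chain, verdict, p = FW.evaluate(Packet(in_if, proto, saddr, daddr, dport))
    return f"{chain}:{verdict}", p.daddr, p.dport


if __name__ == "__main__":
    cases = [
        ("vlan4", "tcp", "198.51.100.7", WAN_ADDR, 80),         # Internet -> web server
        ("vlan4", "tcp", "198.51.100.7", WAN_ADDR, 22),         # Internet -> ssh on gateway
        ("vlan4", "tcp", "198.51.100.7", "192.168.3.1", 8080),  # already addressed to the server
        ("vlan1", "tcp", "192.168.1.1", "192.168.3.1", 80),     # H2 -> web server
        ("vlan1", "udp", "192.168.1.1", "192.168.1.99", 67),    # H2 -> DHCP on gateway
        ("vlan2", "tcp", "192.168.2.1", "198.51.100.7", 443),   # H3 -> Internet
    ]
    for c in cases:
        print(c, "->", classify(*c))
```

Running it shows that a connection from the Internet to the WAN address on port 80 is rewritten to 192.168.3.1:8080 and forwarded, that ssh to the WAN address is dropped by the input policy, and that the LANs can reach the web server, the gateway services and the Internet. It also shows that the forward rule matches traffic arriving on vlan4 that is already addressed to 192.168.3.1:8080, which only matters if the upstream network can route to 192.168.3.0/24.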
Example rules to allow input packets to individual services
When the firewall is enabled, all packets addressed to the device itself are blocked unless the input policy is changed from drop to accept or an individual accept rule is created for each service that should be reachable.
Note: if no management access (ssh, http, https) is allowed on any interface, the device can no longer be managed once the firewall is enabled. Be careful not to lock yourself out; add the accept rule for the interface you are managing the device through before enabling the firewall.
Allow ssh access only on vlan1
example:/config/ip/firewall/#> input accept in vlan1 dport ssh proto tcp
Allow http access on any interface
example:/config/ip/firewall/#> input accept dport http proto tcp
Allow https access only on vlan1
example:/config/ip/firewall/#> input accept in vlan1 dport https proto tcp
Allow DNS access (tcp, port 53) on any interface
example:/config/ip/firewall/#> input accept dport 53 proto tcp
Allow DNS access (udp, port 53) on any interface
example:/config/ip/firewall/#> input accept dport 53 proto udp
Allow DHCP access on any interface (udp, port 67)
example:/config/ip/firewall/#> input accept dport 67 proto udp
Allow NTP on any interface (udp, port 123)
example:/config/ip/firewall/#> input accept dport 123 proto udp
Allow ping (ICMP) only on vlan2
example:/config/ip/firewall/#> input accept in vlan2 proto icmp
Allow traceroute on any interface
example:/config/ip/firewall/#> input accept proto udp dport 33434-33534
Allow tftp only on vlan1 (udp, port 69)
example:/config/ip/firewall/#> input accept in vlan1 dport 69 proto udp
Allow SNMP access on vlan1 (udp, portrange 161-162)
example:/config/ip/firewall/#> input accept in vlan1 dport 161-162 proto udp
Allow VRRP on interface vrrp1
example:/config/ip/firewall/#> input accept in vrrp1 proto carp
Allow OSPF on interface vlan1
example:/config/ip/firewall/#> input accept in vlan1 proto ospf
In the same way, other services can be made reachable by accepting their protocol and port numbers:
- Modbus - tcp, port 502
- MlkII - udp, port 60000
- RIP - udp, port 520
- Telnet - tcp, port 23
- FTP - tcp, port 20-21 (not supported through NAT)
More port numbers can be found on Wikipedia.
Status
As usual in WeOS there is a show command in the admin-exec context that can be used to view the current status.
example:/#> show ip firewall
Firewall is enabled.

Input Rules
Pos  Rule
001  input accept dport 22 proto tcp
002  input accept dport 80 proto tcp
N/A  drop

Forward Rules
Pos  Rule
N/A  drop

NAT Rules (NAPT/masquerading)
Pos  Rule

Port-Forward Rules
Pos  Rule

Application Level Gateway
Alg   Helpers
TFTP  ENABLED
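As an added example (not WeOS code), the following Python script parses the text of show ip firewall and reports on which interfaces ssh, http and https are accepted, which is the check behind the lockout warning in the previous section. The sample listing is the one shown above, transcribed, plus two constructed variants; the parser assumes the key/value rule syntax used on this page (in, dport, proto, saddr, daddr), with dport given as a number, a range such as 161-162, or a service name.

```python
# Added example (not WeOS code): audit a "show ip firewall" listing for
# management access (ssh/http/https) so the firewall is not enabled in a
# state that locks the operator out. Assumes the "key value" rule syntax
# used on this page; the sample listings are transcribed/constructed below.
import re

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}   # names accepted in dport
MGMT = ("ssh", "http", "https")

# Transcribed from the "show ip firewall" output on this page.
SAMPLE_SHOW = """\
Firewall is enabled.

Input Rules
Pos  Rule
001  input accept dport 22 proto tcp
002  input accept dport 80 proto tcp
N/A  drop

Forward Rules
Pos  Rule
N/A  drop

NAT Rules (NAPT/masquerading)
Pos  Rule

Port-Forward Rules
Pos  Rule

Application Level Gateway
Alg   Helpers
TFTP  ENABLED
"""

# Constructed variants: only DNS allowed (a lockout), and https on vlan1 only.
SAMPLE_LOCKED = "Input Rules\nPos  Rule\n001  input accept dport 53 proto udp\nN/A  drop\n"
SAMPLE_VLAN1 = "Input Rules\nPos  Rule\n001  input accept in vlan1 dport https proto tcp\nN/A  drop\n"

ROW = re.compile(r"^(\d{3}|N/A)\s+(.*)$")


def parse_input_rules(listing):
    """Return (policy, rules) from the Input Rules section; each rule is a
    dict of the key/value pairs that follow 'input accept'."""
    policy, rules, in_section = None, [], False
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("Pos"):
            continue
        m = ROW.match(line)
        if not m:                              # a section heading or banner
            in_section = line.startswith("Input Rules")
            continue
        if not in_section:
            continue
        pos, body = m.groups()
        if pos == "N/A":                       # the section's policy line
            policy = body
            continue
        toks = body.split()
        if toks[:2] == ["input", "accept"]:    # only accept rules grant access
            rules.append(dict(zip(toks[2::2], toks[3::2])))
    return policy, rules


def port_matches(spec, port):
    """dport spec: None (any), a service name, a number, or a range 'lo-hi'."""
    if spec is None:
        return True
    if spec in SERVICE_PORTS:
        return SERVICE_PORTS[spec] == port
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def management_access(listing):
    """Map each management service to the interfaces it is accepted on
    ('any' when the rule or the policy has no interface restriction)."""
    policy, rules = parse_input_rules(listing)
    access = {}
    for name in MGMT:
        port = SERVICE_PORTS[name]
        ifs = {"any"} if policy == "accept" else set()
        for r in rules:
            if r.get("proto") in (None, "tcp") and port_matches(r.get("dport"), port):
                ifs.add(r.get("in", "any"))
        access[name] = ifs
    return access


def lockout_risk(listing):
    """True when no management service is accepted on any interface."""
    return not any(management_access(listing).values())


if __name__ == "__main__":
    for name, sample in (("page", SAMPLE_SHOW), ("locked", SAMPLE_LOCKED), ("vlan1", SAMPLE_VLAN1)):
        print(name, management_access(sample), "lockout:", lockout_risk(sample))
```

For the listing above the script reports ssh and http accepted on any interface and https on none, so there is no lockout; the constructed DNS-only variant is flagged, and the vlan1-only variant shows that an operator connected through another VLAN would lose https access.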
Adding a further keyword, such as counters or conntrack, shows more detailed information. For instance, show ip firewall conntrack lists the connection tracking table of active network connections; entries marked [UNREPLIED] have seen no return traffic yet, and entries marked [ASSURED] have seen traffic in both directions.
example:/#> show ip firewall conntrack
[DESTROY] udp      17 src=169.254.159.156 dst=239.255.255.250 sport=1900 dport=1900 [UNREPLIED] src=239.255.255.250 dst=169.254.159.156 sport=1900 dport=1900
[DESTROY] udp      17 src=198.18.1.1 dst=239.255.255.250 sport=1900 dport=1900 [UNREPLIED] src=239.255.255.250 dst=198.18.1.1 sport=1900 dport=1900
[UPDATE] tcp      6 432000 ESTABLISHED src=198.18.1.99 dst=198.18.1.1 sport=36934 dport=22 src=198.18.1.1 dst=198.18.1.99 sport=22 dport=36934 [ASSURED] mark=0 use=1
[UPDATE] unknown  2 510 src=198.18.1.1 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=198.18.1.1 mark=0 use=1