migrate to git.charlotte.sh
This commit is contained in:
Charlotte Croce
commit
fbd588721e
412 changed files with 13750 additions and 0 deletions
197
net-sec-controls-sec350/machines/EDGE01.md
Normal file
197
net-sec-controls-sec350/machines/EDGE01.md
Normal file
|
|
@ -0,0 +1,197 @@
|
|||
# EDGE01 Configuration
|
||||
|
||||
## Initial Setup
|
||||
- Change password:
|
||||
```
|
||||
configure
|
||||
set system login user vyos authentication plaintext-password password123!
|
||||
commit
|
||||
save
|
||||
```
|
||||
- Change hostname:
|
||||
```
|
||||
configure
|
||||
set system host-name edge01-charlotte
|
||||
commit
|
||||
save
|
||||
```
|
||||
|
||||
## Interface Configuration
|
||||
```
|
||||
configure
|
||||
set interfaces ethernet eth0 description SEC350-WAN
|
||||
set interfaces ethernet eth1 description CHARLOTTE-DMZ
|
||||
set interfaces ethernet eth2 description CHARLOTTE-LAN
|
||||
set interfaces ethernet eth0 address 10.0.17.151/24
|
||||
set interfaces ethernet eth1 address 172.16.50.2/29
|
||||
set interfaces ethernet eth2 address 172.16.150.2/24
|
||||
commit
|
||||
save
|
||||
```
|
||||
## Gateway and DNS Configuration
|
||||
```
|
||||
configure
|
||||
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
|
||||
set system name-server 10.0.17.2
|
||||
commit
|
||||
save
|
||||
```
|
||||
## NAT Configuration
|
||||
```
|
||||
configure
|
||||
# DMZ to WAN NAT
|
||||
set nat source rule 10 description "NAT FROM DMZ to WAN"
|
||||
set nat source rule 10 outbound-interface eth0
|
||||
set nat source rule 10 source address 172.16.50.0/29
|
||||
set nat source rule 10 translation address masquerade
|
||||
|
||||
# LAN to WAN NAT
|
||||
set nat source rule 20 description "NAT FROM LAN to WAN"
|
||||
set nat source rule 20 outbound-interface eth0
|
||||
set nat source rule 20 source address 172.16.150.0/24
|
||||
set nat source rule 20 translation address masquerade
|
||||
|
||||
# MGMT to WAN NAT
|
||||
set nat source rule 30 description "NAT FROM MGMT to WAN"
|
||||
set nat source rule 30 outbound-interface eth0
|
||||
set nat source rule 30 source address 172.16.200.0/28
|
||||
set nat source rule 30 translation address masquerade
|
||||
|
||||
# Port Forwarding for HTTP
|
||||
set nat destination rule 10 description "HTTP->NGINX01"
|
||||
set nat destination rule 10 inbound-interface eth0
|
||||
set nat destination rule 10 destination port 80
|
||||
set nat destination rule 10 protocol tcp
|
||||
set nat destination rule 10 translation address 172.16.50.3
|
||||
|
||||
# Port Forwarding for SSH
|
||||
set nat destination rule 20 description "SSH->JUMP"
|
||||
set nat destination rule 20 inbound-interface eth0
|
||||
set nat destination rule 20 destination port 22
|
||||
set nat destination rule 20 protocol tcp
|
||||
set nat destination rule 20 translation address 172.16.50.4
|
||||
|
||||
commit
|
||||
save
|
||||
```
|
||||
## DNS Forwarding Configuration
|
||||
```
|
||||
configure
|
||||
# DMZ DNS Forwarding
|
||||
set service dns forwarding listen-address 172.16.50.2
|
||||
set service dns forwarding allow-from 172.16.50.0/29
|
||||
|
||||
# LAN DNS Forwarding
|
||||
set service dns forwarding listen-address 172.16.150.2
|
||||
set service dns forwarding allow-from 172.16.150.0/24
|
||||
|
||||
set service dns forwarding system
|
||||
commit
|
||||
save
|
||||
```
|
||||
|
||||
## Zone Configuration
|
||||
```
|
||||
configure
|
||||
set zone-policy zone WAN interface eth0
|
||||
set zone-policy zone DMZ interface eth1
|
||||
set zone-policy zone LAN interface eth2
|
||||
commit
|
||||
save
|
||||
```
|
||||
|
||||
## Firewall Configuration
|
||||
```
|
||||
configure
|
||||
# Create Zone-Based Firewalls
|
||||
|
||||
# WAN-to-DMZ
|
||||
set firewall name WAN-to-DMZ default-action drop
|
||||
set firewall name WAN-to-DMZ enable-default-log
|
||||
set firewall name WAN-to-DMZ rule 1 action accept
|
||||
set firewall name WAN-to-DMZ rule 1 state established enable
|
||||
set firewall name WAN-to-DMZ rule 10 description "allow HTTP from WAN to DMZ"
|
||||
set firewall name WAN-to-DMZ rule 10 action accept
|
||||
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
|
||||
set firewall name WAN-to-DMZ rule 10 destination port 80
|
||||
set firewall name WAN-to-DMZ rule 10 protocol tcp
|
||||
|
||||
set firewall name WAN-to-DMZ rule 20 action accept
|
||||
set firewall name WAN-to-DMZ rule 20 description "SSH to JUMP"
|
||||
set firewall name WAN-to-DMZ rule 20 destination address 172.16.50.4
|
||||
set firewall name WAN-to-DMZ rule 20 destination port 22
|
||||
set firewall name WAN-to-DMZ rule 20 protocol tcp
|
||||
|
||||
|
||||
# DMZ-to-WAN
|
||||
set firewall name DMZ-to-WAN default-action drop
|
||||
set firewall name DMZ-to-WAN enable-default-log
|
||||
set firewall name DMZ-to-WAN rule 1 action accept
|
||||
set firewall name DMZ-to-WAN rule 1 state established enable
|
||||
|
||||
# LAN-to-DMZ
|
||||
set firewall name LAN-to-DMZ default-action drop
|
||||
set firewall name LAN-to-DMZ enable-default-log
|
||||
set firewall name LAN-to-DMZ rule 1 action accept
|
||||
set firewall name LAN-to-DMZ rule 1 state established enable
|
||||
set firewall name LAN-to-DMZ rule 10 description "Allow HTTP from LAN to DMZ"
|
||||
set firewall name LAN-to-DMZ rule 10 action accept
|
||||
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
|
||||
set firewall name LAN-to-DMZ rule 10 destination port 80
|
||||
set firewall name LAN-to-DMZ rule 10 protocol tcp
|
||||
set firewall name LAN-to-DMZ rule 20 description "Allow SSH from MGMT-01 to DMZ"
|
||||
set firewall name LAN-to-DMZ rule 20 action accept
|
||||
set firewall name LAN-to-DMZ rule 20 destination port 22
|
||||
set firewall name LAN-to-DMZ rule 20 protocol tcp
|
||||
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10
|
||||
|
||||
# DMZ-to-LAN
|
||||
set firewall name DMZ-to-LAN default-action drop
|
||||
set firewall name DMZ-to-LAN enable-default-log
|
||||
set firewall name DMZ-to-LAN rule 1 action accept
|
||||
set firewall name DMZ-to-LAN rule 1 state established enable
|
||||
set firewall name DMZ-to-LAN rule 10 description "wazuh agent communication with server"
|
||||
set firewall name DMZ-to-LAN rule 10 action accept
|
||||
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
|
||||
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
|
||||
set firewall name DMZ-to-LAN rule 10 protocol tcp
|
||||
|
||||
# LAN-to-WAN
|
||||
set firewall name LAN-to-WAN default-action drop
|
||||
set firewall name LAN-to-WAN enable-default-log
|
||||
set firewall name LAN-to-WAN rule 1 action accept
|
||||
|
||||
# WAN-to-LAN
|
||||
set firewall name WAN-to-LAN default-action drop
|
||||
set firewall name WAN-to-LAN enable-default-log
|
||||
set firewall name WAN-to-LAN rule 1 action accept
|
||||
set firewall name WAN-to-LAN rule 1 state established enable
|
||||
|
||||
# Apply Zone Policies
|
||||
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
|
||||
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
|
||||
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
|
||||
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
|
||||
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
|
||||
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
|
||||
|
||||
commit
|
||||
save
|
||||
```
|
||||
## Rip Configuration
|
||||
```
|
||||
configure
|
||||
set protocols rip interface eth2
|
||||
set protocols rip network '172.16.50.0/29'
|
||||
commit
|
||||
save
|
||||
```
|
||||
|
||||
## SSH Configuration
|
||||
```
|
||||
# Restrict SSH access to LAN interface only
|
||||
configure
|
||||
set service ssh listen-address 172.16.150.2
|
||||
commit
|
||||
save
|
||||
```
|
||||
Loading…
Add table
Add a link
Reference in a new issue