Firewall

From VyOS Wiki

Basic Firewall

The purpose of this basic config is to give you a starting point (without setting up zones) if you have a VyOS router with a WAN interface that has a public IP address and a LAN network that you have configured to reach the internet through that WAN interface.

So first off, disable the services you don't need so that their ports are closed. You will need SSH to log in to your device, but you don't want the WAN interface to respond to TCP port 22 (SSH).

!

!!!!!!!!!!!!!!!!General settings!!!!!!!(adjust as needed)!!!!!!!!!!!
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
!
!!!!!!!!!!!!!!!!!!!!!BLOCK Active service on the WAN port ETH0!!!!!!!!!!!!!!!!!
!
set firewall name BLOCK-WAN-SSH default-action 'accept'
set firewall name BLOCK-WAN-SSH 'enable-default-log'
set firewall name BLOCK-WAN-SSH rule 5 action 'drop'
set firewall name BLOCK-WAN-SSH rule 5 destination port '22'
set firewall name BLOCK-WAN-SSH rule 5 protocol 'tcp'
set firewall name BLOCK-WAN-SSH rule 6 action 'drop'
set firewall name BLOCK-WAN-SSH rule 6 destination port '500'
set firewall name BLOCK-WAN-SSH rule 6 protocol 'udp'
!
set interfaces ethernet eth0 firewall local name 'BLOCK-WAN-SSH'
!
You can check the result from the outside with an online port scanner, for example: https://hackertarget.com/nmap-online-port-scanner/
!
My test results:
!
Starting Nmap 7.40 ( https://nmap.org ) at 2018-12-27 23:18 UTC
Nmap scan report for <YOUR DNS and IP would be here- but omitted for Security>
Host is up (0.062s latency).
PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   filtered ssh
23/tcp   closed   telnet
80/tcp   closed   http
110/tcp  closed   pop3
143/tcp  closed   imap
443/tcp  closed   https
3389/tcp closed   ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
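As an added example (not from the VyOS wiki page or the VyOS project), the script below cross-checks the two things shown above: it parses the `set firewall` lines into rulesets, evaluates the local policy attached to eth0 the way VyOS does (rules in numeric order, first match wins, then default-action), and then parses the Nmap output to confirm that each port the policy drops does not show up as open. The configuration lines and the Nmap report are copied inline as constructed input; the parser only understands the `set` forms used on this page, and the assumption that an unset default-action means drop is marked in the code.

```python
"""Audit helper: does the VyOS local policy on the WAN interface drop what we
think it drops, and does the external scan agree?  Added example, not page code."""
import re
from collections import defaultdict

# Constructed copy of the page's configuration; '!' banner lines are ignored.
CONFIG = """
!!!!!!!!!!!!!!!!General settings!!!!!!!(adjust as needed)!!!!!!!!!!!
set firewall syn-cookies 'enable'
set firewall name BLOCK-WAN-SSH default-action 'accept'
set firewall name BLOCK-WAN-SSH 'enable-default-log'
set firewall name BLOCK-WAN-SSH rule 5 action 'drop'
set firewall name BLOCK-WAN-SSH rule 5 destination port '22'
set firewall name BLOCK-WAN-SSH rule 5 protocol 'tcp'
set firewall name BLOCK-WAN-SSH rule 6 action 'drop'
set firewall name BLOCK-WAN-SSH rule 6 destination port '500'
set firewall name BLOCK-WAN-SSH rule 6 protocol 'udp'
set interfaces ethernet eth0 firewall local name 'BLOCK-WAN-SSH'
"""

# Constructed copy of the page's Nmap report (TCP-only scan).
NMAP = """Starting Nmap 7.40 ( https://nmap.org ) at 2018-12-27 23:18 UTC
Host is up (0.062s latency).
PORT     STATE    SERVICE
21/tcp   closed   ftp
22/tcp   filtered ssh
23/tcp   closed   telnet
80/tcp   closed   http
443/tcp  closed   https
Nmap done: 1 IP address (1 host up) scanned in 1.45 seconds
"""

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (action|protocol|destination port) '([^']+)'$")
DEFAULT_RE = re.compile(r"^set firewall name (\S+) default-action '([^']+)'$")
ATTACH_RE = re.compile(r"^set interfaces ethernet (\S+) firewall (local|in|out) name '([^']+)'$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+")


def parse_config(text):
    """Return (rulesets, attachments).
    rulesets: {name: {'default': action|None, 'rules': {num: {field: value}}}}
    attachments: {(iface, direction): ruleset name}"""
    rulesets = defaultdict(lambda: {"default": None, "rules": defaultdict(dict)})
    attachments = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if (m := RULE_RE.match(line)):
            name, num, field, value = m.groups()
            rulesets[name]["rules"][int(num)][field] = value
        elif (m := DEFAULT_RE.match(line)):
            rulesets[m.group(1)]["default"] = m.group(2)
        elif (m := ATTACH_RE.match(line)):
            attachments[(m.group(1), m.group(2))] = m.group(3)
    return rulesets, attachments


def verdict(rulesets, attachments, iface, proto, port):
    """First-match evaluation of the 'local' ruleset on iface for proto/port.
    Returns the matching rule's action, the default-action, or 'no-policy'."""
    name = attachments.get((iface, "local"))
    if name is None:
        return "no-policy"
    rs = rulesets[name]
    for num in sorted(rs["rules"]):          # VyOS evaluates rules in numeric order
        r = rs["rules"][num]
        if "protocol" in r and r["protocol"] != proto:
            continue                          # no protocol field: matches any protocol
        if "destination port" in r and r["destination port"] != str(port):
            continue                          # no port field: matches any port
        if "action" in r:
            return r["action"]
    # Assumption: VyOS treats an unset default-action as drop.
    return rs["default"] or "drop"


def parse_nmap(text):
    """Return {(proto, port): state} from Nmap's normal output."""
    states = {}
    for line in text.splitlines():
        if (m := PORT_RE.match(line)):
            port, proto, state = m.groups()
            states[(proto, int(port))] = state
    return states


def audit(config_text, nmap_text, iface="eth0", expect_dropped=(("tcp", 22), ("udp", 500))):
    """For each port the policy should drop: (proto, port, policy verdict, scan state, ok).
    ok is False if the policy does not drop it or the scan still reports it open."""
    rulesets, attachments = parse_config(config_text)
    scan = parse_nmap(nmap_text)
    findings = []
    for proto, port in expect_dropped:
        v = verdict(rulesets, attachments, iface, proto, port)
        seen = scan.get((proto, port), "not-scanned")
        findings.append((proto, port, v, seen, v == "drop" and seen != "open"))
    return findings


if __name__ == "__main__":
    for f in audit(CONFIG, NMAP):
        print(f)
```

Two things the output makes visible that the raw listing does not: ports outside rules 5 and 6 fall through to the ruleset's default-action 'accept', so anything else listening on the router is reachable from the WAN unless you add a rule for it; and the online scanner only probed TCP, so UDP/500 comes back as "not-scanned" rather than verified.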