Jump to content

Training Lab 2: Firewall Rules and Aliases

From MediawikiCIT


Lab 2: Interfaces, Firewall Rules, and Aliases
This hands-on lab covers configuring the HQ DMZ interface, building firewall rules, creating aliases, and applying restrictive access policies. All configuration is performed on fw1-HQ at https://172.17.1.1.

Prerequisites

  • Lab topology from Training Lab 1 is in place
  • HQ LAN: 172.17.1.0/24
  • HQ DMZ: 172.17.2.0/24
  • Access to fw1-HQ web interface and VPN connection

Lab Overview

This lab starts with configuring the DMZ interface at HQ, going through the steps to assign and configure a new interface. This new interface will be used as an example of configuring an additional internal interface treated as a DMZ, with significant restrictions to the other internal networks.

Then we'll go through use cases and examples for firewall rules and aliases. Some firewall rules come in the context of NAT, which is covered in a later lab.

Exercise 1: Configure the DMZ Interface

Step 1: Review Interface Assignments

Browse to Interfaces > Assign.

The firewall's interfaces are assigned in order, from vtnet0 to vtnet4. Our DMZ interface will be OPT1, which is assigned to vtnet2.

Step 2: Enable and Configure OPT1

Browse to Interfaces > OPT1 and configure:

Setting Value
Enable ✓ Checked
Description DMZ
IPv4 Configuration Type Static IPv4
IPv4 Address 172.17.2.1/24

Save and Apply Changes.

After saving, OPT1 is still the underlying identifier in config.xml, but the interface is displayed as DMZ.

Exercise 2: Test Connectivity to DMZ

Ping the DMZ Gateway

From the HQ-Client VM: 

training@hq-client:~$ ping 172.17.2.1
PING 172.17.2.1 (172.17.2.1) 56(84) bytes of data.
64 bytes from 172.17.2.1: icmp_seq=1 ttl=64 time=0.298 ms
64 bytes from 172.17.2.1: icmp_seq=2 ttl=64 time=0.979 ms
64 bytes from 172.17.2.1: icmp_seq=3 ttl=64 time=1.27 ms

Ping server1 from HQ-Client

training@hq-client:~$ ping -c 5 172.17.2.10
PING 172.17.2.10 (172.17.2.10) 56(84) bytes of data.
64 bytes from 172.17.2.10: icmp_seq=1 ttl=63 time=0.711 ms
64 bytes from 172.17.2.10: icmp_seq=2 ttl=63 time=1.75 ms
...
5 packets transmitted, 5 received, 0% packet loss

This ping traverses two virtual networks, so latency is roughly doubled. Steady replies indicate good connectivity.

Exercise 3: Connectivity from DMZ Network

Verify Default Block Behavior

Newly-added interfaces have no firewall rules by default. All traffic initiated on that interface is blocked.

Log in to server1 via SSH from HQ-client: 

training@hq-client:~$ ssh training@172.17.2.10
Password for training@server1: password

From server1, attempt to ping: 

training@server1:~ % ping -c 5 172.17.2.1
PING 172.17.2.1 (172.17.2.1): 56 data bytes
--- 172.17.2.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

training@server1:~ % ping google.com
ping: cannot resolve google.com: Host name lookup failure

Troubleshooting: Check ARP Cache

Check the ARP cache to confirm Layer 2 connectivity: 

training@server1:~ % arp -an
? (172.17.2.10) at 08:00:27:ec:c0:6b on em0 permanent [ethernet]
? (172.17.2.1) at 08:00:27:59:b4:35 on em0 expires in 139 seconds [ethernet]

A valid MAC address for the gateway confirms the server is on the correct network segment. An incomplete entry indicates a Layer 2 issue.

Check Firewall Logs

Browse to Status > System Logs > Firewall on fw1-HQ to see blocked traffic.

Add Temporary Allow-All Rule

On Firewall > Rules > DMZ, add a temporary rule:

Setting Value
Action Pass
Interface DMZ
Protocol any
Source any
Destination any

Save and Apply Changes.

Verify connectivity from server1: 

training@server1:~ % ping -c 3 172.17.2.1
training@server1:~ % ping -c 3 google.com
training@server1:~ % ping -c 3 172.17.1.100

All three should succeed with the allow-all rule in place.

Exercise 4: Create Aliases

Aliases ease management by grouping IPs, networks, or ports.

Browse to Firewall > Aliases.

Alias: PrivateNetworks

Field Value
Name PrivateNetworks
Description All RFC1918 private IP space
Type Network
Members 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Alias: server1

Field Value
Name server1
Description server1.example.com
Type Host
Member 172.17.2.10

Alias: server2

Field Value
Name server2
Description server2.example.com
Type Host
Member 172.17.2.20

Alias: DNSservers

Field Value
Name DNSservers
Type Host
Members server1, server2

Alias: SMTPservers

Field Value
Name SMTPservers
Description authorized outbound SMTP servers
Type Host
Members server1

Alias: RemoteAdmin

Field Value
Name RemoteAdmin
Description IPs authorized for remote management
Type Host
Members 192.0.2.100 (student's system)

Alias: WebServers

Field Value
Name WebServers
Description publicly-reachable web servers
Type Host
Members server1, server2

Alias: WebPorts

Field Value
Name WebPorts
Description allowed ports to public web servers
Type Ports
Members 80, 443

Save each alias, then Apply Changes.

Exercise 5: Allow Remote Firewall Administration

Add a rule on Firewall > Rules > WAN:

Setting Value
Interface WAN
Protocol any
Source Single host or alias — RemoteAdmin
Destination WAN address
Description allow all from remote admin IPs

Save and Apply Changes.

Verify from your host: 

$ ping 192.0.2.2
$ curl -I https://192.0.2.2

Exercise 6: Configure Restrictive DMZ Rules

Remove the temporary allow-all rule (or ensure it is at the top, to be deleted later). Then add the following rules in order using the Add button (add to bottom):

Rule 1: Allow Ping to Firewall DMZ IP

Setting Value
Action Pass
Interface DMZ
Protocol ICMP
ICMP Type Echo request
Source DMZ net
Destination DMZ address
Description Allow ping to firewall's DMZ IP

Rule 2: Allow DNS to DMZ IP

Setting Value
Action Pass
Interface DMZ
Protocol TCP/UDP
Source DMZ net
Destination DMZ address
Destination Port DNS (53)
Description Allow DNS lookups to DNS Resolver

Rule 3: Reject All Else to Private Networks

Setting Value
Action Reject
Interface DMZ
Protocol any
Source any
Destination Single host or alias — PrivateNetworks
Log ✓ Checked
Description Reject all else from DMZ to private networks

This prevents DMZ hosts from reaching any other internal services and logs blocked attempts.

Rule 4: Allow DNS Outbound to Internet

Setting Value
Action Pass
Interface DMZ
Protocol TCP/UDP
Source Single host or alias — DNSservers
Destination any
Destination Port DNS (53)
Description Allow recursive queries from DNS servers to Internet

Rule 5: Allow SMTP Outbound to Internet

Setting Value
Action Pass
Interface DMZ
Protocol TCP
Source Single host or alias — SMTPservers
Destination any
Destination Port SMTP (25)
Description Allow SMTP servers to send to Internet

Rule 6: Allow HTTP Outbound for Management (Disabled)

Setting Value
Action Pass
Disabled ✓ Checked
Interface DMZ
Protocol TCP
Source DMZ net
Destination any
Destination Port HTTP (80)
Description Management — temp allow HTTP outbound from servers

This rule is disabled by default and should only be enabled during updates.

Save and Apply Changes after each rule.

Exercise 7: Verify Restrictive Ruleset

Review Rule Order

Ensure the temporary allow-all rule is at the top. With it at the top, all traffic matches it first and the restrictive rules are ineffective.

From server1, start a constant ping to HQ-client: 

training@server1:~ % ping 172.17.1.100

Replies confirm the allow-all rule is passing traffic.

Delete Allow-All Rule

Delete the temporary allow-all rule and Apply Changes.

The restrictive ruleset is now enforced for all new connections. The running ping is still permitted because the firewall is stateful — already-permitted connections are never re-evaluated.

Kill the Ping State

Browse to Diagnostics > States. Filter for 172.17.2.10: (note the colon to avoid matching similar IPs). Click the symbol next to the ping state to delete it.

The ping stops immediately.

Check Firewall Logs

Browse to Status > System Logs > Firewall. Log entries show the blocked traffic.

Click the red X in the Action column on a log entry to see which rule blocked the connection. User-defined rules show USER_RULE with the configured description.

Troubleshooting Reference

Symptom Likely Cause Resolution
Cannot ping gateway from DMZ host No firewall rules on DMZ interface Add pass rule or verify existing rules
Cannot resolve DNS from DMZ DNS port blocked; no DNS rule Add TCP/UDP pass rule to DMZ address port 53
Can reach Internet but not HQ LAN Reject rule to PrivateNetworks is working Verify rule order and alias contents
Ping stops after deleting allow-all rule Stateful firewall; existing state was killed Expected behavior — new connections follow current rules
Cannot SSH to server1 Layer 2 / ARP issue or VPN problem Check arp -an on server1; verify MAC address
Firewall web UI unreachable from WAN No WAN allow rule for remote admin Add WAN rule with RemoteAdmin alias as source

IP Addressing Quick Reference

Host / Network IP Address / Range
fw1-HQ LAN 172.17.1.1/24
fw1-HQ DMZ 172.17.2.1/24
fw1-HQ WAN 192.0.2.2
HQ-Client 172.17.1.100
server1 172.17.2.10
server2 172.17.2.20
RemoteAdmin 192.0.2.100
HQ LAN Network 172.17.1.0/24
HQ DMZ Network 172.17.2.0/24

Lab Completion Checklist

  • [ ] DMZ interface enabled and configured (172.17.2.1/24)
  • [ ] Connectivity tested from HQ-Client to DMZ
  • [ ] Default block behavior verified from DMZ
  • [ ] Aliases created (PrivateNetworks, DNSservers, SMTPservers, RemoteAdmin, WebServers, WebPorts, server1, server2)
  • [ ] Remote admin rule added on WAN
  • [ ] Restrictive DMZ rules configured and applied
  • [ ] Stateful behavior demonstrated (ping continues after rule change, stops after state kill)
  • [ ] Firewall logs reviewed and interpreted

This concludes Lab 2.

Previous Module: Section 2 — Interfaces and Firewall Rules

Source: Netgate FUND001-LIVE-Lab2-Rules.pdf

Retrieved from "https://mediawiki.comfac.net/index.php?title=Training_Lab_2:_Firewall_Rules_and_Aliases&oldid=228"