New Member
Posts: 22
Registered: ‎05-07-2018
Solutions: 1
Accepted Solution

Zone Based FW on ERL3

Hello,

I just followed a guide on setting up a zone-based firewall on the ERL3, but for the life of me I can't figure out where I need to add rules to allow traffic onto the LAN and then allow the LAN machine to communicate back out to the WAN. I need to allow RDP 3389 TCP/UDP traffic from the WAN to LAN and then LAN to WAN for the return traffic.

Here is my FW configuration:

show firewall
 all-ping enable
 broadcast-ping disable
 ipv6-name allow-all-6 {
     default-action accept
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
     rule 100 {
         action accept
         protocol ipv6-icmp
     }
 }
 ipv6-name allow-est-drop-inv-6 {
     default-action drop
     enable-default-log
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
     rule 100 {
         action accept
         protocol ipv6-icmp
     }
 }
 ipv6-name lan-local-6 {
     default-action drop
     enable-default-log
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
     rule 100 {
         action accept
         protocol ipv6-icmp
     }
     rule 200 {
         action accept
         description "Allow HTTP/HTTPS"
         destination {
             port 80,443
         }
         protocol tcp
     }
     rule 600 {
         action accept
         description "Allow DNS"
         destination {
             port 53
         }
         protocol tcp_udp
     }
     rule 700 {
         action accept
         description "Allow DHCP"
         destination {
             port 67,68
         }
         protocol udp
     }
     rule 800 {
         action accept
         description "Allow SSH"
         destination {
             port 22
         }
         protocol tcp
     }
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name allow-all {
     default-action accept
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
 }
 name allow-est-drop-inv {
     default-action drop
     enable-default-log
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
 }
 name lan-local {
     default-action drop
     enable-default-log
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action drop
         log enable
         state {
             invalid enable
         }
     }
     rule 100 {
         action accept
         protocol icmp
     }
     rule 200 {
         action accept
         description "Allow HTTP/HTTPS"
         destination {
             port 80,443
         }
         protocol tcp
     }
     rule 600 {
         action accept
         description "Allow DNS"
         destination {
             port 53
         }
         protocol tcp_udp
     }
     rule 700 {
         action accept
         description "Allow DHCP"
         destination {
             port 67,68
         }
         protocol udp
     }
     rule 800 {
         action accept
         description "Allow SSH"
         destination {
             port 22
         }
         protocol tcp
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
#ZONES
edit zone-policy zone LOCAL
set default-action drop
set local-zone
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from LAN firewall name lan-local
set from LAN firewall ipv6-name lan-local-6
top


edit zone-policy zone LAN
set default-action drop
set interface eth0
set from LOCAL firewall name allow-all
set from LOCAL firewall ipv6-name allow-all-6
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
top

edit zone-policy zone WAN
set default-action drop
set interface eth1
set from LOCAL firewall name allow-all
set from LOCAL firewall ipv6-name allow-all-6
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top

All Replies
SuperUser
Posts: 8,567
Registered: ‎01-05-2012
Kudos: 2260
Solutions: 1142

Re: Zone Based FW on ERL3

For IPv4, something like

configure
set firewall name wan2lan default-action drop
set firewall name wan2lan rule 10 action accept
set firewall name wan2lan rule 10 state established enable
set firewall name wan2lan rule 10 state related enable
set firewall name wan2lan rule 20 action drop
set firewall name wan2lan rule 20 state invalid enable
set firewall name wan2lan rule 30 action accept
set firewall name wan2lan rule 30 protocol tcp_udp
set firewall name wan2lan rule 30 destination port 3389
set zone-policy zone LAN from WAN firewall name wan2lan
commit

In the wan2lan rule 30 you can declare the destination IP address (the same one you probably already have in the port-forward/DNAT rule).

Cheers,

jonatha

New Member

Re: Zone Based FW on ERL3

So if what I am thinking is correct, the zone-policy below is responsible for traffic coming onto the LAN:

edit zone-policy zone LAN
set default-action drop
set interface eth0
set from LOCAL firewall name allow-all
set from LOCAL firewall ipv6-name allow-all-6
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
top

Therefore I need to add the RDP rule to allow-est-drop-inv?

Something like this:

edit firewall name allow-est-drop-inv
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
set rule 3 action accept
set rule 3 protocol tcp_udp
set rule 3 destination port 3389

SuperUser

Re: Zone Based FW on ERL3

More or less, yes ...

New Member

Re: Zone Based FW on ERL3

More or less?? :)

It either is or isn't, no?

SuperUser

Re: Zone Based FW on ERL3

Yes, I mean... sometimes the same ruleset is used for more than one zone-pair; if you declare that rule for RDP in that ruleset, the rule may still be valid even if the same ruleset is re-used for another zone-pair where maybe you don't need, or you don't want, that rule. But for this zone-pair, it is OK.
Cheers,
jonatha

New Member

Re: Zone Based FW on ERL3

So what would be the best way to apply it for traffic coming in only to the LAN? Create a dedicated ruleset for LAN to WAN?

edit firewall name wan-2lan
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
set rule 3 action accept
set rule 3 protocol tcp_udp
set rule 3 destination port 3389
top
edit zone-policy zone LAN
set default-action drop
set interface eth0
set from LOCAL firewall name allow-all
set from LOCAL firewall ipv6-name allow-all-6
set from WAN firewall name wan-2lan
top

SuperUser

Re: Zone Based FW on ERL3

I use, for each zone-pair, its own ruleset, e.g. zone 01wan, zone 02guests, firewall name 01wan_2_02guests and firewall name 02guests_2_01wan, 03self (local-zone), 04staff, 05unifi, 06vpn, and so on; but since you (currently) have few zone-pairs and few firewall rulesets, it doesn't matter so much...
Cheers,
jonatha

Edit... generally speaking, rather than creating the rules 1, 2, 3... use 10, 20, 30 and so on; this way, if you need to put a rule in between the first and the second rule, you can easily do it without moving all the rules.
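
To make the two points in this thread concrete (the dedicated wan2lan ruleset from the first reply, with the destination address it suggests, and the warning that a ruleset shared between zone-pairs carries its RDP rule into every pair it is bound to), here is an added Python model of how a zone-based stateful firewall evaluates traffic. It is an illustration written for this page, not EdgeOS code and not from anyone in the thread: the parser understands only the `set firewall name ...` and `set zone-policy zone ... from ... firewall name ...` forms used above, the ruleset name lan2wan, the addresses 192.168.1.10, 192.168.1.20, 192.168.1.1, 203.0.113.5 and 198.51.100.7 and all packets are constructed, and conntrack is reduced to a set of accepted 5-tuples.

```python
"""Toy evaluator for the EdgeOS-style zone-policy commands in this thread (added
example, not EdgeOS code). The firewall picks the ruleset bound to a (from-zone ->
to-zone) pair, walks its rules in numeric order and falls back to the ruleset's
default-action; conntrack is a set of accepted 5-tuples, so replies are established."""
import ipaddress
import shlex
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "from_zone to_zone proto src sport dst dport")


class ZoneFirewall:
    def __init__(self, config):
        self.rules = defaultdict(dict)  # ruleset -> {number: {option: value}}
        self.defaults = {}              # ruleset -> default-action
        self.bindings = {}              # (from_zone, to_zone) -> ruleset name
        self.conntrack = set()          # accepted (proto, src, sport, dst, dport)
        for line in config.strip().splitlines():
            tok = shlex.split(line)
            if tok[:3] == ["set", "firewall", "name"] and tok[4] == "default-action":
                self.defaults[tok[3]] = tok[5]
            elif tok[:3] == ["set", "firewall", "name"] and tok[4] == "rule":
                # "rule 30 destination port 3389" -> {"destination port": "3389"}
                self.rules[tok[3]].setdefault(int(tok[5]), {})[" ".join(tok[6:-1])] = tok[-1]
            elif tok[:3] == ["set", "zone-policy", "zone"] and tok[6:8] == ["firewall", "name"]:
                self.bindings[(tok[5], tok[3])] = tok[8]  # traffic from tok[5] into zone tok[3]

    @staticmethod
    def _matches(rule, pkt, state):
        states = [k.split()[1] for k, v in rule.items() if k.startswith("state ") and v == "enable"]
        if states and state not in states:
            return False
        proto = rule.get("protocol")
        if proto and proto != pkt.proto and not (proto == "tcp_udp" and pkt.proto in ("tcp", "udp")):
            return False
        ports = rule.get("destination port")
        if ports and pkt.dport not in [int(p) for p in ports.split(",")]:
            return False
        addr = rule.get("destination address")
        if addr and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(addr, strict=False):
            return False
        return True

    def evaluate(self, pkt):
        """Return (verdict, reason); accepted flows are recorded in conntrack."""
        name = self.bindings.get((pkt.from_zone, pkt.to_zone))
        if name is None:  # nothing bound for this zone-pair: the zone's default-action drop applies
            return "drop", "no ruleset bound to this zone-pair"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = "established" if reverse in self.conntrack else "new"
        for num, rule in sorted(self.rules[name].items()):
            if self._matches(rule, pkt, state):
                verdict, reason = rule["action"], f"{name} rule {num}"
                break
        else:
            verdict, reason = self.defaults.get(name, "drop"), f"{name} default-action"
        if verdict == "accept":
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict, reason


# Constructed configs. DEDICATED: the thread's wan2lan ruleset plus a destination address, one
# ruleset per zone-pair. SHARED: allow-est-drop-inv with RDP added as rule 3, bound to two pairs.
DEDICATED = """
set firewall name wan2lan default-action drop
set firewall name wan2lan rule 10 action accept
set firewall name wan2lan rule 10 state established enable
set firewall name wan2lan rule 10 state related enable
set firewall name wan2lan rule 30 action accept
set firewall name wan2lan rule 30 protocol tcp_udp
set firewall name wan2lan rule 30 destination port 3389
set firewall name wan2lan rule 30 destination address 192.168.1.10
set firewall name lan2wan default-action accept
set zone-policy zone LAN from WAN firewall name wan2lan
set zone-policy zone WAN from LAN firewall name lan2wan
"""
SHARED = """
set firewall name allow-est-drop-inv default-action drop
set firewall name allow-est-drop-inv rule 1 action accept
set firewall name allow-est-drop-inv rule 1 state established enable
set firewall name allow-est-drop-inv rule 3 action accept
set firewall name allow-est-drop-inv rule 3 protocol tcp_udp
set firewall name allow-est-drop-inv rule 3 destination port 3389
set zone-policy zone LAN from WAN firewall name allow-est-drop-inv
set zone-policy zone LOCAL from WAN firewall name allow-est-drop-inv
"""


def run_scenarios():
    """Constructed packets: WAN client 203.0.113.5, RDP host 192.168.1.10, router 192.168.1.1."""
    flows = [
        ("rdp_in", Packet("WAN", "LAN", "tcp", "203.0.113.5", 51000, "192.168.1.10", 3389)),
        ("rdp_reply", Packet("LAN", "WAN", "tcp", "192.168.1.10", 3389, "203.0.113.5", 51000)),
        ("other_host", Packet("WAN", "LAN", "tcp", "203.0.113.5", 51000, "192.168.1.20", 3389)),
        ("lan_out", Packet("LAN", "WAN", "tcp", "192.168.1.10", 40000, "198.51.100.7", 443)),
        ("lan_out_reply", Packet("WAN", "LAN", "tcp", "198.51.100.7", 443, "192.168.1.10", 40000)),
        ("to_router", Packet("WAN", "LOCAL", "tcp", "203.0.113.5", 51001, "192.168.1.1", 3389)),
    ]
    fw = ZoneFirewall(DEDICATED)
    dedicated = {name: fw.evaluate(pkt) for name, pkt in flows}
    shared_to_router = ZoneFirewall(SHARED).evaluate(flows[-1][1])  # same packet, shared ruleset
    return dedicated, shared_to_router
```

Calling `run_scenarios()` shows the behaviour the thread describes: with dedicated rulesets the unsolicited RDP connection is accepted by wan2lan rule 30 only for 192.168.1.10, its reply leaves through lan2wan's default accept (the LAN-to-WAN direction is allow-all, which is why no extra return rule is needed), the return packets of a LAN-initiated HTTPS session match wan2lan rule 10 as established, and RDP aimed at the router's own address is dropped because nothing is bound for WAN-to-LOCAL. With the shared allow-est-drop-inv ruleset the same packet to the router is accepted by rule 3: the rule follows the ruleset into every zone-pair it is bound to.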

New Member

Re: Zone Based FW on ERL3

Thanks Redfive,

I'm gonna deploy this tomorrow; I'm sure I'll have some more questions.