[code review request] - newbie looking for configuration advice


#1

Hi,
I think I have just about finished making my first configuration and I am seeking advice.
I would like someone to take a look at my configuration and tell me:
A. Am I going about firewalls the right way (i.e. filtering on LAN rather than WAN, etc.)?
B. Are my NAT, load-balancing and static routes correct (i.e. subnets)?
C. Am I using the correct addresses?

I have the following:
2 ISP interfaces, with IPs assigned through their DHCP servers
1 LAN interface
A pair of DNS servers on 10.40.0.1 and 10.40.0.3

My aim is to use VyOS mainly as a firewall and load balancer.
I want my LAN to provide DHCP, DNS and NAT for itself.
So I would want my DNS servers to be able to reach out to the Internet DNS servers, with no caching in VyOS.

I am also trying to perform egress filtering, so that I am not spewing out random/bad stuff.

Let me know if you need more specific details.

Oh yes, I have not configured time servers yet.

show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap enable
    group {
        address-group AG-WEB-1 {
            address 10.50.0.100
        }
        network-group NG-BLACKLISTED {
            network 1.1.1.1/32
        }
        network-group NG-DMZ {
            network 10.50.0.0/24
        }
        network-group NG-LAN {
            network 10.30.0.0/24
        }
        network-group NG-MANAGEMENT {
            network 10.30.0.251/32
            network 10.30.0.252/32
        }
        network-group NG-WAN {
            network 192.168.4.0/24
            network 192.168.1.0/24
        }
        port-group PG-DHCP {
            port 67
        }
        port-group PG-DNS {
            port 53
        }
        port-group PG-NTP {
            port 123
        }
        port-group PG-SNMP {
            port 161
        }
        port-group PG-SSH {
            port 52222
        }
        port-group PG-WEB {
            port 80
            port 443
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ-IN {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1001 {
            action drop
            description "Block traffic TO Blacklisted"
            destination {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
    }
    name DMZ-LOCAL {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 1020 {
            action accept
            description "Allow Ping traffic"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 1030 {
            action accept
            description "Allow DHCP traffic"
            destination {
                group {
                    port-group PG-DHCP
                }
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 1040 {
            action accept
            description "Allow DNS traffic"
            destination {
                group {
                    port-group PG-DNS
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 1050 {
            action accept
            description "Allow Time traffic"
            destination {
                group {
                    port-group PG-NTP
                }
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 1100 {
            action drop
            description "Limit rate of SSH FROM management network"
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            recent {
                count 4
                time 30
            }
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
        rule 1101 {
            action accept
            description "Allow SSH FROM management network"
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
        rule 1110 {
            action accept
            description "Allow SNMP traffic"
            destination {
                group {
                    port-group PG-SNMP
                }
            }
            protocol udp
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
    }
    name DMZ-OUT {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1001 {
            action drop
            description "Block traffic TO Blacklisted"
            destination {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 1020 {
            action accept
            description "Allow Ping traffic"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 4000 {
            action accept
            description "Allow WebServer traffic"
            destination {
                group {
                    address-group AG-WEB-1
                    port-group PG-WEB
                }
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 9000 {
            action accept
            description "Allow traffic FROM LAN"
            source {
                group {
                    network-group NG-LAN
                }
            }
            state {
                new enable
            }
        }
    }
    name LAN-IN {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1001 {
            action drop
            description "Block traffic TO Blacklisted"
            destination {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 9000 {
            action accept
            description "Allow traffic FROM LAN"
            source {
                group {
                    network-group NG-LAN
                }
            }
            state {
                new enable
            }
        }
    }
    name LAN-LOCAL {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 1020 {
            action accept
            description "Allow Ping traffic"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 1030 {
            action accept
            description "Allow DHCP traffic"
            destination {
                group {
                    port-group PG-DHCP
                }
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 1040 {
            action accept
            description "Allow DNS traffic"
            destination {
                group {
                    port-group PG-DNS
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 1050 {
            action accept
            description "Allow Time traffic"
            destination {
                group {
                    port-group PG-NTP
                }
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 1100 {
            action drop
            description "Limit rate of SSH FROM management network"
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            recent {
                count 4
                time 30
            }
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
        rule 1101 {
            action accept
            description "Allow SSH FROM management network"
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
        rule 1110 {
            action accept
            description "Allow SNMP traffic"
            destination {
                group {
                    port-group PG-SNMP
                }
            }
            protocol udp
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
    }
    name LAN-OUT {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1001 {
            action drop
            description "Block traffic TO Blacklisted"
            destination {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 1020 {
            action accept
            description "Allow Ping traffic"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
    }
    name WAN-LOCAL {
        default-action drop
        rule 1000 {
            action drop
            description "Block traffic FROM Blacklisted"
            source {
                group {
                    network-group NG-BLACKLISTED
                }
            }
        }
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 1020 {
            action accept
            description "Allow Ping traffic"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 1100 {
            action drop
            description "Limit rate of SSH FROM management network"
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            recent {
                count 3
                time 30
            }
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
        rule 1101 {
            action accept
            description "Allow SSH FROM management network"
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
        rule 1110 {
            action accept
            description "Allow SNMP traffic"
            destination {
                group {
                    port-group PG-SNMP
                }
            }
            protocol udp
            source {
                group {
                    network-group NG-MANAGEMENT
                }
            }
            state {
                new enable
            }
        }
    }
    name WAN-OUT {
        default-action drop
        rule 1010 {
            action accept
            description "Allow Established and Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 1011 {
            action drop
            description "Block Invalid traffic"
            state {
                invalid enable
            }
        }
        rule 9000 {
            action accept
            description "Allow traffic FROM LAN"
            source {
                group {
                    network-group NG-LAN
                }
            }
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects disable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN Cable 1"
        duplex auto
        firewall {
            local {
                name WAN-LOCAL
            }
            out {
                name WAN-OUT
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.30.0.254/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN-IN
            }
            local {
                name LAN-LOCAL
            }
            out {
                name LAN-OUT
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description "WAN Phone 1"
        duplex auto
        firewall {
            local {
                name WAN-LOCAL
            }
            out {
                name WAN-OUT
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        address 10.50.0.254/24
        description DMZ
        duplex auto
        firewall {
            in {
                name DMZ-IN
            }
            local {
                name DMZ-LOCAL
            }
            out {
                name DMZ-OUT
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
load-balancing {
    wan {
        interface-health eth0 {
            failure-count 3
            nexthop 192.168.4.254
            success-count 10
            test 10 {
                resp-time 5
                target 8.8.8.8
                ttl-limit 1
                type ping
            }
        }
        interface-health eth2 {
            failure-count 3
            nexthop 192.168.1.254
            success-count 10
            test 10 {
                resp-time 5
                target 8.8.8.8
                ttl-limit 1
                type ping
            }
        }
        rule 10 {
            inbound-interface eth1
            interface eth0 {
                weight 1
            }
            interface eth2 {
                weight 1
            }
            protocol all
        }
    }
}
nat {
    source {
        rule 1 {
            description "NAT inside to Cable 1"
            outbound-interface eth0
            source {
                address 10.30.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 2 {
            description "NAT inside to Phone 1"
            outbound-interface eth2
            source {
                address 10.30.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.254 {
                distance 2
            }
            next-hop 192.168.4.254 {
                distance 2
            }
        }
    }
}
service {
    dhcp-server {
        disabled true
        shared-network-name GATE {
            authoritative disable
            subnet 10.30.0.0/24 {
                default-router 10.30.0.254
                dns-server 8.8.8.8
                domain-name in.feanor.me.uk
                lease 86400
                start 10.30.0.10 {
                    stop 10.30.0.240
                }
            }
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user xxxx {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 10.40.0.1
    name-server 10.40.0.3
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ****************
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

Thanks
Apa
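As an added example (not code from the post or from VyOS), a small Python lint that parses a 'show configuration' dump and checks whether the port sshd actually listens on is one that an accept rule of a LOCAL ruleset admits for new connections. It runs on a constructed excerpt built from the groups, the WAN-LOCAL rule and the service block above, where PG-SSH holds 52222 while service ssh listens on port 22; it assumes plain single port numbers in rules and port-groups.

```python
# Constructed excerpt in the shape of the 'show configuration' dump above, not the
# full config: PG-SSH carries 52222 while service ssh listens on port 22.
SAMPLE_CONFIG = """\
firewall {
    group {
        port-group PG-SSH {
            port 52222
        }
    }
    name WAN-LOCAL {
        default-action drop
        rule 1101 {
            action accept
            destination {
                group {
                    port-group PG-SSH
                }
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
"""

def parse(text):
    """Nested dicts from 'show configuration' text; leaves are lists since keys repeat."""
    root, stack = {}, []
    node = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            for word in line[:-1].split():  # 'rule 1101 {' -> node['rule']['1101']
                node = node.setdefault(word, {})
        else:
            key, _, value = line.partition(" ")
            node.setdefault(key, []).append(value)
    return root

def new_tcp_ports_accepted(cfg, ruleset):
    """Destination ports on which an accept rule of `ruleset` admits a NEW TCP
    connection. None means some accept rule carries no port restriction at all."""
    groups = cfg["firewall"].get("group", {}).get("port-group", {})
    ports = set()
    for rule in cfg["firewall"]["name"][ruleset].get("rule", {}).values():
        state = rule.get("state", {})
        if rule.get("action") != ["accept"] or (state and state.get("new") != ["enable"]):
            continue  # drop rules, or rules that match established/related traffic only
        if rule.get("protocol", ["all"])[0] not in ("tcp", "tcp_udp", "all"):
            continue  # udp/icmp rules cannot admit a TCP connection
        dst = rule.get("destination", {})
        names = dst.get("group", {}).get("port-group", [])
        listed = dst.get("port", []) + [p for g in names for p in groups.get(g, {}).get("port", [])]
        if not listed and not names:
            return None  # accept with no destination port at all: every port is open
        ports.update(int(p) for p in listed)  # assumes plain port numbers, not ranges
    return ports

def ssh_allowed(cfg, ruleset):
    """True when the port sshd is configured to listen on is admitted by `ruleset`."""
    ports = new_tcp_ports_accepted(cfg, ruleset)
    return ports is None or int(cfg["service"]["ssh"]["port"][0]) in ports

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print("sshd reachable through WAN-LOCAL:", ssh_allowed(cfg, "WAN-LOCAL"))
```

Run against a full dump, the same check applies to every ruleset attached as `local` on an interface; with default-action drop, a port that no accept rule admits is silently unreachable.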


#2

Anyone?


#3

Come on folks. I am looking for advice from people who actually use this in professional systems.
A little guidance, best practices.
For all I know my current config could be holier than the Turin Shroud.


#4

Hi Apa, firstly, I’m a bit of a newbie myself. Some of the concepts in your configuration are probably beyond me at this stage. However, if the response rate continues the way it is going, I think you may find what little I have to say here useful.

Do you have a test environment on which you could simulate most of the configuration you have built?

My advice is to build a test environment where you can test most of the configuration and post back here if you have trouble with a particular configuration section/element. I’m sure you’ll get much more of a response with this approach.

For your query (A) I also suggest reading up on some best practices from Cisco here; obviously there might be a lot of Cisco-specific stuff, but I think you would get a general idea.

Would help you more comprehensively if I could… But I hope that was of some use.


#5

@uengin
Yes, the lack of responses is disappointing.
The configuration is running in a test environment.
Well, test plus.

I think the issue with responses is that I am not asking a specific enough question.
Whilst building the configuration and trying to understand it I have had to make some assumptions.
Maybe if I write another thread and ask one at a time I may get someone brave enough to help.

Either that or eventually someone will post.


#6

So here I am posting guidance for myself.

Seems I do not require this:

protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.254 {
                distance 2
            }
            next-hop 192.168.4.254 {
                distance 2
            }
        }
    }
}

Why?
After some reading and thinking this is my reasoning as to why I do not need that part of my configuration.

I am using load-balancing.
During testing I noticed that there was a failure to change from failed to active.
I thought that might be due to the order of my static routes.
Reading further, I realized that in the examples for load-balancing, the static routes were for testing purposes.
Load-balancing itself chooses which interface to use to connect to the internet.
Therefore load-balancing acts as a router in a very basic way.

I have deleted the protocols setting from the above configuration and it appears to work, although I have not repeated the failed/active test yet.