fir3net

Vyatta - How do I secure management access?

To secure management access to the appliance you need to A) enable the firewall and its global state policy, and B) create a firewall ruleset that only admits traffic to the appliance itself from your management hosts, then apply it in the local direction on your management interface.

Enable Firewall

First of all, enable the firewall and set the global state policy. Return traffic for established and related connections is accepted, and packets the connection tracker classifies as invalid are dropped. Without the established/related entries, replies to connections the Vyatta opens itself (DNS lookups, NTP, and so on) would have to be permitted explicitly in the ruleset below.

set firewall
set firewall state-policy related action accept
set firewall state-policy established action accept
set firewall state-policy invalid action drop

Define Management IPs

Next, create an address group containing every IP address you will manage the Vyatta appliance from. Only these sources will be able to reach the appliance's management services. The two addresses below are examples; substitute your own management hosts.

set firewall group address-group MANAGEMENT-IP address 7.7.7.7
set firewall group address-group MANAGEMENT-IP address 8.8.8.8

Create Firewall Policy

Next, create the firewall ruleset. The ruleset below accepts all traffic sourced from the management IPs, all traffic sourced from the Vyatta's own management address, and the VPN traffic needed to terminate tunnels on the appliance: ESP, IKE (UDP/500), NAT-T (UDP/4500) and L2TP (UDP/1701, only when it arrives inside IPsec). Everything else is dropped by rule 70 and logged; a Vyatta ruleset drops unmatched traffic by default, so rule 70 exists to produce the log entries. Dropped traffic can be viewed by running the command 'show log firewall name MANAGEMENT'.
Note that ICMP echo, DHCP and any routing protocol running on the management interface are also blocked from non-management sources unless you add rules for them above rule 70.

set firewall name MANAGEMENT rule 10 action accept
set firewall name MANAGEMENT rule 10 source group address-group MANAGEMENT-IP
set firewall name MANAGEMENT rule 20 action accept
set firewall name MANAGEMENT rule 20 source address <MANAGEMENT IP OF VYATTA APPLIANCE>
set firewall name MANAGEMENT rule 30 action accept
set firewall name MANAGEMENT rule 30 protocol esp
set firewall name MANAGEMENT rule 40 action accept
set firewall name MANAGEMENT rule 40 protocol udp
set firewall name MANAGEMENT rule 40 destination port 500
set firewall name MANAGEMENT rule 50 action accept
set firewall name MANAGEMENT rule 50 protocol udp
set firewall name MANAGEMENT rule 50 destination port 1701
set firewall name MANAGEMENT rule 50 ipsec match-ipsec
set firewall name MANAGEMENT rule 60 action accept
set firewall name MANAGEMENT rule 60 protocol udp
set firewall name MANAGEMENT rule 60 destination port 4500
set firewall name MANAGEMENT rule 70 action drop
set firewall name MANAGEMENT rule 70 log enable

Assign Policy

Finally, the ruleset is applied in the local direction (traffic destined to the appliance itself) on the management interface. Commit from a session that originates from one of the MANAGEMENT-IP addresses; otherwise the commit will cut off the session you are working from.

set interfaces ethernet eth3 firewall local name MANAGEMENT
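Putting the four steps together, the script below is an added example (my own code, not from the fir3net article or from Vyatta) that generates the complete command set for any number of management hosts and subnets, refuses to build a policy that would lock out the session you are committing from, and summarises what rule 70 drops from the 'show log firewall' output. It assumes two things the article does not state: management subnets are placed in a network-group (a Vyatta address-group holds single hosts or ranges, not CIDR prefixes), and log lines carry the '[NAME-RULE-ACTION]' prefix that Vyatta firewall logging writes. The addresses and log lines are constructed RFC 5737 examples.

```python
"""Added example, not from the fir3net article or from Vyatta: build the
MANAGEMENT policy for a list of management hosts/subnets, check it cannot
lock out the committing session, and summarise the drops it logs.

Assumptions (not stated in the article): subnets go in a network-group
because a Vyatta address-group holds single hosts or ranges; log lines use
the '[NAME-RULE-ACTION]' prefix written by Vyatta firewall logging.
All addresses and log lines below are constructed RFC 5737 examples."""
import ipaddress
import re
from collections import Counter


def build_policy(mgmt_sources, appliance_ip, interface, session_ip,
                 name="MANAGEMENT"):
    """Return the 'set' commands for the article's policy, generalised.

    mgmt_sources: hosts ("203.0.113.10") and/or subnets ("198.51.100.0/24").
    session_ip:   the address your current session comes from. The policy is
                  refused if no accept rule would match it, which is the
                  lock-out check to run before 'commit'.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in mgmt_sources]
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("a 0.0.0.0/0 source opens management to everyone")
    if not any(ipaddress.ip_address(session_ip) in n for n in nets):
        raise ValueError(f"{session_ip} matches no management source; "
                         "committing would lock you out")

    hosts = [str(n.network_address) for n in nets if n.num_addresses == 1]
    subnets = [str(n) for n in nets if n.num_addresses > 1]
    rule = f"set firewall name {name} rule"
    # Global state policy: accept replies to connections the router opened.
    cmds = ["set firewall state-policy established action accept",
            "set firewall state-policy related action accept",
            "set firewall state-policy invalid action drop"]
    cmds += [f"set firewall group address-group {name}-IP address {h}"
             for h in hosts]
    cmds += [f"set firewall group network-group {name}-NET network {s}"
             for s in subnets]
    if hosts:  # rule 10 as in the article
        cmds += [f"{rule} 10 action accept",
                 f"{rule} 10 source group address-group {name}-IP"]
    if subnets:  # rule 15 is an addition for CIDR sources
        cmds += [f"{rule} 15 action accept",
                 f"{rule} 15 source group network-group {name}-NET"]
    cmds += [
        f"{rule} 20 action accept", f"{rule} 20 source address {appliance_ip}",
        f"{rule} 30 action accept", f"{rule} 30 protocol esp",
        f"{rule} 40 action accept", f"{rule} 40 protocol udp",
        f"{rule} 40 destination port 500",
        f"{rule} 50 action accept", f"{rule} 50 protocol udp",
        f"{rule} 50 destination port 1701", f"{rule} 50 ipsec match-ipsec",
        f"{rule} 60 action accept", f"{rule} 60 protocol udp",
        f"{rule} 60 destination port 4500",
        f"{rule} 70 action drop", f"{rule} 70 log enable",
        f"set interfaces ethernet {interface} firewall local name {name}",
    ]
    return cmds


# Assumed log prefix, e.g. "[MANAGEMENT-70-D]" (A=accept, D=drop, R=reject).
PREFIX_RE = re.compile(r"\[([A-Za-z0-9_-]+)-(\w+)-([ADR])\]")
KV_RE = re.compile(r"(\w+)=(\S*)")


def summarize_drops(log_lines, name="MANAGEMENT"):
    """Count (SRC, PROTO, DPT) for packets the named ruleset dropped."""
    drops = Counter()
    for line in log_lines:
        m = PREFIX_RE.search(line)
        if not m or m.group(1) != name or m.group(3) != "D":
            continue
        kv = dict(KV_RE.findall(line[m.end():]))
        drops[(kv.get("SRC"), kv.get("PROTO"), kv.get("DPT"))] += 1
    return drops


# Constructed sample of 'show log firewall name MANAGEMENT' output.
SAMPLE_LOG = [
    "Mar 30 10:15:01 vyatta kernel: [MANAGEMENT-70-D]IN=eth3 OUT= "
    "SRC=192.0.2.77 DST=203.0.113.1 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Mar 30 10:15:02 vyatta kernel: [MANAGEMENT-70-D]IN=eth3 OUT= "
    "SRC=192.0.2.77 DST=203.0.113.1 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=22 SYN",
    "Mar 30 10:16:40 vyatta kernel: [MANAGEMENT-70-D]IN=eth3 OUT= "
    "SRC=198.51.100.9 DST=203.0.113.1 LEN=60 TTL=60 PROTO=TCP SPT=40001 DPT=443 SYN",
    # An accept logged by a different ruleset is ignored by summarize_drops.
    "Mar 30 10:17:00 vyatta kernel: [WAN-IN-10-A]IN=eth0 OUT=eth1 "
    "SRC=203.0.113.10 DST=10.0.0.5 LEN=52 TTL=61 PROTO=TCP SPT=5000 DPT=80",
]

if __name__ == "__main__":
    for cmd in build_policy(["203.0.113.10", "198.51.100.0/24"],
                            "203.0.113.1", "eth3", session_ip="198.51.100.9"):
        print(cmd)
    for (src, proto, dpt), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"dropped {n:3d}  {src} {proto}/{dpt}")
```

Paste the generated commands into configure mode and commit from a session that matches one of the sources you passed in; the session check only guards against a typo in the source list, it cannot see which interface your session arrived on, so eth3 still has to be the interface that session uses.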

Tags: Vyatta

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001