Vyatta – How do I secure management access?

To secure management access you need to a) set the firewall's global state policy and b) create a firewall policy and attach it to the management interface in the 'local' direction, so that it filters traffic addressed to the appliance itself rather than traffic forwarded through it.

Enable Firewall

Vyatta has no global on/off switch for the firewall; filtering starts as soon as a policy is attached to an interface. First set the global state policy: it accepts the return traffic of established and related connections and drops packets the connection tracker considers invalid, so the named policy created below only has to decide about new connections.

set firewall state-policy related action accept
set firewall state-policy established action accept
set firewall state-policy invalid action drop

Define Management IPs

Next, create an address group containing the IPs you will manage the Vyatta appliance from. The two addresses below are placeholders; replace them with your own administration hosts and keep the list as short as you can, since every address in this group gets unrestricted access to the appliance's services.

set firewall group address-group MANAGEMENT-IP address 7.7.7.7
set firewall group address-group MANAGEMENT-IP address 8.8.8.8

Create Firewall Policy

Next, create the firewall policy itself. The policy below accepts all traffic from the management IPs, all traffic sourced from the appliance's own management address, and the VPN traffic: IKE (UDP/500), ESP, NAT-T (UDP/4500) and L2TP (UDP/1701, but only when it arrives inside IPsec). Rules are evaluated in numeric order and the first match wins, so everything else reaches rule 70, which drops and logs it; the log can be viewed with 'show log firewall name MANAGEMENT'. Keep the logging drop as the highest-numbered rule.
One caveat on rule 20: it matches on source address alone, which any host on the segment can spoof. The state policy already accepts return traffic for connections the appliance opens itself, so only keep rule 20 if you have a concrete need for it.

set firewall name MANAGEMENT rule 10 action accept
set firewall name MANAGEMENT rule 10 source group address-group MANAGEMENT-IP
set firewall name MANAGEMENT rule 20 action accept
set firewall name MANAGEMENT rule 20 source address <MANAGEMENT IP OF VYATTA APPLIANCE>
set firewall name MANAGEMENT rule 30 action accept
set firewall name MANAGEMENT rule 30 protocol esp
set firewall name MANAGEMENT rule 40 action accept
set firewall name MANAGEMENT rule 40 protocol udp
set firewall name MANAGEMENT rule 40 destination port 500
set firewall name MANAGEMENT rule 50 action accept
set firewall name MANAGEMENT rule 50 protocol udp
set firewall name MANAGEMENT rule 50 destination port 1701
set firewall name MANAGEMENT rule 50 ipsec match-ipsec
set firewall name MANAGEMENT rule 60 action accept
set firewall name MANAGEMENT rule 60 protocol udp
set firewall name MANAGEMENT rule 60 destination port 4500
set firewall name MANAGEMENT rule 70 action drop
set firewall name MANAGEMENT rule 70 log enable

Assign Policy

Finally, attach the policy to the management interface in the 'local' direction, then commit and save. Before committing, check that the address you are currently logged in from is in MANAGEMENT-IP: once the policy is active, a session from any other address is dropped by rule 70. The policy only covers traffic arriving on eth3; if the appliance has other interfaces, attach a 'local' policy to each of them as well, otherwise its services remain reachable through those.

set interfaces ethernet eth3 firewall local name MANAGEMENT
commit
save
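To see how the finished policy behaves before you commit it, here is an added example (not from the original article and not Vyatta's own code): a small Python evaluator that parses the 'set firewall' commands above into rules and reports which rule accepts or drops a given packet, plus a pre-commit lockout check. It assumes the placeholder for the appliance's own address is 192.0.2.1 and uses RFC 5737 documentation addresses for the test packets; the Packet fields and the matching logic are a simplification of the real rule language, not a Vyatta API.

```python
"""Offline evaluator for a Vyatta 'local' firewall policy. Added example, not
from the article or from Vyatta: it parses 'set firewall ...' commands and
reports which rule accepts or drops a packet, the way a named policy is
evaluated (state-policy first, rules in numeric order, first match wins)."""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed input: the article's policy; the appliance's own address is
# assumed to be 192.0.2.1 (RFC 5737 documentation space).
CONFIG = """
set firewall state-policy related action accept
set firewall state-policy established action accept
set firewall state-policy invalid action drop
set firewall group address-group MANAGEMENT-IP address 7.7.7.7
set firewall group address-group MANAGEMENT-IP address 8.8.8.8
set firewall name MANAGEMENT rule 10 action accept
set firewall name MANAGEMENT rule 10 source group address-group MANAGEMENT-IP
set firewall name MANAGEMENT rule 20 action accept
set firewall name MANAGEMENT rule 20 source address 192.0.2.1
set firewall name MANAGEMENT rule 30 action accept
set firewall name MANAGEMENT rule 30 protocol esp
set firewall name MANAGEMENT rule 40 action accept
set firewall name MANAGEMENT rule 40 protocol udp
set firewall name MANAGEMENT rule 40 destination port 500
set firewall name MANAGEMENT rule 50 action 'accept'
set firewall name MANAGEMENT rule 50 destination port '1701'
set firewall name MANAGEMENT rule 50 ipsec 'match-ipsec'
set firewall name MANAGEMENT rule 50 protocol 'udp'
set firewall name MANAGEMENT rule 60 action accept
set firewall name MANAGEMENT rule 60 destination port 4500
set firewall name MANAGEMENT rule 60 protocol udp
set firewall name MANAGEMENT rule 70 action drop
set firewall name MANAGEMENT rule 70 log enable
"""

@dataclass
class Packet:
    src: str
    proto: str            # tcp, udp, esp, ...
    dport: int = 0        # 0 = no port (esp, icmp)
    state: str = "new"    # new, established, related or invalid
    ipsec: bool = False   # True if it arrived inside an IPsec SA

@dataclass
class Policy:
    state_policy: dict = field(default_factory=dict)  # state -> action
    groups: dict = field(default_factory=dict)        # group -> [address]
    rules: dict = field(default_factory=dict)         # name -> {num: {criterion: value}}

def parse(config: str) -> Policy:
    """shlex.split strips the quotes the CLI accepts, so 'accept' == accept."""
    pol = Policy()
    for line in config.strip().splitlines():
        t = shlex.split(line)[2:]               # drop the leading 'set firewall'
        if t[0] == "state-policy":              # state-policy <state> action <action>
            pol.state_policy[t[1]] = t[3]
        elif t[0] == "group":                   # group address-group <g> address <ip>
            pol.groups.setdefault(t[2], []).append(t[4])
        elif t[0] == "name":                    # name <pol> rule <n> <criterion...> <value>
            rule = pol.rules.setdefault(t[1], {}).setdefault(int(t[3]), {})
            rule[" ".join(t[4:-1])] = t[-1]
    return pol

def _src_in(src: str, nets) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def rule_matches(pol: Policy, rule: dict, pkt: Packet) -> bool:
    """Every criterion on the rule must hold; a rule with none (the final
    drop) matches everything. 'ipsec match-ipsec' only matches decrypted traffic."""
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "destination port" in rule and int(rule["destination port"]) != pkt.dport:
        return False
    if "source address" in rule and not _src_in(pkt.src, [rule["source address"]]):
        return False
    if "source group address-group" in rule and not _src_in(
            pkt.src, pol.groups.get(rule["source group address-group"], [])):
        return False
    return rule.get("ipsec") != "match-ipsec" or pkt.ipsec

def evaluate(pol: Policy, name: str, pkt: Packet) -> tuple:
    """Return (action, matched_by, logged) for one packet against policy `name`."""
    if pkt.state in pol.state_policy:
        return pol.state_policy[pkt.state], f"state-policy {pkt.state}", False
    for num in sorted(pol.rules[name]):
        rule = pol.rules[name][num]
        if rule_matches(pol, rule, pkt):
            return rule["action"], f"rule {num}", rule.get("log") == "enable"
    return "drop", "implicit default", False

def lockout_check(pol: Policy, name: str, session_ip: str) -> bool:
    """Run before 'commit': would a new SSH session from your current address still be accepted?"""
    return evaluate(pol, name, Packet(session_ip, "tcp", 22))[0] == "accept"

if __name__ == "__main__":
    pol = parse(CONFIG)
    print(evaluate(pol, "MANAGEMENT", Packet("198.51.100.4", "udp", 1701)))
    print("commit safe from 203.0.113.9:", lockout_check(pol, "MANAGEMENT", "203.0.113.9"))
```

Running it shows the two things worth knowing about this ruleset: a plain UDP/1701 packet is dropped and logged by rule 70 because rule 50 requires 'match-ipsec', and an SSH attempt from any address outside the group also ends at the logging drop, which is exactly what lockout_check reports when you pass it the address of your own session.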
Rick Donato
