{"id":1867,"date":"2022-08-04T12:37:36","date_gmt":"2022-08-04T10:37:36","guid":{"rendered":"https:\/\/devpath.pro\/?p=1867"},"modified":"2023-08-29T20:55:40","modified_gmt":"2023-08-29T20:55:40","slug":"server-rack-pet-project-firewall","status":"publish","type":"post","link":"https:\/\/fabiocicerchia.it\/sys-admin\/server-rack-pet-project-firewall","title":{"rendered":"Server Rack Pet-Project: Firewall"},"content":{"rendered":"

What server rack project would it be without a firewall?! I got myself another bargain deal with a WatchGuard Firebox XTM25<\/a>. I should have enough fun with some\u00a0Stateful Packet Inspection and Threat protection (such as DoS attacks, fragmented & malformed packets, blended threats, and more), and if I manage to reactivate a WatchGuard subscription I might even get: IPS, Data Loss Prevention, APT Blocker, and a bunch of other features…<\/p>\n

and here it is, a shiny little red box standing out from the rest.<\/figcaption><\/figure>\n
so, after countless reboots and resets<\/a> mostly due to PEBKAC issues, I log in again.<\/figcaption><\/figure>\n
so many items to be checked, it’ll take a while to figure everything out…<\/figcaption><\/figure>\n
simple and nice dashboard, pretty quiet so far<\/figcaption><\/figure>\n

I started to play a little with port forwarding, but couldn’t make it work, maybe I was trying to do something not quite right, so I ended up configuring a VPN in order to have access to all the internal resources.<\/p>\n

aand I’m connected!<\/figcaption><\/figure>\n

Here is my simple OpenVPN configuration:<\/p>\n

# client profile for the Firebox VPN (OpenVPN); key material omitted\ndev tun\nclient\nproto tcp\n# accept only a server certificate carrying the serverAuth EKU, so a leaked client cert cannot pose as the gateway\nremote-cert-eku \"TLS Web Server Authentication\"\nremote 192.168.1.138 443\npersist-key\npersist-tun\nverb 3\nmute 20\nkeepalive 10 60\n# CBC data channel (not AEAD); on OpenVPN 2.5+ data-ciphers is where an AEAD suite such as AES-256-GCM is negotiated\ncipher AES-256-CBC\n# @SECLEVEL=0 lets OpenSSL accept weak keys, SHA-1\/MD5 signatures and legacy suites; keep it only if the gateway cannot do better\ntls-cipher \"DEFAULT:@SECLEVEL=0\"\nauth SHA512\nfloat\nreneg-sec 3660\nnobind\nmute-replay-warnings\nauth-user-pass\n# do not keep the username\/password cached in memory after use\nauth-nocache\n;remember_connection 0\n;auto_reconnect 0\n<ca>\n-----BEGIN CERTIFICATE-----\nOMITTED\n-----END CERTIFICATE-----\n<\/ca>\n<cert>\n-----BEGIN CERTIFICATE-----\nOMITTED\n-----END CERTIFICATE-----\n<\/cert>\n<key>\n-----BEGIN PRIVATE KEY-----\nOMITTED\n-----END PRIVATE KEY-----\n<\/key>\n<\/pre>\n
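Before trusting a profile like the one above it is worth grepping it for the directives that weaken it. The script below is an added example for this post, not WatchGuard or OpenVPN tooling: it strips comments and the inline certificate blocks, then flags <code>@SECLEVEL=0<\/code>, a CBC data cipher, a missing <code>remote-cert-tls server<\/code>\/<code>remote-cert-eku<\/code>, an <code>auth-user-pass<\/code> credential file and a missing <code>auth-nocache<\/code>. The function name <code>ovpn_audit<\/code> and the HIGH\/MEDIUM\/LOW labels are my own rule of thumb, and any profile fed to it in testing is constructed, not the author's real one.<\/p>\n

```sh
#!/bin/sh
# ovpn_audit: flag weak or risky directives in an OpenVPN client profile.
# Added example for this post; not WatchGuard or OpenVPN tooling, and the
# severity labels are a rule of thumb rather than an OpenVPN convention.
# Usage: ovpn_audit client.ovpn
#   prints one line per finding; the return status is the number of findings.
ovpn_audit() {
    # Normalise leading whitespace, drop comment lines (';' or '#') and the
    # inline <ca>/<cert>/<key>/<tls-auth> blocks, so a base64 body can never
    # match a directive pattern by accident.
    cfg=$(sed -e 's/^[[:space:]]*//' -e '/^[;#]/d' \
              -e '/^<[a-z-]*>$/,/^<\/[a-z-]*>$/d' "$1")
    n=0
    flag() { echo "[$1] $2"; n=$((n + 1)); }
    has() { printf '%s\n' "$cfg" | grep -qE "$1"; }

    # SECLEVEL=0 tells OpenSSL to accept everything: sub-1024-bit RSA/DH,
    # MD5/SHA-1 signatures and legacy cipher suites.
    has '^tls-cipher .*@SECLEVEL=0' \
        && flag HIGH 'tls-cipher sets OpenSSL @SECLEVEL=0 (weak keys and signatures accepted)'

    # A CBC data cipher is not authenticated encryption. Since OpenVPN 2.4 the
    # peers negotiate AEAD ciphers; 2.5+ configures the list with data-ciphers.
    has '^cipher [A-Z0-9-]*-CBC' \
        && flag MEDIUM 'cipher uses a CBC mode; prefer an AEAD cipher via data-ciphers'

    # Without remote-cert-tls server or remote-cert-eku, any certificate signed
    # by the CA (a stolen client cert included) could stand up a rogue gateway.
    has '^remote-cert-(tls server|eku )' \
        || flag HIGH 'no remote-cert-tls server / remote-cert-eku: server role of the peer cert is not checked'

    # auth-user-pass with a file argument keeps the credentials in plaintext.
    has '^auth-user-pass [^ ]+' \
        && flag MEDIUM 'auth-user-pass reads credentials from a plaintext file'

    # Without auth-nocache the password stays in memory for renegotiations.
    has '^auth-nocache' \
        || flag LOW 'auth-nocache missing: password cached in process memory'

    return $n
}

# Run directly with a profile path: sh ovpn_audit.sh client.ovpn
if [ -n "${1:-}" ]; then
    ovpn_audit "$1"
fi
```

Run against a profile with the directives above, the two hits are the <code>@SECLEVEL=0<\/code> line and the CBC cipher; <code>remote-cert-eku<\/code> and <code>auth-nocache<\/code> are already in place. Whether the security level can be raised depends on what the gateway's certificate and TLS stack accept, which a config lint cannot tell you.<\/p>\n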

Once connected, only internal traffic (10.0.1.0\/24<\/code>) is routed into the tunnel (which is super great because I believe<\/em> I made a split-tunnel<\/a>):<\/p>\n

$ ip route\ndefault via 192.168.1.254 dev wlan0 proto dhcp metric 600\n10.0.1.0\/24 via 10.0.2.1 dev tun0\n10.0.2.0\/24 dev tun0 proto kernel scope link src 10.0.2.2\n192.168.1.0\/24 dev wlan0 proto kernel scope link src 192.168.1.164 metric 600 \n[...]<\/pre>\n
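The table above reads as a split tunnel because the <code>default<\/code> route still points at <code>wlan0<\/code> and only <code>10.0.1.0\/24<\/code> is sent via <code>tun0<\/code>. The check below is an added example for this post, not part of the original: it classifies an <code>ip route<\/code> dump as split or full and lists the prefixes that traverse the tunnel, including the <code>redirect-gateway def1<\/code> case, where OpenVPN leaves the ISP default route alone and adds <code>0.0.0.0\/1<\/code> and <code>128.0.0.0\/1<\/code> via the tunnel instead. The function names <code>tunnel_mode<\/code> and <code>tunnel_prefixes<\/code> are mine, <code>tun0<\/code> is taken from the output above, and any route tables used to exercise it are constructed.<\/p>\n

```sh
#!/bin/sh
# tunnel_mode / tunnel_prefixes: tell a split tunnel from a full tunnel by
# reading an `ip route` table. Added example for this post, not from the
# original; the tunnel interface name defaults to tun0 as in the table above.
#
# A plain `default ... dev tun0` is a full tunnel, but so is OpenVPN's
# `redirect-gateway def1`, which leaves the ISP default route in place and adds
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel: the two halves win on prefix
# length, so checking only the `default` line would misreport it as split.
# Usage: ip route | tunnel_mode [tun0]       ip route | tunnel_prefixes [tun0]
tunnel_mode() {
    dev=${1:-tun0}
    routes=$(cat)
    # Does a route for destination $1 leave through the tunnel interface?
    via_dev() { printf '%s\n' "$routes" | grep -qE "^$1 .*dev $dev( |\$)"; }

    if via_dev default; then
        echo full
    elif via_dev '0\.0\.0\.0/1' && via_dev '128\.0\.0\.0/1'; then
        echo full
    else
        echo split
    fi
}

# Destination prefixes that actually traverse the tunnel, without the
# tunnel's own link-scope route (the tun0 subnet itself).
tunnel_prefixes() {
    dev=${1:-tun0}
    grep -E "dev $dev( |\$)" | grep -v 'scope link' | awk '{ print $1 }'
}
```

With the table above piped in, <code>tunnel_mode<\/code> prints <code>split<\/code> and <code>tunnel_prefixes<\/code> prints only <code>10.0.1.0\/24<\/code>; everything else, DNS included, keeps going out over <code>wlan0<\/code>, which is the trade-off a split tunnel makes.<\/p>\n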

The next step is configuring the firewall to shield the NAS properly and, hopefully in the near future, a Kubernetes cluster as well.<\/p>\n

creating a new policy for controlling NFS access (2049\/tcp and 2049\/udp) for the NAS<\/figcaption><\/figure>\n
denying access from anywhere to the NAS IP address<\/figcaption><\/figure>\n
allowing access from any trusted source (i.e. 10.0.1.0\/24<\/code> and\u00a010.0.2.0\/24<\/code>) to the NAS IP address<\/figcaption><\/figure>\n

So now, I finally have a NAS, protected by my new firewall, that is accessible only from the trusted range of IP addresses (either a VPN user or a VM running in the rack). One caveat on the port scope: 2049 alone is enough for NFSv4, while NFSv3 also needs rpcbind on 111 plus mountd, lockd and statd, which sit on dynamic ports unless pinned on the NAS, so those would need their own policy entries. The next post will be about networking cables, and how I learned how to make one. I made lots of discoveries during this pet project!<\/p>\n","protected":false},"excerpt":{"rendered":"

What server rack project would it be without a firewall?! I got myself another bargain deal with a WatchGuard Firebox XTM25. I should have enough fun with some\u00a0Stateful Packet Inspection and Threat protection (such as DoS attacks, fragmented & malformed packets, blended threats, and more), and if I manage to reactivate a WatchGuard subscription I […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"categories":[6],"tags":[],"aioseo_notices":[],"author_meta":{"display_name":"fabio","author_link":"https:\/\/fabiocicerchia.it\/author\/fabio"},"featured_img":null,"coauthors":[],"tax_additional":{"categories":{"linked":["Sys Admin<\/a>"],"unlinked":["Sys Admin<\/span>"]}},"comment_count":"0","relative_dates":{"created":"Posted 2 years ago","modified":"Updated 7 months ago"},"absolute_dates":{"created":"Posted on August 4, 2022","modified":"Updated on August 29, 2023"},"absolute_dates_time":{"created":"Posted on August 4, 2022 12:37 pm","modified":"Updated on August 29, 2023 8:55 
pm"},"featured_img_caption":"","series_order":"","_links":{"self":[{"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/posts\/1867"}],"collection":[{"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/comments?post=1867"}],"version-history":[{"count":1,"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/posts\/1867\/revisions"}],"predecessor-version":[{"id":2138,"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/posts\/1867\/revisions\/2138"}],"wp:attachment":[{"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/media?parent=1867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/categories?post=1867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fabiocicerchia.it\/wp-json\/wp\/v2\/tags?post=1867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}