Please read the Script Templates section in the Lighthouse manual https://ftp.opengear.com/download/documentation/manual/current/lighthouse/ and the following article, which explains how Script Templates are used, uploaded and applied to specific nodes.
https://opengear.zendesk.com/hc/en-us/articles/115004747366-Configuration-Templating-on-Lighthouse-5
Note: Use the freely available Notepad++, which allows you to save the script with Unix (LF) line endings rather than DOS (CRLF) line endings. Ensure any 'single' and "double" quotation marks have not been converted into curly “smart quotes”. Applying scripts with DOS (CRLF) line endings will break node configuration.
The firewall configuration is separated into Port/Protocol Forwarding, Firewall Rules and Forwarding & Masquerading.
Writing the configuration rules from scratch is difficult because parameters can be integers or specific keywords (lan/wan/tcp/udp, etc.). The CLI accepts incorrect syntax or spelling and silently breaks firewall rules. It is easier to set up the rules from the GUI and then export the configuration to be applied on other systems.
Port/Protocol Forwarding
Use the command below to export the rule.
echo "config -d config.firewall.portforwards \\" ; config -g config.firewall.portforwards | sed -e 's/ /='\''/' -e 's/$/'\'' \\/' -e 's/^/-s /'; echo "-a"
Here is the output. The first line deletes all existing port forwarding rules so they are replaced by the rules that follow; it is best to delete all rules on the target before adding new ones.
config -d config.firewall.portforwards \
-s config.firewall.portforwards.portforward1.in_interface='lan' \
-s config.firewall.portforwards.portforward1.in_ports='8443' \
-s config.firewall.portforwards.portforward1.name='Dell iDRAC' \
-s config.firewall.portforwards.portforward1.out_address='172.16.123.2' \
-s config.firewall.portforwards.portforward1.out_ports='443' \
-s config.firewall.portforwards.portforward1.protocol='tcp' \
-s config.firewall.portforwards.total='1' \
-a
To add another rule, follow the same syntax and increment the index to "config.firewall.portforwards.portforward2", and don't forget to increment config.firewall.portforwards.total='2'.
config \
-s config.firewall.portforwards.portforward1.in_interface='lan' \
-s config.firewall.portforwards.portforward1.in_ports='8443' \
-s config.firewall.portforwards.portforward1.name='Dell iDRAC' \
-s config.firewall.portforwards.portforward1.out_address='172.16.123.2' \
-s config.firewall.portforwards.portforward1.out_ports='443' \
-s config.firewall.portforwards.portforward1.protocol='tcp' \
-s config.firewall.portforwards.portforward2.in_interface='lan' \
-s config.firewall.portforwards.portforward2.in_ports='2222' \
-s config.firewall.portforwards.portforward2.name='Linux SSH' \
-s config.firewall.portforwards.portforward2.out_address='172.16.123.3' \
-s config.firewall.portforwards.portforward2.out_ports='22' \
-s config.firewall.portforwards.portforward2.protocol='tcp' \
-s config.firewall.portforwards.total='2' \
-a
The "portforwards.total" value defines how many rules are active. E.g. if there are five rules but portforwards.total='2', then the last three rules are not active.
Firewall (Port) Rules
Use the command below to export the rule.
echo "config -d config.firewall.portrules \\" ; config -g config.firewall.portrules | sed -e 's/ /='\''/' -e 's/$/'\'' \\/' -e 's/^/-s /'; echo "-a"
Here is the output. The first line deletes all existing firewall rules so they are replaced by the rules that follow; it is best to delete all rules on the target before adding new ones.
config -d config.firewall.portrules \
-s config.firewall.portrules.portrule1.action='accept' \
-s config.firewall.portrules.portrule1.direction='ingress' \
-s config.firewall.portrules.portrule1.interface='dialout' \
-s config.firewall.portrules.portrule1.ipversion='ipv4' \
-s config.firewall.portrules.portrule1.name='Office Network' \
-s config.firewall.portrules.portrule1.protocol='any' \
-s config.firewall.portrules.portrule1.src_ip='60.241.24.90' \
-s config.firewall.portrules.portrule1.state='any' \
-s config.firewall.portrules.total='1' \
-a
To add another rule, follow the same syntax and increment the index to "config.firewall.portrules.portrule2", and don't forget to increment config.firewall.portrules.total='2'.
config \
-d config.firewall.portrules \
-s config.firewall.portrules.portrule1.action='accept' \
-s config.firewall.portrules.portrule1.direction='ingress' \
-s config.firewall.portrules.portrule1.interface='dialout' \
-s config.firewall.portrules.portrule1.ipversion='ipv4' \
-s config.firewall.portrules.portrule1.name='Office Network' \
-s config.firewall.portrules.portrule1.protocol='any' \
-s config.firewall.portrules.portrule1.src_ip='60.241.24.90' \
-s config.firewall.portrules.portrule1.state='any' \
-s config.firewall.portrules.portrule2.action='accept' \
-s config.firewall.portrules.portrule2.direction='ingress' \
-s config.firewall.portrules.portrule2.interface='dialout' \
-s config.firewall.portrules.portrule2.ipversion='ipv4' \
-s config.firewall.portrules.portrule2.name='Remote Site' \
-s config.firewall.portrules.portrule2.ports='3001-3008' \
-s config.firewall.portrules.portrule2.protocol='tcp' \
-s config.firewall.portrules.portrule2.src_ip='1.2.3.4' \
-s config.firewall.portrules.portrule2.state='any' \
-s config.firewall.portrules.total='2' \
-a
The "portrules.total" value defines how many rules are active. E.g. if there are five rules but portrules.total='2', then the last three rules are not active.
Forwarding & Masquerading
The Forwarding & Masquerading page is separated into per-interface configuration sections. The script below exports all of the interfaces on the Forwarding & Masquerading page:
- config.firewall.dialin
- config.firewall.dialout
- config.firewall.lan
- config.firewall.vpn
- config.firewall.wan
- config.firewall.wlan
for val in dialin dialout lan vpn wan wlan; do echo "config -d config.firewall.$val \\" ; config -g config.firewall.$val | sed -e 's/ /='\''/' -e 's/$/'\'' \\/' -e 's/^/-s /'; done; echo "-a"
Here is the output. Each "config -d" line clears the existing settings for that interface so they are replaced by the settings that follow; it is best to delete all rules on the target before adding new ones.
config -d config.firewall.dialin \
config -d config.firewall.dialout \
-s config.firewall.dialout.masquerade.enabled='on' \
config -d config.firewall.lan \
-s config.firewall.lan.forwards.dialout='on' \
-s config.firewall.lan.forwards.wan='on' \
config -d config.firewall.vpn \
config -d config.firewall.wan \
-s config.firewall.wan.masquerade.enabled='on' \
config -d config.firewall.wlan \
-a
Export All Firewall Rules
When performing an initial deployment it is easier to export the whole firewall section so it can be applied to other nodes.
echo "config -d config.firewall \\" ; config -g config.firewall | sed -e 's/ /='\''/' -e 's/$/'\'' \\/' -e 's/^/-s /'; echo "-a"
Here is the combined output. The first line deletes the entire firewall section so it is replaced by the settings that follow.
config -d config.firewall \
-s config.firewall.dialout.masquerade.enabled='on' \
-s config.firewall.lan.forwards.dialout='on' \
-s config.firewall.lan.forwards.wan='on' \
-s config.firewall.portforwards.portforward1.in_interface='lan' \
-s config.firewall.portforwards.portforward1.in_ports='8443' \
-s config.firewall.portforwards.portforward1.name='Dell iDRAC' \
-s config.firewall.portforwards.portforward1.out_address='172.16.123.2' \
-s config.firewall.portforwards.portforward1.out_ports='443' \
-s config.firewall.portforwards.portforward1.protocol='tcp' \
-s config.firewall.portforwards.total='1' \
-s config.firewall.portrules.portrule1.action='accept' \
-s config.firewall.portrules.portrule1.direction='ingress' \
-s config.firewall.portrules.portrule1.interface='dialout' \
-s config.firewall.portrules.portrule1.ipversion='ipv4' \
-s config.firewall.portrules.portrule1.name='Office Network' \
-s config.firewall.portrules.portrule1.protocol='any' \
-s config.firewall.portrules.portrule1.src_ip='60.241.24.90' \
-s config.firewall.portrules.portrule1.state='any' \
-s config.firewall.portrules.total='1' \
-s config.firewall.wan.masquerade.enabled='on' \
-a
The commands can be copied and pasted directly into the Console Server CLI, or saved in a file (attached) and deployed via a Lighthouse Script Template.
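Two of the failure modes this article warns about, DOS line endings or smart quotes in the uploaded script, and a portforwards.total/portrules.total that does not match the number of rules written, can be caught before a Script Template is applied. The checker below is an added example written for this page, not an Opengear tool; the embedded script is a constructed sample in the format the export commands above produce.

```python
import re

# Constructed sample in the form this article's sed pipeline emits. The
# portrules section deliberately declares total='1' while two portrule
# indices exist, so check_script() reports it.
SAMPLE_SCRIPT = """config -d config.firewall \\
-s config.firewall.portforwards.portforward1.in_interface='lan' \\
-s config.firewall.portforwards.portforward1.in_ports='8443' \\
-s config.firewall.portforwards.total='1' \\
-s config.firewall.portrules.portrule1.action='accept' \\
-s config.firewall.portrules.portrule2.action='accept' \\
-s config.firewall.portrules.total='1' \\
-a
"""
SMART_QUOTES = "\u2018\u2019\u201c\u201d"
# Matches one "-s key='value' \" line in the portforwards or portrules section.
SET_RE = re.compile(r"^-s config\.firewall\.(portforwards|portrules)\.(\S+?)='([^']*)' \\$")

def check_script(text):
    """Return a list of problems found in an exported firewall script."""
    problems = []
    if "\r" in text:
        problems.append("DOS (CRLF) line endings found; save with Unix (LF) endings")
    if any(ch in text for ch in SMART_QUOTES):
        problems.append("curly smart quotes found; use plain ' and \" quotes")
    indices = {"portforwards": set(), "portrules": set()}  # rule numbers seen
    totals = {}                                             # declared total per section
    for line in text.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        section, key, value = m.groups()
        if key == "total":
            totals[section] = int(value) if value.isdigit() else None
        else:
            idx = re.match(r"port(?:forward|rule)(\d+)\.", key)
            if idx:
                indices[section].add(int(idx.group(1)))
    for section, found in indices.items():
        if not found:
            continue
        if found != set(range(1, len(found) + 1)):
            problems.append(f"{section}: rule indices {sorted(found)} are not contiguous from 1")
        declared = totals.get(section)
        if declared != len(found):
            # total is what the device treats as active; a mismatch silently drops rules
            problems.append(f"{section}: total={declared!r} but {len(found)} rule(s) defined")
    return problems
```

Run check_script() on the file you intend to upload and fix anything it reports before applying the template.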