Description of the Implementation of the New Network Topology of the KARAS Project Company (Part III)

Greetings again.

In the previous part we went through part of the PC-Router configuration and stopped at the definition of the IP address groups that are used in the rule sets shown here.

Rule sets

Network traffic between the Node Administrators VLAN of the KARAS Project company and the other subnets:

set firewall name admines-firewall default-action drop
set firewall name admines-firewall description "Filter outbound traffic from the Network Equipment Management workstations of the KARAS Project company Node to the PC-Router/Firewall"

set firewall name admines-firewall rule 1 action accept
set firewall name admines-firewall rule 1 description "Allow ICMP traffic (ping)"
set firewall name admines-firewall rule 1 icmp type-name any
set firewall name admines-firewall rule 1 protocol icmp

set firewall name admines-firewall rule 2 action accept
set firewall name admines-firewall rule 2 description "Allow ESTABLISHED and RELATED connections (any protocol, since the rule has no protocol match)"
set firewall name admines-firewall rule 2 state established enable
set firewall name admines-firewall rule 2 state related enable

set firewall name admines-firewall rule 3 action drop
set firewall name admines-firewall rule 3 description "Drop all packets in state INVALID"
set firewall name admines-firewall rule 3 log enable
set firewall name admines-firewall rule 3 state invalid enable

set firewall name admines-firewall rule 150 action accept
set firewall name admines-firewall rule 150 description "Allow outbound traffic to internal file servers or Domain Controllers of the KARAS Project company (137/udp)"
set firewall name admines-firewall rule 150 destination port netbios-ns
set firewall name admines-firewall rule 150 log enable
set firewall name admines-firewall rule 150 protocol udp
set firewall name admines-firewall rule 150 source group address-group equipos_admines
set firewall name admines-firewall rule 150 source port netbios-ns

set firewall name admines-firewall rule 160 action accept
set firewall name admines-firewall rule 160 description "Allow outbound traffic to internal file servers or Domain Controllers of the KARAS Project company (138/udp)"
set firewall name admines-firewall rule 160 destination port netbios-dgm
set firewall name admines-firewall rule 160 log enable
set firewall name admines-firewall rule 160 protocol udp
set firewall name admines-firewall rule 160 source group address-group equipos_admines
set firewall name admines-firewall rule 160 source port netbios-dgm

NOTE: The two rules above allow the NetBIOS name service (137/udp) and datagram service (138/udp) broadcast traffic that SMB name resolution and browsing rely on. Windows and Samba send this traffic from the same well-known port they target, which is why the rules match on the source port as well; a client that uses an ephemeral source port will not match them. Since this rule set covers traffic addressed to the PC-Router/Firewall itself, these rules only matter for the broadcasts the router receives on the administrators' segment.

set firewall name admines-firewall rule 200 action accept
set firewall name admines-firewall rule 200 description "Allow outbound traffic to the internal Router/Firewall of the KARAS Project company to manage it via CLI over SSH"
set firewall name admines-firewall rule 200 destination port ssh,40497
set firewall name admines-firewall rule 200 log enable
set firewall name admines-firewall rule 200 protocol tcp
set firewall name admines-firewall rule 200 source group address-group equipos_gestion_routers
set firewall name admines-firewall rule 200 source port 1024-65535

NOTE 1: The rule above allows managing the PC-Router from the workstations used to manage the network components or devices (normally the workstations designated for that purpose), either on the classic SSH port (22/tcp) or on the chosen alternative port (40497/tcp in this case). The same is done in the other rule sets shown further on. Keep in mind that moving SSH to 40497/tcp only reduces noise from automated scans; the real control is the source address-group (only the management workstations can reach the port) together with key-based authentication on the SSH daemon.

NOTE 2 (IMPORTANT!!!): Those management workstations must sit on a separate subnet and must not be used to access network services. In this case, since the Network Administrator does not have many resources, his only workstation is also used for every management task, but one has to fight for that not to be the case (I know this is hard to achieve today in many companies in the country).

set firewall name admines-firewall rule 9999 action drop
set firewall name admines-firewall rule 9999 description "Log everything that did not match the previous rules (firewall monitoring purposes)"
set firewall name admines-firewall rule 9999 log enable

———————————————————————————–

set firewall name admines-netdevs default-action drop
set firewall name admines-netdevs description "Filter outbound traffic from the Network Equipment Management workstations of the KARAS Project company Node to the internal Internetworking devices"

set firewall name admines-netdevs rule 1 action accept
set firewall name admines-netdevs rule 1 description "Allow ICMP traffic (ping)"
set firewall name admines-netdevs rule 1 icmp type-name any
set firewall name admines-netdevs rule 1 protocol icmp

set firewall name admines-netdevs rule 2 action accept
set firewall name admines-netdevs rule 2 description "Allow ESTABLISHED and RELATED connections (any protocol)"
set firewall name admines-netdevs rule 2 state established enable
set firewall name admines-netdevs rule 2 state related enable

set firewall name admines-netdevs rule 3 action drop
set firewall name admines-netdevs rule 3 description "Drop all packets in state INVALID"
set firewall name admines-netdevs rule 3 log enable
set firewall name admines-netdevs rule 3 state invalid enable

set firewall name admines-netdevs rule 90 action accept
set firewall name admines-netdevs rule 90 description "Allow outbound traffic to the internal Internetworking devices of the KARAS Project company to manage them via their WEB interface"
set firewall name admines-netdevs rule 90 destination group network-group red_equiposred
set firewall name admines-netdevs rule 90 destination port http,https
set firewall name admines-netdevs rule 90 log enable
set firewall name admines-netdevs rule 90 protocol tcp
set firewall name admines-netdevs rule 90 source group address-group equipos_gestion_routers
set firewall name admines-netdevs rule 90 source port 1024-65535

set firewall name admines-netdevs rule 200 action accept
set firewall name admines-netdevs rule 200 description "Allow outbound traffic to the internal Internetworking devices of the KARAS Project company to manage them via CLI over SSH"
set firewall name admines-netdevs rule 200 destination group network-group red_equiposred
set firewall name admines-netdevs rule 200 destination port ssh,40497
set firewall name admines-netdevs rule 200 log enable
set firewall name admines-netdevs rule 200 protocol tcp
set firewall name admines-netdevs rule 200 source group address-group equipos_gestion_routers
set firewall name admines-netdevs rule 200 source port 1024-65535

set firewall name admines-netdevs rule 210 action accept
set firewall name admines-netdevs rule 210 description "Allow outbound traffic to the internal Router/Firewall of the KARAS Project company to manage it via CLI over Telnet"
set firewall name admines-netdevs rule 210 destination port telnet
set firewall name admines-netdevs rule 210 log enable
set firewall name admines-netdevs rule 210 protocol tcp
set firewall name admines-netdevs rule 210 source group address-group equipos_gestion_routers
set firewall name admines-netdevs rule 210 source port 1024-65535

NOTE: Unlike rules 90 and 200, rule 210 as published carries no `destination group`, so it accepts Telnet from the management workstations to any destination this rule set is applied to, not only the internal router; scope it with `destination group network-group red_equiposred` (or the router's own address) the way the other two rules do. Telnet also sends the credentials and the whole session in the clear, so keep it only for devices that cannot run SSH and rely on rule 200 everywhere else.

set firewall name admines-netdevs rule 9999 action drop
set firewall name admines-netdevs rule 9999 description "Log everything that did not match the previous rules (firewall monitoring purposes)"
set firewall name admines-netdevs rule 9999 log enable

———————————————————————————–

set firewall name admines-hiperv default-action drop
set firewall name admines-hiperv description "Filter outbound traffic from the Hypervisor Management workstations of the KARAS Project company Node to the internal Hypervisors (Virtual Machine nodes)"

set firewall name admines-hiperv rule 1 action accept
set firewall name admines-hiperv rule 1 description "Allow ICMP traffic (ping)"
set firewall name admines-hiperv rule 1 icmp type-name any
set firewall name admines-hiperv rule 1 protocol icmp

set firewall name admines-hiperv rule 2 action accept
set firewall name admines-hiperv rule 2 description "Allow ESTABLISHED and RELATED connections (any protocol)"
set firewall name admines-hiperv rule 2 state established enable
set firewall name admines-hiperv rule 2 state related enable

set firewall name admines-hiperv rule 3 action drop
set firewall name admines-hiperv rule 3 description "Drop all packets in state INVALID"
set firewall name admines-hiperv rule 3 log enable
set firewall name admines-hiperv rule 3 state invalid enable

set firewall name admines-hiperv rule 90 action accept
set firewall name admines-hiperv rule 90 description "Allow outbound traffic to the internal Hypervisors of the KARAS Project company to reach any additional WEB service installed on them"
set firewall name admines-hiperv rule 90 destination group network-group red_hipervisores
set firewall name admines-hiperv rule 90 destination port http,https
set firewall name admines-hiperv rule 90 log enable
set firewall name admines-hiperv rule 90 protocol tcp
set firewall name admines-hiperv rule 90 source group address-group equipos_gestion_hiperv
set firewall name admines-hiperv rule 90 source port 1024-65535

set firewall name admines-hiperv rule 200 action accept
set firewall name admines-hiperv rule 200 description "Allow outbound traffic to the internal Hypervisors (Virtual Machine nodes) of the KARAS Project company to manage them via CLI over SSH"
set firewall name admines-hiperv rule 200 destination group network-group red_hipervisores
set firewall name admines-hiperv rule 200 destination port ssh,40497
set firewall name admines-hiperv rule 200 log enable
set firewall name admines-hiperv rule 200 protocol tcp
set firewall name admines-hiperv rule 200 source group address-group equipos_gestion_hiperv
set firewall name admines-hiperv rule 200 source port 1024-65535

set firewall name admines-hiperv rule 240 action accept
set firewall name admines-hiperv rule 240 description "Allow outbound traffic to the internal Hypervisors (Virtual Machine nodes) of the KARAS Project company to manage them via their WEB interface (8006/tcp) and VNC consoles (5900-5999/tcp)"
set firewall name admines-hiperv rule 240 destination group network-group red_hipervisores
set firewall name admines-hiperv rule 240 destination port 5900-5999,8006
set firewall name admines-hiperv rule 240 log enable
set firewall name admines-hiperv rule 240 protocol tcp
set firewall name admines-hiperv rule 240 source group address-group equipos_gestion_hiperv
set firewall name admines-hiperv rule 240 source port 1024-65535

set firewall name admines-hiperv rule 9999 action drop
set firewall name admines-hiperv rule 9999 description "Log everything that did not match the previous rules (firewall monitoring purposes)"
set firewall name admines-hiperv rule 9999 log enable

———————————————————————————–

set firewall name admines-lan default-action drop
set firewall name admines-lan description "Filter outbound traffic from the Node Administrators workstations of the KARAS Project company to the LAN workstations"

set firewall name admines-lan rule 1 action accept
set firewall name admines-lan rule 1 description "Allow ICMP traffic (ping)"
set firewall name admines-lan rule 1 icmp type-name any
set firewall name admines-lan rule 1 protocol icmp

set firewall name admines-lan rule 2 action accept
set firewall name admines-lan rule 2 description "Allow ESTABLISHED and RELATED connections (any protocol)"
set firewall name admines-lan rule 2 state established enable
set firewall name admines-lan rule 2 state related enable

set firewall name admines-lan rule 3 action drop
set firewall name admines-lan rule 3 description "Drop all packets in state INVALID"
set firewall name admines-lan rule 3 log enable
set firewall name admines-lan rule 3 state invalid enable

set firewall name admines-lan rule 150 action accept
set firewall name admines-lan rule 150 description "Allow outbound traffic to the LAN workstations of the KARAS Project company (137/udp)"
set firewall name admines-lan rule 150 destination group network-group red_lan
set firewall name admines-lan rule 150 destination port netbios-ns
set firewall name admines-lan rule 150 log enable
set firewall name admines-lan rule 150 protocol udp
set firewall name admines-lan rule 150 source group address-group equipos_admines

set firewall name admines-lan rule 160 action accept
set firewall name admines-lan rule 160 description "Allow outbound traffic to the LAN workstations of the KARAS Project company (138/udp)"
set firewall name admines-lan rule 160 destination group network-group red_lan
set firewall name admines-lan rule 160 destination port netbios-dgm
set firewall name admines-lan rule 160 log enable
set firewall name admines-lan rule 160 protocol udp
set firewall name admines-lan rule 160 source group address-group equipos_admines

set firewall name admines-lan rule 170 action accept
set firewall name admines-lan rule 170 description "Allow outbound traffic to the LAN workstations of the KARAS Project company (139/tcp)"
set firewall name admines-lan rule 170 destination group network-group red_lan
set firewall name admines-lan rule 170 destination port netbios-ssn
set firewall name admines-lan rule 170 log enable
set firewall name admines-lan rule 170 protocol tcp
set firewall name admines-lan rule 170 source group address-group equipos_admines
set firewall name admines-lan rule 170 source port 1024-65535

set firewall name admines-lan rule 180 action accept
set firewall name admines-lan rule 180 description "Allow outbound traffic to the LAN workstations of the KARAS Project company (445/tcp)"
set firewall name admines-lan rule 180 destination group network-group red_lan
set firewall name admines-lan rule 180 destination port microsoft-ds
set firewall name admines-lan rule 180 log enable
set firewall name admines-lan rule 180 protocol tcp
set firewall name admines-lan rule 180 source group address-group equipos_admines
set firewall name admines-lan rule 180 source port 1024-65535

set firewall name admines-lan rule 200 action accept
set firewall name admines-lan rule 200 description "Allow outbound traffic to the internal Domain Controllers (based on Sernet Samba 4) of the KARAS Project company to manage them via CLI over SSH"
set firewall name admines-lan rule 200 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 200 destination port ssh,40497
set firewall name admines-lan rule 200 log enable
set firewall name admines-lan rule 200 protocol tcp
set firewall name admines-lan rule 200 source group address-group equipos_gestion_internos
set firewall name admines-lan rule 200 source port 1024-65535

set firewall name admines-lan rule 310 action accept
set firewall name admines-lan rule 310 description "Allow outbound traffic to the internal LDAP servers or the LDAP service of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company over LDAP [PLAIN]"
set firewall name admines-lan rule 310 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 310 destination port ldap
set firewall name admines-lan rule 310 log enable
set firewall name admines-lan rule 310 protocol tcp_udp
set firewall name admines-lan rule 310 source group address-group equipos_admines

set firewall name admines-lan rule 320 action accept
set firewall name admines-lan rule 320 description "Allow outbound traffic to the internal LDAP servers or the LDAP service of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company over secure LDAP [SSL]"
set firewall name admines-lan rule 320 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 320 destination port ldaps
set firewall name admines-lan rule 320 log enable
set firewall name admines-lan rule 320 protocol tcp
set firewall name admines-lan rule 320 source group address-group equipos_admines

set firewall name admines-lan rule 330 action accept
set firewall name admines-lan rule 330 description "Allow outbound traffic to the internal LDAP servers or the LDAP service of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company for Global Catalog queries over the insecure protocol [PLAIN]"
set firewall name admines-lan rule 330 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 330 destination port 3268
set firewall name admines-lan rule 330 log enable
set firewall name admines-lan rule 330 protocol tcp
set firewall name admines-lan rule 330 source group address-group equipos_admines

set firewall name admines-lan rule 340 action accept
set firewall name admines-lan rule 340 description "Allow outbound traffic to the internal LDAP servers or the LDAP service of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company for Global Catalog queries over the secure protocol [SSL]"
set firewall name admines-lan rule 340 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 340 destination port 3269
set firewall name admines-lan rule 340 log enable
set firewall name admines-lan rule 340 protocol tcp
set firewall name admines-lan rule 340 source group address-group equipos_admines

set firewall name admines-lan rule 350 action accept
set firewall name admines-lan rule 350 description "Allow outbound traffic to the Kerberos service of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company for authentication"
set firewall name admines-lan rule 350 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 350 destination port 88
set firewall name admines-lan rule 350 log enable
set firewall name admines-lan rule 350 protocol tcp_udp
set firewall name admines-lan rule 350 source group address-group equipos_admines

set firewall name admines-lan rule 360 action accept
set firewall name admines-lan rule 360 description "Allow outbound traffic to the Kerberos service (kpasswd) of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company for setting/changing passwords"
set firewall name admines-lan rule 360 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 360 destination port 464
set firewall name admines-lan rule 360 log enable
set firewall name admines-lan rule 360 protocol tcp_udp
set firewall name admines-lan rule 360 source group address-group equipos_admines

set firewall name admines-lan rule 370 action accept
set firewall name admines-lan rule 370 description "Allow outbound traffic to the RPC endpoint mapper of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company"
set firewall name admines-lan rule 370 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 370 destination port 135
set firewall name admines-lan rule 370 log enable
set firewall name admines-lan rule 370 protocol tcp
set firewall name admines-lan rule 370 source group address-group equipos_admines

set firewall name admines-lan rule 380 action accept
set firewall name admines-lan rule 380 description "Allow outbound traffic to the File Replication service (RPC, DFSR [Sysvol]) of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company"
set firewall name admines-lan rule 380 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 380 destination port 5722
set firewall name admines-lan rule 380 log enable
set firewall name admines-lan rule 380 protocol tcp
set firewall name admines-lan rule 380 source group address-group equipos_admines

set firewall name admines-lan rule 390 action accept
set firewall name admines-lan rule 390 description "Allow outbound traffic to the Microsoft Directory Services (RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS) of the internal Active Directory Primary/Secondary Domain Controller of the KARAS Project company on dynamic RPC ports"
set firewall name admines-lan rule 390 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 390 destination port 1024-65535
set firewall name admines-lan rule 390 log enable
set firewall name admines-lan rule 390 protocol tcp_udp
set firewall name admines-lan rule 390 source group address-group equipos_admines

NOTE: The rules above (150-180: SMB/CIFS traffic; 200: SSH management; 310-390: Active Directory Domain Controller traffic) allow network traffic from the Network Administrators workstation to the Primary Domain Controller, which sits on the same subnet as the LAN workstations. Two caveats are worth keeping in mind. Rule 390 opens the whole 1024-65535 range over both TCP and UDP because the AD RPC services listen on dynamic ports, but current Windows and Samba allocate those ports from 49152-65535 by default (in Samba it is set with `rpc server dynamic port range`), so the rule can be narrowed to that range. Rule 380 (5722/tcp, DFS-R) only matters for Windows Domain Controllers: the Samba AD DC does not implement DFS-R, so on Sernet Samba 4 DCs that port stays closed.

set firewall name admines-lan rule 9999 action drop
set firewall name admines-lan rule 9999 description "Log everything that did not match the previous rules (firewall monitoring purposes)"
set firewall name admines-lan rule 9999 log enable
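Reviewing rule sets of this size by eye is how the Telnet rule above ended up without a destination group. The following Python script, added here as an example and not part of the original post or of the KARAS Project configuration, parses `set firewall name ...` commands of the form used on this page and flags the weak spots discussed in the notes: an accept rule with no destination restriction (rule 210 of admines-netdevs), a cleartext management protocol such as Telnet, a destination port range as wide as the one in rule 390, a default-action other than drop, and a rule set whose last rule is not a logging drop. The embedded configuration is a constructed excerpt of the page's rule sets with English descriptions; the small service-name table is an assumption standing in for /etc/services, and the thresholds are illustrative.

```python
"""Audit VyOS/Vyatta 'set firewall name ...' rule sets for the weak spots noted above.
Added example; the embedded config is a constructed excerpt of this page's rule sets."""
import shlex
from collections import defaultdict

# Assumption: a tiny stand-in for /etc/services covering the names the sample uses.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "ldap": 389}
CLEARTEXT_MGMT_PORTS = {23, 80}   # telnet and http carry credentials in the clear
BROAD_RANGE = 1000                # an accept rule spanning more ports than this is flagged

# Constructed excerpt: rule 210 (no destination group, Telnet) and rule 390 (64512-port range)
# are the interesting ones; rules 2 and 9999 show that stateful and catch-all rules are not flagged.
SAMPLE_CONFIG = """
set firewall name admines-netdevs default-action drop
set firewall name admines-netdevs rule 2 action accept
set firewall name admines-netdevs rule 2 state established enable
set firewall name admines-netdevs rule 2 state related enable
set firewall name admines-netdevs rule 200 action accept
set firewall name admines-netdevs rule 200 description "Manage internal network devices via SSH"
set firewall name admines-netdevs rule 200 destination group network-group red_equiposred
set firewall name admines-netdevs rule 200 destination port ssh,40497
set firewall name admines-netdevs rule 200 protocol tcp
set firewall name admines-netdevs rule 200 source group address-group equipos_gestion_routers
set firewall name admines-netdevs rule 210 action accept
set firewall name admines-netdevs rule 210 description "Manage the internal router via Telnet"
set firewall name admines-netdevs rule 210 destination port telnet
set firewall name admines-netdevs rule 210 protocol tcp
set firewall name admines-netdevs rule 210 source group address-group equipos_gestion_routers
set firewall name admines-netdevs rule 9999 action drop
set firewall name admines-netdevs rule 9999 log enable
set firewall name admines-lan default-action drop
set firewall name admines-lan rule 390 action accept
set firewall name admines-lan rule 390 destination group address-group svrs_pdc_lan
set firewall name admines-lan rule 390 destination port 1024-65535
set firewall name admines-lan rule 390 protocol tcp_udp
set firewall name admines-lan rule 390 source group address-group equipos_admines
set firewall name admines-lan rule 9999 action drop
set firewall name admines-lan rule 9999 log enable
"""


def parse_set_commands(text):
    """Map rule-set name -> {"default-action": str|None, "rules": {number: {key: value}}}.
    'set firewall name N rule R k1 k2 ... V' becomes rules[R]["k1 k2 ..."] = V."""
    rulesets = defaultdict(lambda: {"default-action": None, "rules": defaultdict(dict)})
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # shlex keeps a quoted description as one token
        if tokens[:3] != ["set", "firewall", "name"] or len(tokens) < 6:
            continue
        name = tokens[3]
        if tokens[4] == "default-action":
            rulesets[name]["default-action"] = tokens[5]
        elif tokens[4] == "rule" and len(tokens) >= 8:
            number = int(tokens[5])
            key, value = " ".join(tokens[6:-1]), tokens[-1]
            rulesets[name]["rules"][number][key] = value
    return rulesets


def port_numbers(spec):
    """Expand a VyOS port list ('ssh,40497', '1024-65535') into the set of ports it matches."""
    ports = set()
    for item in filter(None, spec.split(",")):
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            ports.update(range(low, high + 1))
        elif item.isdigit():
            ports.add(int(item))
        elif item in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[item])
    return ports


def audit(rulesets):
    """Return (ruleset, rule number or None, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for name, ruleset in sorted(rulesets.items()):
        if ruleset["default-action"] != "drop":
            findings.append((name, None, "default-action is not drop"))
        rules = ruleset["rules"]
        last = rules[max(rules)] if rules else {}
        if not (last.get("action") == "drop" and last.get("log") == "enable"):
            findings.append((name, None, "last rule is not a logging drop"))
        for number, rule in sorted(rules.items()):
            if rule.get("action") != "accept":
                continue
            if any(k.startswith("state ") for k in rule):
                continue                   # stateful match (ESTABLISHED/RELATED), not a service allow
            if not any(k.startswith("destination group") or k == "destination address" for k in rule):
                findings.append((name, number, "accept rule has no destination restriction"))
            ports = port_numbers(rule.get("destination port", ""))
            if ports & CLEARTEXT_MGMT_PORTS:
                findings.append((name, number, "cleartext management protocol allowed"))
            if len(ports) > BROAD_RANGE:
                findings.append((name, number, f"broad destination port range ({len(ports)} ports)"))
    return findings


if __name__ == "__main__":
    for name, number, finding in audit(parse_set_commands(SAMPLE_CONFIG)):
        print(f"{name} rule {number if number is not None else '-'}: {finding}")
```

Run against the excerpt it reports exactly three findings: rule 210 twice (no destination restriction, cleartext protocol) and rule 390 once (64512 destination ports). To audit a live router, replace `SAMPLE_CONFIG` with the output of `show configuration commands` filtered to `set firewall name`; rules that only match connection state are deliberately exempt from the destination check, since that is what rule 2 in every set is for.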

———————————————————————————–

set firewall name admines-servidores default-action drop
set firewall name admines-servidores description "Filter outbound traffic from the Node Administrators workstations of the KARAS Project company to the internal servers"

set firewall name admines-servidores rule 1 action accept
set firewall name admines-servidores rule 1 description "Allow ICMP traffic (ping)"
set firewall name admines-servidores rule 1 icmp type-name any
set firewall name admines-servidores rule 1 protocol icmp

set firewall name admines-servidores rule 2 action accept
set firewall name admines-servidores rule 2 description "Allow ESTABLISHED and RELATED connections (any protocol)"
set firewall name admines-servidores rule 2 state established enable
set firewall name admines-servidores rule 2 state related enable

set firewall name admines-servidores rule 3 action drop
set firewall name admines-servidores rule 3 description "Drop all packets in state INVALID"
set firewall name admines-servidores rule 3 log enable
set firewall name admines-servidores rule 3 state invalid enable

set firewall name admines-servidores rule 10 action accept
set firewall name admines-servidores rule 10 description "Allow outbound traffic to the internal DNS servers of the KARAS Project company"
set firewall name admines-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name admines-servidores rule 10 destination port domain
set firewall name admines-servidores rule 10 log enable
set firewall name admines-servidores rule 10 protocol tcp_udp
set firewall name admines-servidores rule 10 source group address-group equipos_admines

set firewall name admines-servidores rule 20 action accept
set firewall name admines-servidores rule 20 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for message transfer over SMTP [PLAIN]"
set firewall name admines-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 20 destination port smtp
set firewall name admines-servidores rule 20 log enable
set firewall name admines-servidores rule 20 protocol tcp
set firewall name admines-servidores rule 20 source group address-group equipos_admines
set firewall name admines-servidores rule 20 source port 1024-65535

set firewall name admines-servidores rule 30 action accept
set firewall name admines-servidores rule 30 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for message transfer over secure SMTP [SSL/TLS]"
set firewall name admines-servidores rule 30 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 30 destination port smtps
set firewall name admines-servidores rule 30 log enable
set firewall name admines-servidores rule 30 protocol tcp
set firewall name admines-servidores rule 30 source group address-group equipos_admines
set firewall name admines-servidores rule 30 source port 1024-65535

set firewall name admines-servidores rule 40 action accept
set firewall name admines-servidores rule 40 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for message submission over SUBMISSION [SSL/TLS]"
set firewall name admines-servidores rule 40 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 40 destination port submission
set firewall name admines-servidores rule 40 log enable
set firewall name admines-servidores rule 40 protocol tcp
set firewall name admines-servidores rule 40 source group address-group equipos_admines
set firewall name admines-servidores rule 40 source port 1024-65535

set firewall name admines-servidores rule 50 action accept
set firewall name admines-servidores rule 50 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for mailbox access over IMAP [PLAIN]"
set firewall name admines-servidores rule 50 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 50 destination port imap
set firewall name admines-servidores rule 50 log enable
set firewall name admines-servidores rule 50 protocol tcp
set firewall name admines-servidores rule 50 source group address-group equipos_admines
set firewall name admines-servidores rule 50 source port 1024-65535

set firewall name admines-servidores rule 60 action accept
set firewall name admines-servidores rule 60 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for mailbox access over IMAP [SSL]"
set firewall name admines-servidores rule 60 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 60 destination port imaps
set firewall name admines-servidores rule 60 log enable
set firewall name admines-servidores rule 60 protocol tcp
set firewall name admines-servidores rule 60 source group address-group equipos_admines
set firewall name admines-servidores rule 60 source port 1024-65535

set firewall name admines-servidores rule 70 action accept
set firewall name admines-servidores rule 70 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for mailbox access over POP3 [PLAIN]"
set firewall name admines-servidores rule 70 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 70 destination port pop3
set firewall name admines-servidores rule 70 log enable
set firewall name admines-servidores rule 70 protocol tcp
set firewall name admines-servidores rule 70 source group address-group equipos_admines
set firewall name admines-servidores rule 70 source port 1024-65535

set firewall name admines-servidores rule 80 action accept
set firewall name admines-servidores rule 80 description "Allow outbound traffic to the internal mail servers of the KARAS Project company for mailbox access over POP3 [SSL]"
set firewall name admines-servidores rule 80 destination group address-group svrs_correo_internos
set firewall name admines-servidores rule 80 destination port pop3s
set firewall name admines-servidores rule 80 log enable
set firewall name admines-servidores rule 80 protocol tcp
set firewall name admines-servidores rule 80 source group address-group equipos_admines
set firewall name admines-servidores rule 80 source port 1024-65535

set firewall name admines-servidores rule 90 action accept
set firewall name admines-servidores rule 90 description "Allow outbound traffic to the internal WEB server of the KARAS Project company"
set firewall name admines-servidores rule 90 destination group address-group svr_web_interno
set firewall name admines-servidores rule 90 destination port http,https
set firewall name admines-servidores rule 90 log enable
set firewall name admines-servidores rule 90 protocol tcp
set firewall name admines-servidores rule 90 source group address-group equipos_admines
set firewall name admines-servidores rule 90 source port 1024-65535

set firewall name admines-servidores rule 100 action accept
set firewall name admines-servidores rule 100 description "Allow outbound traffic to the internal FTP server of the KARAS Project company"
set firewall name admines-servidores rule 100 destination group address-group svr_ftp_interno
set firewall name admines-servidores rule 100 destination port ftp
set firewall name admines-servidores rule 100 log enable
set firewall name admines-servidores rule 100 protocol tcp
set firewall name admines-servidores rule 100 source group address-group equipos_admines
set firewall name admines-servidores rule 100 source port 1024-65535

NOTE: The rule above only covers the FTP control channel (21/tcp). The data channel of a passive-mode transfer is opened on an ephemeral port of the server, and it is only accepted by rule 2 (RELATED) if the FTP connection-tracking helper (nf_conntrack_ftp) is loaded on the PC-Router; without it, logins succeed but directory listings and transfers hang.

set firewall name admines-servidores rule 110 action accept
set firewall name admines-servidores rule 110 description "Allow outbound traffic to the internal Proxy server of the KARAS Project company"
set firewall name admines-servidores rule 110 destination group address-group svr_proxy_interno
set firewall name admines-servidores rule 110 destination port 3128
set firewall name admines-servidores rule 110 log enable
set firewall name admines-servidores rule 110 protocol tcp
set firewall name admines-servidores rule 110 source group address-group equipos_admines
set firewall name admines-servidores rule 110 source port 1024-65535

set firewall name admines-servidores rule 120 action accept
set firewall name admines-servidores rule 120 description "Allow outbound traffic to the internal Instant Messaging server of the KARAS Project company over insecure connections (5222/tcp)"
set firewall name admines-servidores rule 120 destination group address-group svr_jabber_interno
set firewall name admines-servidores rule 120 destination port 5222
set firewall name admines-servidores rule 120 log enable
set firewall name admines-servidores rule 120 protocol tcp
set firewall name admines-servidores rule 120 source group address-group equipos_admines
set firewall name admines-servidores rule 120 source port 1024-65535

set firewall name admines-servidores rule 130 action accept
set firewall name admines-servidores rule 130 description "Allow outbound traffic to the internal Instant Messaging server of the KARAS Project company over secure connections (SSL, 5223/tcp)"
set firewall name admines-servidores rule 130 destination group address-group svr_jabber_interno
set firewall name admines-servidores rule 130 destination port 5223
set firewall name admines-servidores rule 130 log enable
set firewall name admines-servidores rule 130 protocol tcp
set firewall name admines-servidores rule 130 source group address-group equipos_admines
set firewall name admines-servidores rule 130 source port 1024-65535

set firewall name admines-servidores rule 150 action accept
set firewall name admines-servidores rule 150 description "Allow outbound traffic to internal file servers or Domain Controllers of the KARAS Project company (137/udp)"
set firewall name admines-servidores rule 150 destination group network-group red_servidores_internos
set firewall name admines-servidores rule 150 destination port netbios-ns
set firewall name admines-servidores rule 150 log enable
set firewall name admines-servidores rule 150 protocol udp
set firewall name admines-servidores rule 150 source group address-group equipos_admines
set firewall name admines-servidores rule 150 source port netbios-ns

set firewall name admines-servidores rule 160 action accept
set firewall name admines-servidores rule 160 description “Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 138/udp)”
set firewall name admines-servidores rule 160 destination group network-group red_servidores_internos
set firewall name admines-servidores rule 160 destination port netbios-dgm
set firewall name admines-servidores rule 160 log enable
set firewall name admines-servidores rule 160 protocol udp
set firewall name admines-servidores rule 160 source group address-group equipos_admines
set firewall name admines-servidores rule 160 source port netbios-dgm

set firewall name admines-servidores rule 170 action accept
set firewall name admines-servidores rule 170 description “Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 139/tcp)”
set firewall name admines-servidores rule 170 destination group network-group red_servidores_internos
set firewall name admines-servidores rule 170 destination port netbios-ssn
set firewall name admines-servidores rule 170 log enable
set firewall name admines-servidores rule 170 protocol tcp
set firewall name admines-servidores rule 170 source group address-group equipos_admines
set firewall name admines-servidores rule 170 source port 1024-65535

set firewall name admines-servidores rule 180 action accept
set firewall name admines-servidores rule 180 description “Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 445/tcp)”
set firewall name admines-servidores rule 180 destination group network-group red_servidores_internos
set firewall name admines-servidores rule 180 destination port microsoft-ds
set firewall name admines-servidores rule 180 log enable
set firewall name admines-servidores rule 180 protocol tcp
set firewall name admines-servidores rule 180 source group address-group equipos_admines
set firewall name admines-servidores rule 180 source port 1024-65535

set firewall name admines-servidores rule 190 action accept
set firewall name admines-servidores rule 190 description “Permitir trafico saliente hacia los servidores de hora (puertos 123/udp) internos de la Empresa KARAS Project”
set firewall name admines-servidores rule 190 destination group address-group svrs_hora_internos
set firewall name admines-servidores rule 190 destination port ntp
set firewall name admines-servidores rule 190 log enable
set firewall name admines-servidores rule 190 protocol udp
set firewall name admines-servidores rule 190 source group address-group equipos_admines

set firewall name admines-servidores rule 200 action accept
set firewall name admines-servidores rule 200 description “Permitir trafico saliente hacia los servidores internos de la Empresa KARAS Project para gestionarlos mediante CLI”
set firewall name admines-servidores rule 200 destination group network-group red_servidores_internos
set firewall name admines-servidores rule 200 destination port ssh,40497
set firewall name admines-servidores rule 200 log enable
set firewall name admines-servidores rule 200 protocol tcp
set firewall name admines-servidores rule 200 source group address-group equipos_gestion_internos
set firewall name admines-servidores rule 200 source port 1024-65535

set firewall name admines-servidores rule 250 action accept
set firewall name admines-servidores rule 250 description “Permitir trafico saliente hacia la gestion del servidor Jabber OpenFire interno de la Empresa KARAS Project”
set firewall name admines-servidores rule 250 destination group address-group svr_jabber_interno
set firewall name admines-servidores rule 250 destination port 9090,9091
set firewall name admines-servidores rule 250 log enable
set firewall name admines-servidores rule 250 protocol tcp
set firewall name admines-servidores rule 250 source group address-group equipos_gestion_internos
set firewall name admines-servidores rule 250 source port 1024-65535

set firewall name admines-servidores rule 260 action accept
set firewall name admines-servidores rule 260 description “Permitir trafico saliente hacia los servidores Windows internos de la Empresa KARAS Project para gestionarlos mediante Protocolo de Escritorio Remoto (RDP)”
set firewall name admines-servidores rule 260 destination group address-group svrs_windows_internos
set firewall name admines-servidores rule 260 destination port 3389
set firewall name admines-servidores rule 260 log enable
set firewall name admines-servidores rule 260 protocol tcp
set firewall name admines-servidores rule 260 source group address-group equipos_gestion_internos
set firewall name admines-servidores rule 260 source port 1024-65535

set firewall name admines-servidores rule 280 action accept
set firewall name admines-servidores rule 280 description “Permitir trafico saliente hacia los servidores de monitoreo internos de la Empresa KARAS Project para gestionarlos remotamente (puerto 8080/tcp)”
set firewall name admines-servidores rule 280 destination group address-group svrs_monitoreo_internos
set firewall name admines-servidores rule 280 destination port 8080
set firewall name admines-servidores rule 280 log enable
set firewall name admines-servidores rule 280 protocol tcp
set firewall name admines-servidores rule 280 source group address-group equipos_gestion_internos
set firewall name admines-servidores rule 280 source port 1024-65535

set firewall name admines-servidores rule 290 action accept
set firewall name admines-servidores rule 290 description “Permitir trafico saliente hacia los servidores de bases de datos MS SQL Server 2000 (puertos 1433/tcp) internos de la Empresa KARAS Project”
set firewall name admines-servidores rule 290 destination group address-group svr_bases_datos_interno
set firewall name admines-servidores rule 290 destination port 1433
set firewall name admines-servidores rule 290 log enable
set firewall name admines-servidores rule 290 protocol tcp
set firewall name admines-servidores rule 290 source group address-group equipos_gestion_internos

set firewall name admines-servidores rule 300 action accept
set firewall name admines-servidores rule 300 description “Permitir trafico saliente hacia los servidores de bases de datos MS SQL Server 2000 (puertos 1434/{tcp|udp}) internos de la Empresa KARAS Project”
set firewall name admines-servidores rule 300 destination group address-group svr_bases_datos_interno
set firewall name admines-servidores rule 300 destination port 1434
set firewall name admines-servidores rule 300 log enable
set firewall name admines-servidores rule 300 protocol tcp_udp
set firewall name admines-servidores rule 300 source group address-group equipos_gestion_internos

set firewall name admines-servidores rule 310 action accept
set firewall name admines-servidores rule 310 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project a través del protocolo LDAP [PLAIN]”
set firewall name admines-servidores rule 310 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 310 destination port ldap
set firewall name admines-servidores rule 310 log enable
set firewall name admines-servidores rule 310 protocol tcp_udp
set firewall name admines-servidores rule 310 source group address-group equipos_admines

set firewall name admines-servidores rule 320 action accept
set firewall name admines-servidores rule 320 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project a través del protocolo LDAP seguro [SSL]”
set firewall name admines-servidores rule 320 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 320 destination port ldaps
set firewall name admines-servidores rule 320 log enable
set firewall name admines-servidores rule 320 protocol tcp
set firewall name admines-servidores rule 320 source group address-group equipos_admines

set firewall name admines-servidores rule 330 action accept
set firewall name admines-servidores rule 330 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para uso del Catalogo Global mediante protocolo inseguro [PLAIN]”
set firewall name admines-servidores rule 330 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 330 destination port 3268
set firewall name admines-servidores rule 330 log enable
set firewall name admines-servidores rule 330 protocol tcp
set firewall name admines-servidores rule 330 source group address-group equipos_admines

set firewall name admines-servidores rule 340 action accept
set firewall name admines-servidores rule 340 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para uso del Catalogo Global mediante protocolo seguro [SSL]”
set firewall name admines-servidores rule 340 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 340 destination port 3269
set firewall name admines-servidores rule 340 log enable
set firewall name admines-servidores rule 340 protocol tcp
set firewall name admines-servidores rule 340 source group address-group equipos_admines

set firewall name admines-servidores rule 350 action accept
set firewall name admines-servidores rule 350 description “Permitir trafico saliente hacia el servicio Kerberos del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para autenticacion”
set firewall name admines-servidores rule 350 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 350 destination port 88
set firewall name admines-servidores rule 350 log enable
set firewall name admines-servidores rule 350 protocol tcp_udp
set firewall name admines-servidores rule 350 source group address-group equipos_admines

set firewall name admines-servidores rule 360 action accept
set firewall name admines-servidores rule 360 description “Permitir trafico saliente hacia el servicio Kerberos del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para establecimiento/cambio de contrasenas”
set firewall name admines-servidores rule 360 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 360 destination port 464
set firewall name admines-servidores rule 360 log enable
set firewall name admines-servidores rule 360 protocol tcp_udp
set firewall name admines-servidores rule 360 source group address-group equipos_admines

set firewall name admines-servidores rule 370 action accept
set firewall name admines-servidores rule 370 description “Permitir trafico saliente hacia el servicio RPC del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project”
set firewall name admines-servidores rule 370 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 370 destination port 135
set firewall name admines-servidores rule 370 log enable
set firewall name admines-servidores rule 370 protocol tcp
set firewall name admines-servidores rule 370 source group address-group equipos_admines

set firewall name admines-servidores rule 380 action accept
set firewall name admines-servidores rule 380 description “Permitir trafico saliente hacia el servicio de Replicacion de Archivos (RPC, DFSR [Sysvol]) del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project”
set firewall name admines-servidores rule 380 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 380 destination port 5722
set firewall name admines-servidores rule 380 log enable
set firewall name admines-servidores rule 380 protocol tcp
set firewall name admines-servidores rule 380 source group address-group equipos_admines

set firewall name admines-servidores rule 390 action accept
set firewall name admines-servidores rule 390 description “Permitir trafico saliente hacia los Servicios de Directorio de Microsoft (RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS) del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project”
set firewall name admines-servidores rule 390 destination group address-group svrs_pdc_internos
set firewall name admines-servidores rule 390 destination port 1024-65535
set firewall name admines-servidores rule 390 log enable
set firewall name admines-servidores rule 390 protocol tcp_udp
set firewall name admines-servidores rule 390 source group address-group equipos_admines

set firewall name admines-servidores rule 9999 action drop
set firewall name admines-servidores rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name admines-servidores rule 9999 log enable
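Rule 9999 in every ruleset logs each packet that reached the end of the chain, and its description says the purpose is firewall monitoring. The example below is added here and is not part of the original page; it shows what that monitoring can look like on the PC-Router's syslog. It parses netfilter LOG lines, assuming Vyatta/VyOS prefixes them with "[<ruleset>-<rule>-<action letter>]" before the kernel's SRC=/DST=/PROTO=/DPT= fields, separates hits on the INVALID-state rule 3 from hits on the catch-all rule 9999, and flags sources that probed several distinct services: a misconfigured client usually hits one service repeatedly, whereas a scanner walks many. The log lines, host names and addresses are constructed for the example.

```python
"""Added example (not from the page): triage Vyatta/VyOS firewall LOG lines.

Assumed line shape (constructed, hypothetical hosts):
  <ts> <host> kernel: [<ruleset>-<rule>-<A|D|R>]IN=... OUT=... SRC=... DST=... PROTO=... DPT=...
"""
import re
from collections import Counter, defaultdict

# Assumption: the log prefix is "[<ruleset>-<rule number or default>-<action letter>]".
PREFIX_RE = re.compile(r"\[(?P<ruleset>[A-Za-z0-9_-]+)-(?P<rule>\d+|default)-(?P<action>[ADR])\]")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: three probes from one admin host, one INVALID-state drop,
# one stray SNMP query, one drop of the router's own egress, and one accept.
SAMPLE_LOG = """\
Mar  3 10:01:12 pcrouter kernel: [admines-servidores-9999-D]IN=eth1 OUT=eth2 SRC=10.10.1.21 DST=10.10.5.10 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 10:01:13 pcrouter kernel: [admines-servidores-9999-D]IN=eth1 OUT=eth2 SRC=10.10.1.21 DST=10.10.5.11 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN
Mar  3 10:01:14 pcrouter kernel: [admines-servidores-9999-D]IN=eth1 OUT=eth2 SRC=10.10.1.21 DST=10.10.5.12 LEN=60 PROTO=TCP SPT=51236 DPT=5900 SYN
Mar  3 10:02:40 pcrouter kernel: [admines-servidores-3-D]IN=eth1 OUT=eth2 SRC=10.10.1.30 DST=10.10.5.10 LEN=40 PROTO=TCP SPT=49200 DPT=445 ACK
Mar  3 10:03:05 pcrouter kernel: [admines-servidores-9999-D]IN=eth1 OUT=eth2 SRC=10.10.1.30 DST=10.10.5.10 LEN=78 PROTO=UDP SPT=50000 DPT=161
Mar  3 10:04:00 pcrouter kernel: [firewall-wan-9999-D]IN= OUT=eth0 SRC=10.10.0.1 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44000 DPT=8443 SYN
Mar  3 10:04:30 pcrouter kernel: [admines-servidores-310-A]IN=eth1 OUT=eth2 SRC=10.10.1.30 DST=10.10.5.10 LEN=60 PROTO=TCP SPT=50001 DPT=389 SYN
"""


def parse_line(line):
    """Return the prefix fields and the netfilter fields of one log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(line[m.end():]))
    return {"ruleset": m["ruleset"], "rule": m["rule"], "action": m["action"],
            "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"), "dpt": f.get("DPT")}


def triage(log_text, scan_threshold=3):
    """Summarise dropped packets per ruleset; flag sources that probed many services."""
    drops = [e for e in map(parse_line, log_text.splitlines()) if e and e["action"] == "D"]
    per_ruleset = defaultdict(list)
    for e in drops:
        per_ruleset[e["ruleset"]].append(e)
    report = {}
    for name, events in per_ruleset.items():
        targets = defaultdict(set)  # source -> distinct (dst, proto, port) it tried
        for e in events:
            targets[e["src"]].add((e["dst"], e["proto"], e["dpt"]))
        report[name] = {
            "total": len(events),
            "by_rule": dict(Counter(e["rule"] for e in events)),
            "top_sources": Counter(e["src"] for e in events).most_common(3),
            "top_services": Counter(f"{e['proto']}/{e['dpt']}" for e in events).most_common(3),
            "scan_suspects": sorted(s for s, t in targets.items() if len(t) >= scan_threshold),
        }
    return report


if __name__ == "__main__":
    for name, summary in triage(SAMPLE_LOG).items():
        print(name, summary)
```

On the constructed sample, 10.10.1.21 is reported as a scan suspect (telnet on two hosts, then VNC on a third), the single SNMP miss from 10.10.1.30 reads as a client that needs a rule or a fix, and the firewall-wan hit shows the router itself trying an egress port no rule allows.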

———————————————————————————–

set firewall name admines-wan default-action drop
set firewall name admines-wan description "Filter outbound traffic from the KARAS Project Node Administrators' workstations to the external network (Red CUBA)"

set firewall name admines-wan rule 9999 action drop
set firewall name admines-wan rule 9999 description "Log everything that does not match the rules above (firewall monitoring purposes)"
set firewall name admines-wan rule 9999 log enable

———————————————————————————–

Network traffic between the Firewall and the other subnets:

set firewall name firewall-admines default-action drop
set firewall name firewall-admines description "Filter outbound traffic from KARAS Project's internal PC-Router/Firewall to the Node Administrators' workstation subnet"

set firewall name firewall-admines rule 1 action accept
set firewall name firewall-admines rule 1 description "Allow ICMP traffic (all types, e.g. ping)"
set firewall name firewall-admines rule 1 icmp type-name any
set firewall name firewall-admines rule 1 protocol icmp

set firewall name firewall-admines rule 2 action accept
set firewall name firewall-admines rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name firewall-admines rule 2 state established enable
set firewall name firewall-admines rule 2 state related enable

set firewall name firewall-admines rule 3 action drop
set firewall name firewall-admines rule 3 description "Drop all packets marked INVALID"
set firewall name firewall-admines rule 3 log enable
set firewall name firewall-admines rule 3 state invalid enable

set firewall name firewall-admines rule 9999 action drop
set firewall name firewall-admines rule 9999 description "Log everything that does not match the rules above (firewall monitoring purposes)"
set firewall name firewall-admines rule 9999 log enable

———————————————————————————–

set firewall name firewall-netdevs default-action drop
set firewall name firewall-netdevs description "Filter outbound traffic from KARAS Project's internal PC-Router/Firewall to the Internetworking Devices subnet"

set firewall name firewall-netdevs rule 1 action accept
set firewall name firewall-netdevs rule 1 description "Allow ICMP traffic (all types, e.g. ping)"
set firewall name firewall-netdevs rule 1 icmp type-name any
set firewall name firewall-netdevs rule 1 protocol icmp

set firewall name firewall-netdevs rule 2 action accept
set firewall name firewall-netdevs rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name firewall-netdevs rule 2 state established enable
set firewall name firewall-netdevs rule 2 state related enable

set firewall name firewall-netdevs rule 3 action drop
set firewall name firewall-netdevs rule 3 description "Drop all packets marked INVALID"
set firewall name firewall-netdevs rule 3 log enable
set firewall name firewall-netdevs rule 3 state invalid enable

set firewall name firewall-netdevs rule 9999 action drop
set firewall name firewall-netdevs rule 9999 description "Log everything that does not match the rules above (firewall monitoring purposes)"
set firewall name firewall-netdevs rule 9999 log enable

———————————————————————————–

set firewall name firewall-hiperv default-action drop
set firewall name firewall-hiperv description "Filter outbound traffic from KARAS Project's internal PC-Router/Firewall to the internal Hypervisors (Virtual Machine nodes)"

set firewall name firewall-hiperv rule 1 action accept
set firewall name firewall-hiperv rule 1 description "Allow ICMP traffic (all types, e.g. ping)"
set firewall name firewall-hiperv rule 1 icmp type-name any
set firewall name firewall-hiperv rule 1 protocol icmp

set firewall name firewall-hiperv rule 2 action accept
set firewall name firewall-hiperv rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name firewall-hiperv rule 2 state established enable
set firewall name firewall-hiperv rule 2 state related enable

set firewall name firewall-hiperv rule 3 action drop
set firewall name firewall-hiperv rule 3 description "Drop all packets marked INVALID"
set firewall name firewall-hiperv rule 3 log enable
set firewall name firewall-hiperv rule 3 state invalid enable

set firewall name firewall-hiperv rule 200 action accept
set firewall name firewall-hiperv rule 200 description "Allow outbound traffic to KARAS Project's internal Hypervisors (Virtual Machine nodes) to manage them through the CLI over SSH"
set firewall name firewall-hiperv rule 200 destination group network-group red_hipervisores
set firewall name firewall-hiperv rule 200 destination port ssh,40497
set firewall name firewall-hiperv rule 200 log enable
set firewall name firewall-hiperv rule 200 protocol tcp
set firewall name firewall-hiperv rule 200 source port 1024-65535

set firewall name firewall-hiperv rule 9999 action drop
set firewall name firewall-hiperv rule 9999 description "Log everything that does not match the rules above (firewall monitoring purposes)"
set firewall name firewall-hiperv rule 9999 log enable

———————————————————————————–

set firewall name firewall-lan default-action drop
set firewall name firewall-lan description "Filter outbound traffic from KARAS Project's internal PC-Router/Firewall to the LAN workstation subnet"

set firewall name firewall-lan rule 1 action accept
set firewall name firewall-lan rule 1 description "Allow ICMP traffic (all types, e.g. ping)"
set firewall name firewall-lan rule 1 icmp type-name any
set firewall name firewall-lan rule 1 protocol icmp

set firewall name firewall-lan rule 2 action accept
set firewall name firewall-lan rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name firewall-lan rule 2 state established enable
set firewall name firewall-lan rule 2 state related enable

set firewall name firewall-lan rule 3 action drop
set firewall name firewall-lan rule 3 description "Drop all packets marked INVALID"
set firewall name firewall-lan rule 3 log enable
set firewall name firewall-lan rule 3 state invalid enable

set firewall name firewall-lan rule 200 action accept
set firewall name firewall-lan rule 200 description "Allow outbound traffic to KARAS Project's internal Domain Controllers (DCs) to manage them through the CLI"
set firewall name firewall-lan rule 200 destination group address-group svrs_pdc_internos
set firewall name firewall-lan rule 200 destination port ssh,40497
set firewall name firewall-lan rule 200 log enable
set firewall name firewall-lan rule 200 protocol tcp
set firewall name firewall-lan rule 200 source port 1024-65535

set firewall name firewall-lan rule 9999 action drop
set firewall name firewall-lan rule 9999 description "Log everything that does not match the rules above (firewall monitoring purposes)"
set firewall name firewall-lan rule 9999 log enable

———————————————————————————–

set firewall name firewall-servidores default-action drop
set firewall name firewall-servidores description "Filter outbound traffic from KARAS Project's internal PC-Router/Firewall to the internal servers"

set firewall name firewall-servidores rule 1 action accept
set firewall name firewall-servidores rule 1 description "Allow ICMP traffic (all types, e.g. ping)"
set firewall name firewall-servidores rule 1 icmp type-name any
set firewall name firewall-servidores rule 1 protocol icmp

set firewall name firewall-servidores rule 2 action accept
set firewall name firewall-servidores rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name firewall-servidores rule 2 state established enable
set firewall name firewall-servidores rule 2 state related enable

set firewall name firewall-servidores rule 3 action drop
set firewall name firewall-servidores rule 3 description "Drop all packets marked INVALID"
set firewall name firewall-servidores rule 3 log enable
set firewall name firewall-servidores rule 3 state invalid enable

set firewall name firewall-servidores rule 10 action accept
set firewall name firewall-servidores rule 10 description "Allow outbound traffic to KARAS Project's internal DNS servers"
set firewall name firewall-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name firewall-servidores rule 10 destination port domain
set firewall name firewall-servidores rule 10 log enable
set firewall name firewall-servidores rule 10 protocol tcp_udp

set firewall name firewall-servidores rule 20 action accept
set firewall name firewall-servidores rule 20 description "Allow outbound traffic to KARAS Project's internal mail servers for message transfer over SMTP [PLAIN]"
set firewall name firewall-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name firewall-servidores rule 20 destination port smtp
set firewall name firewall-servidores rule 20 log enable
set firewall name firewall-servidores rule 20 protocol tcp
set firewall name firewall-servidores rule 20 source port 1024-65535

set firewall name firewall-servidores rule 30 action accept
set firewall name firewall-servidores rule 30 description "Allow outbound traffic to KARAS Project's internal mail servers for message transfer over secure SMTP [SSL/TLS]"
set firewall name firewall-servidores rule 30 destination group address-group svrs_correo_internos
set firewall name firewall-servidores rule 30 destination port smtps
set firewall name firewall-servidores rule 30 log enable
set firewall name firewall-servidores rule 30 protocol tcp
set firewall name firewall-servidores rule 30 source port 1024-65535

set firewall name firewall-servidores rule 40 action accept
set firewall name firewall-servidores rule 40 description "Allow outbound traffic to KARAS Project's internal mail servers for message transfer over SUBMISSION [SSL/TLS]"
set firewall name firewall-servidores rule 40 destination group address-group svrs_correo_internos
set firewall name firewall-servidores rule 40 destination port submission
set firewall name firewall-servidores rule 40 log enable
set firewall name firewall-servidores rule 40 protocol tcp
set firewall name firewall-servidores rule 40 source port 1024-65535

set firewall name firewall-servidores rule 90 action accept
set firewall name firewall-servidores rule 90 description "Allow outbound traffic to KARAS Project's internal WEB server"
set firewall name firewall-servidores rule 90 destination group address-group svr_web_interno
set firewall name firewall-servidores rule 90 destination port http,https
set firewall name firewall-servidores rule 90 log enable
set firewall name firewall-servidores rule 90 protocol tcp
set firewall name firewall-servidores rule 90 source port 1024-65535

set firewall name firewall-servidores rule 100 action accept
set firewall name firewall-servidores rule 100 description "Allow outbound traffic to KARAS Project's internal FTP server"
set firewall name firewall-servidores rule 100 destination group address-group svr_ftp_interno
set firewall name firewall-servidores rule 100 destination port ftp
set firewall name firewall-servidores rule 100 log enable
set firewall name firewall-servidores rule 100 protocol tcp
set firewall name firewall-servidores rule 100 source port 1024-65535

set firewall name firewall-servidores rule 110 action accept
set firewall name firewall-servidores rule 110 description "Allow outbound traffic to KARAS Project's internal Proxy server"
set firewall name firewall-servidores rule 110 destination group address-group svr_proxy_interno
set firewall name firewall-servidores rule 110 destination port 3128
set firewall name firewall-servidores rule 110 log enable
set firewall name firewall-servidores rule 110 protocol tcp
set firewall name firewall-servidores rule 110 source port 1024-65535

set firewall name firewall-servidores rule 190 action accept
set firewall name firewall-servidores rule 190 description "Allow outbound traffic to KARAS Project's internal time servers (port 123/udp)"
set firewall name firewall-servidores rule 190 destination group address-group svrs_hora_internos
set firewall name firewall-servidores rule 190 destination port ntp
set firewall name firewall-servidores rule 190 log enable
set firewall name firewall-servidores rule 190 protocol udp

set firewall name firewall-servidores rule 200 action accept
set firewall name firewall-servidores rule 200 description "Allow outbound traffic to KARAS Project's internal servers to manage them through the CLI"
set firewall name firewall-servidores rule 200 destination group network-group red_servidores_internos
set firewall name firewall-servidores rule 200 destination port ssh,40497
set firewall name firewall-servidores rule 200 log enable
set firewall name firewall-servidores rule 200 protocol tcp
set firewall name firewall-servidores rule 200 source port 1024-65535

set firewall name firewall-servidores rule 9999 action drop
set firewall name firewall-servidores rule 9999 description "Log everything that does not match the rules above (firewall monitoring purposes)"
set firewall name firewall-servidores rule 9999 log enable

———————————————————————————–

set firewall name firewall-wan default-action drop
set firewall name firewall-wan description “Filtrar trafico saliente desde el PC-Router/Cortafuegos interno de la Empresa KARAS Project hacia la red externa (Red CUBA)”

set firewall name firewall-wan rule 1 action accept
set firewall name firewall-wan rule 1 description “Permitir trafico ICMP (ping)”
set firewall name firewall-wan rule 1 icmp type-name any
set firewall name firewall-wan rule 1 protocol icmp

set firewall name firewall-wan rule 2 action accept
set firewall name firewall-wan rule 2 description “Permitir conexiones TCP en estados ESTABLISHED y RELATED”
set firewall name firewall-wan rule 2 state established enable
set firewall name firewall-wan rule 2 state related enable

set firewall name firewall-wan rule 3 action drop
set firewall name firewall-wan rule 3 description “Descartar todos los paquetes marcados como invalidos”
set firewall name firewall-wan rule 3 log enable
set firewall name firewall-wan rule 3 state invalid enable

set firewall name firewall-wan rule 10 action accept
set firewall name firewall-wan rule 10 description “Permitir trafico saliente hacia los servidores DNS de la red externa (Red CUBA)”
set firewall name firewall-wan rule 10 destination address 0.0.0.0/0
set firewall name firewall-wan rule 10 destination port domain
set firewall name firewall-wan rule 10 log enable
set firewall name firewall-wan rule 10 protocol tcp_udp

set firewall name firewall-wan rule 20 action accept
set firewall name firewall-wan rule 20 description “Permitir trafico saliente hacia los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SMTP [PLAIN]”
set firewall name firewall-wan rule 20 destination address 0.0.0.0/0
set firewall name firewall-wan rule 20 destination port smtp
set firewall name firewall-wan rule 20 log enable
set firewall name firewall-wan rule 20 protocol tcp
set firewall name firewall-wan rule 20 source port 1024-65535

set firewall name firewall-wan rule 30 action accept
set firewall name firewall-wan rule 30 description “Permitir trafico saliente hacia los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SMTP seguro [SSL/TLS]”
set firewall name firewall-wan rule 30 destination address 0.0.0.0/0
set firewall name firewall-wan rule 30 destination port smtps
set firewall name firewall-wan rule 30 log enable
set firewall name firewall-wan rule 30 protocol tcp
set firewall name firewall-wan rule 30 source port 1024-65535

set firewall name firewall-wan rule 40 action accept
set firewall name firewall-wan rule 40 description “Permitir trafico saliente hacia los servidores de correo internos de la red externa (Red CUBA) para transferencia de mensajes mediante SUBMISSION [SSL/TLS]”
set firewall name firewall-wan rule 40 destination address 0.0.0.0/0
set firewall name firewall-wan rule 40 destination port submission
set firewall name firewall-wan rule 40 log enable
set firewall name firewall-wan rule 40 protocol tcp
set firewall name firewall-wan rule 40 source port 1024-65535

set firewall name firewall-wan rule 90 action accept
set firewall name firewall-wan rule 90 description “Permitir trafico saliente hacia servidores WEB de la red externa (Red CUBA)”
set firewall name firewall-wan rule 90 destination address 0.0.0.0/0
set firewall name firewall-wan rule 90 destination port http,https
set firewall name firewall-wan rule 90 log enable
set firewall name firewall-wan rule 90 protocol tcp
set firewall name firewall-wan rule 90 source port 1024-65535

set firewall name firewall-wan rule 100 action accept
set firewall name firewall-wan rule 100 description “Permitir trafico saliente hacia los servidores FTP de la red externa (Red CUBA)”
set firewall name firewall-wan rule 100 destination address 0.0.0.0/0
set firewall name firewall-wan rule 100 destination port ftp
set firewall name firewall-wan rule 100 log enable
set firewall name firewall-wan rule 100 protocol tcp
set firewall name firewall-wan rule 100 source port 1024-65535

set firewall name firewall-wan rule 190 action accept
set firewall name firewall-wan rule 190 description “Permitir trafico saliente hacia los servidores de hora (puertos 123/udp) de la red externa (Red CUBA) [si existen]”
set firewall name firewall-wan rule 190 destination address 0.0.0.0/0
set firewall name firewall-wan rule 190 destination port ntp
set firewall name firewall-wan rule 190 log enable
set firewall name firewall-wan rule 190 protocol udp

set firewall name firewall-wan rule 9999 action drop
set firewall name firewall-wan rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name firewall-wan rule 9999 log enable

———————————————————————————–

Network traffic between the Network Devices (connectivity equipment) VLAN and the other subnets:

set firewall name netdevs-admines default-action drop
set firewall name netdevs-admines description "Filter outbound traffic from the company's internal internetworking devices to the KARAS Project Node Administrators' workstations"

set firewall name netdevs-admines rule 1 action accept
set firewall name netdevs-admines rule 1 description "Allow ICMP traffic (ping)"
set firewall name netdevs-admines rule 1 icmp type-name any
set firewall name netdevs-admines rule 1 protocol icmp

set firewall name netdevs-admines rule 2 action accept
set firewall name netdevs-admines rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name netdevs-admines rule 2 state established enable
set firewall name netdevs-admines rule 2 state related enable

set firewall name netdevs-admines rule 3 action drop
set firewall name netdevs-admines rule 3 description "Drop all packets in INVALID state"
set firewall name netdevs-admines rule 3 log enable
set firewall name netdevs-admines rule 3 state invalid enable

set firewall name netdevs-admines rule 9999 action drop
set firewall name netdevs-admines rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name netdevs-admines rule 9999 log enable

———————————————————————————–

set firewall name netdevs-firewall default-action drop
set firewall name netdevs-firewall description "Filter outbound traffic from the company's internal internetworking devices to the internal PC-Router/Firewall"

set firewall name netdevs-firewall rule 1 action accept
set firewall name netdevs-firewall rule 1 description "Allow ICMP traffic (ping)"
set firewall name netdevs-firewall rule 1 icmp type-name any
set firewall name netdevs-firewall rule 1 protocol icmp

set firewall name netdevs-firewall rule 9999 action drop
set firewall name netdevs-firewall rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name netdevs-firewall rule 9999 log enable

———————————————————————————–

set firewall name netdevs-hiperv default-action drop
set firewall name netdevs-hiperv description "Filter outbound traffic from the company's internal internetworking devices to the internal hypervisors (virtual machine nodes)"

set firewall name netdevs-hiperv rule 9999 action drop
set firewall name netdevs-hiperv rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name netdevs-hiperv rule 9999 log enable

———————————————————————————–

set firewall name netdevs-lan default-action drop
set firewall name netdevs-lan description "Filter outbound traffic from the company's internal internetworking devices to the LAN workstations"

set firewall name netdevs-lan rule 9999 action drop
set firewall name netdevs-lan rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name netdevs-lan rule 9999 log enable

———————————————————————————–

set firewall name netdevs-servidores default-action drop
set firewall name netdevs-servidores description "Filter outbound traffic from the KARAS Project internal internetworking devices to the internal servers"

set firewall name netdevs-servidores rule 1 action accept
set firewall name netdevs-servidores rule 1 description "Allow ICMP traffic (ping)"
set firewall name netdevs-servidores rule 1 icmp type-name any
set firewall name netdevs-servidores rule 1 protocol icmp

set firewall name netdevs-servidores rule 2 action accept
set firewall name netdevs-servidores rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name netdevs-servidores rule 2 state established enable
set firewall name netdevs-servidores rule 2 state related enable

set firewall name netdevs-servidores rule 3 action drop
set firewall name netdevs-servidores rule 3 description "Drop all packets in INVALID state"
set firewall name netdevs-servidores rule 3 log enable
set firewall name netdevs-servidores rule 3 state invalid enable

set firewall name netdevs-servidores rule 10 action accept
set firewall name netdevs-servidores rule 10 description "Allow outbound traffic to the KARAS Project internal DNS servers"
set firewall name netdevs-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name netdevs-servidores rule 10 destination port domain
set firewall name netdevs-servidores rule 10 log enable
set firewall name netdevs-servidores rule 10 protocol tcp_udp
set firewall name netdevs-servidores rule 10 source group network-group red_equiposred

set firewall name netdevs-servidores rule 20 action accept
set firewall name netdevs-servidores rule 20 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over SMTP [PLAIN]"
set firewall name netdevs-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name netdevs-servidores rule 20 destination port smtp
set firewall name netdevs-servidores rule 20 log enable
set firewall name netdevs-servidores rule 20 protocol tcp
set firewall name netdevs-servidores rule 20 source group network-group red_equiposred
set firewall name netdevs-servidores rule 20 source port 1024-65535

set firewall name netdevs-servidores rule 30 action accept
set firewall name netdevs-servidores rule 30 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over secure SMTP [SSL/TLS]"
set firewall name netdevs-servidores rule 30 destination group address-group svrs_correo_internos
set firewall name netdevs-servidores rule 30 destination port smtps
set firewall name netdevs-servidores rule 30 log enable
set firewall name netdevs-servidores rule 30 protocol tcp
set firewall name netdevs-servidores rule 30 source group network-group red_equiposred
set firewall name netdevs-servidores rule 30 source port 1024-65535

set firewall name netdevs-servidores rule 40 action accept
set firewall name netdevs-servidores rule 40 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over SUBMISSION [SSL/TLS]"
set firewall name netdevs-servidores rule 40 destination group address-group svrs_correo_internos
set firewall name netdevs-servidores rule 40 destination port submission
set firewall name netdevs-servidores rule 40 log enable
set firewall name netdevs-servidores rule 40 protocol tcp
set firewall name netdevs-servidores rule 40 source group network-group red_equiposred
set firewall name netdevs-servidores rule 40 source port 1024-65535

set firewall name netdevs-servidores rule 90 action accept
set firewall name netdevs-servidores rule 90 description "Allow outbound traffic to the KARAS Project internal web server"
set firewall name netdevs-servidores rule 90 destination group address-group svr_web_interno
set firewall name netdevs-servidores rule 90 destination port http,https
set firewall name netdevs-servidores rule 90 log enable
set firewall name netdevs-servidores rule 90 protocol tcp
set firewall name netdevs-servidores rule 90 source group network-group red_equiposred
set firewall name netdevs-servidores rule 90 source port 1024-65535

set firewall name netdevs-servidores rule 100 action accept
set firewall name netdevs-servidores rule 100 description "Allow outbound traffic to the KARAS Project internal FTP server"
set firewall name netdevs-servidores rule 100 destination group address-group svr_ftp_interno
set firewall name netdevs-servidores rule 100 destination port ftp
set firewall name netdevs-servidores rule 100 log enable
set firewall name netdevs-servidores rule 100 protocol tcp
set firewall name netdevs-servidores rule 100 source group network-group red_equiposred
set firewall name netdevs-servidores rule 100 source port 1024-65535

set firewall name netdevs-servidores rule 190 action accept
set firewall name netdevs-servidores rule 190 description "Allow outbound traffic to the KARAS Project internal time servers (123/udp)"
set firewall name netdevs-servidores rule 190 destination group address-group svrs_hora_internos
set firewall name netdevs-servidores rule 190 destination port ntp
set firewall name netdevs-servidores rule 190 log enable
set firewall name netdevs-servidores rule 190 protocol udp
set firewall name netdevs-servidores rule 190 source group network-group red_equiposred

set firewall name netdevs-servidores rule 270 action accept
set firewall name netdevs-servidores rule 270 description "Allow outbound traffic to the KARAS Project internal monitoring servers for flow export (9996/udp)"
set firewall name netdevs-servidores rule 270 destination group address-group svrs_monitoreo_internos
set firewall name netdevs-servidores rule 270 destination port 9996
set firewall name netdevs-servidores rule 270 log enable
set firewall name netdevs-servidores rule 270 protocol udp
set firewall name netdevs-servidores rule 270 source group network-group red_equiposred

set firewall name netdevs-servidores rule 9999 action drop
set firewall name netdevs-servidores rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name netdevs-servidores rule 9999 log enable

———————————————————————————–

set firewall name netdevs-wan default-action drop
set firewall name netdevs-wan description "Filter outbound traffic from the company's internal internetworking devices to the external network (Red CUBA)"

set firewall name netdevs-wan rule 9999 action drop
set firewall name netdevs-wan rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name netdevs-wan rule 9999 log enable

———————————————————————————–

Network traffic between the Proxmox Hypervisor Management VLAN and the other subnets:

set firewall name hiperv-admines default-action drop
set firewall name hiperv-admines description "Filter outbound traffic from the KARAS Project internal hypervisors (virtual machine nodes) to the Node Administrators' workstations"

set firewall name hiperv-admines rule 1 action accept
set firewall name hiperv-admines rule 1 description "Allow ICMP traffic (ping)"
set firewall name hiperv-admines rule 1 icmp type-name any
set firewall name hiperv-admines rule 1 protocol icmp

set firewall name hiperv-admines rule 2 action accept
set firewall name hiperv-admines rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name hiperv-admines rule 2 state established enable
set firewall name hiperv-admines rule 2 state related enable

set firewall name hiperv-admines rule 3 action drop
set firewall name hiperv-admines rule 3 description "Drop all packets in INVALID state"
set firewall name hiperv-admines rule 3 log enable
set firewall name hiperv-admines rule 3 state invalid enable

set firewall name hiperv-admines rule 9999 action drop
set firewall name hiperv-admines rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name hiperv-admines rule 9999 log enable

———————————————————————————–

set firewall name hiperv-firewall default-action drop
set firewall name hiperv-firewall description "Filter outbound traffic from the KARAS Project internal hypervisors (virtual machine nodes) to the internal PC-Router/Firewall"

set firewall name hiperv-firewall rule 1 action accept
set firewall name hiperv-firewall rule 1 description "Allow ICMP traffic (ping)"
set firewall name hiperv-firewall rule 1 icmp type-name any
set firewall name hiperv-firewall rule 1 protocol icmp

set firewall name hiperv-firewall rule 2 action accept
set firewall name hiperv-firewall rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name hiperv-firewall rule 2 state established enable
set firewall name hiperv-firewall rule 2 state related enable

set firewall name hiperv-firewall rule 3 action drop
set firewall name hiperv-firewall rule 3 description "Drop all packets in INVALID state"
set firewall name hiperv-firewall rule 3 log enable
set firewall name hiperv-firewall rule 3 state invalid enable

set firewall name hiperv-firewall rule 9999 action drop
set firewall name hiperv-firewall rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name hiperv-firewall rule 9999 log enable

———————————————————————————–

set firewall name hiperv-netdevs default-action drop
set firewall name hiperv-netdevs description "Filter outbound traffic from the company's internal hypervisors (virtual machine nodes) to the internal internetworking devices"

set firewall name hiperv-netdevs rule 9999 action drop
set firewall name hiperv-netdevs rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name hiperv-netdevs rule 9999 log enable

———————————————————————————–

set firewall name hiperv-lan default-action drop
set firewall name hiperv-lan description "Filter outbound traffic from the KARAS Project internal hypervisors (virtual machine nodes) to the LAN workstations"

set firewall name hiperv-lan rule 1 action accept
set firewall name hiperv-lan rule 1 description "Allow ICMP traffic (ping)"
set firewall name hiperv-lan rule 1 icmp type-name any
set firewall name hiperv-lan rule 1 protocol icmp

set firewall name hiperv-lan rule 2 action accept
set firewall name hiperv-lan rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name hiperv-lan rule 2 state established enable
set firewall name hiperv-lan rule 2 state related enable

set firewall name hiperv-lan rule 3 action drop
set firewall name hiperv-lan rule 3 description "Drop all packets in INVALID state"
set firewall name hiperv-lan rule 3 log enable
set firewall name hiperv-lan rule 3 state invalid enable

set firewall name hiperv-lan rule 9999 action drop
set firewall name hiperv-lan rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name hiperv-lan rule 9999 log enable

———————————————————————————–

set firewall name hiperv-servidores default-action drop
set firewall name hiperv-servidores description "Filter outbound traffic from the KARAS Project internal hypervisors (virtual machine nodes) to the internal servers"

set firewall name hiperv-servidores rule 1 action accept
set firewall name hiperv-servidores rule 1 description "Allow ICMP traffic (ping)"
set firewall name hiperv-servidores rule 1 icmp type-name any
set firewall name hiperv-servidores rule 1 protocol icmp

set firewall name hiperv-servidores rule 2 action accept
set firewall name hiperv-servidores rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name hiperv-servidores rule 2 state established enable
set firewall name hiperv-servidores rule 2 state related enable

set firewall name hiperv-servidores rule 3 action drop
set firewall name hiperv-servidores rule 3 description "Drop all packets in INVALID state"
set firewall name hiperv-servidores rule 3 log enable
set firewall name hiperv-servidores rule 3 state invalid enable

set firewall name hiperv-servidores rule 10 action accept
set firewall name hiperv-servidores rule 10 description "Allow outbound traffic to the KARAS Project internal DNS servers"
set firewall name hiperv-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name hiperv-servidores rule 10 destination port domain
set firewall name hiperv-servidores rule 10 log enable
set firewall name hiperv-servidores rule 10 protocol tcp_udp
set firewall name hiperv-servidores rule 10 source group network-group red_hipervisores

set firewall name hiperv-servidores rule 20 action accept
set firewall name hiperv-servidores rule 20 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over SMTP [PLAIN]"
set firewall name hiperv-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name hiperv-servidores rule 20 destination port smtp
set firewall name hiperv-servidores rule 20 log enable
set firewall name hiperv-servidores rule 20 protocol tcp
set firewall name hiperv-servidores rule 20 source group network-group red_hipervisores
set firewall name hiperv-servidores rule 20 source port 1024-65535

set firewall name hiperv-servidores rule 30 action accept
set firewall name hiperv-servidores rule 30 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over secure SMTP [SSL/TLS]"
set firewall name hiperv-servidores rule 30 destination group address-group svrs_correo_internos
set firewall name hiperv-servidores rule 30 destination port smtps
set firewall name hiperv-servidores rule 30 log enable
set firewall name hiperv-servidores rule 30 protocol tcp
set firewall name hiperv-servidores rule 30 source group network-group red_hipervisores
set firewall name hiperv-servidores rule 30 source port 1024-65535

set firewall name hiperv-servidores rule 40 action accept
set firewall name hiperv-servidores rule 40 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over SUBMISSION [SSL/TLS]"
set firewall name hiperv-servidores rule 40 destination group address-group svrs_correo_internos
set firewall name hiperv-servidores rule 40 destination port submission
set firewall name hiperv-servidores rule 40 log enable
set firewall name hiperv-servidores rule 40 protocol tcp
set firewall name hiperv-servidores rule 40 source group network-group red_hipervisores
set firewall name hiperv-servidores rule 40 source port 1024-65535

set firewall name hiperv-servidores rule 90 action accept
set firewall name hiperv-servidores rule 90 description "Allow outbound traffic to the KARAS Project internal web server"
set firewall name hiperv-servidores rule 90 destination group address-group svr_web_interno
set firewall name hiperv-servidores rule 90 destination port http,https
set firewall name hiperv-servidores rule 90 log enable
set firewall name hiperv-servidores rule 90 protocol tcp
set firewall name hiperv-servidores rule 90 source group network-group red_hipervisores
set firewall name hiperv-servidores rule 90 source port 1024-65535

set firewall name hiperv-servidores rule 100 action accept
set firewall name hiperv-servidores rule 100 description "Allow outbound traffic to the KARAS Project internal FTP server"
set firewall name hiperv-servidores rule 100 destination group address-group svr_ftp_interno
set firewall name hiperv-servidores rule 100 destination port ftp
set firewall name hiperv-servidores rule 100 log enable
set firewall name hiperv-servidores rule 100 protocol tcp
set firewall name hiperv-servidores rule 100 source group network-group red_hipervisores
set firewall name hiperv-servidores rule 100 source port 1024-65535

set firewall name hiperv-servidores rule 190 action accept
set firewall name hiperv-servidores rule 190 description "Allow outbound traffic to the KARAS Project internal time servers (123/udp)"
set firewall name hiperv-servidores rule 190 destination group address-group svrs_hora_internos
set firewall name hiperv-servidores rule 190 destination port ntp
set firewall name hiperv-servidores rule 190 log enable
set firewall name hiperv-servidores rule 190 protocol udp
set firewall name hiperv-servidores rule 190 source group network-group red_hipervisores

set firewall name hiperv-servidores rule 9999 action drop
set firewall name hiperv-servidores rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name hiperv-servidores rule 9999 log enable

———————————————————————————–

set firewall name hiperv-wan default-action drop
set firewall name hiperv-wan description "Filter outbound traffic from the company's internal hypervisors (virtual machine nodes) to the external network (Red CUBA)"

set firewall name hiperv-wan rule 9999 action drop
set firewall name hiperv-wan rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name hiperv-wan rule 9999 log enable

———————————————————————————–

Network traffic between the LAN Workstations VLAN and the other subnets:

set firewall name lan-admines default-action drop
set firewall name lan-admines description "Filter outbound traffic from the KARAS Project LAN workstations to the Node Administrators' workstations"

set firewall name lan-admines rule 1 action accept
set firewall name lan-admines rule 1 description "Allow ICMP traffic (ping)"
set firewall name lan-admines rule 1 icmp type-name any
set firewall name lan-admines rule 1 protocol icmp

set firewall name lan-admines rule 2 action accept
set firewall name lan-admines rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name lan-admines rule 2 state established enable
set firewall name lan-admines rule 2 state related enable

set firewall name lan-admines rule 3 action drop
set firewall name lan-admines rule 3 description "Drop all packets in INVALID state"
set firewall name lan-admines rule 3 log enable
set firewall name lan-admines rule 3 state invalid enable

set firewall name lan-admines rule 150 action accept
set firewall name lan-admines rule 150 description "Allow outbound traffic to the KARAS Project LAN workstations (137/udp)"
set firewall name lan-admines rule 150 destination group network-group red_lan
set firewall name lan-admines rule 150 destination port netbios-ns
set firewall name lan-admines rule 150 log enable
set firewall name lan-admines rule 150 protocol udp
set firewall name lan-admines rule 150 source group network-group red_lan

set firewall name lan-admines rule 160 action accept
set firewall name lan-admines rule 160 description "Allow outbound traffic to the KARAS Project LAN workstations (138/udp)"
set firewall name lan-admines rule 160 destination group network-group red_lan
set firewall name lan-admines rule 160 destination port netbios-dgm
set firewall name lan-admines rule 160 log enable
set firewall name lan-admines rule 160 protocol udp
set firewall name lan-admines rule 160 source group network-group red_lan

set firewall name lan-admines rule 9999 action drop
set firewall name lan-admines rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name lan-admines rule 9999 log enable

Note on rules 150 and 160: this chain, by its name and description, filters traffic from the LAN towards the administrators' workstations, yet both rules use red_lan as source and as destination group. A packet that enters this chain is not addressed to red_lan, so neither rule can match, and NetBIOS name and datagram traffic from the LAN to the administrators falls through to rule 9999 and is dropped. Verify the intended destination group before relying on these two rules.

———————————————————————————–

set firewall name lan-firewall default-action drop
set firewall name lan-firewall description "Filter outbound traffic from the KARAS Project internal LAN workstations to the internal PC-Router/Firewall"

set firewall name lan-firewall rule 1 action accept
set firewall name lan-firewall rule 1 description "Allow ICMP traffic (ping)"
set firewall name lan-firewall rule 1 icmp type-name any
set firewall name lan-firewall rule 1 protocol icmp

set firewall name lan-firewall rule 2 action accept
set firewall name lan-firewall rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name lan-firewall rule 2 state established enable
set firewall name lan-firewall rule 2 state related enable

set firewall name lan-firewall rule 3 action drop
set firewall name lan-firewall rule 3 description "Drop all packets in INVALID state"
set firewall name lan-firewall rule 3 log enable
set firewall name lan-firewall rule 3 state invalid enable

set firewall name lan-firewall rule 150 action accept
set firewall name lan-firewall rule 150 description "Allow outbound traffic to KARAS Project internal file servers or Domain Controllers (137/udp)"
set firewall name lan-firewall rule 150 destination port netbios-ns
set firewall name lan-firewall rule 150 log enable
set firewall name lan-firewall rule 150 protocol udp
set firewall name lan-firewall rule 150 source group address-group equipos_admines
set firewall name lan-firewall rule 150 source port netbios-ns

set firewall name lan-firewall rule 160 action accept
set firewall name lan-firewall rule 160 description "Allow outbound traffic to KARAS Project internal file servers or Domain Controllers (138/udp)"
set firewall name lan-firewall rule 160 destination port netbios-dgm
set firewall name lan-firewall rule 160 log enable
set firewall name lan-firewall rule 160 protocol udp
set firewall name lan-firewall rule 160 source group address-group equipos_admines
set firewall name lan-firewall rule 160 source port netbios-dgm

set firewall name lan-firewall rule 9999 action drop
set firewall name lan-firewall rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name lan-firewall rule 9999 log enable

Note on rules 150 and 160: their source group is equipos_admines (the administrators' workstations), not the LAN, and their descriptions speak of file servers and Domain Controllers although this chain filters traffic from the LAN workstations to the PC-Router itself. Packets from the LAN therefore never match them and are dropped by rule 9999. If LAN hosts are meant to reach NetBIOS services on the PC-Router, the source group must cover the LAN (red_lan) and the descriptions should be corrected to match.
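
With this many near-identical chains, a rule that carries the wrong source or destination group for the chain it sits in is hard to spot by eye, and the firewall gives no warning: the rule simply never matches and the traffic lands in the logged drop at rule 9999. The following Python script is an added example, not code from the original post or from VyOS. It parses `set firewall name ... rule N ...` lines the way the CLI tokenizes them and, assuming the post's `<source-zone>-<destination-zone>` chain naming plus an assumed zone-to-group mapping (ZONE_GROUPS, which is not taken from the page's own group definitions), reports accept rules whose group lies outside the zone on that side of the chain. The sample configuration is constructed for the example and mirrors the lan-admines and lan-firewall NetBIOS rules above.

```python
"""Audit VyOS/EdgeOS 'set firewall name ...' rule sets for rules that can never match.

Added example; not part of the original post or of VyOS. It assumes the post's
naming convention '<source-zone>-<destination-zone>' for chain names and the
ZONE_GROUPS mapping below, which is an assumption about which group holds each
zone's hosts (not taken from the original group definitions).
"""
import re
import shlex
from collections import defaultdict

# Assumed zone -> address/network groups. 'firewall' and 'wan' have no group
# on the page, so that side of a chain touching them is not checked.
ZONE_GROUPS = {
    "lan": {"red_lan"},
    "admines": {"equipos_admines"},
    "netdevs": {"red_equiposred"},
    "hiperv": {"red_hipervisores"},
    "servidores": {"svrs_dns_internos", "svrs_correo_internos", "svr_web_interno",
                   "svr_ftp_interno", "svrs_hora_internos", "svrs_monitoreo_internos"},
}

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+)$")
CHAIN_RE = re.compile(r"^set firewall name (\S+) (default-action|description) (.+)$")


def parse_rulesets(config_text):
    """Return {chain: {'default_action': str|None, 'rules': {num: {key: value}}}}.

    Each rule line is split like the CLI would; the token path becomes the key
    and the last token the value, e.g. 'source group network-group red_lan' ->
    {'source group network-group': 'red_lan'}.
    """
    chains = defaultdict(lambda: {"default_action": None, "rules": defaultdict(dict)})
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Typographic quotes (as pasted from a web page) are not quoting
        # characters for the CLI; refuse them instead of mis-parsing the line.
        if "\u201c" in line or "\u201d" in line:
            raise ValueError(f"typographic quotes, the CLI needs ASCII quotes: {line}")
        m = RULE_RE.match(line)
        if m:
            tokens = shlex.split(m.group(3))
            chains[m.group(1)]["rules"][int(m.group(2))][" ".join(tokens[:-1])] = tokens[-1]
            continue
        m = CHAIN_RE.match(line)
        if m and m.group(2) == "default-action":
            chains[m.group(1)]["default_action"] = m.group(3)
    return chains


def _group(rule, side):
    """Group referenced on one side of a rule ('source' or 'destination'), if any."""
    for kind in ("address-group", "network-group"):
        value = rule.get(f"{side} group {kind}")
        if value:
            return value
    return None


def audit(chains, zone_groups=ZONE_GROUPS):
    """Find accept rules whose source/destination group lies outside the chain's zones.

    Such a rule is dead: packets entering a '<src>-<dst>' chain come from <src>
    and go to <dst>, so the traffic it describes falls through to the final drop.
    Returns a list of (chain, rule_number, message).
    """
    findings = []
    for chain, data in chains.items():
        src_zone, _, dst_zone = chain.partition("-")
        for num, rule in sorted(data["rules"].items()):
            if rule.get("action") != "accept":
                continue
            for side, zone in (("source", src_zone), ("destination", dst_zone)):
                group = _group(rule, side)
                allowed = zone_groups.get(zone)
                if group and allowed and group not in allowed:
                    findings.append((chain, num,
                        f"{side} group {group} is not in zone '{zone}'; rule can never match"))
    return findings


# Constructed sample modelled on the post's chains (not the full configuration).
SAMPLE_CONFIG = """
set firewall name lan-admines default-action drop
set firewall name lan-admines rule 150 action accept
set firewall name lan-admines rule 150 description "Allow NetBIOS-NS (137/udp)"
set firewall name lan-admines rule 150 destination group network-group red_lan
set firewall name lan-admines rule 150 destination port netbios-ns
set firewall name lan-admines rule 150 protocol udp
set firewall name lan-admines rule 150 source group network-group red_lan
set firewall name lan-admines rule 9999 action drop
set firewall name lan-admines rule 9999 log enable
set firewall name netdevs-servidores default-action drop
set firewall name netdevs-servidores rule 10 action accept
set firewall name netdevs-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name netdevs-servidores rule 10 destination port domain
set firewall name netdevs-servidores rule 10 protocol tcp_udp
set firewall name netdevs-servidores rule 10 source group network-group red_equiposred
set firewall name lan-firewall default-action drop
set firewall name lan-firewall rule 150 action accept
set firewall name lan-firewall rule 150 destination port netbios-ns
set firewall name lan-firewall rule 150 protocol udp
set firewall name lan-firewall rule 150 source group address-group equipos_admines
"""

if __name__ == "__main__":
    for chain, num, msg in audit(parse_rulesets(SAMPLE_CONFIG)):
        print(f"{chain} rule {num}: {msg}")
```

Run against the sample, the audit flags lan-admines rule 150 (destination group red_lan in a chain whose destination zone is admines) and lan-firewall rule 150 (source group equipos_admines in a chain whose source zone is lan), and passes netdevs-servidores rule 10. To check a real export, feed it the output of `show configuration commands | grep 'firewall name'` and extend ZONE_GROUPS with the groups actually defined on the router.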

———————————————————————————–

set firewall name lan-netdevs default-action drop
set firewall name lan-netdevs description "Filter outbound traffic from the KARAS Project LAN workstations to the internal internetworking devices"

set firewall name lan-netdevs rule 9999 action drop
set firewall name lan-netdevs rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name lan-netdevs rule 9999 log enable

———————————————————————————–

set firewall name lan-hiperv default-action drop
set firewall name lan-hiperv description "Filter outbound traffic from the KARAS Project LAN workstations to the internal hypervisors (virtual machine nodes)"

set firewall name lan-hiperv rule 1 action accept
set firewall name lan-hiperv rule 1 description "Allow ICMP traffic (ping)"
set firewall name lan-hiperv rule 1 icmp type-name any
set firewall name lan-hiperv rule 1 protocol icmp

set firewall name lan-hiperv rule 2 action accept
set firewall name lan-hiperv rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name lan-hiperv rule 2 state established enable
set firewall name lan-hiperv rule 2 state related enable

set firewall name lan-hiperv rule 3 action drop
set firewall name lan-hiperv rule 3 description "Drop all packets in INVALID state"
set firewall name lan-hiperv rule 3 log enable
set firewall name lan-hiperv rule 3 state invalid enable

set firewall name lan-hiperv rule 90 action accept
set firewall name lan-hiperv rule 90 description "Allow outbound traffic to the temporary repository server hosted on one of the KARAS Project internal hypervisors"
set firewall name lan-hiperv rule 90 destination group network-group red_hipervisores
set firewall name lan-hiperv rule 90 destination port http
set firewall name lan-hiperv rule 90 log enable
set firewall name lan-hiperv rule 90 protocol tcp
set firewall name lan-hiperv rule 90 source group network-group red_lan
set firewall name lan-hiperv rule 90 source port 1024-65535

set firewall name lan-hiperv rule 190 action accept
set firewall name lan-hiperv rule 190 description "Allow outbound traffic to the KARAS Project internal time servers (123/udp)"
set firewall name lan-hiperv rule 190 destination group network-group red_hipervisores
set firewall name lan-hiperv rule 190 destination port ntp
set firewall name lan-hiperv rule 190 log enable
set firewall name lan-hiperv rule 190 protocol udp
set firewall name lan-hiperv rule 190 source group network-group red_lan

set firewall name lan-hiperv rule 9999 action drop
set firewall name lan-hiperv rule 9999 description "Log everything that did not match the rules above (firewall monitoring)"
set firewall name lan-hiperv rule 9999 log enable

———————————————————————————–

set firewall name lan-servidores default-action drop
set firewall name lan-servidores description "Filter outbound traffic from the KARAS Project LAN workstations to the internal servers"

set firewall name lan-servidores rule 1 action accept
set firewall name lan-servidores rule 1 description "Allow ICMP traffic (ping)"
set firewall name lan-servidores rule 1 icmp type-name any
set firewall name lan-servidores rule 1 protocol icmp

set firewall name lan-servidores rule 2 action accept
set firewall name lan-servidores rule 2 description "Allow connections in ESTABLISHED and RELATED state (any protocol)"
set firewall name lan-servidores rule 2 state established enable
set firewall name lan-servidores rule 2 state related enable

set firewall name lan-servidores rule 3 action drop
set firewall name lan-servidores rule 3 description "Drop all packets in INVALID state"
set firewall name lan-servidores rule 3 log enable
set firewall name lan-servidores rule 3 state invalid enable

set firewall name lan-servidores rule 10 action accept
set firewall name lan-servidores rule 10 description "Allow outbound traffic to the KARAS Project internal DNS servers"
set firewall name lan-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name lan-servidores rule 10 destination port domain
set firewall name lan-servidores rule 10 log enable
set firewall name lan-servidores rule 10 protocol tcp_udp
set firewall name lan-servidores rule 10 source group network-group red_lan

set firewall name lan-servidores rule 20 action accept
set firewall name lan-servidores rule 20 description "Allow outbound traffic to the KARAS Project internal mail servers for message transfer over SMTP [PLAIN]"
set firewall name lan-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 20 destination port smtp
set firewall name lan-servidores rule 20 log enable
set firewall name lan-servidores rule 20 protocol tcp
set firewall name lan-servidores rule 20 source group network-group red_lan
set firewall name lan-servidores rule 20 source port 1024-65535

set firewall name lan-servidores rule 30 action accept
set firewall name lan-servidores rule 30 description "Permitir trafico saliente hacia los servidores de correo internos de la Empresa KARAS Project para transferencia de mensajes mediante SMTP seguro [SSL/TLS]"
set firewall name lan-servidores rule 30 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 30 destination port smtps
set firewall name lan-servidores rule 30 log enable
set firewall name lan-servidores rule 30 protocol tcp
set firewall name lan-servidores rule 30 source group network-group red_lan
set firewall name lan-servidores rule 30 source port 1024-65535

set firewall name lan-servidores rule 40 action accept
set firewall name lan-servidores rule 40 description "Permitir trafico saliente hacia los servidores de correo internos de la Empresa KARAS Project para transferencia de mensajes mediante SUBMISSION [SSL/TLS]"
set firewall name lan-servidores rule 40 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 40 destination port submission
set firewall name lan-servidores rule 40 log enable
set firewall name lan-servidores rule 40 protocol tcp
set firewall name lan-servidores rule 40 source group network-group red_lan
set firewall name lan-servidores rule 40 source port 1024-65535

set firewall name lan-servidores rule 50 action accept
set firewall name lan-servidores rule 50 description "Permitir trafico saliente hacia los servidores de correo internos de la Empresa KARAS Project para gestion de buzones mediante IMAP [PLAIN]"
set firewall name lan-servidores rule 50 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 50 destination port imap
set firewall name lan-servidores rule 50 log enable
set firewall name lan-servidores rule 50 protocol tcp
set firewall name lan-servidores rule 50 source group network-group red_lan
set firewall name lan-servidores rule 50 source port 1024-65535

set firewall name lan-servidores rule 60 action accept
set firewall name lan-servidores rule 60 description "Permitir trafico saliente hacia los servidores de correo internos de la Empresa KARAS Project para gestion de buzones mediante IMAP [SSL]"
set firewall name lan-servidores rule 60 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 60 destination port imaps
set firewall name lan-servidores rule 60 log enable
set firewall name lan-servidores rule 60 protocol tcp
set firewall name lan-servidores rule 60 source group network-group red_lan
set firewall name lan-servidores rule 60 source port 1024-65535

set firewall name lan-servidores rule 70 action accept
set firewall name lan-servidores rule 70 description "Permitir trafico saliente hacia los servidores de correo internos de la Empresa KARAS Project para gestion de buzones mediante POP3 [PLAIN]"
set firewall name lan-servidores rule 70 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 70 destination port pop3
set firewall name lan-servidores rule 70 log enable
set firewall name lan-servidores rule 70 protocol tcp
set firewall name lan-servidores rule 70 source group network-group red_lan
set firewall name lan-servidores rule 70 source port 1024-65535

set firewall name lan-servidores rule 80 action accept
set firewall name lan-servidores rule 80 description "Permitir trafico saliente hacia los servidores de correo internos de la Empresa KARAS Project para gestion de buzones mediante POP3 [SSL]"
set firewall name lan-servidores rule 80 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 80 destination port pop3s
set firewall name lan-servidores rule 80 log enable
set firewall name lan-servidores rule 80 protocol tcp
set firewall name lan-servidores rule 80 source group network-group red_lan
set firewall name lan-servidores rule 80 source port 1024-65535

set firewall name lan-servidores rule 90 action accept
set firewall name lan-servidores rule 90 description "Permitir trafico saliente hacia el servidor WEB interno de la Empresa KARAS Project"
set firewall name lan-servidores rule 90 destination group address-group svr_web_interno
set firewall name lan-servidores rule 90 destination port http,https
set firewall name lan-servidores rule 90 log enable
set firewall name lan-servidores rule 90 protocol tcp
set firewall name lan-servidores rule 90 source group network-group red_lan
set firewall name lan-servidores rule 90 source port 1024-65535

set firewall name lan-servidores rule 100 action accept
set firewall name lan-servidores rule 100 description "Permitir trafico saliente hacia el servidor FTP interno de la Empresa KARAS Project"
set firewall name lan-servidores rule 100 destination group address-group svr_ftp_interno
set firewall name lan-servidores rule 100 destination port ftp
set firewall name lan-servidores rule 100 log enable
set firewall name lan-servidores rule 100 protocol tcp
set firewall name lan-servidores rule 100 source group network-group red_lan
set firewall name lan-servidores rule 100 source port 1024-65535

set firewall name lan-servidores rule 110 action accept
set firewall name lan-servidores rule 110 description "Permitir trafico saliente hacia el servidor Proxy interno de la Empresa KARAS Project"
set firewall name lan-servidores rule 110 destination group address-group svr_proxy_interno
set firewall name lan-servidores rule 110 destination port 3128
set firewall name lan-servidores rule 110 log enable
set firewall name lan-servidores rule 110 protocol tcp
set firewall name lan-servidores rule 110 source group network-group red_lan
set firewall name lan-servidores rule 110 source port 1024-65535

set firewall name lan-servidores rule 120 action accept
set firewall name lan-servidores rule 120 description "Permitir trafico saliente hacia el servidor de Mensajeria Instantanea interno de la Empresa KARAS Project mediante conexiones inseguras"
set firewall name lan-servidores rule 120 destination group address-group svr_jabber_interno
set firewall name lan-servidores rule 120 destination port 5222
set firewall name lan-servidores rule 120 log enable
set firewall name lan-servidores rule 120 protocol tcp
set firewall name lan-servidores rule 120 source group network-group red_lan
set firewall name lan-servidores rule 120 source port 1024-65535

set firewall name lan-servidores rule 130 action accept
set firewall name lan-servidores rule 130 description "Permitir trafico saliente hacia el servidor de Mensajeria Instantanea interno de la Empresa KARAS Project mediante conexiones seguras (SSL)"
set firewall name lan-servidores rule 130 destination group address-group svr_jabber_interno
set firewall name lan-servidores rule 130 destination port 5223
set firewall name lan-servidores rule 130 log enable
set firewall name lan-servidores rule 130 protocol tcp
set firewall name lan-servidores rule 130 source group network-group red_lan
set firewall name lan-servidores rule 130 source port 1024-65535

set firewall name lan-servidores rule 150 action accept
set firewall name lan-servidores rule 150 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 137/udp)"
set firewall name lan-servidores rule 150 destination group network-group red_servidores_internos
set firewall name lan-servidores rule 150 destination port netbios-ns
set firewall name lan-servidores rule 150 log enable
set firewall name lan-servidores rule 150 protocol udp
set firewall name lan-servidores rule 150 source group network-group red_lan
set firewall name lan-servidores rule 150 source port netbios-ns

set firewall name lan-servidores rule 160 action accept
set firewall name lan-servidores rule 160 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 138/udp)"
set firewall name lan-servidores rule 160 destination group network-group red_servidores_internos
set firewall name lan-servidores rule 160 destination port netbios-dgm
set firewall name lan-servidores rule 160 log enable
set firewall name lan-servidores rule 160 protocol udp
set firewall name lan-servidores rule 160 source group network-group red_lan
set firewall name lan-servidores rule 160 source port netbios-dgm

set firewall name lan-servidores rule 170 action accept
set firewall name lan-servidores rule 170 description "Permitir trafico saliente hacia servidores de archivos internos o Controladores de Dominio de la Empresa KARAS Project (puertos 139/tcp)"
set firewall name lan-servidores rule 170 destination group network-group red_servidores_internos
set firewall name lan-servidores rule 170 destination port netbios-ssn
set firewall name lan-servidores rule 170 log enable
set firewall name lan-servidores rule 170 protocol tcp
set firewall name lan-servidores rule 170 source group network-group red_lan
set firewall name lan-servidores rule 170 source port 1024-65535

set firewall name lan-servidores rule 180 action accept
set firewall name lan-servidores rule 180 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 445/tcp)"
set firewall name lan-servidores rule 180 destination group network-group red_servidores_internos
set firewall name lan-servidores rule 180 destination port microsoft-ds
set firewall name lan-servidores rule 180 log enable
set firewall name lan-servidores rule 180 protocol tcp
set firewall name lan-servidores rule 180 source group network-group red_lan
set firewall name lan-servidores rule 180 source port 1024-65535

set firewall name lan-servidores rule 190 action accept
set firewall name lan-servidores rule 190 description "Permitir trafico saliente hacia los servidores de hora (puertos 123/udp) internos de la Empresa KARAS Project"
set firewall name lan-servidores rule 190 destination group address-group svrs_hora_internos
set firewall name lan-servidores rule 190 destination port ntp
set firewall name lan-servidores rule 190 log enable
set firewall name lan-servidores rule 190 protocol udp
set firewall name lan-servidores rule 190 source group network-group red_lan

set firewall name lan-servidores rule 290 action accept
set firewall name lan-servidores rule 290 description "Permitir trafico saliente hacia los servidores de bases de datos MS SQL Server 2000 (puertos 1433/tcp) internos de la Empresa KARAS Project"
set firewall name lan-servidores rule 290 destination group address-group svr_bases_datos_interno
set firewall name lan-servidores rule 290 destination port 1433
set firewall name lan-servidores rule 290 log enable
set firewall name lan-servidores rule 290 protocol tcp
set firewall name lan-servidores rule 290 source group network-group red_lan

set firewall name lan-servidores rule 300 action accept
set firewall name lan-servidores rule 300 description "Permitir trafico saliente hacia los servidores de bases de datos MS SQL Server 2000 (puertos 1434/{tcp|udp}) internos de la Empresa KARAS Project"
set firewall name lan-servidores rule 300 destination group address-group svr_bases_datos_interno
set firewall name lan-servidores rule 300 destination port 1434
set firewall name lan-servidores rule 300 log enable
set firewall name lan-servidores rule 300 protocol tcp_udp
set firewall name lan-servidores rule 300 source group network-group red_lan

set firewall name lan-servidores rule 310 action accept
set firewall name lan-servidores rule 310 description "Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project a través del protocolo LDAP [PLAIN]"
set firewall name lan-servidores rule 310 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 310 destination port ldap
set firewall name lan-servidores rule 310 log enable
set firewall name lan-servidores rule 310 protocol tcp_udp
set firewall name lan-servidores rule 310 source group network-group red_lan

set firewall name lan-servidores rule 320 action accept
set firewall name lan-servidores rule 320 description "Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project a través del protocolo LDAP seguro [SSL]"
set firewall name lan-servidores rule 320 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 320 destination port ldaps
set firewall name lan-servidores rule 320 log enable
set firewall name lan-servidores rule 320 protocol tcp
set firewall name lan-servidores rule 320 source group network-group red_lan

set firewall name lan-servidores rule 330 action accept
set firewall name lan-servidores rule 330 description "Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para uso del Catalogo Global mediante protocolo inseguro [PLAIN]"
set firewall name lan-servidores rule 330 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 330 destination port 3268
set firewall name lan-servidores rule 330 log enable
set firewall name lan-servidores rule 330 protocol tcp
set firewall name lan-servidores rule 330 source group network-group red_lan

set firewall name lan-servidores rule 340 action accept
set firewall name lan-servidores rule 340 description "Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para uso del Catalogo Global mediante protocolo seguro [SSL]"
set firewall name lan-servidores rule 340 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 340 destination port 3269
set firewall name lan-servidores rule 340 log enable
set firewall name lan-servidores rule 340 protocol tcp
set firewall name lan-servidores rule 340 source group network-group red_lan

set firewall name lan-servidores rule 350 action accept
set firewall name lan-servidores rule 350 description "Permitir trafico saliente hacia el servicio Kerberos del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para autenticacion"
set firewall name lan-servidores rule 350 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 350 destination port 88
set firewall name lan-servidores rule 350 log enable
set firewall name lan-servidores rule 350 protocol tcp_udp
set firewall name lan-servidores rule 350 source group network-group red_lan

set firewall name lan-servidores rule 360 action accept
set firewall name lan-servidores rule 360 description "Permitir trafico saliente hacia el servicio Kerberos del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para establecimiento/cambio de contrasenas"
set firewall name lan-servidores rule 360 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 360 destination port 464
set firewall name lan-servidores rule 360 log enable
set firewall name lan-servidores rule 360 protocol tcp_udp
set firewall name lan-servidores rule 360 source group network-group red_lan

set firewall name lan-servidores rule 370 action accept
set firewall name lan-servidores rule 370 description "Permitir trafico saliente hacia el servicio RPC del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project"
set firewall name lan-servidores rule 370 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 370 destination port 135
set firewall name lan-servidores rule 370 log enable
set firewall name lan-servidores rule 370 protocol tcp
set firewall name lan-servidores rule 370 source group network-group red_lan

set firewall name lan-servidores rule 380 action accept
set firewall name lan-servidores rule 380 description "Permitir trafico saliente hacia el servicio de Replicacion de Archivos (RPC, DFSR [Sysvol]) del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project"
set firewall name lan-servidores rule 380 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 380 destination port 5722
set firewall name lan-servidores rule 380 log enable
set firewall name lan-servidores rule 380 protocol tcp
set firewall name lan-servidores rule 380 source group network-group red_lan

set firewall name lan-servidores rule 390 action accept
set firewall name lan-servidores rule 390 description "Permitir trafico saliente hacia los Servicios de Directorio de Microsoft (RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS) del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project"
set firewall name lan-servidores rule 390 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 390 destination port 1024-65535
set firewall name lan-servidores rule 390 log enable
set firewall name lan-servidores rule 390 protocol tcp_udp
set firewall name lan-servidores rule 390 source group network-group red_lan

set firewall name lan-servidores rule 9999 action drop
set firewall name lan-servidores rule 9999 description "Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)"
set firewall name lan-servidores rule 9999 log enable
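
The rule sets are evaluated top-down with first-match semantics, which is why the ESTABLISHED/RELATED accept (rule 2) and the INVALID drop (rule 3) sit in front of every service rule, and why each set closes with a logging drop at 9999. As an added example (not part of the original post and not the KARAS Project's own tooling), the following Python script parses `set firewall name ...` lines of this shape, evaluates a constructed packet against a subset of the lan-servidores set to show which rule fires, and audits the accept rules for the services the page itself marks [PLAIN] or "inseguro" and for wide destination port ranges such as the 1024-65535 of rule 390. The group membership (red_lan, svrs_dns_internos, svrs_correo_internos, svrs_pdc_internos) is an assumption, since the real groups are defined in the previous part.

```python
"""Added example (not the KARAS Project's own tooling): parse VyOS/Vyatta `set firewall
name ...` lines, evaluate a packet with first-match semantics, and audit accept rules."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the page's lan-servidores set, straight quotes, no descriptions.
SAMPLE_CONFIG = """
set firewall name lan-servidores default-action drop
set firewall name lan-servidores rule 2 action accept
set firewall name lan-servidores rule 2 state established enable
set firewall name lan-servidores rule 2 state related enable
set firewall name lan-servidores rule 3 action drop
set firewall name lan-servidores rule 3 state invalid enable
set firewall name lan-servidores rule 10 action accept
set firewall name lan-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name lan-servidores rule 10 destination port domain
set firewall name lan-servidores rule 10 protocol tcp_udp
set firewall name lan-servidores rule 10 source group network-group red_lan
set firewall name lan-servidores rule 20 action accept
set firewall name lan-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name lan-servidores rule 20 destination port smtp
set firewall name lan-servidores rule 20 protocol tcp
set firewall name lan-servidores rule 20 source group network-group red_lan
set firewall name lan-servidores rule 390 action accept
set firewall name lan-servidores rule 390 destination group address-group svrs_pdc_internos
set firewall name lan-servidores rule 390 destination port 1024-65535
set firewall name lan-servidores rule 390 protocol tcp_udp
set firewall name lan-servidores rule 390 source group network-group red_lan
set firewall name lan-servidores rule 9999 action drop
set firewall name lan-servidores rule 9999 log enable
"""
# Assumed group membership; the page defines the real groups in an earlier part.
GROUPS = {"red_lan": ["10.10.20.0/24"], "svrs_dns_internos": ["10.10.10.5/32"],
          "svrs_correo_internos": ["10.10.10.25/32"], "svrs_pdc_internos": ["10.10.10.10/32"]}
SERVICES = {"domain": 53, "ftp": 21, "http": 80, "https": 443, "imap": 143,  # IANA port numbers
            "ldap": 389, "ntp": 123, "pop3": 110, "smtp": 25}                 # for the page's names
PLAINTEXT_PORTS = {21, 25, 80, 110, 143, 389, 3268, 5222}  # services the page labels [PLAIN]/inseguro
RULE_RE = re.compile(r"^set firewall name (\S+) (?:rule (\d+) )?(.+)$")

def port_ranges(spec):  # 'http,https' -> [(80, 80), (443, 443)]; '1024-65535' -> [(1024, 65535)]
    out = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo = int(SERVICES.get(lo, lo))
        out.append((lo, int(hi) if hi else lo))
    return out

def parse(text):
    """Return {ruleset: {"default": action, "rules": {number: attributes}}}."""
    sets = {}
    for m in filter(None, map(RULE_RE.match, map(str.strip, text.splitlines()))):
        rs = sets.setdefault(m.group(1), {"default": "drop", "rules": {}})
        t = m.group(3).split()
        if m.group(2) is None:  # set-level line: default-action or description
            rs["default"] = t[1] if t[0] == "default-action" else rs["default"]
            continue
        r = rs["rules"].setdefault(int(m.group(2)), {"states": set(), "log": False})
        if t[0] in ("action", "protocol"):
            r[t[0]] = t[1]
        elif t[0] == "state" and t[2] == "enable":
            r["states"].add(t[1])
        elif t[0] == "log":
            r["log"] = t[1] == "enable"
        elif t[0] in ("source", "destination") and t[1] in ("group", "port"):
            r[f"{t[0]}_{t[1]}"] = t[3] if t[1] == "group" else port_ranges(t[2])
    return sets

def rule_matches(r, pkt, groups):  # every criterion present on the rule must hold
    if r["states"] and pkt["state"] not in r["states"]:
        return False
    if r.get("protocol", "all") != "all" and pkt["proto"] not in r["protocol"].split("_"):
        return False
    for side, ak, pk in (("source", "src", "sport"), ("destination", "dst", "dport")):
        group = r.get(side + "_group")
        if group and not any(ip_address(pkt[ak]) in ip_network(n) for n in groups.get(group, [])):
            return False
        ranges, port = r.get(side + "_port"), pkt.get(pk, -1)
        if ranges and not any(lo <= port <= hi for lo, hi in ranges):
            return False
    return True

def evaluate(sets, name, pkt, groups=GROUPS):
    """First match wins, as on the PC-Router; (None, default-action) if nothing matched."""
    rs = sets[name]
    for num in sorted(rs["rules"]):
        if rule_matches(rs["rules"][num], pkt, groups):
            return num, rs["rules"][num]["action"]
    return None, rs["default"]

def audit(sets, name):
    """Flag accept rules that admit a cleartext service or a wide destination port range."""
    findings = []
    for num, r in sorted(sets[name]["rules"].items()):
        for lo, hi in (r.get("destination_port", []) if r.get("action") == "accept" else []):
            if lo == hi and lo in PLAINTEXT_PORTS:
                findings.append((num, "plaintext", f"accepts cleartext service on port {lo}"))
            elif hi - lo >= 1000:
                findings.append((num, "broad", f"accepts {hi - lo + 1} destination ports"))
    return findings
```

Run against the full lan-servidores set, `audit` lists every [PLAIN] accept rule (SMTP, IMAP, POP3, HTTP, FTP, LDAP, Global Catalog 3268, Jabber 5222) and rule 390, whose 1024-65535 tcp_udp range exists because the RPC-based directory services named in its description negotiate dynamic ports; the finding is there for review, not as a verdict. `evaluate` is the quick way to answer "which rule will this flow hit?" before committing a change, and because the 9999 rule logs, a flow that returns `(9999, "drop")` is also the one that will show up in the firewall log.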

———————————————————————————–

set firewall name lan-wan default-action drop
set firewall name lan-wan description "Filtrar trafico saliente desde las estaciones de trabajo de la Red LAN de la Empresa KARAS Project hacia la red externa (Red CUBA)"

set firewall name lan-wan rule 9999 action drop
set firewall name lan-wan rule 9999 description "Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)"
set firewall name lan-wan rule 9999 log enable

———————————————————————————–

Network traffic between the Network Servers VLAN and the other subnets:

set firewall name servidores-admines default-action drop
set firewall name servidores-admines description "Filtrar trafico saliente desde los servidores internos de la Empresa KARAS Project hacia las estaciones de trabajo de los Administradores del Nodo"

set firewall name servidores-admines rule 1 action accept
set firewall name servidores-admines rule 1 description "Permitir trafico ICMP (ping)"
set firewall name servidores-admines rule 1 icmp type-name any
set firewall name servidores-admines rule 1 protocol icmp

set firewall name servidores-admines rule 2 action accept
set firewall name servidores-admines rule 2 description "Permitir conexiones TCP en estados ESTABLISHED y RELATED"
set firewall name servidores-admines rule 2 state established enable
set firewall name servidores-admines rule 2 state related enable

set firewall name servidores-admines rule 3 action drop
set firewall name servidores-admines rule 3 description "Descartar todos los paquetes marcados como invalidos"
set firewall name servidores-admines rule 3 log enable
set firewall name servidores-admines rule 3 state invalid enable

set firewall name servidores-admines rule 9999 action drop
set firewall name servidores-admines rule 9999 description "Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)"
set firewall name servidores-admines rule 9999 log enable

———————————————————————————–

set firewall name servidores-firewall default-action drop
set firewall name servidores-firewall description "Filtrar trafico saliente desde los servidores internos de la Empresa KARAS Project hacia el PC-Router/Cortafuegos interno"

set firewall name servidores-firewall rule 1 action accept
set firewall name servidores-firewall rule 1 description "Permitir trafico ICMP (ping)"
set firewall name servidores-firewall rule 1 icmp type-name any
set firewall name servidores-firewall rule 1 protocol icmp

set firewall name servidores-firewall rule 2 action accept
set firewall name servidores-firewall rule 2 description "Permitir conexiones TCP en estados ESTABLISHED y RELATED"
set firewall name servidores-firewall rule 2 state established enable
set firewall name servidores-firewall rule 2 state related enable

set firewall name servidores-firewall rule 3 action drop
set firewall name servidores-firewall rule 3 description "Descartar todos los paquetes marcados como invalidos"
set firewall name servidores-firewall rule 3 log enable
set firewall name servidores-firewall rule 3 state invalid enable

set firewall name servidores-firewall rule 150 action accept
set firewall name servidores-firewall rule 150 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 137/udp)"
set firewall name servidores-firewall rule 150 destination port netbios-ns
set firewall name servidores-firewall rule 150 log enable
set firewall name servidores-firewall rule 150 protocol udp
set firewall name servidores-firewall rule 150 source group address-group svrs_pdc_internos
set firewall name servidores-firewall rule 150 source port netbios-ns

set firewall name servidores-firewall rule 160 action accept
set firewall name servidores-firewall rule 160 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 138/udp)"
set firewall name servidores-firewall rule 160 destination port netbios-dgm
set firewall name servidores-firewall rule 160 log enable
set firewall name servidores-firewall rule 160 protocol udp
set firewall name servidores-firewall rule 160 source group address-group svrs_pdc_internos
set firewall name servidores-firewall rule 160 source port netbios-dgm

set firewall name servidores-firewall rule 9999 action drop
set firewall name servidores-firewall rule 9999 description "Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)"
set firewall name servidores-firewall rule 9999 log enable

———————————————————————————–

set firewall name servidores-netdevs default-action drop
set firewall name servidores-netdevs description "Filtrar trafico saliente desde los servidores internos de la Empresa KARAS Project hacia los Equipos de Internetworking internos"

set firewall name servidores-netdevs rule 1 action accept
set firewall name servidores-netdevs rule 1 description "Permitir trafico ICMP (ping)"
set firewall name servidores-netdevs rule 1 icmp type-name any
set firewall name servidores-netdevs rule 1 protocol icmp

set firewall name servidores-netdevs rule 2 action accept
set firewall name servidores-netdevs rule 2 description "Permitir conexiones TCP en estados ESTABLISHED y RELATED"
set firewall name servidores-netdevs rule 2 state established enable
set firewall name servidores-netdevs rule 2 state related enable

set firewall name servidores-netdevs rule 3 action drop
set firewall name servidores-netdevs rule 3 description "Descartar todos los paquetes marcados como invalidos"
set firewall name servidores-netdevs rule 3 log enable
set firewall name servidores-netdevs rule 3 state invalid enable

set firewall name servidores-netdevs rule 9999 action drop
set firewall name servidores-netdevs rule 9999 description "Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)"
set firewall name servidores-netdevs rule 9999 log enable

———————————————————————————–

set firewall name servidores-hiperv default-action drop
set firewall name servidores-hiperv description "Filtrar trafico saliente desde los servidores internos de la Empresa KARAS Project hacia los Hipervisores (Nodos de Maquinas Virtuales) internos"

set firewall name servidores-hiperv rule 1 action accept
set firewall name servidores-hiperv rule 1 description "Permitir trafico ICMP (ping)"
set firewall name servidores-hiperv rule 1 icmp type-name any
set firewall name servidores-hiperv rule 1 protocol icmp

set firewall name servidores-hiperv rule 2 action accept
set firewall name servidores-hiperv rule 2 description "Permitir conexiones TCP en estados ESTABLISHED y RELATED"
set firewall name servidores-hiperv rule 2 state established enable
set firewall name servidores-hiperv rule 2 state related enable

set firewall name servidores-hiperv rule 3 action drop
set firewall name servidores-hiperv rule 3 description "Descartar todos los paquetes marcados como invalidos"
set firewall name servidores-hiperv rule 3 log enable
set firewall name servidores-hiperv rule 3 state invalid enable

set firewall name servidores-hiperv rule 90 action accept
set firewall name servidores-hiperv rule 90 description "Permitir trafico saliente hacia el servidor de Repositorios Temporal ubicado en uno de los Hipervisores internos de la Empresa KARAS Project"
set firewall name servidores-hiperv rule 90 destination group network-group red_hipervisores
set firewall name servidores-hiperv rule 90 destination port http
set firewall name servidores-hiperv rule 90 log enable
set firewall name servidores-hiperv rule 90 protocol tcp
set firewall name servidores-hiperv rule 90 source group network-group red_servidores_internos
set firewall name servidores-hiperv rule 90 source port 1024-65535

set firewall name servidores-hiperv rule 190 action accept
set firewall name servidores-hiperv rule 190 description "Permitir trafico saliente hacia los servidores de hora (puertos 123/udp) internos de la Empresa KARAS Project"
set firewall name servidores-hiperv rule 190 destination group network-group red_hipervisores
set firewall name servidores-hiperv rule 190 destination port ntp
set firewall name servidores-hiperv rule 190 log enable
set firewall name servidores-hiperv rule 190 protocol udp
set firewall name servidores-hiperv rule 190 source group network-group red_servidores_internos

set firewall name servidores-hiperv rule 9999 action drop
set firewall name servidores-hiperv rule 9999 description "Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)"
set firewall name servidores-hiperv rule 9999 log enable

———————————————————————————–

set firewall name servidores-lan default-action drop
set firewall name servidores-lan description "Filtrar trafico saliente desde los servidores internos de la Empresa KARAS Project hacia las estaciones de trabajo de la Red LAN internas"

set firewall name servidores-lan rule 1 action accept
set firewall name servidores-lan rule 1 description "Permitir trafico ICMP (ping)"
set firewall name servidores-lan rule 1 icmp type-name any
set firewall name servidores-lan rule 1 protocol icmp

set firewall name servidores-lan rule 2 action accept
set firewall name servidores-lan rule 2 description "Permitir conexiones TCP en estados ESTABLISHED y RELATED"
set firewall name servidores-lan rule 2 state established enable
set firewall name servidores-lan rule 2 state related enable

set firewall name servidores-lan rule 3 action drop
set firewall name servidores-lan rule 3 description "Descartar todos los paquetes marcados como invalidos"
set firewall name servidores-lan rule 3 log enable
set firewall name servidores-lan rule 3 state invalid enable

set firewall name servidores-lan rule 10 action accept
set firewall name servidores-lan rule 10 description "Permitir trafico saliente hacia el servicio DNS de los Controladores de Dominio ubicados en la Subred LAN de la Empresa KARAS Project"
set firewall name servidores-lan rule 10 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 10 destination port domain
set firewall name servidores-lan rule 10 log enable
set firewall name servidores-lan rule 10 protocol tcp_udp
set firewall name servidores-lan rule 10 source group address-group svrs_pdc_internos

set firewall name servidores-lan rule 150 action accept
set firewall name servidores-lan rule 150 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 137/udp)"
set firewall name servidores-lan rule 150 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 150 destination port netbios-ns
set firewall name servidores-lan rule 150 log enable
set firewall name servidores-lan rule 150 protocol udp
set firewall name servidores-lan rule 150 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 150 source port netbios-ns

set firewall name servidores-lan rule 160 action accept
set firewall name servidores-lan rule 160 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 138/udp)"
set firewall name servidores-lan rule 160 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 160 destination port netbios-dgm
set firewall name servidores-lan rule 160 log enable
set firewall name servidores-lan rule 160 protocol udp
set firewall name servidores-lan rule 160 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 160 source port netbios-dgm

set firewall name servidores-lan rule 170 action accept
set firewall name servidores-lan rule 170 description "Permitir trafico saliente hacia servidores de archivos internos o Controladores de Dominio de la Empresa KARAS Project (puertos 139/tcp)"
set firewall name servidores-lan rule 170 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 170 destination port netbios-ssn
set firewall name servidores-lan rule 170 log enable
set firewall name servidores-lan rule 170 protocol tcp
set firewall name servidores-lan rule 170 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 170 source port 1024-65535

set firewall name servidores-lan rule 180 action accept
set firewall name servidores-lan rule 180 description "Permitir trafico saliente hacia servidores de archivos o Controladores de Dominio internos de la Empresa KARAS Project (puertos 445/tcp)"
set firewall name servidores-lan rule 180 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 180 destination port microsoft-ds
set firewall name servidores-lan rule 180 log enable
set firewall name servidores-lan rule 180 protocol tcp
set firewall name servidores-lan rule 180 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 180 source port 1024-65535

set firewall name servidores-lan rule 310 action accept
set firewall name servidores-lan rule 310 description "Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project a través del protocolo LDAP [PLAIN]"
set firewall name servidores-lan rule 310 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 310 destination port ldap
set firewall name servidores-lan rule 310 log enable
set firewall name servidores-lan rule 310 protocol tcp_udp
set firewall name servidores-lan rule 310 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 310 source port 1024-65535

set firewall name servidores-lan rule 320 action accept
set firewall name servidores-lan rule 320 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primario/Secundario de Dominio Active Directory interno de la Empresa KARAS Project a través del protocolo LDAP seguro [SSL]”
set firewall name servidores-lan rule 320 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 320 destination port ldaps
set firewall name servidores-lan rule 320 log enable
set firewall name servidores-lan rule 320 protocol tcp_udp
set firewall name servidores-lan rule 320 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 320 source port 1024-65535

set firewall name servidores-lan rule 330 action accept
set firewall name servidores-lan rule 330 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para uso del Catalogo Global mediante protocolo inseguro [PLAIN]”
set firewall name servidores-lan rule 330 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 330 destination port 3268
set firewall name servidores-lan rule 330 log enable
set firewall name servidores-lan rule 330 protocol tcp
set firewall name servidores-lan rule 330 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 330 source port 1024-65535

set firewall name servidores-lan rule 340 action accept
set firewall name servidores-lan rule 340 description “Permitir trafico saliente hacia los servidores LDAP internos o el servicio LDAP del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para uso del Catalogo Global mediante protocolo seguro [SSL]”
set firewall name servidores-lan rule 340 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 340 destination port 3269
set firewall name servidores-lan rule 340 log enable
set firewall name servidores-lan rule 340 protocol tcp
set firewall name servidores-lan rule 340 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 340 source port 1024-65535

set firewall name servidores-lan rule 350 action accept
set firewall name servidores-lan rule 350 description “Permitir trafico saliente hacia el servicio Kerberos del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para autenticacion”
set firewall name servidores-lan rule 350 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 350 destination port 88
set firewall name servidores-lan rule 350 log enable
set firewall name servidores-lan rule 350 protocol tcp_udp
set firewall name servidores-lan rule 350 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 350 source port 1024-65535

set firewall name servidores-lan rule 360 action accept
set firewall name servidores-lan rule 360 description “Permitir trafico saliente hacia el servicio Kerberos del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project para establecimiento/cambio de contrasenas”
set firewall name servidores-lan rule 360 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 360 destination port 464
set firewall name servidores-lan rule 360 log enable
set firewall name servidores-lan rule 360 protocol tcp_udp
set firewall name servidores-lan rule 360 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 360 source port 1024-65535

set firewall name servidores-lan rule 370 action accept
set firewall name servidores-lan rule 370 description “Permitir trafico saliente hacia el servicio RPC del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project”
set firewall name servidores-lan rule 370 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 370 destination port 135
set firewall name servidores-lan rule 370 log enable
set firewall name servidores-lan rule 370 protocol tcp
set firewall name servidores-lan rule 370 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 370 source port 1024-65535

set firewall name servidores-lan rule 380 action accept
set firewall name servidores-lan rule 380 description “Permitir trafico saliente hacia el servicio de Replicacion de Archivos (RPC, DFSR [Sysvol]) del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project”
set firewall name servidores-lan rule 380 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 380 destination port 5722
set firewall name servidores-lan rule 380 log enable
set firewall name servidores-lan rule 380 protocol tcp
set firewall name servidores-lan rule 380 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 380 source port 1024-65535

set firewall name servidores-lan rule 390 action accept
set firewall name servidores-lan rule 390 description “Permitir trafico saliente hacia los Servicios de Directorio de Microsoft (RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS) del Controlador Primerio/Secundario de Dominio Active Directory interno de la Empresa KARAS Project”
set firewall name servidores-lan rule 390 destination group address-group svrs_pdc_lan
set firewall name servidores-lan rule 390 destination port 1024-65535
set firewall name servidores-lan rule 390 log enable
set firewall name servidores-lan rule 390 protocol tcp_udp
set firewall name servidores-lan rule 390 source group address-group svrs_pdc_internos
set firewall name servidores-lan rule 390 source port 1024-65535

set firewall name servidores-lan rule 9999 action drop
set firewall name servidores-lan rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name servidores-lan rule 9999 log enable

———————————————————————————–

set firewall name servidores-wan default-action drop
set firewall name servidores-wan description “Filtrar trafico saliente desde los servidores internos de la Empresa KARAS Project hacia la red externa (Red CUBA)”

set firewall name servidores-wan rule 1 action accept
set firewall name servidores-wan rule 1 description “Permitir trafico ICMP (ping)”
set firewall name servidores-wan rule 1 icmp type-name any
set firewall name servidores-wan rule 1 protocol icmp

set firewall name servidores-wan rule 2 action accept
set firewall name servidores-wan rule 2 description “Permitir conexiones TCP en estados ESTABLISHED y RELATED”
set firewall name servidores-wan rule 2 state established enable
set firewall name servidores-wan rule 2 state related enable

set firewall name servidores-wan rule 3 action drop
set firewall name servidores-wan rule 3 description “Descartar todos los paquetes marcados como invalidos”
set firewall name servidores-wan rule 3 log enable
set firewall name servidores-wan rule 3 state invalid enable

set firewall name servidores-wan rule 10 action accept
set firewall name servidores-wan rule 10 description “Permitir trafico saliente hacia los servidores DNS de la red externa (Red CUBA)”
set firewall name servidores-wan rule 10 destination address 0.0.0.0/0
set firewall name servidores-wan rule 10 destination port domain
set firewall name servidores-wan rule 10 log enable
set firewall name servidores-wan rule 10 protocol tcp_udp
set firewall name servidores-wan rule 10 source group address-group svrs_dns_internos

set firewall name servidores-wan rule 20 action accept
set firewall name servidores-wan rule 20 description “Permitir trafico saliente hacia los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SMTP [PLAIN]”
set firewall name servidores-wan rule 20 destination address 0.0.0.0/0
set firewall name servidores-wan rule 20 destination port smtp
set firewall name servidores-wan rule 20 log enable
set firewall name servidores-wan rule 20 protocol tcp
set firewall name servidores-wan rule 20 source group address-group svrs_correo_internos
set firewall name servidores-wan rule 20 source port 1024-65535

set firewall name servidores-wan rule 30 action accept
set firewall name servidores-wan rule 30 description “Permitir trafico saliente hacia los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SMTP seguro [SSL/TLS]”
set firewall name servidores-wan rule 30 destination address 0.0.0.0/0
set firewall name servidores-wan rule 30 destination port smtps
set firewall name servidores-wan rule 30 log enable
set firewall name servidores-wan rule 30 protocol tcp
set firewall name servidores-wan rule 30 source group address-group svrs_correo_internos
set firewall name servidores-wan rule 30 source port 1024-65535

set firewall name servidores-wan rule 40 action accept
set firewall name servidores-wan rule 40 description “Permitir trafico saliente hacia los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SUBMISSION [SSL/TLS]”
set firewall name servidores-wan rule 40 destination address 0.0.0.0/0
set firewall name servidores-wan rule 40 destination port submission
set firewall name servidores-wan rule 40 log enable
set firewall name servidores-wan rule 40 protocol tcp
set firewall name servidores-wan rule 40 source group address-group svrs_correo_internos
set firewall name servidores-wan rule 40 source port 1024-65535

set firewall name servidores-wan rule 90 action accept
set firewall name servidores-wan rule 90 description “Permitir trafico saliente de navegación en la Intranet CUBA”
set firewall name servidores-wan rule 90 destination address 0.0.0.0/0
set firewall name servidores-wan rule 90 destination port http,https
set firewall name servidores-wan rule 90 log enable
set firewall name servidores-wan rule 90 protocol tcp
set firewall name servidores-wan rule 90 source group address-group svr_proxy_interno
set firewall name servidores-wan rule 90 source port 1024-65535

set firewall name servidores-wan rule 100 action accept
set firewall name servidores-wan rule 100 description “Permitir trafico saliente de navegación en la Intranet CUBA”
set firewall name servidores-wan rule 100 destination address 0.0.0.0/0
set firewall name servidores-wan rule 100 destination port ftp
set firewall name servidores-wan rule 100 log enable
set firewall name servidores-wan rule 100 protocol tcp
set firewall name servidores-wan rule 100 source group address-group svr_proxy_interno
set firewall name servidores-wan rule 100 source port 1024-65535

set firewall name servidores-wan rule 120 action accept
set firewall name servidores-wan rule 120 description “Permitir trafico saliente hacia el servidor de Mensajeria Instantanea de la red externa (Red CUBA) mediante conexiones inseguras”
set firewall name servidores-wan rule 120 destination address 0.0.0.0/0
set firewall name servidores-wan rule 120 destination port 5222
set firewall name servidores-wan rule 120 log enable
set firewall name servidores-wan rule 120 protocol tcp
set firewall name servidores-wan rule 120 source group address-group svr_jabber_interno
set firewall name servidores-wan rule 120 source port 1024-65535

set firewall name servidores-wan rule 130 action accept
set firewall name servidores-wan rule 130 description “Permitir trafico saliente hacia el servidor de Mensajeria Instantanea de la red externa (Red CUBA) mediante conexiones seguras (SSL)”
set firewall name servidores-wan rule 130 destination address 0.0.0.0/0
set firewall name servidores-wan rule 130 destination port 5223
set firewall name servidores-wan rule 130 log enable
set firewall name servidores-wan rule 130 protocol tcp
set firewall name servidores-wan rule 130 source group address-group svr_jabber_interno
set firewall name servidores-wan rule 130 source port 1024-65535

set firewall name servidores-wan rule 140 action accept
set firewall name servidores-wan rule 140 description “Permitir trafico saliente hacia el servidor de Mensajeria Instantanea de la red externa (Red CUBA) mediante conexiones Servidor a Servidor”
set firewall name servidores-wan rule 140 destination address 0.0.0.0/0
set firewall name servidores-wan rule 140 destination port 5269
set firewall name servidores-wan rule 140 log enable
set firewall name servidores-wan rule 140 protocol tcp
set firewall name servidores-wan rule 140 source group address-group svr_jabber_interno

set firewall name servidores-wan rule 190 action accept
set firewall name servidores-wan rule 190 description “Permitir trafico saliente hacia los servidores de hora (puertos 123/udp) internos de la Empresa KARAS Project”
set firewall name servidores-wan rule 190 destination address 0.0.0.0/0
set firewall name servidores-wan rule 190 destination port ntp
set firewall name servidores-wan rule 190 log enable
set firewall name servidores-wan rule 190 protocol udp
set firewall name servidores-wan rule 190 source group address-group svrs_hora_internos

set firewall name servidores-wan rule 9999 action drop
set firewall name servidores-wan rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name servidores-wan rule 9999 log enable

———————————————————————————–

Network traffic between the External Network (Red CUBA) VLAN and the other subnets:

set firewall name wan-admines default-action drop
set firewall name wan-admines description “Filtrar trafico saliente desde la red externa (Red CUBA) hacia las estaciones de trabajo de los Administradores del Nodo de la Empresa KARAS Project”

set firewall name wan-admines rule 9999 action drop
set firewall name wan-admines rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name wan-admines rule 9999 log enable

———————————————————————————–

set firewall name wan-firewall default-action drop
set firewall name wan-firewall description “Filtrar trafico saliente desde la red externa (Red CUBA) hacia el PC-Router/Cortafuegos interno de la Empresa KARAS Project”

set firewall name wan-firewall rule 1 action accept
set firewall name wan-firewall rule 1 description “Permitir trafico ICMP (ping)”
set firewall name wan-firewall rule 1 icmp type-name any
set firewall name wan-firewall rule 1 protocol icmp

set firewall name wan-firewall rule 2 action accept
set firewall name wan-firewall rule 2 description “Permitir conexiones TCP en estados ESTABLISHED y RELATED”
set firewall name wan-firewall rule 2 state established enable
set firewall name wan-firewall rule 2 state related enable

set firewall name wan-firewall rule 3 action drop
set firewall name wan-firewall rule 3 description “Descartar todos los paquetes marcados como invalidos”
set firewall name wan-firewall rule 3 log enable
set firewall name wan-firewall rule 3 state invalid enable

set firewall name wan-firewall rule 200 action accept
set firewall name wan-firewall rule 200 description “Permitir trafico saliente hacia el Router/Cortafuegos interno de la Empresa KARAS Project para gestionarlo mediante CLI a través del protocolo SSH desde el rango externo de la Empresa KARAS Project”
set firewall name wan-firewall rule 200 destination port ssh,40497
set firewall name wan-firewall rule 200 log enable
set firewall name wan-firewall rule 200 protocol tcp
set firewall name wan-firewall rule 200 source group address-group red_externa_karas
set firewall name wan-firewall rule 200 source port 1024-65535

set firewall name wan-firewall rule 9999 action drop
set firewall name wan-firewall rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name wan-firewall rule 9999 log enable

———————————————————————————–

set firewall name wan-netdevs default-action drop
set firewall name wan-netdevs description “Filtrar trafico saliente desde la red externa (Red CUBA) hacia los Equipos de Internetworking internos de la Empresa KARAS Project”

set firewall name wan-netdevs rule 9999 action drop
set firewall name wan-netdevs rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name wan-netdevs rule 9999 log enable

———————————————————————————–

set firewall name wan-hiperv default-action drop
set firewall name wan-hiperv description “Filtrar trafico saliente desde la red externa (Red CUBA) hacia los Hipervisores (Nodos de Maquinas Virtuales) internos de la Empresa KARAS Project”

set firewall name wan-hiperv rule 9999 action drop
set firewall name wan-hiperv rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name wan-hiperv rule 9999 log enable

———————————————————————————–

set firewall name wan-lan default-action drop
set firewall name wan-lan description “Filtrar trafico saliente desde la red externa (Red CUBA) hacia las estaciones de trabajo de la Red LAN internas de la Empresa KARAS Project”

set firewall name wan-lan rule 9999 action drop
set firewall name wan-lan rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name wan-lan rule 9999 log enable

———————————————————————————–

set firewall name wan-servidores default-action drop
set firewall name wan-servidores description “Filtrar trafico saliente desde la red externa (Red CUBA) hacia los servidores internos de la Empresa KARAS Project”

set firewall name wan-servidores rule 1 action accept
set firewall name wan-servidores rule 1 description “Permitir trafico ICMP (ping)”
set firewall name wan-servidores rule 1 icmp type-name any
set firewall name wan-servidores rule 1 protocol icmp

set firewall name wan-servidores rule 2 action accept
set firewall name wan-servidores rule 2 description “Permitir conexiones TCP en estados ESTABLISHED y RELATED”
set firewall name wan-servidores rule 2 state established enable
set firewall name wan-servidores rule 2 state related enable

set firewall name wan-servidores rule 3 action drop
set firewall name wan-servidores rule 3 description “Descartar todos los paquetes marcados como invalidos”
set firewall name wan-servidores rule 3 log enable
set firewall name wan-servidores rule 3 state invalid enable

set firewall name wan-servidores rule 10 action accept
set firewall name wan-servidores rule 10 description “Permitir trafico saliente desde los servidores DNS de la red externa (Red CUBA)”
set firewall name wan-servidores rule 10 destination group address-group svrs_dns_internos
set firewall name wan-servidores rule 10 destination port domain
set firewall name wan-servidores rule 10 log enable
set firewall name wan-servidores rule 10 protocol tcp_udp
set firewall name wan-servidores rule 10 source address 0.0.0.0/0

set firewall name wan-servidores rule 20 action accept
set firewall name wan-servidores rule 20 description “Permitir trafico saliente desde los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SMTP [PLAIN]”
set firewall name wan-servidores rule 20 destination group address-group svrs_correo_internos
set firewall name wan-servidores rule 20 destination port smtp
set firewall name wan-servidores rule 20 log enable
set firewall name wan-servidores rule 20 protocol tcp
set firewall name wan-servidores rule 20 source address 0.0.0.0/0
set firewall name wan-servidores rule 20 source port 1024-65535

set firewall name wan-servidores rule 30 action accept
set firewall name wan-servidores rule 30 description “Permitir trafico saliente desde los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SMTP seguro [SSL/TLS]”
set firewall name wan-servidores rule 30 destination group address-group svrs_correo_internos
set firewall name wan-servidores rule 30 destination port smtps
set firewall name wan-servidores rule 30 log enable
set firewall name wan-servidores rule 30 protocol tcp
set firewall name wan-servidores rule 30 source address 0.0.0.0/0
set firewall name wan-servidores rule 30 source port 1024-65535

set firewall name wan-servidores rule 40 action accept
set firewall name wan-servidores rule 40 description “Permitir trafico saliente desde los servidores de correo de la red externa (Red CUBA) para transferencia de mensajes mediante SUBMISSION [SSL/TLS]”
set firewall name wan-servidores rule 40 destination group address-group svrs_correo_internos
set firewall name wan-servidores rule 40 destination port submission
set firewall name wan-servidores rule 40 log enable
set firewall name wan-servidores rule 40 protocol tcp
set firewall name wan-servidores rule 40 source address 0.0.0.0/0
set firewall name wan-servidores rule 40 source port 1024-65535

set firewall name wan-servidores rule 120 action accept
set firewall name wan-servidores rule 120 description “Permitir trafico saliente desde el servidor de Mensajeria Instantanea de la red externa (Red CUBA) mediante conexiones inseguras”
set firewall name wan-servidores rule 120 destination group address-group svr_jabber_interno
set firewall name wan-servidores rule 120 destination port 5222
set firewall name wan-servidores rule 120 log enable
set firewall name wan-servidores rule 120 protocol tcp
set firewall name wan-servidores rule 120 source address 0.0.0.0/0
set firewall name wan-servidores rule 120 source port 1024-65535

set firewall name wan-servidores rule 130 action accept
set firewall name wan-servidores rule 130 description “Permitir trafico saliente desde el servidor de Mensajeria Instantanea de la red externa (Red CUBA) mediante conexiones seguras (SSL)”
set firewall name wan-servidores rule 130 destination group address-group svr_jabber_interno
set firewall name wan-servidores rule 130 destination port 5223
set firewall name wan-servidores rule 130 log enable
set firewall name wan-servidores rule 130 protocol tcp
set firewall name wan-servidores rule 130 source address 0.0.0.0/0
set firewall name wan-servidores rule 130 source port 1024-65535

set firewall name wan-servidores rule 140 action accept
set firewall name wan-servidores rule 140 description “Permitir trafico saliente desde el servidor de Mensajeria Instantanea de la red externa (Red CUBA) mediante conexiones Servidor a Servidor”
set firewall name wan-servidores rule 140 destination group address-group svr_jabber_interno
set firewall name wan-servidores rule 140 destination port 5269
set firewall name wan-servidores rule 140 log enable
set firewall name wan-servidores rule 140 protocol tcp
set firewall name wan-servidores rule 140 source address 0.0.0.0/0

set firewall name wan-servidores rule 190 action accept
set firewall name wan-servidores rule 190 description “Permitir trafico saliente desde los servidores de hora (puertos 123/udp) internos de la Empresa KARAS Project”
set firewall name wan-servidores rule 190 destination group address-group svrs_hora_internos
set firewall name wan-servidores rule 190 destination port ntp
set firewall name wan-servidores rule 190 log enable
set firewall name wan-servidores rule 190 protocol udp
set firewall name wan-servidores rule 190 source address 0.0.0.0/0

set firewall name wan-servidores rule 9999 action drop
set firewall name wan-servidores rule 9999 description “Registrar eventos de todo lo que no coincida con las reglas anteriores (propositos de monitoreo del cortafuegos)”
set firewall name wan-servidores rule 9999 log enable

———————————————————————————–

set zone-policy zone netdevs default-action drop
set zone-policy zone netdevs description “Politica de acceso a la VLAN de los Equipos de Internetworking”
set zone-policy zone netdevs interface eth0.1

set zone-policy zone hiperv default-action drop
set zone-policy zone hiperv description “Politica de acceso a la VLAN de Gestion de los Hipervisores”
set zone-policy zone hiperv interface eth0.2

set zone-policy zone admines default-action drop
set zone-policy zone admines description “Politica de acceso a la VLAN de los Administradores de Red”
set zone-policy zone admines interface eth0.10

set zone-policy zone servidores default-action drop
set zone-policy zone servidores description “Politica de acceso a la VLAN de los Servidores Internos de la Empresa KARAS Project”
set zone-policy zone servidores interface eth0.11

set zone-policy zone dmz default-action drop
set zone-policy zone dmz description “Politica de acceso a la VLAN de los Servidores Externos (DMZ) de la Empresa KARAS Project”
set zone-policy zone dmz interface eth0.12

set zone-policy zone lan default-action drop
set zone-policy zone lan description “Politica de acceso a la VLAN de la Red LAN de la Empresa KARAS Project”
set zone-policy zone lan interface eth0.13

set zone-policy zone wan default-action drop
set zone-policy zone wan description “Politica de acceso a la VLAN de la Red WAN – Red CUBA”
set zone-policy zone wan interface eth0.14

set zone-policy zone vpn default-action drop
set zone-policy zone vpn description “Politica de acceso a la VLAN de la VPN Local IP-MPLS de la Empresa KARAS Project”
set zone-policy zone vpn interface eth0.15

set zone-policy zone firewall default-action drop
set zone-policy zone firewall description “Politica de acceso al propio PC-Router/Cortafuegos”
set zone-policy zone firewall local-zone

set zone-policy zone netdevs from hiperv firewall name hiperv-netdevs
set zone-policy zone netdevs from admines firewall name admines-netdevs
set zone-policy zone netdevs from servidores firewall name servidores-netdevs
set zone-policy zone netdevs from dmz firewall name dmz-netdevs
set zone-policy zone netdevs from lan firewall name lan-netdevs
set zone-policy zone netdevs from wan firewall name wan-netdevs
set zone-policy zone netdevs from vpn firewall name vpn-netdevs
set zone-policy zone netdevs from firewall firewall name firewall-netdevs

set zone-policy zone hiperv from netdevs firewall name netdevs-hiperv
set zone-policy zone hiperv from admines firewall name admines-hiperv
set zone-policy zone hiperv from servidores firewall name servidores-hiperv
set zone-policy zone hiperv from dmz firewall name dmz-hiperv
set zone-policy zone hiperv from lan firewall name lan-hiperv
set zone-policy zone hiperv from wan firewall name wan-hiperv
set zone-policy zone hiperv from vpn firewall name vpn-hiperv
set zone-policy zone hiperv from firewall firewall name firewall-hiperv

set zone-policy zone admines from netdevs firewall name netdevs-admines
set zone-policy zone admines from hiperv firewall name hiperv-admines
set zone-policy zone admines from servidores firewall name servidores-admines
set zone-policy zone admines from dmz firewall name dmz-admines
set zone-policy zone admines from lan firewall name lan-admines
set zone-policy zone admines from wan firewall name wan-admines
set zone-policy zone admines from vpn firewall name vpn-admines
set zone-policy zone admines from firewall firewall name firewall-admines

set zone-policy zone servidores from netdevs firewall name netdevs-servidores
set zone-policy zone servidores from hiperv firewall name hiperv-servidores
set zone-policy zone servidores from admines firewall name admines-servidores
set zone-policy zone servidores from dmz firewall name dmz-servidores
set zone-policy zone servidores from lan firewall name lan-servidores
set zone-policy zone servidores from wan firewall name wan-servidores
set zone-policy zone servidores from vpn firewall name vpn-servidores
set zone-policy zone servidores from firewall firewall name firewall-servidores

set zone-policy zone dmz from netdevs firewall name netdevs-dmz
set zone-policy zone dmz from hiperv firewall name hiperv-dmz
set zone-policy zone dmz from admines firewall name admines-dmz
set zone-policy zone dmz from servidores firewall name servidores-dmz
set zone-policy zone dmz from lan firewall name lan-dmz
set zone-policy zone dmz from wan firewall name wan-dmz
set zone-policy zone dmz from vpn firewall name vpn-dmz
set zone-policy zone dmz from firewall firewall name firewall-dmz

set zone-policy zone lan from netdevs firewall name netdevs-lan
set zone-policy zone lan from hiperv firewall name hiperv-lan
set zone-policy zone lan from admines firewall name admines-lan
set zone-policy zone lan from servidores firewall name servidores-lan
set zone-policy zone lan from dmz firewall name dmz-lan
set zone-policy zone lan from wan firewall name wan-lan
set zone-policy zone lan from vpn firewall name vpn-lan
set zone-policy zone lan from firewall firewall name firewall-lan

set zone-policy zone wan from netdevs firewall name netdevs-wan
set zone-policy zone wan from hiperv firewall name hiperv-wan
set zone-policy zone wan from admines firewall name admines-wan
set zone-policy zone wan from servidores firewall name servidores-wan
set zone-policy zone wan from dmz firewall name dmz-wan
set zone-policy zone wan from lan firewall name lan-wan
set zone-policy zone wan from vpn firewall name vpn-wan
set zone-policy zone wan from firewall firewall name firewall-wan

set zone-policy zone firewall from netdevs firewall name netdevs-firewall
set zone-policy zone firewall from hiperv firewall name hiperv-firewall
set zone-policy zone firewall from admines firewall name admines-firewall
set zone-policy zone firewall from servidores firewall name servidores-firewall
set zone-policy zone firewall from dmz firewall name dmz-firewall
set zone-policy zone firewall from lan firewall name lan-firewall
set zone-policy zone firewall from wan firewall name wan-firewall
set zone-policy zone firewall from vpn firewall name vpn-firewall

———————————————————————————–

That covers a good part of the PC-Router configuration. Now, one of the first things to analyse is the firewall configuration, because if it is not done carefully traffic can be partially or totally interrupted between some or all of the subnets. This can be checked by watching the system log with the command:

sudo tailf /var/log/messages

I preferred tailf over the classic Vyatta/VyOS CLI command because it refreshes the view automatically. However, this log shows an immense amount of data, and very quickly, so fast that there is no time to spot the string of interest. For that reason it is better to run the previous command but specify what you want to see:

sudo tailf /var/log/messages | grep <string to search for>

The log lines look similar to this:

[Image: VyOS - Log - 1]

[Image: VyOS - Log - 2]

NOTE: As the firewall rules were corrected, the zone and rule-set names had to be shortened so that the system would not truncate them in the log.

As can be seen in the images, the firewall log lines (which really are the rules matched by incoming and/or outgoing packets) carry several fields. These are:

  • wan-firewall-200-A / wan-firewall-9999-D

This string gives the name of the rule set (wan-firewall), the number of the rule matched within the set (200/9999) and the action applied to the packet (A: accept, D: drop).

  • IN=eth5

This string gives the input interface the packet arrived on, in this case the network interface eth5. In our case it would be the sub-interface eth0.15.

  • OUT=

This string gives the output interface the packet is leaving through; in this case no value appears. When no value appears, the packet is destined for the firewall itself.

  • SRC=192.168.137.1

This string gives the packet's source IP address.

  • DST=192.168.137.122

This string gives the packet's destination IP address; in our case the external IP address would of course be different.

  • PROTO=TCP

This string gives the packet's network protocol. It can be ICMP, TCP, UDP, etc.

  • SPT=53987

This string gives the packet's source port, in this case within the 1024-65535 range.

  • DPT=40497

This string gives the packet's destination port, in this case the port chosen for the firewall's SSH service.

NOTE: As mentioned earlier, every firewall rule set ends with rule 9999. The point of this is that rules are evaluated sequentially, in ascending order, and the first match wins :-), so in any rule set a packet that matched none of the earlier rules falls into this black hole, is dropped and is logged automatically (the `default-action drop` configured on each set would discard it silently). This is enormously useful for finding out whether rules need to be added to, or removed from, a given set.
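As an added example (not part of the original post, and not VyOS code), the following Python script parses log lines in the format described above and summarises what is falling into each rule set's 9999 catch-all, which is exactly the information needed to decide which rules to add. The sample log lines are constructed for the example: the addresses and the SSH port follow the text, while the MAC addresses, the eth0.15 traffic and the sshd line are made up. All function names are my own.

```python
"""Parse VyOS/Vyatta firewall log lines (written by the netfilter LOG target)
and summarise the traffic that fell through to each rule set's catch-all rule."""
import re
import sys
from collections import Counter

# Firewall log prefix: [<ruleset>-<rule>-<A|D|R>]. Rule-set names may contain
# dashes themselves, so the rule number and the action letter anchor the match.
PREFIX_RE = re.compile(r"\[(?P<name>[A-Za-z0-9_-]+)-(?P<rule>\d+|default)-(?P<action>[ADR])\]")
# KEY=value pairs after the prefix (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...).
# Bare flags such as DF or SYN carry no '=' and are skipped on purpose.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}


def parse_log_line(line):
    """Describe one firewall log line; None for lines without a firewall prefix
    (other kernel messages, sshd, ...)."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    out_if = fields.get("OUT", "")
    return {
        "ruleset": m.group("name"),
        "rule": m.group("rule"),
        "action": ACTIONS[m.group("action")],
        "in_if": fields.get("IN", ""),
        "out_if": out_if,
        # An empty OUT= means the packet was addressed to the router itself
        # (input path) rather than being forwarded to another interface.
        "to_router": out_if == "",
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),
    }


def summarize_catchall(lines, rule="9999"):
    """Count, per rule set, the (in_if, proto, dst, dpt) tuples that reached the
    catch-all rule. Each key is either a missing rule or traffic that is correctly
    being dropped; the source port is left out because it varies per connection."""
    hits = Counter()
    for line in lines:
        entry = parse_log_line(line)
        if entry is None or entry["rule"] != rule:
            continue
        hits[(entry["ruleset"], entry["in_if"], entry["proto"], entry["dst"], entry["dpt"])] += 1
    return hits


def format_report(hits):
    """Render the summary as text lines, busiest flows first."""
    return [
        f"{count:6d}  {ruleset:<20} IN={in_if:<8} {proto or '-':<5} -> {dst}:{dpt or '-'}"
        for (ruleset, in_if, proto, dst, dpt), count in hits.most_common()
    ]


# Constructed sample in the /var/log/messages format of VyOS 1.1 (not a real capture).
SAMPLE_LOG = """\
Jan  5 10:23:41 vyos kernel: [wan-firewall-200-A]IN=eth5 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.137.1 DST=192.168.137.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=53987 DPT=40497 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:23:42 vyos kernel: [wan-firewall-9999-D]IN=eth5 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.137.1 DST=192.168.137.122 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:23:43 vyos kernel: [wan-firewall-9999-D]IN=eth5 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.137.1 DST=192.168.137.122 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:23:44 vyos kernel: [admines-firewall-9999-D]IN=eth0.15 OUT=eth5 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.15.10 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Jan  5 10:23:45 vyos sshd[1234]: Accepted publickey for vyos from 192.168.137.1 port 53987 ssh2
"""

if __name__ == "__main__":
    # Feed it a saved copy of the log (e.g. sudo cat /var/log/messages | python3 fwlog.py);
    # with no piped input the constructed sample is summarised instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for report_line in format_report(summarize_catchall(source)):
        print(report_line)
```

Run it against a saved copy of the log rather than the live `tailf`/`tail -f` stream, since the summary is only printed once all input has been read. In the sample, the two telnet attempts against the router and the DNS query trying to leave through eth5 are the candidates for a new rule or for confirming that the drop is intended.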

And that concludes the description of the new network structure and of the PC-Router/firewall configuration of the KARAS Project company. As errors show up and are corrected, and as new services are added, this part of the manual will be updated accordingly.

🙂

About Hector Suarez Planas

He holds a degree in Computer Science (3 July 2002). He has been a Network Administrator in several organizations, a Programmer and a Systems Analyst. He currently works as Network Administrator of the Telecentro Tele Turquino in Santiago de Cuba. He has experience with Windows and GNU/Linux systems, network infrastructure (Cisco, AlliedTelesis, Netgear and HP ProCurve, Vyatta/VyOS), physical and virtual servers (VMware, Proxmox VE and Xen platforms), IT security systems (Snort/Suricata IDS, AlienVault OSSIM appliances) and programming (Delphi, C++ Builder, Perl [a little], Python [some]), among other things. He is currently getting into everything related to Cloud Computing (OpenStack) and data centres. :-)
This entry was posted in Cortafuegos, Debian, Firewall, IOS, Routing, Seguridad, VLAN, VPN, Vyatta/VyOS/EdgeOS.
