From 1d402a8b6d80be6bc6ed6f5f18497b72200c52ed Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 3 Jan 2024 15:44:12 -0600
Subject: [PATCH] Updated for vyos 1.4-rc1 firewall rules and apis updated to match.
---
 config-parts/container.sh | 19 +-
 config-parts/firewall-ipv4.sh | 760 +++++++++++++++++++++++++++++++++
 config-parts/firewall-name.sh | 778 ----------------------------------
 config-parts/firewall-zone.sh | 88 ++--
 config-parts/firewall.sh | 96 +----
 config-parts/interfaces.sh | 28 +-
 config-parts/nat.sh | 70 +--
 config-parts/system.sh | 9 +-
 8 files changed, 835 insertions(+), 1013 deletions(-)
 create mode 100644 config-parts/firewall-ipv4.sh
 delete mode 100644 config-parts/firewall-name.sh
diff --git a/config-parts/container.sh b/config-parts/container.sh
index 3b856bb..dccd281 100644
--- a/config-parts/container.sh
+++ b/config-parts/container.sh
@@ -3,21 +3,6 @@
 # Container networks
 set container network containers prefix '10.5.0.0/24'
 
-# bind
-set container name bind cap-add 'net-bind-service'
-set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
-set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
-set container name bind memory '0'
-set container name bind network containers address '10.5.0.3'
-set container name bind restart 'on-failure'
-set container name bind shared-memory '0'
-set container name bind volume config source '/config/containers/bind/config'
-set container name bind volume config destination '/etc/bind'
-set container name bind volume config mode 'ro'
-set container name bind volume cache source '/tmp/bind/cache'
-set container name bind volume cache destination '/var/cache/bind'
-set container name bind volume cache mode 'rw'
-
 # haproxy-k8s-api
 set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.0'
 set container name haproxy-k8s-api memory '0'
@@ -57,7 +42,7 @@ set container name speedtest-exporter shared-memory '0'
 # udp-broadcast-relay-mdns
 set container name udp-broadcast-relay-mdns allow-host-networks
 set container name udp-broadcast-relay-mdns cap-add 'net-raw'
-set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth1.20;eth1.40'
+set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth4.20;eth4.40'
 set container name udp-broadcast-relay-mdns environment CFG_ID value '2'
 set container name udp-broadcast-relay-mdns environment CFG_MULTICAST value '224.0.0.251'
 set container name udp-broadcast-relay-mdns environment CFG_PORT value '5353'
@@ -70,7 +55,7 @@ set container name udp-broadcast-relay-mdns shared-memory '0'
 # udp-broadcast-relay-sonos
 set container name udp-broadcast-relay-sonos allow-host-networks
 set container name udp-broadcast-relay-sonos cap-add 'net-raw'
-set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth1.20;eth1.40'
+set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth4.20;eth4.40'
 set container name udp-broadcast-relay-sonos environment CFG_ID value '1'
 set container name udp-broadcast-relay-sonos environment CFG_MULTICAST value '239.255.255.250'
 set container name udp-broadcast-relay-sonos environment CFG_PORT value '1900'
diff --git a/config-parts/firewall-ipv4.sh b/config-parts/firewall-ipv4.sh
new file mode 100644
index 0000000..bd05cda
--- /dev/null
+++ b/config-parts/firewall-ipv4.sh
@@ -0,0 +1,760 @@
+#!/bin/vbash
+# From IOT to LAN
+set firewall ipv4 name iot-lan default-action 'drop'
+set firewall ipv4 name iot-lan description 'From IOT to LAN'
+set firewall ipv4 name iot-lan enable-default-log
+set firewall ipv4 name iot-lan rule 999 action 'drop'
+set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name iot-lan rule 999 state invalid
+set firewall ipv4 name iot-lan rule 999 log
+
+# From IOT to LOCAL
+set firewall ipv4 name iot-local default-action 'drop'
+set firewall ipv4 name iot-local description 'From IOT to LOCAL'
+set firewall ipv4 name iot-local enable-default-log
+set firewall ipv4 name iot-local rule 50 action 'accept'
+set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
+set firewall ipv4 name iot-local rule 50 destination port '67,68'
+set firewall ipv4 name iot-local rule 50 protocol 'udp'
+set firewall ipv4 name iot-local rule 50 source port '67,68'
+set firewall ipv4 name iot-local rule 60 action 'accept'
+set firewall ipv4 name iot-local rule 60 description 'Rule: accept_ntp'
+set firewall ipv4 name iot-local rule 60 destination port 'ntp'
+set firewall ipv4 name iot-local rule 60 protocol 'udp'
+set firewall ipv4 name iot-local rule 100 action 'accept'
+set firewall ipv4 name iot-local rule 100 description 'Rule: accept_igmp'
+set firewall ipv4 name iot-local rule 100 protocol '2'
+set firewall ipv4 name iot-local rule 110 action 'accept'
+set firewall ipv4 name iot-local rule 110 description 'Rule: accept_mdns'
+set firewall ipv4 name iot-local rule 110 destination port 'mdns'
+set firewall ipv4 name iot-local rule 110 protocol 'udp'
+set firewall ipv4 name iot-local rule 110 source port 'mdns'
+set firewall ipv4 name iot-local rule 120 action 'accept'
+set firewall ipv4 name iot-local rule 120 description 'Rule: accept_dns'
+set firewall ipv4 name iot-local rule 120 destination port 'domain,domain-s'
+set firewall ipv4 name iot-local rule 120 protocol 'tcp_udp'
+set firewall ipv4 name iot-local rule 200 action 'accept'
+set firewall ipv4 name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players'
+set firewall ipv4 name iot-local rule 200 destination group port-group sonos-discovery
+set firewall ipv4 name iot-local rule 200 protocol 'udp'
+set firewall ipv4 name iot-local rule 200 source group address-group 'sonos_players'
+set firewall ipv4 name iot-local rule 999 action 'drop'
+set firewall ipv4 name iot-local rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name iot-local rule 999 state invalid
+set firewall ipv4 name iot-local rule 999 log
+
+# From IOT to SERVERS
+set firewall ipv4 name iot-servers default-action 'drop'
+set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
+set firewall ipv4 name iot-servers enable-default-log
+set firewall ipv4 name iot-servers rule 100 action 'accept'
+set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
+set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
+set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
+set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
+set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
+set firewall ipv4 name iot-servers rule 200 action 'accept'
+set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
+set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
+set firewall ipv4 name iot-servers rule 200 destination port '32400'
+set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
+set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
+set firewall ipv4 name iot-servers rule 300 action 'accept'
+set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
+set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
+set firewall ipv4 name iot-servers rule 300 destination port '1883'
+set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
+set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
+set firewall ipv4 name iot-servers rule 400 action 'accept'
+set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
+set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
+set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
+set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
+set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
+set firewall ipv4 name iot-servers rule 410 action 'accept'
+set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
+set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
+set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
+set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
+set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
+set firewall ipv4 name iot-servers rule 999 action 'drop'
+set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name iot-servers rule 999 state invalid
+set firewall ipv4 name iot-servers rule 999 log
+
+# From IOT to CONTAINERS
+set firewall ipv4 name iot-containers default-action 'accept'
+set firewall ipv4 name iot-containers description 'From IOT to CONTAINERS'
+set firewall ipv4 name iot-containers rule 40 action 'accept'
+set firewall ipv4 name iot-containers rule 40 description 'Rule: accept_dns'
+set firewall ipv4 name iot-containers rule 40 destination port 'domain,domain-s'
+set firewall ipv4 name iot-containers rule 40 protocol 'tcp_udp'
+set firewall ipv4 name iot-containers rule 999 action 'drop'
+set firewall ipv4 name iot-containers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name iot-containers rule 999 state invalid
+set firewall ipv4 name iot-containers rule 999 log
+
+# From IOT to TRUSTED
+set firewall ipv4 name iot-trusted default-action 'drop'
+set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
+set firewall ipv4 name iot-trusted enable-default-log
+set firewall ipv4 name iot-trusted rule 100 action 'accept'
+set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
+set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
+set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
+set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
+set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
+set firewall ipv4 name iot-trusted rule 110 action 'accept'
+set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
+set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
+set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
+set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
+set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
+set firewall ipv4 name iot-trusted rule 999 action 'drop'
+set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name iot-trusted rule 999 state invalid
+set firewall ipv4 name iot-trusted rule 999 log
+
+# From IOT to VIDEO
+set firewall ipv4 name iot-video default-action 'drop'
+set firewall ipv4 name iot-video description 'From IOT to VIDEO'
+set firewall ipv4 name iot-video enable-default-log
+set firewall ipv4 name iot-video rule 100 action 'accept'
+set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
+set firewall ipv4 name iot-video rule 100 protocol 'tcp'
+set firewall ipv4 name iot-video rule 100 source group address-group 'k8s_nodes'
+set firewall ipv4 name iot-video rule 999 action 'drop'
+set firewall ipv4 name iot-video rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name iot-video rule 999 state invalid
+set firewall ipv4 name iot-video rule 999 log
+
+# From IOT to WAN
+set firewall ipv4 name iot-wan default-action 'accept'
+set firewall ipv4 name iot-wan description 'From IOT to WAN'
+
+# From LAN to IoT
+set firewall ipv4 name lan-iot default-action 'drop'
+set firewall ipv4 name lan-iot description 'From LAN to IOT'
+set firewall ipv4 name lan-iot enable-default-log
+set firewall ipv4 name lan-iot rule 999 action 'drop'
+set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name lan-iot rule 999 state invalid
+set firewall ipv4 name lan-iot rule 999 log
+
+# From LAN to LOCAL
+set firewall ipv4 name lan-local default-action 'drop'
+set firewall ipv4 name lan-local description 'From LAN to LOCAL'
+set firewall ipv4 name lan-local enable-default-log
+set firewall ipv4 name lan-local rule 40 action 'accept'
+set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns'
+set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s'
+set firewall ipv4 name lan-local rule 40 protocol 'tcp_udp'
+set firewall ipv4 name lan-local rule 50 action 'accept'
+set firewall ipv4 name lan-local rule 50 description 'Rule: accept_dhcp'
+set firewall ipv4 name lan-local rule 50 destination port '67,68'
+set firewall ipv4 name lan-local rule 50 protocol 'udp'
+set firewall ipv4 name lan-local rule 50 source port '67,68'
+set firewall ipv4 name lan-local rule 60 action 'accept'
+set firewall ipv4 name lan-local rule 60 description 'Rule: accept_ntp'
+set firewall ipv4 name lan-local rule 60 destination port 'ntp'
+set firewall ipv4 name lan-local rule 60 protocol 'udp'
+set firewall ipv4 name lan-local rule 70 action 'accept'
+set firewall ipv4 name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
+set firewall ipv4 name lan-local rule 70 destination port '9798,9100'
+set firewall ipv4 name lan-local rule 70 protocol 'tcp'
+set firewall ipv4 name lan-local rule 80 action 'accept'
+set firewall ipv4 name lan-local rule 80 description 'Rule: accept perfmon3'
+set firewall ipv4 name lan-local rule 80 destination port '5201'
+set firewall ipv4 name lan-local rule 80 protocol 'tcp'
+set firewall ipv4 name lan-local rule 999 action 'drop'
+set firewall ipv4 name lan-local rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name lan-local rule 999 state invalid
+set firewall ipv4 name lan-local rule 999 log
+
+# From LAN to SERVERS
+set firewall ipv4 name lan-servers default-action 'drop'
+set firewall ipv4 name lan-servers description 'From LAN to SERVERS'
+set firewall ipv4 name lan-servers enable-default-log
+set firewall ipv4 name lan-servers rule 999 action 'drop'
+set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name lan-servers rule 999 state invalid
+set firewall ipv4 name lan-servers rule 999 log
+
+# From LAN to CONTAINERS
+set firewall ipv4 name lan-containers default-action 'accept'
+set firewall ipv4 name lan-containers description 'From LAN to CONTAINERS'
+set firewall ipv4 name lan-containers rule 40 action 'accept'
+set firewall ipv4 name lan-containers rule 40 description 'Rule: accept_dns'
+set firewall ipv4 name lan-containers rule 40 destination port 'domain,domain-s'
+set firewall ipv4 name lan-containers rule 40 protocol 'tcp_udp'
+set firewall ipv4 name lan-containers rule 999 action 'drop'
+set firewall ipv4 name lan-containers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name lan-containers rule 999 state invalid
+set firewall ipv4 name lan-containers rule 999 log
+
+# From LAN to TRUSTED
+set firewall ipv4 name lan-trusted default-action 'drop'
+set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED'
+set firewall ipv4 name lan-trusted enable-default-log
+set firewall ipv4 name lan-trusted rule 999 action 'drop'
+set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name lan-trusted rule 999 state invalid
+set firewall ipv4 name lan-trusted rule 999 log
+
+# From LAN to VIDEO
+set firewall ipv4 name lan-video default-action 'drop'
+set firewall ipv4 name lan-video description 'From LAN to VIDEO'
+set firewall ipv4 name lan-video enable-default-log
+set firewall ipv4 name lan-video rule 999 action 'drop'
+set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name lan-video rule 999 state invalid
+set firewall ipv4 name lan-video rule 999 log
+
+# From LAN to WAN
+set firewall ipv4 name lan-wan default-action 'accept'
+set firewall ipv4 name lan-wan description 'From LAN to WAN'
+
+# From LOCAL to IOT
+set firewall ipv4 name local-iot default-action 'drop'
+set firewall ipv4 name local-iot description 'From LOCAL to IOT'
+set firewall ipv4 name local-iot enable-default-log
+set firewall ipv4 name local-iot rule 100 action 'accept'
+set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp'
+set firewall ipv4 name local-iot rule 100 protocol '2'
+set firewall ipv4 name local-iot rule 110 action 'accept'
+set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
+set firewall ipv4 name local-iot rule 110 destination port 'mdns'
+set firewall ipv4 name local-iot rule 110 protocol 'udp'
+set firewall ipv4 name local-iot rule 110 source port 'mdns'
+set firewall ipv4 name local-iot rule 200 action 'accept'
+set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall ipv4 name local-iot rule 200 destination group port-group sonos-discovery
+set firewall ipv4 name local-iot rule 200 protocol 'udp'
+set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
+set firewall ipv4 name local-iot rule 999 action 'drop'
+set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name local-iot rule 999 state invalid
+set firewall ipv4 name local-iot rule 999 log
+
+# From LOCAL to LAN
+set firewall ipv4 name local-lan default-action 'drop'
+set firewall ipv4 name local-lan description 'From LOCAL to LAN'
+set firewall ipv4 name local-lan enable-default-log
+set firewall ipv4 name local-lan rule 999 action 'drop'
+set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name local-lan rule 999 state invalid
+set firewall ipv4 name local-lan rule 999 log
+
+# From LOCAL to SERVERS
+set firewall ipv4 name local-servers default-action 'drop'
+set firewall ipv4 name local-servers description 'From LOCAL to SERVERS'
+set firewall ipv4 name local-servers enable-default-log
+set firewall ipv4 name local-servers rule 40 action 'accept'
+set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns'
+set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s'
+set firewall ipv4 name local-servers rule 40 protocol 'tcp_udp'
+set firewall ipv4 name local-servers rule 70 action 'accept'
+set firewall ipv4 name local-servers rule 70 description 'Rule: accept_bgp'
+set firewall ipv4 name local-servers rule 70 destination port 'bgp'
+set firewall ipv4 name local-servers rule 70 protocol 'tcp'
+set firewall ipv4 name local-servers rule 100 action 'accept'
+set firewall ipv4 name local-servers rule 100 description 'Rule: accept_k8s_api'
+set firewall ipv4 name local-servers rule 100 destination port '6443'
+set firewall ipv4 name local-servers rule 100 protocol 'tcp'
+set firewall ipv4 name local-servers rule 200 action 'accept'
+set firewall ipv4 name local-servers rule 200 description 'Rule: accept_vector_syslog'
+set firewall ipv4 name local-servers rule 200 destination group address-group 'k8s_vector_aggregator'
+set firewall ipv4 name local-servers rule 200 destination port '6001'
+set firewall ipv4 name local-servers rule 200 protocol 'tcp'
+set firewall ipv4 name local-servers rule 999 action 'drop'
+set firewall ipv4 name local-servers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name local-servers rule 999 state invalid
+set firewall ipv4 name local-servers rule 999 log
+
+# From LOCAL to CONTAINERS
+set firewall ipv4 name local-containers default-action 'accept'
+set firewall ipv4 name local-containers description 'From LOCAL to CONTAINERS'
+set firewall ipv4 name local-containers rule 40 action 'accept'
+set firewall ipv4 name local-containers rule 40 description 'Rule: accept_dns'
+set firewall ipv4 name local-containers rule 40 destination port 'domain,domain-s'
+set firewall ipv4 name local-containers rule 40 protocol 'tcp_udp'
+set firewall ipv4 name local-containers rule 999 action 'drop'
+set firewall ipv4 name local-containers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name local-containers rule 999 state invalid
+set firewall ipv4 name local-containers rule 999 log
+
+# From LOCAL to TRUSTED
+set firewall ipv4 name local-trusted default-action 'drop'
+set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED'
+set firewall ipv4 name local-trusted enable-default-log
+set firewall ipv4 name local-trusted rule 100 action 'accept'
+set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp'
+set firewall ipv4 name local-trusted rule 100 protocol '2'
+set firewall ipv4 name local-trusted rule 110 action 'accept'
+set firewall ipv4 name local-trusted rule 110 description 'Rule: accept_mdns'
+set firewall ipv4 name local-trusted rule 110 destination port 'mdns'
+set firewall ipv4 name local-trusted rule 110 protocol 'udp'
+set firewall ipv4 name local-trusted rule 110 source port 'mdns'
+set firewall ipv4 name local-trusted rule 200 action 'accept'
+set firewall ipv4 name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
+set firewall ipv4 name local-trusted rule 200 destination group port-group sonos-discovery
+set firewall ipv4 name local-trusted rule 200 protocol 'udp'
+set firewall ipv4 name local-trusted rule 200 source group address-group 'sonos_players'
+set firewall ipv4 name local-trusted rule 400 action 'accept'
+set firewall ipv4 name local-trusted rule 400 description 'Rule: accept_wireguard'
+set firewall ipv4 name local-trusted rule 400 source port '51820'
+set firewall ipv4 name local-trusted rule 400 protocol 'udp'
+set firewall ipv4 name local-trusted rule 999 action 'drop'
+set firewall ipv4 name local-trusted rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name local-trusted rule 999 state invalid
+set firewall ipv4 name local-trusted rule 999 log
+
+# From LOCAL to VIDEO
+set firewall ipv4 name local-video default-action 'drop'
+set firewall ipv4 name local-video description 'From LOCAL to VIDEO'
+set firewall ipv4 name local-video enable-default-log
+set firewall ipv4 name local-video rule 999 action 'drop'
+set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name local-video rule 999 state invalid
+set firewall ipv4 name local-video rule 999 log
+
+# From LOCAL to WAN
+set firewall ipv4 name local-wan default-action 'accept'
+set firewall ipv4 name local-wan description 'From LOCAL to WAN'
+
+
+# From SERVERS to IOT
+set firewall ipv4 name servers-iot default-action 'drop'
+set firewall ipv4 name servers-iot description 'From SERVERS to IOT'
+set firewall ipv4 name servers-iot enable-default-log
+set firewall ipv4 name servers-iot rule 100 action 'accept'
+set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
+set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
+set firewall ipv4 name servers-iot rule 100 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-iot rule 110 action 'accept'
+set firewall ipv4 name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
+set firewall ipv4 name servers-iot rule 110 protocol 'icmp'
+set firewall ipv4 name servers-iot rule 110 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-iot rule 999 action 'drop'
+set firewall ipv4 name servers-iot rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name servers-iot rule 999 state invalid
+set firewall ipv4 name servers-iot rule 999 log
+
+# From SERVERS to LAN
+set firewall ipv4 name servers-lan default-action 'drop'
+set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
+set firewall ipv4 name servers-lan enable-default-log
+set firewall ipv4 name servers-lan rule 999 action 'drop'
+set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name servers-lan rule 999 state invalid
+set firewall ipv4 name servers-lan rule 999 log
+
+# From SERVERS to LOCAL
+set firewall ipv4 name servers-local default-action 'drop'
+set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
+set firewall ipv4 name servers-local enable-default-log
+set firewall ipv4 name servers-local rule 50 action 'accept'
+set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
+set firewall ipv4 name servers-local rule 50 destination port '67,68'
+set firewall ipv4 name servers-local rule 50 protocol 'udp'
+set firewall ipv4 name servers-local rule 50 source port '67,68'
+set firewall ipv4 name servers-local rule 60 action 'accept'
+set firewall ipv4 name servers-local rule 60 description 'Rule: accept_ntp'
+set firewall ipv4 name servers-local rule 60 destination port 'ntp'
+set firewall ipv4 name servers-local rule 60 protocol 'udp'
+set firewall ipv4 name servers-local rule 70 action 'accept'
+set firewall ipv4 name servers-local rule 70 description 'Rule: accept_bgp'
+set firewall ipv4 name servers-local rule 70 destination port 'bgp'
+set firewall ipv4 name servers-local rule 70 protocol 'tcp'
+set firewall ipv4 name servers-local rule 80 action 'accept'
+set firewall ipv4 name servers-local rule 80 description 'Rule: accept_tftp'
+set firewall ipv4 name servers-local rule 80 destination port '69'
+set firewall ipv4 name servers-local rule 80 protocol 'udp'
+set firewall ipv4 name servers-local rule 90 action 'accept'
+set firewall ipv4 name servers-local rule 90 description 'Rule: accept_dns'
+set firewall ipv4 name servers-local rule 90 destination port 'domain,domain-s'
+set firewall ipv4 name servers-local rule 90 protocol 'tcp_udp'
+set firewall ipv4 name servers-local rule 100 action 'accept'
+set firewall ipv4 name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
+set firewall ipv4 name servers-local rule 100 destination port '9100'
+set firewall ipv4 name servers-local rule 100 protocol 'tcp'
+set firewall ipv4 name servers-local rule 100 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-local rule 110 action 'accept'
+set firewall ipv4 name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
+set firewall ipv4 name servers-local rule 110 destination port '9798'
+set firewall ipv4 name servers-local rule 110 protocol 'tcp'
+set firewall ipv4 name servers-local rule 110 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-local rule 999 action 'drop'
+set firewall ipv4 name servers-local rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name servers-local rule 999 state invalid
+set firewall ipv4 name servers-local rule 999 log
+
+# From SERVERS to CONTAINERS
+set firewall ipv4 name servers-containers default-action 'accept'
+set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
+set firewall ipv4 name servers-containers enable-default-log
+set firewall ipv4 name servers-containers rule 40 action 'accept'
+set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
+set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
+set firewall ipv4 name servers-containers rule 40 protocol 'tcp_udp'
+set firewall ipv4 name servers-containers rule 100 action 'accept'
+set firewall ipv4 name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
+set firewall ipv4 name servers-containers rule 100 protocol 'tcp'
+set firewall ipv4 name servers-containers rule 100 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-containers rule 999 action 'drop'
+set firewall ipv4 name servers-containers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name servers-containers rule 999 state invalid
+set firewall ipv4 name servers-containers rule 999 log
+
+# From SERVERS to TRUSTED
+set firewall ipv4 name servers-trusted default-action 'drop'
+set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
+set firewall ipv4 name servers-trusted enable-default-log
+set firewall ipv4 name servers-trusted rule 999 action 'drop'
+set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name servers-trusted rule 999 state invalid
+set firewall ipv4 name servers-trusted rule 999 log
+
+# From SERVERS to VIDEO
+set firewall ipv4 name servers-video default-action 'drop'
+set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
+set firewall ipv4 name servers-video enable-default-log
+set firewall ipv4 name servers-video rule 100 action 'accept'
+set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
+set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
+set firewall ipv4 name servers-video rule 100 source group address-group 'k8s_nodes'
+set firewall ipv4 name servers-video rule 999 action 'drop'
+set firewall ipv4 name servers-video rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name servers-video rule 999 state invalid
+set firewall ipv4 name servers-video rule 999 log
+
+# From SERVERS to WAN
+set firewall ipv4 name servers-wan default-action 'accept'
+set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
+
+# From CONTAINERS to IOT
+set firewall ipv4 name containers-iot default-action 'drop'
+set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
+set firewall ipv4 name containers-iot enable-default-log
+set firewall ipv4 name containers-iot rule 999 action 'drop'
+set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name containers-iot rule 999 state invalid
+set firewall ipv4 name containers-iot rule 999 log
+
+# From CONTAINERS to LAN
+set firewall ipv4 name containers-lan default-action 'drop'
+set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
+set firewall ipv4 name containers-lan enable-default-log
+set firewall ipv4 name containers-lan rule 999 action 'drop'
+set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name containers-lan rule 999 state invalid
+set firewall ipv4 name containers-lan rule 999 log
+
+# From CONTAINERS to LOCAL
+set firewall ipv4 name containers-local default-action 'drop'
+set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
+set firewall ipv4 name containers-local enable-default-log
+set firewall ipv4 name containers-local rule 50 action 'accept'
+set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
+set firewall ipv4 name containers-local rule 50 destination port '67,68'
+set firewall ipv4 name containers-local rule 50 protocol 'udp'
+set firewall ipv4 name containers-local rule 50 source port '67,68'
+set firewall ipv4 name containers-local rule 60 action 'accept'
+set firewall ipv4 name containers-local rule 60 description 'Rule: accept_ntp'
+set firewall ipv4 name containers-local rule 60 destination port 'ntp'
+set firewall ipv4 name containers-local rule 60 protocol 'udp'
+set firewall ipv4 name containers-local rule 999 action 'drop'
+set firewall ipv4 name containers-local rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name containers-local rule 999 state invalid
+set firewall ipv4 name containers-local rule 999 log
+
+# From CONTAINERS to SERVERS
+set firewall ipv4 name containers-servers default-action 'accept'
+set firewall ipv4 name containers-servers description 'From CONTAINERS to SERVERS'
+set firewall ipv4 name containers-servers rule 999 action 'drop'
+set firewall ipv4 name containers-servers rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name containers-servers rule 999 state invalid
+set firewall ipv4 name containers-servers rule 999 log
+
+# From CONTAINERS to TRUSTED
+set firewall ipv4 name containers-trusted default-action 'drop'
+set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
+set firewall ipv4 name containers-trusted enable-default-log
+set firewall ipv4 name containers-trusted rule 999 action 'drop'
+set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name containers-trusted rule 999 state invalid
+set firewall ipv4 name containers-trusted rule 999 log
+
+# From CONTAINERS to VIDEO
+set firewall ipv4 name containers-video default-action 'drop'
+set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
+set firewall ipv4 name containers-video enable-default-log
+set firewall ipv4 name containers-video rule 999 action 'drop'
+set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name containers-video rule 999 state invalid
+set firewall ipv4 name containers-video rule 999 log
+
+# From CONTAINERS to WAN
+set firewall ipv4 name containers-wan default-action 'accept'
+set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
+
+# From TRUSTED to IOT
+set firewall ipv4 name trusted-iot default-action 'accept'
+set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
+set firewall ipv4 name trusted-iot rule 110 action 'accept'
+set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
+set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
+set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
+set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
+set firewall ipv4 name trusted-iot rule 111 action 'accept'
+set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
+set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
+set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
+set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
+set firewall ipv4 name trusted-iot rule 999 action 'drop'
+set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name trusted-iot rule 999 state invalid
+set firewall ipv4 name trusted-iot rule 999 log
+
+# From TRUSTED to LAN
+set firewall ipv4 name trusted-lan default-action 'accept'
+set firewall ipv4 name trusted-lan description 'From TRUSTED to LAN'
+set firewall ipv4 name trusted-lan rule 999 action 'drop'
+set firewall ipv4 name trusted-lan rule 999 description 'Rule: drop_invalid'
+set firewall ipv4 name trusted-lan rule 999 state invalid
+set firewall ipv4 name trusted-lan rule 999 log
+
+# From TRUSTED to LOCAL
+set firewall ipv4 name trusted-local default-action 'drop'
+set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
+set firewall ipv4 name trusted-local enable-default-log
+set firewall ipv4 name trusted-local rule 50 action 'accept'
+set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
+set firewall ipv4 name trusted-local rule 50 destination port '67,68'
+set firewall ipv4 name trusted-local rule 50 protocol 'udp'
+set firewall ipv4 name trusted-local rule 50 source port '67,68'
+set firewall ipv4 name trusted-local rule 60 action 'accept'
+set firewall ipv4 name trusted-local rule 60 description 'Rule: accept_ntp'
+set firewall ipv4 name trusted-local rule 60 destination port 'ntp'
+set firewall ipv4 name trusted-local rule 60 protocol 'udp'
+set firewall ipv4 name trusted-local rule 100 action 'accept'
+set firewall ipv4 name trusted-local rule 100 description 'Rule: accept_igmp'
+set firewall ipv4 name trusted-local rule 100 protocol '2'
+set firewall ipv4 name trusted-local rule 110 action 'accept'
+set firewall ipv4 name trusted-local rule 110 description 'Rule: accept_mdns'
+set firewall ipv4 name trusted-local rule 110 destination port 'mdns'
+set firewall ipv4 name trusted-local rule 110 protocol 'udp'
+set firewall ipv4 name trusted-local rule 110 source port 'mdns'
+set firewall ipv4 name trusted-local rule 120 action 'accept'
+set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
+set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
+set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
+set firewall ipv4 name trusted-local rule 210 action 'accept'
+set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-discovery
+set firewall ipv4 name trusted-local rule 210 protocol 'udp'
+set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
+set firewall ipv4 name trusted-local rule 211 action 'accept'
+set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
+set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
+set firewall ipv4 name trusted-local rule 211 protocol 'udp'
+set firewall ipv4 name trusted-local rule 211 source group
address-group 'sonos_players' +set firewall ipv4 name trusted-local rule 400 action 'accept' +set firewall ipv4 name trusted-local rule 400 description 'Rule: accept_ssh' +set firewall ipv4 name trusted-local rule 400 destination port 'ssh' +set firewall ipv4 name trusted-local rule 400 protocol 'tcp' +set firewall ipv4 name trusted-local rule 410 action 'accept' +set firewall ipv4 name trusted-local rule 410 description 'Rule: accept_vyos_api' +set firewall ipv4 name trusted-local rule 410 destination port '8443' +set firewall ipv4 name trusted-local rule 410 protocol 'tcp' +set firewall ipv4 name trusted-local rule 420 action 'accept' +set firewall ipv4 name trusted-local rule 420 description 'Rule: accept_wireguard' +set firewall ipv4 name trusted-local rule 420 destination port '51820' +set firewall ipv4 name trusted-local rule 420 protocol 'udp' +set firewall ipv4 name trusted-local rule 999 action 'drop' +set firewall ipv4 name trusted-local rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name trusted-local rule 999 state invalid +set firewall ipv4 name trusted-local rule 999 log + +# From TRUSTED to SERVERS +set firewall ipv4 name trusted-servers default-action 'accept' +set firewall ipv4 name trusted-servers description 'From TRUSTED to SERVERS' +set firewall ipv4 name trusted-servers rule 999 action 'drop' +set firewall ipv4 name trusted-servers rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name trusted-servers rule 999 state invalid +set firewall ipv4 name trusted-servers rule 999 log + +# From TRUSTED to CONTAINERS +set firewall ipv4 name trusted-containers default-action 'accept' +set firewall ipv4 name trusted-containers description 'From TRUSTED to CONTAINERS' +set firewall ipv4 name trusted-containers rule 40 action 'accept' +set firewall ipv4 name trusted-containers rule 40 description 'Rule: accept_dns' +set firewall ipv4 name trusted-containers rule 40 destination port 'domain,domain-s' +set firewall ipv4 name 
trusted-containers rule 40 protocol 'tcp_udp' +set firewall ipv4 name trusted-containers rule 999 action 'drop' +set firewall ipv4 name trusted-containers rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name trusted-containers rule 999 state invalid +set firewall ipv4 name trusted-containers rule 999 log + +# From TRUSTED to VIDEO +set firewall ipv4 name trusted-video default-action 'accept' +set firewall ipv4 name trusted-video description 'From TRUSTED to VIDEO' +set firewall ipv4 name trusted-video rule 999 action 'drop' +set firewall ipv4 name trusted-video rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name trusted-video rule 999 state invalid +set firewall ipv4 name trusted-video rule 999 log + +# From TRUSTED to WAN +set firewall ipv4 name trusted-wan default-action 'accept' +set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN' + + +# From VIDEO to IOT +set firewall ipv4 name video-iot default-action 'drop' +set firewall ipv4 name video-iot description 'From VIDEO to IOT' +set firewall ipv4 name video-iot enable-default-log +set firewall ipv4 name video-iot rule 100 action 'accept' +set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass' +set firewall ipv4 name video-iot rule 100 protocol 'tcp' +set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass' +set firewall ipv4 name video-iot rule 100 destination port '8123' +set firewall ipv4 name video-iot rule 999 action 'drop' +set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name video-iot rule 999 state invalid +set firewall ipv4 name video-iot rule 999 log + +# From VIDEO to LAN +set firewall ipv4 name video-lan default-action 'drop' +set firewall ipv4 name video-lan description 'From VIDEO to LAN' +set firewall ipv4 name video-lan enable-default-log +set firewall ipv4 name video-lan rule 999 action 'drop' +set firewall ipv4 name video-lan rule 999 description 
'Rule: drop_invalid' +set firewall ipv4 name video-lan rule 999 state invalid +set firewall ipv4 name video-lan rule 999 log + +# From VIDEO to LOCAL +set firewall ipv4 name video-local default-action 'drop' +set firewall ipv4 name video-local description 'From VIDEO to LOCAL' +set firewall ipv4 name video-local enable-default-log +set firewall ipv4 name video-local rule 50 action 'accept' +set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp' +set firewall ipv4 name video-local rule 50 destination port '67,68' +set firewall ipv4 name video-local rule 50 protocol 'udp' +set firewall ipv4 name video-local rule 50 source port '67,68' +set firewall ipv4 name video-local rule 60 action 'accept' +set firewall ipv4 name video-local rule 60 description 'Rule: accept_ntp' +set firewall ipv4 name video-local rule 60 destination port 'ntp' +set firewall ipv4 name video-local rule 60 protocol 'udp' +set firewall ipv4 name video-local rule 999 action 'drop' +set firewall ipv4 name video-local rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name video-local rule 999 state invalid +set firewall ipv4 name video-local rule 999 log + +# From VIDEO to SERVERS +set firewall ipv4 name video-servers default-action 'drop' +set firewall ipv4 name video-servers description 'From VIDEO to SERVERS' +set firewall ipv4 name video-servers enable-default-log +set firewall ipv4 name video-servers rule 100 action 'accept' +set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes' +set firewall ipv4 name video-servers rule 100 protocol 'udp' +set firewall ipv4 name video-servers rule 100 destination group address-group 'k8s_nodes' +set firewall ipv4 name video-servers rule 100 source port '6987-6989' +set firewall ipv4 name video-servers rule 999 action 'drop' +set firewall ipv4 name video-servers rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name video-servers rule 999 state invalid +set firewall ipv4 name video-servers 
rule 999 log + +# From VIDEO to CONTAINERS +set firewall ipv4 name video-containers default-action 'accept' +set firewall ipv4 name video-containers description 'From VIDEO to CONTAINERS' +set firewall ipv4 name video-containers rule 40 action 'accept' +set firewall ipv4 name video-containers rule 40 description 'Rule: accept_dns' +set firewall ipv4 name video-containers rule 40 destination port 'domain,domain-s' +set firewall ipv4 name video-containers rule 40 protocol 'tcp_udp' +set firewall ipv4 name video-containers rule 999 action 'drop' +set firewall ipv4 name video-containers rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name video-containers rule 999 state invalid +set firewall ipv4 name video-containers rule 999 log + +# From VIDEO to TRUSTED +set firewall ipv4 name video-trusted default-action 'drop' +set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED' +set firewall ipv4 name video-trusted enable-default-log +set firewall ipv4 name video-trusted rule 999 action 'drop' +set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name video-trusted rule 999 state invalid +set firewall ipv4 name video-trusted rule 999 log + +# From VIDEO to WAN +set firewall ipv4 name video-wan default-action 'drop' +set firewall ipv4 name video-wan description 'From VIDEO to WAN' +# From WAN to IOT +set firewall ipv4 name wan-iot default-action 'drop' +set firewall ipv4 name wan-iot description 'From WAN to IOT' +set firewall ipv4 name wan-iot enable-default-log +set firewall ipv4 name wan-iot rule 999 action 'drop' +set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name wan-iot rule 999 state invalid +set firewall ipv4 name wan-iot rule 999 log + +# From WAN to LAN +set firewall ipv4 name wan-lan default-action 'drop' +set firewall ipv4 name wan-lan description 'From WAN to LAN' +set firewall ipv4 name wan-lan enable-default-log +set firewall ipv4 name 
wan-lan rule 999 action 'drop' +set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name wan-lan rule 999 state invalid +set firewall ipv4 name wan-lan rule 999 log + +# From WAN to LOCAL +set firewall ipv4 name wan-local default-action 'drop' +set firewall ipv4 name wan-local description 'From WAN to LOCAL' +set firewall ipv4 name wan-local enable-default-log +set firewall ipv4 name wan-local rule 1 action 'drop' +set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid' +set firewall ipv4 name wan-local rule 1 state invalid +set firewall ipv4 name wan-local rule 1 log +set firewall ipv4 name wan-local rule 100 action 'accept' +set firewall ipv4 name wan-local rule 100 description 'Rule: accept_wireguard' +set firewall ipv4 name wan-local rule 100 destination port '51820' +set firewall ipv4 name wan-local rule 100 protocol 'udp' + +# From WAN to SERVERS +set firewall ipv4 name wan-servers default-action 'drop' +set firewall ipv4 name wan-servers description 'From WAN to SERVERS' +set firewall ipv4 name wan-servers enable-default-log +set firewall ipv4 name wan-servers rule 100 action 'accept' +set firewall ipv4 name wan-servers rule 100 destination port 32400 +set firewall ipv4 name wan-servers rule 100 protocol 'tcp' +set firewall ipv4 name wan-servers rule 100 destination address 10.1.1.12 +set firewall ipv4 name wan-servers rule 999 action 'drop' +set firewall ipv4 name wan-servers rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name wan-servers rule 999 state invalid +set firewall ipv4 name wan-servers rule 999 log + +# From WAN to CONTAINERS +set firewall ipv4 name wan-containers default-action 'drop' +set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS' +set firewall ipv4 name wan-containers enable-default-log +set firewall ipv4 name wan-containers rule 999 action 'drop' +set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid' +set firewall ipv4 
name wan-containers rule 999 state invalid +set firewall ipv4 name wan-containers rule 999 log + +# From WAN to TRUSTED +set firewall ipv4 name wan-trusted default-action 'drop' +set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED' +set firewall ipv4 name wan-trusted enable-default-log +set firewall ipv4 name wan-trusted rule 999 action 'drop' +set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name wan-trusted rule 999 state invalid +set firewall ipv4 name wan-trusted rule 999 log + +# From WAN to VIDEO +set firewall ipv4 name wan-video default-action 'drop' +set firewall ipv4 name wan-video description 'From WAN to VIDEO' +set firewall ipv4 name wan-video enable-default-log +set firewall ipv4 name wan-video rule 999 action 'drop' +set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid' +set firewall ipv4 name wan-video rule 999 state invalid +set firewall ipv4 name wan-video rule 999 log \ No newline at end of file diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh deleted file mode 100644 index 1531782..0000000 --- a/config-parts/firewall-name.sh +++ /dev/null 
@@ -1,778 +0,0 @@
-#!/bin/vbash
-
-# From LOCAL to IOT
-set firewall name local-iot default-action 'drop'
-set firewall name local-iot description 'From LOCAL to IOT'
-set firewall name local-iot enable-default-log
-set firewall name local-iot rule 100 action 'accept'
-set firewall name local-iot rule 100 description 'Rule: accept_igmp'
-set firewall name local-iot rule 100 protocol '2'
-set firewall name local-iot rule 110 action 'accept'
-set firewall name local-iot rule 110 description 'Rule: accept_mdns'
-set firewall name local-iot rule 110 destination port 'mdns'
-set firewall name local-iot rule 110 protocol 'udp'
-set firewall name local-iot rule 110 source port 'mdns'
-set firewall name local-iot rule 200 action 'accept'
-set firewall name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
-set firewall name local-iot rule 200 destination port '1900,1901,1902,57621'
-set firewall name local-iot rule 200 protocol 'udp'
-set firewall name local-iot rule 200 source group address-group 'sonos_controllers'
-set firewall name local-iot rule 999 action 'drop'
-set firewall name local-iot rule 999 description 'Rule: drop_invalid'
-set firewall name local-iot rule 999 state invalid 'enable'
-set firewall name local-iot rule 999 log 'enable'
-
-# From LOCAL to LAN
-set firewall name local-lan default-action 'drop'
-set firewall name local-lan description 'From LOCAL to LAN'
-set firewall name local-lan enable-default-log
-set firewall name local-lan rule 999 action 'drop'
-set firewall name local-lan rule 999 description 'Rule: drop_invalid'
-set firewall name local-lan rule 999 state invalid 'enable'
-set firewall name local-lan rule 999 log 'enable'
-
-# From LOCAL to SERVERS
-set firewall name local-servers default-action 'drop'
-set firewall name local-servers description 'From LOCAL to SERVERS'
-set firewall name local-servers enable-default-log
-set firewall name local-servers rule 40 action 'accept'
-set firewall name local-servers rule 40 description 'Rule: accept_dns'
-set firewall name local-servers rule 40 destination port 'domain,domain-s'
-set firewall name local-servers rule 40 protocol 'tcp_udp'
-set firewall name local-servers rule 70 action 'accept'
-set firewall name local-servers rule 70 description 'Rule: accept_bgp'
-set firewall name local-servers rule 70 destination port 'bgp'
-set firewall name local-servers rule 70 protocol 'tcp'
-set firewall name local-servers rule 100 action 'accept'
-set firewall name local-servers rule 100 description 'Rule: accept_k8s_api'
-set firewall name local-servers rule 100 destination port '6443'
-set firewall name local-servers rule 100 protocol 'tcp'
-set firewall name local-servers rule 200 action 'accept'
-set firewall name local-servers rule 200 description 'Rule: accept_vector_syslog'
-set firewall name local-servers rule 200 destination group address-group 'k8s_vector_aggregator'
-set firewall name local-servers rule 200 destination port '6001'
-set firewall name local-servers rule 200 protocol 'tcp'
-set firewall name local-servers rule 999 action 'drop'
-set firewall name local-servers rule 999 description 'Rule: drop_invalid'
-set firewall name local-servers rule 999 state invalid 'enable'
-set firewall name local-servers rule 999 log 'enable'
-
-# From LOCAL to CONTAINERS
-set firewall name local-containers default-action 'accept'
-set firewall name local-containers description 'From LOCAL to CONTAINERS'
-set firewall name local-containers rule 40 action 'accept'
-set firewall name local-containers rule 40 description 'Rule: accept_dns'
-set firewall name local-containers rule 40 destination port 'domain,domain-s'
-set firewall name local-containers rule 40 protocol 'tcp_udp'
-set firewall name local-containers rule 999 action 'drop'
-set firewall name local-containers rule 999 description 'Rule: drop_invalid'
-set firewall name local-containers rule 999 state invalid 'enable'
-set firewall name local-containers rule 999 log 'enable'
-
-# From LOCAL to TRUSTED
-set firewall name local-trusted default-action 'drop'
-set firewall name local-trusted description 'From LOCAL to TRUSTED'
-set firewall name local-trusted enable-default-log
-set firewall name local-trusted rule 100 action 'accept'
-set firewall name local-trusted rule 100 description 'Rule: accept_igmp'
-set firewall name local-trusted rule 100 protocol '2'
-set firewall name local-trusted rule 110 action 'accept'
-set firewall name local-trusted rule 110 description 'Rule: accept_mdns'
-set firewall name local-trusted rule 110 destination port 'mdns'
-set firewall name local-trusted rule 110 protocol 'udp'
-set firewall name local-trusted rule 110 source port 'mdns'
-set firewall name local-trusted rule 200 action 'accept'
-set firewall name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
-set firewall name local-trusted rule 200 destination port '1900,1901,1902'
-set firewall name local-trusted rule 200 protocol 'udp'
-set firewall name local-trusted rule 200 source group address-group 'sonos_players'
-set firewall name local-trusted rule 300 action 'accept'
-set firewall name local-trusted rule 300 description 'Rule: accept_wireguard'
-set firewall name local-trusted rule 300 source port '51820'
-set firewall name local-trusted rule 300 protocol 'udp'
-set firewall name local-trusted rule 999 action 'drop'
-set firewall name local-trusted rule 999 description 'Rule: drop_invalid'
-set firewall name local-trusted rule 999 state invalid 'enable'
-set firewall name local-trusted rule 999 log 'enable'
-
-# From LOCAL to VIDEO
-set firewall name local-video default-action 'drop'
-set firewall name local-video description 'From LOCAL to VIDEO'
-set firewall name local-video enable-default-log
-set firewall name local-video rule 999 action 'drop'
-set firewall name local-video rule 999 description 'Rule: drop_invalid'
-set firewall name local-video rule 999 state invalid 'enable'
-set firewall name local-video rule 999 log 'enable'
-
-# From LOCAL to WAN
-set firewall name local-wan default-action 'accept'
-set firewall name local-wan description 'From LOCAL to WAN'
-
-# From WAN to IOT
-set firewall name wan-iot default-action 'drop'
-set firewall name wan-iot description 'From WAN to IOT'
-set firewall name wan-iot enable-default-log
-set firewall name wan-iot rule 999 action 'drop'
-set firewall name wan-iot rule 999 description 'Rule: drop_invalid'
-set firewall name wan-iot rule 999 state invalid 'enable'
-set firewall name wan-iot rule 999 log 'enable'
-
-# From WAN to LAN
-set firewall name wan-lan default-action 'drop'
-set firewall name wan-lan description 'From WAN to LAN'
-set firewall name wan-lan enable-default-log
-set firewall name wan-lan rule 999 action 'drop'
-set firewall name wan-lan rule 999 description 'Rule: drop_invalid'
-set firewall name wan-lan rule 999 state invalid 'enable'
-set firewall name wan-lan rule 999 log 'enable'
-
-# From WAN to LOCAL
-set firewall name wan-local default-action 'drop'
-set firewall name wan-local description 'From WAN to LOCAL'
-set firewall name wan-local enable-default-log
-set firewall name wan-local rule 1 action 'drop'
-set firewall name wan-local rule 1 description 'Rule: drop_invalid'
-set firewall name wan-local rule 1 state invalid 'enable'
-set firewall name wan-local rule 1 log 'enable'
-set firewall name wan-local rule 100 action 'accept'
-set firewall name wan-local rule 100 description 'Rule: accept_wireguard'
-set firewall name wan-local rule 100 destination port '51820'
-set firewall name wan-local rule 100 protocol 'udp'
-
-# From WAN to SERVERS
-set firewall name wan-servers default-action 'drop'
-set firewall name wan-servers description 'From WAN to SERVERS'
-set firewall name wan-servers enable-default-log
-set firewall name wan-servers rule 100 action 'accept'
-set firewall name wan-servers rule 100 destination port 32400
-set firewall name wan-servers rule 100 protocol 'tcp'
-set firewall name wan-servers rule 100 destination address 10.1.1.12
-set firewall name wan-servers rule 999 action 'drop'
-set firewall name wan-servers rule 999 description 'Rule: drop_invalid'
-set firewall name wan-servers rule 999 state invalid 'enable'
-set firewall name wan-servers rule 999 log 'enable'
-
-# From WAN to CONTAINERS
-set firewall name wan-containers default-action 'drop'
-set firewall name wan-containers description 'From WAN to CONTAINERS'
-set firewall name wan-containers enable-default-log
-set firewall name wan-containers rule 999 action 'drop'
-set firewall name wan-containers rule 999 description 'Rule: drop_invalid'
-set firewall name wan-containers rule 999 state invalid 'enable'
-set firewall name wan-containers rule 999 log 'enable'
-
-# From WAN to TRUSTED
-set firewall name wan-trusted default-action 'drop'
-set firewall name wan-trusted description 'From WAN to TRUSTED'
-set firewall name wan-trusted enable-default-log
-set firewall name wan-trusted rule 999 action 'drop'
-set firewall name wan-trusted rule 999 description 'Rule: drop_invalid'
-set firewall name wan-trusted rule 999 state invalid 'enable'
-set firewall name wan-trusted rule 999 log 'enable'
-
-# From WAN to VIDEO
-set firewall name wan-video default-action 'drop'
-set firewall name wan-video description 'From WAN to VIDEO'
-set firewall name wan-video enable-default-log
-set firewall name wan-video rule 999 action 'drop'
-set firewall name wan-video rule 999 description 'Rule: drop_invalid'
-set firewall name wan-video rule 999 state invalid 'enable'
-set firewall name wan-video rule 999 log 'enable'
-
-# From LAN to IoT
-set firewall name lan-iot default-action 'drop'
-set firewall name lan-iot description 'From LAN to IOT'
-set firewall name lan-iot enable-default-log
-set firewall name lan-iot rule 999 action 'drop'
-set firewall name lan-iot rule 999 description 'Rule: drop_invalid'
-set firewall name lan-iot rule 999 state invalid 'enable'
-set firewall name lan-iot rule 999 log 'enable'
-
-# From LAN to LOCAL
-set firewall name lan-local default-action 'drop'
-set firewall name lan-local description 'From LAN to LOCAL'
-set firewall name lan-local enable-default-log
-set firewall name lan-local rule 40 action 'accept'
-set firewall name lan-local rule 40 description 'Rule: accept_dns'
-set firewall name lan-local rule 40 destination port 'domain,domain-s'
-set firewall name lan-local rule 40 protocol 'tcp_udp'
-set firewall name lan-local rule 50 action 'accept'
-set firewall name lan-local rule 50 description 'Rule: accept_dhcp'
-set firewall name lan-local rule 50 destination port '67,68'
-set firewall name lan-local rule 50 protocol 'udp'
-set firewall name lan-local rule 50 source port '67,68'
-set firewall name lan-local rule 60 action 'accept'
-set firewall name lan-local rule 60 description 'Rule: accept_ntp'
-set firewall name lan-local rule 60 destination port 'ntp'
-set firewall name lan-local rule 60 protocol 'udp'
-set firewall name lan-local rule 70 action 'accept'
-set firewall name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
-set firewall name lan-local rule 70 destination port '9798,9100'
-set firewall name lan-local rule 70 protocol 'tcp'
-set firewall name lan-local rule 80 action 'accept'
-set firewall name lan-local rule 80 description 'Rule: accept perfmon3'
-set firewall name lan-local rule 80 destination port '5201'
-set firewall name lan-local rule 80 protocol 'tcp'
-set firewall name lan-local rule 999 action 'drop'
-set firewall name lan-local rule 999 description 'Rule: drop_invalid'
-set firewall name lan-local rule 999 state invalid 'enable'
-set firewall name lan-local rule 999 log 'enable'
-
-# From LAN to SERVERS
-set firewall name lan-servers default-action 'drop'
-set firewall name lan-servers description 'From LAN to SERVERS'
-set firewall name lan-servers enable-default-log
-set firewall name lan-servers rule 999 action 'drop'
-set firewall name lan-servers rule 999 description 'Rule: drop_invalid'
-set firewall name lan-servers rule 999 state invalid 'enable'
-set firewall name lan-servers rule 999 log 'enable'
-
-# From LAN to CONTAINERS
-set firewall name lan-containers default-action 'accept'
-set firewall name lan-containers description 'From LAN to CONTAINERS'
-set firewall name lan-containers rule 40 action 'accept'
-set firewall name lan-containers rule 40 description 'Rule: accept_dns'
-set firewall name lan-containers rule 40 destination port 'domain,domain-s'
-set firewall name lan-containers rule 40 protocol 'tcp_udp'
-set firewall name lan-containers rule 999 action 'drop'
-set firewall name lan-containers rule 999 description 'Rule: drop_invalid'
-set firewall name lan-containers rule 999 state invalid 'enable'
-set firewall name lan-containers rule 999 log 'enable'
-
-# From LAN to TRUSTED
-set firewall name lan-trusted default-action 'drop'
-set firewall name lan-trusted description 'From LAN to TRUSTED'
-set firewall name lan-trusted enable-default-log
-set firewall name lan-trusted rule 999 action 'drop'
-set firewall name lan-trusted rule 999 description 'Rule: drop_invalid'
-set firewall name lan-trusted rule 999 state invalid 'enable'
-set firewall name lan-trusted rule 999 log 'enable'
-
-# From LAN to VIDEO
-set firewall name lan-video default-action 'drop'
-set firewall name lan-video description 'From LAN to VIDEO'
-set firewall name lan-video enable-default-log
-set firewall name lan-video rule 999 action 'drop'
-set firewall name lan-video rule 999 description 'Rule: drop_invalid'
-set firewall name lan-video rule 999 state invalid 'enable'
-set firewall name lan-video rule 999 log 'enable'
-
-# From LAN to WAN
-set firewall name lan-wan default-action 'accept'
-set firewall name lan-wan description 'From LAN to WAN'
-
-# From SERVERS to IOT
-set firewall name servers-iot default-action 'drop'
-set firewall name servers-iot description 'From SERVERS to IOT'
-set firewall name servers-iot enable-default-log
-set firewall name servers-iot rule 100 action 'accept'
-set firewall name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
-set firewall name servers-iot rule 100 protocol 'tcp'
-set firewall name servers-iot rule 100 source group address-group 'k8s_nodes'
-set firewall name servers-iot rule 110 action 'accept'
-set firewall name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
-set firewall name servers-iot rule 110 protocol 'icmp'
-set firewall name servers-iot rule 110 source group address-group 'k8s_nodes'
-set firewall name servers-iot rule 999 action 'drop'
-set firewall name servers-iot rule 999 description 'Rule: drop_invalid'
-set firewall name servers-iot rule 999 state invalid 'enable'
-set firewall name servers-iot rule 999 log 'enable'
-
-# From SERVERS to LAN
-set firewall name servers-lan default-action 'drop'
-set firewall name servers-lan description 'From SERVERS to LAN'
-set firewall name servers-lan enable-default-log
-set firewall name servers-lan rule 999 action 'drop'
-set firewall name servers-lan rule 999 description 'Rule: drop_invalid'
-set firewall name servers-lan rule 999 state invalid 'enable'
-set firewall name servers-lan rule 999 log 'enable'
-
-# From SERVERS to LOCAL
-set firewall name servers-local default-action 'drop'
-set firewall name servers-local description 'From SERVERS to LOCAL'
-set firewall name servers-local enable-default-log
-set firewall name servers-local rule 50 action 'accept'
-set firewall name servers-local rule 50 description 'Rule: accept_dhcp'
-set firewall name servers-local rule 50 destination port '67,68'
-set firewall name servers-local rule 50 protocol 'udp'
-set firewall name servers-local rule 50 source port '67,68'
-set firewall name servers-local rule 60 action 'accept'
-set firewall name servers-local rule 60 description 'Rule: accept_ntp'
-set firewall name servers-local rule 60 destination port 'ntp'
-set firewall name servers-local rule 60 protocol 'udp'
-set firewall name servers-local rule 70 action 'accept'
-set firewall name servers-local rule 70 description 'Rule: accept_bgp'
-set firewall name servers-local rule 70 destination port 'bgp'
-set firewall name servers-local rule 70 protocol 'tcp'
-set firewall name servers-local rule 80 action 'accept'
-set firewall name servers-local rule 80 description 'Rule: accept_tftp'
-set firewall name servers-local rule 80 destination port '69'
-set firewall name servers-local rule 80 protocol 'udp'
-set firewall name servers-local rule 90 action 'accept'
-set firewall name servers-local rule 90 description 'Rule: accept_dns'
-set firewall name servers-local rule 90 destination port 'domain,domain-s'
-set firewall name servers-local rule 90 protocol 'tcp_udp'
-set firewall name servers-local rule 100 action 'accept'
-set firewall name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
-set firewall name servers-local rule 100 destination port '9100'
-set firewall name servers-local rule 100 protocol 'tcp'
-set firewall name servers-local rule 100 source group address-group 'k8s_nodes'
-set firewall name servers-local rule 110 action 'accept'
-set firewall name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
-set firewall name servers-local rule 110 destination port '9798'
-set firewall name servers-local rule 110 protocol 'tcp'
-set firewall name servers-local rule 110 source group address-group 'k8s_nodes'
-set firewall name servers-local rule 999 action 'drop'
-set firewall name servers-local rule 999 description 'Rule: drop_invalid'
-set firewall name servers-local rule 999 state invalid 'enable'
-set firewall name servers-local rule 999 log 'enable'
-
-# From SERVERS to CONTAINERS
-set firewall name servers-containers default-action 'accept'
-set firewall name servers-containers description 'From SERVERS to CONTAINERS'
-set firewall name servers-containers enable-default-log
-set firewall name servers-containers rule 40 action 'accept'
-set firewall name servers-containers rule 40 description 'Rule: accept_dns'
-set firewall name servers-containers rule 40 destination port 'domain,domain-s'
-set firewall name servers-containers rule 40 protocol 'tcp_udp'
-set firewall name servers-containers rule 100 action 'accept'
-set firewall name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
-set firewall name servers-containers rule 100 protocol 'tcp'
-set firewall name servers-containers rule 100 source group address-group 'k8s_nodes'
-set firewall name servers-containers rule 999 action 'drop'
-set firewall name servers-containers rule 999 description 'Rule: drop_invalid'
-set firewall name servers-containers rule 999 state invalid 'enable'
-set firewall name servers-containers rule 999 log 'enable'
-
-# From SERVERS to TRUSTED
-set firewall name servers-trusted default-action 'drop'
-set firewall name servers-trusted description 'From SERVERS to TRUSTED'
-set firewall name servers-trusted enable-default-log
-set firewall name servers-trusted rule 999 action 'drop'
-set firewall name servers-trusted rule 999 description 'Rule: drop_invalid'
-set firewall name servers-trusted rule 999 state invalid 'enable'
-set firewall name servers-trusted rule 999 log 'enable'
-
-# From SERVERS to VIDEO
-set firewall name servers-video default-action 'drop'
-set firewall name servers-video description 'From SERVERS to VIDEO'
-set firewall name servers-video enable-default-log
-set firewall name servers-video rule 100 action 'accept'
-set firewall name servers-video rule 100 description 'Rule: accept_k8s_nodes'
-set firewall name servers-video rule 100 protocol 'tcp_udp'
-set firewall name servers-video rule 100 source group address-group 'k8s_nodes'
-set firewall name servers-video rule 999 action 'drop'
-set firewall name servers-video rule 999 description 'Rule: drop_invalid'
-set firewall name servers-video rule 999 state invalid 'enable'
-set firewall name servers-video rule 999 log 'enable'
-
-# From SERVERS to WAN
-set firewall name servers-wan default-action 'accept'
-set firewall name servers-wan description 'From SERVERS to WAN'
-
-# From CONTAINERS to IOT
-set firewall name containers-iot default-action 'drop'
-set firewall name containers-iot description 'From CONTAINERS to IOT'
-set firewall name containers-iot enable-default-log
-set firewall name containers-iot rule 999 action 'drop'
-set firewall name containers-iot rule 999 description 'Rule: drop_invalid'
-set firewall name containers-iot rule 999 state invalid 'enable'
-set firewall name containers-iot rule 999 log 'enable'
-
-# From CONTAINERS to LAN
-set firewall name containers-lan default-action 'drop'
-set firewall name containers-lan description 'From CONTAINERS to LAN'
-set firewall name containers-lan enable-default-log
-set firewall name containers-lan rule 999 action 'drop'
-set firewall name containers-lan rule 999 description 'Rule: drop_invalid'
-set firewall name containers-lan rule 999 state invalid 'enable'
-set firewall name containers-lan rule 999 log 'enable'
-
-# From CONTAINERS to LOCAL
-set firewall name containers-local default-action 'drop'
-set firewall name containers-local description 'From CONTAINERS to LOCAL'
-set firewall name containers-local enable-default-log
-set firewall name containers-local rule 50 action 'accept'
-set firewall name containers-local rule 50 description 'Rule: accept_dhcp'
-set firewall name containers-local rule 50 destination port '67,68'
-set firewall name containers-local rule 50 protocol 'udp'
-set firewall name containers-local rule 50 source port '67,68'
-set firewall name containers-local rule 60 action 'accept'
-set firewall name containers-local rule 60 description 'Rule: accept_ntp'
-set firewall name containers-local rule 60 destination port 'ntp'
-set firewall name containers-local rule 60 protocol 'udp'
-set firewall name containers-local rule 999 action 'drop'
-set firewall name 
containers-local rule 999 description 'Rule: drop_invalid' -set firewall name containers-local rule 999 state invalid 'enable' -set firewall name containers-local rule 999 log 'enable' - -# From CONTAINERS to SERVERS -set firewall name containers-servers default-action 'accept' -set firewall name containers-servers description 'From CONTAINERS to SERVERS' -set firewall name containers-servers rule 999 action 'drop' -set firewall name containers-servers rule 999 description 'Rule: drop_invalid' -set firewall name containers-servers rule 999 state invalid 'enable' -set firewall name containers-servers rule 999 log 'enable' - -# From CONTAINERS to TRUSTED -set firewall name containers-trusted default-action 'drop' -set firewall name containers-trusted description 'From CONTAINERS to TRUSTED' -set firewall name containers-trusted enable-default-log -set firewall name containers-trusted rule 999 action 'drop' -set firewall name containers-trusted rule 999 description 'Rule: drop_invalid' -set firewall name containers-trusted rule 999 state invalid 'enable' -set firewall name containers-trusted rule 999 log 'enable' - -# From CONTAINERS to VIDEO -set firewall name containers-video default-action 'drop' -set firewall name containers-video description 'From CONTAINERS to VIDEO' -set firewall name containers-video enable-default-log -set firewall name containers-video rule 999 action 'drop' -set firewall name containers-video rule 999 description 'Rule: drop_invalid' -set firewall name containers-video rule 999 state invalid 'enable' -set firewall name containers-video rule 999 log 'enable' - -# From CONTAINERS to WAN -set firewall name containers-wan default-action 'accept' -set firewall name containers-wan description 'From CONTAINERS to WAN' - -# From TRUSTED to IOT -set firewall name trusted-iot default-action 'accept' -set firewall name trusted-iot description 'From TRUSTED to IOT' -set firewall name trusted-iot rule 100 action 'accept' -set firewall name trusted-iot 
rule 100 description 'Rule: accept_app_control_from_sonos_controllers_tcp' -set firewall name trusted-iot rule 100 destination port '80,443,445,1400,3400,3401,3500,4070,4444' -set firewall name trusted-iot rule 100 protocol 'tcp' -set firewall name trusted-iot rule 100 source group address-group 'sonos_controllers' -set firewall name trusted-iot rule 110 action 'accept' -set firewall name trusted-iot rule 110 description 'Rule: accept_app_control_from_sonos_controllers_udp' -set firewall name trusted-iot rule 110 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969' -set firewall name trusted-iot rule 110 protocol 'udp' -set firewall name trusted-iot rule 110 source group address-group 'sonos_controllers' -set firewall name trusted-iot rule 999 action 'drop' -set firewall name trusted-iot rule 999 description 'Rule: drop_invalid' -set firewall name trusted-iot rule 999 state invalid 'enable' -set firewall name trusted-iot rule 999 log 'enable' - -# From TRUSTED to LAN -set firewall name trusted-lan default-action 'accept' -set firewall name trusted-lan description 'From TRUSTED to LAN' -set firewall name trusted-lan rule 999 action 'drop' -set firewall name trusted-lan rule 999 description 'Rule: drop_invalid' -set firewall name trusted-lan rule 999 state invalid 'enable' -set firewall name trusted-lan rule 999 log 'enable' - -# From TRUSTED to LOCAL -set firewall name trusted-local default-action 'drop' -set firewall name trusted-local description 'From TRUSTED to LOCAL' -set firewall name trusted-local enable-default-log -set firewall name trusted-local rule 50 action 'accept' -set firewall name trusted-local rule 50 description 'Rule: accept_dhcp' -set firewall name trusted-local rule 50 destination port '67,68' -set firewall name trusted-local rule 50 protocol 'udp' -set firewall name trusted-local rule 50 source port '67,68' -set firewall name trusted-local rule 60 action 'accept' -set firewall name trusted-local rule 60 description 'Rule: 
accept_ntp' -set firewall name trusted-local rule 60 destination port 'ntp' -set firewall name trusted-local rule 60 protocol 'udp' -set firewall name trusted-local rule 100 action 'accept' -set firewall name trusted-local rule 100 description 'Rule: accept_igmp' -set firewall name trusted-local rule 100 protocol '2' -set firewall name trusted-local rule 110 action 'accept' -set firewall name trusted-local rule 110 description 'Rule: accept_mdns' -set firewall name trusted-local rule 110 destination port 'mdns' -set firewall name trusted-local rule 110 protocol 'udp' -set firewall name trusted-local rule 110 source port 'mdns' -set firewall name trusted-local rule 120 action 'accept' -set firewall name trusted-local rule 120 description 'Rule: accept_dns' -set firewall name trusted-local rule 120 destination port 'domain,domain-s' -set firewall name trusted-local rule 120 protocol 'tcp_udp' -set firewall name trusted-local rule 200 action 'accept' -set firewall name trusted-local rule 200 description 'Rule: accept_ssh' -set firewall name trusted-local rule 200 destination port 'ssh' -set firewall name trusted-local rule 200 protocol 'tcp' -set firewall name trusted-local rule 210 action 'accept' -set firewall name trusted-local rule 210 description 'Rule: accept_vyos_api' -set firewall name trusted-local rule 210 destination port '8443' -set firewall name trusted-local rule 210 protocol 'tcp' -set firewall name trusted-local rule 220 action 'accept' -set firewall name trusted-local rule 220 description 'Rule: accept_wireguard' -set firewall name trusted-local rule 220 destination port '51820' -set firewall name trusted-local rule 220 protocol 'udp' -set firewall name trusted-local rule 300 action 'accept' -set firewall name trusted-local rule 300 description 'Rule: accept_discovery_from_sonos_players' -set firewall name trusted-local rule 300 destination port '1900,1901,1902' -set firewall name trusted-local rule 300 protocol 'udp' -set firewall name trusted-local 
rule 300 source group address-group 'sonos_players' -set firewall name trusted-local rule 310 action 'accept' -set firewall name trusted-local rule 310 description 'Rule: accept_discovery_from_sonos_controllers' -set firewall name trusted-local rule 310 destination port '1900,1901,1902,57621' -set firewall name trusted-local rule 310 protocol 'udp' -set firewall name trusted-local rule 310 source group address-group 'sonos_controllers' -set firewall name trusted-local rule 999 action 'drop' -set firewall name trusted-local rule 999 description 'Rule: drop_invalid' -set firewall name trusted-local rule 999 state invalid 'enable' -set firewall name trusted-local rule 999 log 'enable' - -# From TRUSTED to SERVERS -set firewall name trusted-servers default-action 'accept' -set firewall name trusted-servers description 'From TRUSTED to SERVERS' -set firewall name trusted-servers rule 999 action 'drop' -set firewall name trusted-servers rule 999 description 'Rule: drop_invalid' -set firewall name trusted-servers rule 999 state invalid 'enable' -set firewall name trusted-servers rule 999 log 'enable' - -# From TRUSTED to CONTAINERS -set firewall name trusted-containers default-action 'accept' -set firewall name trusted-containers description 'From TRUSTED to CONTAINERS' -set firewall name trusted-containers rule 40 action 'accept' -set firewall name trusted-containers rule 40 description 'Rule: accept_dns' -set firewall name trusted-containers rule 40 destination port 'domain,domain-s' -set firewall name trusted-containers rule 40 protocol 'tcp_udp' -set firewall name trusted-containers rule 999 action 'drop' -set firewall name trusted-containers rule 999 description 'Rule: drop_invalid' -set firewall name trusted-containers rule 999 state invalid 'enable' -set firewall name trusted-containers rule 999 log 'enable' - -# From TRUSTED to VIDEO -set firewall name trusted-video default-action 'accept' -set firewall name trusted-video description 'From TRUSTED to VIDEO' -set 
firewall name trusted-video rule 999 action 'drop' -set firewall name trusted-video rule 999 description 'Rule: drop_invalid' -set firewall name trusted-video rule 999 state invalid 'enable' -set firewall name trusted-video rule 999 log 'enable' - -# From TRUSTED to WAN -set firewall name trusted-wan default-action 'accept' -set firewall name trusted-wan description 'From TRUSTED to WAN' - -# From IOT to LAN -set firewall name iot-lan default-action 'drop' -set firewall name iot-lan description 'From IOT to LAN' -set firewall name iot-lan enable-default-log -set firewall name iot-lan rule 999 action 'drop' -set firewall name iot-lan rule 999 description 'Rule: drop_invalid' -set firewall name iot-lan rule 999 state invalid 'enable' -set firewall name iot-lan rule 999 log 'enable' - -# From IOT to LOCAL -set firewall name iot-local default-action 'drop' -set firewall name iot-local description 'From IOT to LOCAL' -set firewall name iot-local enable-default-log -set firewall name iot-local rule 50 action 'accept' -set firewall name iot-local rule 50 description 'Rule: accept_dhcp' -set firewall name iot-local rule 50 destination port '67,68' -set firewall name iot-local rule 50 protocol 'udp' -set firewall name iot-local rule 50 source port '67,68' -set firewall name iot-local rule 60 action 'accept' -set firewall name iot-local rule 60 description 'Rule: accept_ntp' -set firewall name iot-local rule 60 destination port 'ntp' -set firewall name iot-local rule 60 protocol 'udp' -set firewall name iot-local rule 100 action 'accept' -set firewall name iot-local rule 100 description 'Rule: accept_igmp' -set firewall name iot-local rule 100 protocol '2' -set firewall name iot-local rule 110 action 'accept' -set firewall name iot-local rule 110 description 'Rule: accept_mdns' -set firewall name iot-local rule 110 destination port 'mdns' -set firewall name iot-local rule 110 protocol 'udp' -set firewall name iot-local rule 110 source port 'mdns' -set firewall name iot-local 
rule 120 action 'accept' -set firewall name iot-local rule 120 description 'Rule: accept_dns' -set firewall name iot-local rule 120 destination port 'domain,domain-s' -set firewall name iot-local rule 120 protocol 'tcp_udp' -set firewall name iot-local rule 200 action 'accept' -set firewall name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players' -set firewall name iot-local rule 200 destination port '1900,1901,1902' -set firewall name iot-local rule 200 protocol 'udp' -set firewall name iot-local rule 200 source group address-group 'sonos_players' -set firewall name iot-local rule 210 action 'accept' -set firewall name iot-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers' -set firewall name iot-local rule 210 destination port '1900,1901,1902,57621' -set firewall name iot-local rule 210 protocol 'udp' -set firewall name iot-local rule 210 source group address-group 'sonos_controllers' -set firewall name iot-local rule 999 action 'drop' -set firewall name iot-local rule 999 description 'Rule: drop_invalid' -set firewall name iot-local rule 999 state invalid 'enable' -set firewall name iot-local rule 999 log 'enable' - -# From IOT to SERVERS -set firewall name iot-servers default-action 'drop' -set firewall name iot-servers description 'From IOT to SERVERS' -set firewall name iot-servers enable-default-log -set firewall name iot-servers rule 100 action 'accept' -set firewall name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners' -set firewall name iot-servers rule 100 destination group address-group 'nas' -set firewall name iot-servers rule 100 destination port 'microsoft-ds' -set firewall name iot-servers rule 100 protocol 'tcp' -set firewall name iot-servers rule 100 source group address-group 'scanners' -set firewall name iot-servers rule 200 action 'accept' -set firewall name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients' -set firewall name iot-servers rule 200 destination 
group address-group 'k8s_plex' -set firewall name iot-servers rule 200 destination port '32400' -set firewall name iot-servers rule 200 protocol 'tcp' -set firewall name iot-servers rule 200 source group address-group 'plex_clients' -set firewall name iot-servers rule 210 action 'accept' -set firewall name iot-servers rule 300 action 'accept' -set firewall name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients' -set firewall name iot-servers rule 300 destination group address-group 'k8s_mqtt' -set firewall name iot-servers rule 300 destination port '1883' -set firewall name iot-servers rule 300 protocol 'tcp' -set firewall name iot-servers rule 300 source group address-group 'mqtt_clients' -set firewall name iot-servers rule 310 action 'accept' -set firewall name iot-servers rule 310 description 'Rule: accept_mqtt_from_esp' -set firewall name iot-servers rule 310 destination group address-group 'k8s_mqtt' -set firewall name iot-servers rule 310 destination port '1883' -set firewall name iot-servers rule 310 protocol 'tcp' -set firewall name iot-servers rule 310 source group address-group 'esp' -set firewall name iot-servers rule 400 action 'accept' -set firewall name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players' -set firewall name iot-servers rule 400 destination group address-group 'k8s_ingress' -set firewall name iot-servers rule 400 destination port 'http,https' -set firewall name iot-servers rule 400 protocol 'tcp' -set firewall name iot-servers rule 400 source group address-group 'sonos_players' -set firewall name iot-servers rule 420 action 'accept' -set firewall name iot-servers rule 420 description 'Rule: accept_k8s_ingress_from_allowed_devices' -set firewall name iot-servers rule 420 destination group address-group 'k8s_ingress' -set firewall name iot-servers rule 420 destination port 'http,https' -set firewall name iot-servers rule 420 protocol 'tcp' -set firewall name iot-servers rule 420 source group 
address-group 'k8s_ingress_allowed' -set firewall name iot-servers rule 500 action 'accept' -set firewall name iot-servers rule 500 description 'Rule: accept_vector_journald_from_allowed_devices' -set firewall name iot-servers rule 500 destination group address-group 'k8s_vector_aggregator' -set firewall name iot-servers rule 500 destination port '6002' -set firewall name iot-servers rule 500 protocol 'tcp' -set firewall name iot-servers rule 500 source group address-group 'vector_journald_allowed' -set firewall name iot-servers rule 999 action 'drop' -set firewall name iot-servers rule 999 description 'Rule: drop_invalid' -set firewall name iot-servers rule 999 state invalid 'enable' -set firewall name iot-servers rule 999 log 'enable' - -# From IOT to CONTAINERS -set firewall name iot-containers default-action 'accept' -set firewall name iot-containers description 'From IOT to CONTAINERS' -set firewall name iot-containers rule 40 action 'accept' -set firewall name iot-containers rule 40 description 'Rule: accept_dns' -set firewall name iot-containers rule 40 destination port 'domain,domain-s' -set firewall name iot-containers rule 40 protocol 'tcp_udp' -set firewall name iot-containers rule 999 action 'drop' -set firewall name iot-containers rule 999 description 'Rule: drop_invalid' -set firewall name iot-containers rule 999 state invalid 'enable' -set firewall name iot-containers rule 999 log 'enable' - -# From IOT to TRUSTED -set firewall name iot-trusted default-action 'drop' -set firewall name iot-trusted description 'From IOT to TRUSTED' -set firewall name iot-trusted enable-default-log -set firewall name iot-trusted rule 100 action 'accept' -set firewall name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers' -set firewall name iot-trusted rule 100 destination group address-group 'sonos_controllers' -set firewall name iot-trusted rule 100 destination port '30000-65535' -set firewall name iot-trusted rule 100 protocol 
'udp' -set firewall name iot-trusted rule 100 source group address-group 'sonos_players' -set firewall name iot-trusted rule 110 action 'accept' -set firewall name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers' -set firewall name iot-trusted rule 110 destination group address-group 'sonos_controllers' -set firewall name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535' -set firewall name iot-trusted rule 110 protocol 'tcp' -set firewall name iot-trusted rule 110 source group address-group 'sonos_players' -set firewall name iot-trusted rule 999 action 'drop' -set firewall name iot-trusted rule 999 description 'Rule: drop_invalid' -set firewall name iot-trusted rule 999 state invalid 'enable' -set firewall name iot-trusted rule 999 log 'enable' - -# From IOT to VIDEO -set firewall name iot-video default-action 'drop' -set firewall name iot-video description 'From IOT to VIDEO' -set firewall name iot-video enable-default-log -set firewall name iot-video rule 100 action 'accept' -set firewall name iot-video rule 100 description 'Rule: accept_k8s_nodes' -set firewall name iot-video rule 100 protocol 'tcp' -set firewall name iot-video rule 100 source group address-group 'k8s_nodes' -set firewall name iot-video rule 999 action 'drop' -set firewall name iot-video rule 999 description 'Rule: drop_invalid' -set firewall name iot-video rule 999 state invalid 'enable' -set firewall name iot-video rule 999 log 'enable' - -# From IOT to WAN -set firewall name iot-wan default-action 'accept' -set firewall name iot-wan description 'From IOT to WAN' - -# From VIDEO to IOT -set firewall name video-iot default-action 'drop' -set firewall name video-iot description 'From VIDEO to IOT' -set firewall name video-iot enable-default-log -set firewall name video-iot rule 100 action 'accept' -set firewall name video-iot rule 100 description 'Rule: allow connecting to hass' -set firewall name video-iot rule 100 protocol 'tcp' 
-set firewall name video-iot rule 100 destination group address-group 'k8s_hass' -set firewall name video-iot rule 100 destination port '8123' -set firewall name video-iot rule 999 action 'drop' -set firewall name video-iot rule 999 description 'Rule: drop_invalid' -set firewall name video-iot rule 999 state invalid 'enable' -set firewall name video-iot rule 999 log 'enable' - -# From VIDEO to LAN -set firewall name video-lan default-action 'drop' -set firewall name video-lan description 'From VIDEO to LAN' -set firewall name video-lan enable-default-log -set firewall name video-lan rule 999 action 'drop' -set firewall name video-lan rule 999 description 'Rule: drop_invalid' -set firewall name video-lan rule 999 state invalid 'enable' -set firewall name video-lan rule 999 log 'enable' - -# From VIDEO to LOCAL -set firewall name video-local default-action 'drop' -set firewall name video-local description 'From VIDEO to LOCAL' -set firewall name video-local enable-default-log -set firewall name video-local rule 50 action 'accept' -set firewall name video-local rule 50 description 'Rule: accept_dhcp' -set firewall name video-local rule 50 destination port '67,68' -set firewall name video-local rule 50 protocol 'udp' -set firewall name video-local rule 50 source port '67,68' -set firewall name video-local rule 60 action 'accept' -set firewall name video-local rule 60 description 'Rule: accept_ntp' -set firewall name video-local rule 60 destination port 'ntp' -set firewall name video-local rule 60 protocol 'udp' -set firewall name video-local rule 999 action 'drop' -set firewall name video-local rule 999 description 'Rule: drop_invalid' -set firewall name video-local rule 999 state invalid 'enable' -set firewall name video-local rule 999 log 'enable' - -# From VIDEO to SERVERS -set firewall name video-servers default-action 'drop' -set firewall name video-servers description 'From VIDEO to SERVERS' -set firewall name video-servers enable-default-log -set firewall name 
video-servers rule 100 action 'accept' -set firewall name video-servers rule 100 description 'Rule: accept_k8s_nodes' -set firewall name video-servers rule 100 protocol 'udp' -set firewall name video-servers rule 100 destination group address-group 'k8s_nodes' -set firewall name video-servers rule 100 source port '6987-6989' -set firewall name video-servers rule 999 action 'drop' -set firewall name video-servers rule 999 description 'Rule: drop_invalid' -set firewall name video-servers rule 999 state invalid 'enable' -set firewall name video-servers rule 999 log 'enable' - -# From VIDEO to CONTAINERS -set firewall name video-containers default-action 'accept' -set firewall name video-containers description 'From VIDEO to CONTAINERS' -set firewall name video-containers rule 40 action 'accept' -set firewall name video-containers rule 40 description 'Rule: accept_dns' -set firewall name video-containers rule 40 destination port 'domain,domain-s' -set firewall name video-containers rule 40 protocol 'tcp_udp' -set firewall name video-containers rule 999 action 'drop' -set firewall name video-containers rule 999 description 'Rule: drop_invalid' -set firewall name video-containers rule 999 state invalid 'enable' -set firewall name video-containers rule 999 log 'enable' - -# From VIDEO to TRUSTED -set firewall name video-trusted default-action 'drop' -set firewall name video-trusted description 'From VIDEO to TRUSTED' -set firewall name video-trusted enable-default-log -set firewall name video-trusted rule 999 action 'drop' -set firewall name video-trusted rule 999 description 'Rule: drop_invalid' -set firewall name video-trusted rule 999 state invalid 'enable' -set firewall name video-trusted rule 999 log 'enable' - -# From VIDEO to WAN -set firewall name video-wan default-action 'drop' -set firewall name video-wan description 'From VIDEO to WAN' diff --git a/config-parts/firewall-zone.sh b/config-parts/firewall-zone.sh index c42a789..0ec1b97 100644 
--- a/config-parts/firewall-zone.sh
+++ b/config-parts/firewall-zone.sh
@@ -1,5 +1,27 @@
 #!/bin/vbash
 
+# iot
+set firewall zone iot default-action 'drop'
+set firewall zone iot from lan firewall name 'lan-iot'
+set firewall zone iot from local firewall name 'local-iot'
+set firewall zone iot from servers firewall name 'servers-iot'
+set firewall zone iot from containers firewall name 'containers-iot'
+set firewall zone iot from trusted firewall name 'trusted-iot'
+set firewall zone iot from video firewall name 'video-iot'
+set firewall zone iot from wan firewall name 'wan-iot'
+set firewall zone iot interface 'eth4.30'
+
+# lan
+set firewall zone lan default-action 'drop'
+set firewall zone lan from iot firewall name 'iot-lan'
+set firewall zone lan from local firewall name 'local-lan'
+set firewall zone lan from servers firewall name 'servers-lan'
+set firewall zone lan from containers firewall name 'containers-lan'
+set firewall zone lan from trusted firewall name 'trusted-lan'
+set firewall zone lan from video firewall name 'video-lan'
+set firewall zone lan from wan firewall name 'wan-lan'
+set firewall zone lan interface 'eth4'
+
 # local
 set firewall zone local default-action 'drop'
 set firewall zone local description 'Local router zone'
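Review bot: The lan zone is bound to the untagged parent interface `eth4`, while every other zone on that trunk is bound to a tagged sub-interface (`eth4.10`, `.20`, `.30`, `.40` in the later hunks), so any frame that reaches eth4 without a VLAN tag — for instance from a switch port whose native VLAN is misconfigured — is classified as `lan` and evaluated under the lan-* rulesets rather than dropped. That is presumably intended (it was `eth1` before the rename), but it is an implicit trust boundary worth stating in the file: `# lan: untagged/native VLAN on the eth4 trunk; all other zones are 802.1Q sub-interfaces of eth4`. The iot and lan zones also carry no `description`, unlike the local zone further down; `set firewall zone iot description 'IoT VLAN 30'` and `set firewall zone lan description 'Untagged LAN on eth4'` would make `show firewall zone` self-explanatory. The lan-* rulesets are not visible in this chunk, so their default-action cannot be confirmed here.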
@@ -12,26 +34,16 @@ set firewall zone local from video firewall name 'video-local'
 set firewall zone local from wan firewall name 'wan-local'
 set firewall zone local local-zone
 
-# wan
-set firewall zone wan from iot firewall name 'iot-wan'
-set firewall zone wan from lan firewall name 'lan-wan'
-set firewall zone wan from local firewall name 'local-wan'
-set firewall zone wan from servers firewall name 'servers-wan'
-set firewall zone wan from containers firewall name 'containers-wan'
-set firewall zone wan from trusted firewall name 'trusted-wan'
-set firewall zone wan from video firewall name 'video-wan'
-set firewall zone wan interface 'eth0'
-
-# lan
-set firewall zone lan default-action 'drop'
-set firewall zone lan from iot firewall name 'iot-lan'
-set firewall zone lan from local firewall name 'local-lan'
-set firewall zone lan from servers firewall name 'servers-lan'
-set firewall zone lan from containers firewall name 'containers-lan'
-set firewall zone lan from trusted firewall name 'trusted-lan'
-set firewall zone lan from video firewall name 'video-lan'
-set firewall zone lan from wan firewall name 'wan-lan'
-set firewall zone lan interface 'eth1'
+# servers
+set firewall zone servers default-action 'drop'
+set firewall zone servers from iot firewall name 'iot-servers'
+set firewall zone servers from lan firewall name 'lan-servers'
+set firewall zone servers from local firewall name 'local-servers'
+set firewall zone servers from containers firewall name 'containers-servers'
+set firewall zone servers from trusted firewall name 'trusted-servers'
+set firewall zone servers from video firewall name 'video-servers'
+set firewall zone servers from wan firewall name 'wan-servers'
+set firewall zone servers interface 'eth4.10'
 
 # containers
 set firewall zone containers default-action 'drop'
@@ -45,17 +57,6 @@ set firewall zone containers from video firewall name 'video-containers'
 set firewall zone containers from wan firewall name 'wan-containers'
 set firewall zone containers interface 'pod-containers'
 
-# servers
-set firewall zone servers default-action 'drop'
-set firewall zone servers from iot firewall name 'iot-servers'
-set firewall zone servers from lan firewall name 'lan-servers'
-set firewall zone servers from local firewall name 'local-servers'
-set firewall zone servers from containers firewall name 'containers-servers'
-set firewall zone servers from trusted firewall name 'trusted-servers'
-set firewall zone servers from video firewall name 'video-servers'
-set firewall zone servers from wan firewall name 'wan-servers'
-set firewall zone servers interface 'eth1.10'
-
 # trusted
 set firewall zone trusted default-action 'drop'
 set firewall zone trusted from iot firewall name 'iot-trusted'
@@ -65,20 +66,9 @@ set firewall zone trusted from servers firewall name 'servers-trusted'
 set firewall zone trusted from containers firewall name 'containers-trusted'
 set firewall zone trusted from video firewall name 'video-trusted'
 set firewall zone trusted from wan firewall name 'wan-trusted'
-set firewall zone trusted interface 'eth1.20'
+set firewall zone trusted interface 'eth4.20'
 set firewall zone trusted interface 'wg01'
 
-# iot
-set firewall zone iot default-action 'drop'
-set firewall zone iot from lan firewall name 'lan-iot'
-set firewall zone iot from local firewall name 'local-iot'
-set firewall zone iot from servers firewall name 'servers-iot'
-set firewall zone iot from containers firewall name 'containers-iot'
-set firewall zone iot from trusted firewall name 'trusted-iot'
-set firewall zone iot from video firewall name 'video-iot'
-set firewall zone iot from wan firewall name 'wan-iot'
-set firewall zone iot interface 'eth1.30'
-
 # video
 set firewall zone video default-action 'drop'
 set firewall zone video from iot firewall name 'iot-video'
@@ -88,5 +78,15 @@ set firewall zone video from servers firewall name 'servers-video'
 set firewall zone video from containers firewall name 'containers-video'
 set firewall zone video from trusted firewall name 'trusted-video'
 set firewall zone video from wan firewall name 'wan-video'
-set firewall zone video interface 'eth1.40'
+set firewall zone video interface 'eth4.40'
 set firewall zone wan default-action 'drop'
+
+# wan
+set firewall zone wan from iot firewall name 'iot-wan'
+set firewall zone wan from lan firewall name 'lan-wan'
+set firewall zone wan from local firewall name 'local-wan'
+set firewall zone wan from servers firewall name 'servers-wan'
+set firewall zone wan from containers firewall name 'containers-wan'
+set firewall zone wan from trusted firewall name 'trusted-wan'
+set firewall zone wan from video firewall name 'video-wan'
+set firewall zone wan interface 'eth0'
\ No newline at end of file
diff --git a/config-parts/firewall.sh b/config-parts/firewall.sh
index 7a13785..c33551a 100644
--- a/config-parts/firewall.sh
+++ b/config-parts/firewall.sh
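Review bot: The trusted zone spans both the wired VLAN `eth4.20` and the WireGuard tunnel `wg01`, so every remote WireGuard peer is evaluated under the same trusted-* rulesets as a wired trusted host; the trusted-local ruleset deleted earlier in this patch accepted ssh, the VyOS API on 8443 and DNS from this zone, and if the rebuilt ipv4 ruleset keeps those accepts they are reachable from any peer whose key is configured on wg01. That may well be the intended design for a personal VPN, but it deserves a comment at the interface lines, e.g. `# wg01 peers get full 'trusted' privileges, including router ssh/API access`, or a separate vpn zone if remote peers should get less than the wired LAN. The `wg01` line is unchanged context here, so this is a pre-existing choice the rename carries forward rather than something the commit introduces.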
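Review bot: The wan zone definition is now split in two: the existing `set firewall zone wan default-action 'drop'` line stays as context above the new `# wan` header while the from/interface lines are added below it, which reads as if default-action belonged to the video block. Move that line under the header so `# wan` is followed by `set firewall zone wan default-action 'drop'` and then the from lines, matching the layout of every other zone in this file. The hunk also ends with `\ No newline at end of file`, which makes the next append to this file show up as a spurious one-line change; terminate the file with a newline. Like the other zones here, wan has no `description`; `set firewall zone wan description 'Upstream on eth0'` is cheap and shows up in `show firewall zone`.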
@@ -1,87 +1,20 @@
 #!/bin/vbash
 
 # General configuration
-set firewall state-policy established action 'accept'
-set firewall state-policy invalid action 'drop'
-set firewall state-policy related action 'accept'
+set firewall global-options state-policy established action 'accept'
+set firewall global-options state-policy related action 'accept'
+set firewall global-options all-ping 'enable'
 
 # Address Groups
-set firewall group address-group ios_devices address '10.1.2.31'
-set firewall group address-group ios_devices address '10.1.2.32'
-set firewall group address-group ios_devices address '10.1.2.33'
-set firewall group address-group ios_devices address '10.1.2.34'
-set firewall group address-group ios_devices address '10.1.2.35'
-set firewall group address-group ios_devices address '10.1.2.36'
-
-set firewall group address-group esp address '10.1.3.21'
-
+set firewall group address-group router-addresses address 10.0.0.1
+set firewall group address-group router-addresses address 127.0.0.1
+set firewall group address-group k8s_nodes address '10.1.1.61-63' # master nodes
+set firewall group address-group k8s_nodes address '10.1.1.41-46' # worker nodes
 set firewall group address-group k8s_api address '10.5.0.2'
-
-# external nginx
-set firewall group address-group k8s_ingress address '10.45.0.1'
-# internal nginx
-set firewall group address-group k8s_ingress address '10.45.0.3'
-
-set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
-set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
-
-set firewall group address-group k8s_mqtt address '10.45.0.10'
-
-set firewall group address-group k8s_nodes address '10.1.1.41'
-set firewall group address-group k8s_nodes address '10.1.1.42'
-set firewall group address-group k8s_nodes address '10.1.1.43'
-set firewall group address-group k8s_nodes address '10.1.1.44'
-set firewall group address-group k8s_nodes address '10.1.1.45'
-set firewall group address-group k8s_nodes address '10.1.1.46'
-set firewall group address-group k8s_nodes address '10.1.1.61'
-set firewall group address-group k8s_nodes address '10.1.1.62'
-set firewall group address-group k8s_nodes address '10.1.1.63'
-
-set firewall group address-group k8s_hass address '10.45.0.5'
-set firewall group address-group k8s_plex address '10.45.0.20'
+set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx
+set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx
 set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
-
-set firewall group address-group mqtt_clients address '10.1.2.21'
-set firewall group address-group mqtt_clients address '10.1.2.32'
-set firewall group address-group mqtt_clients address '10.1.3.18'
-set firewall group address-group mqtt_clients address '10.1.3.22'
-set firewall group address-group mqtt_clients address '10.1.3.56'
-set firewall group address-group mqtt_clients address '10.1.3.33' # SwitchBot Plug Mini 1
-set firewall group address-group mqtt_clients address '10.1.3.34' # SwitchBot Plug Mini 2
-set firewall group address-group mqtt_clients address '10.1.3.35' # SwitchBot Plug Mini 3
-set firewall group address-group mqtt_clients address '10.1.3.36' # SwitchBot Plug Mini 4
-
-set firewall group address-group hass_clients address '10.1.4.12'
-
-set firewall group address-group nas address '10.1.1.11'
-
-set firewall group address-group plex_clients address '10.1.2.21'
-set firewall group address-group plex_clients address '10.1.2.31'
-set firewall group address-group plex_clients address '10.1.2.32'
-set firewall group address-group plex_clients address '10.1.2.33'
-set firewall group address-group plex_clients address '10.1.2.34'
-set firewall group address-group plex_clients address '10.1.2.35'
-set firewall group address-group plex_clients address '10.1.2.36'
-set firewall group address-group plex_clients address '10.1.3.16'
-
-set firewall group address-group printers address '10.1.3.55'
-
-set firewall group address-group printer_allowed address '192.168.2.11'
-
-set firewall group address-group sonos_controllers address '10.1.2.21'
-set firewall group address-group sonos_controllers address '10.1.2.31'
-set firewall group address-group sonos_controllers address '10.1.2.32'
-set firewall group address-group sonos_controllers address '10.1.2.33'
-set firewall group address-group sonos_controllers address '10.1.2.34'
-set firewall group address-group sonos_controllers address '10.1.2.36'
-
-set firewall group address-group sonos_players address '10.1.3.71'
-set firewall group address-group sonos_players address '10.1.3.72'
-set firewall group address-group sonos_players address '10.1.3.73'
-set firewall group address-group sonos_players address '10.1.3.74'
-
-set firewall group address-group scanners address '10.1.3.55'
-
+set firewall group address-group nas address '10.1.1.11-12'
 set firewall group address-group unifi_devices address '10.1.0.11'
 set firewall group address-group unifi_devices address '10.1.0.12'
 set firewall group address-group unifi_devices address '10.1.0.13'
@@ -89,15 +22,10 @@ set firewall group address-group unifi_devices address '10.1.0.21'
 set firewall group address-group unifi_devices address '10.1.0.22'
 set firewall group address-group unifi_devices address '10.1.0.23'
 set firewall group address-group unifi_devices address '10.1.0.24'
-
-set firewall group address-group vector_journald_allowed address '10.1.3.56'
-set firewall group address-group vector_journald_allowed address '10.1.3.60'
-
-set firewall group address-group vyos_coredns address '10.5.0.3'
-
 set firewall group address-group vyos_unifi address '10.5.0.10'
-
 set firewall group network-group k8s_services network '10.45.0.0/16'
 
 # Port groups
 set firewall group port-group wireguard port '51820'
+set firewall group port-group sonos-discovery port '1900-1902'
+set firewall group port-group sonos-discovery port '57621'
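Review bot: The move of the state policy under `global-options` silently drops the `invalid` entry — the old file had `set firewall state-policy invalid action 'drop'`, the new block sets only established/related plus all-ping — so packets conntrack classifies as INVALID are no longer dropped globally and now depend on whatever each per-zone ruleset's default action happens to be; add `set firewall global-options state-policy invalid action 'drop'`. The shorthand ranges `'10.1.1.61-63'`, `'10.1.1.41-46'` and `'10.1.1.11-12'` should be checked against the 1.4 address-group validator, which to my knowledge expects the full `10.1.1.61-10.1.1.63` form; since k8s_nodes and nas are the groups the rulesets key on, a range that is rejected or parsed differently than intended widens or shrinks what those rules match. Minor: `router-addresses address 10.0.0.1` and `127.0.0.1` are the only unquoted values in the file; quote them for consistency with every other line.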
diff --git a/config-parts/interfaces.sh b/config-parts/interfaces.sh
index bd1e1c8..290a5fe 100644
--- a/config-parts/interfaces.sh
+++ b/config-parts/interfaces.sh
@@ -1,20 +1,20 @@
 #!/bin/vbash
 
-set interfaces ethernet eth0 address 'dhcp'
-set interfaces ethernet eth0 description 'WAN'
-set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:69'
+set interfaces ethernet eth5 address 'dhcp'
+set interfaces ethernet eth5 description 'WAN'
+set interfaces ethernet eth5 hw-id '80:61:5f:04:88:5b'
 
-set interfaces ethernet eth1 address '10.1.0.1/24'
-set interfaces ethernet eth1 description 'LAN'
-set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:68'
-set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
-set interfaces ethernet eth1 vif 10 description 'SERVERS'
-set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
-set interfaces ethernet eth1 vif 20 description 'TRUSTED'
-set interfaces ethernet eth1 vif 30 address '10.1.3.1/24'
-set interfaces ethernet eth1 vif 30 description 'IOT'
-set interfaces ethernet eth1 vif 40 address '10.1.4.1/24'
-set interfaces ethernet eth1 vif 40 description 'VIDEO'
+set interfaces ethernet eth4 address '10.1.0.1/24'
+set interfaces ethernet eth4 description 'LAN'
+set interfaces ethernet eth4 hw-id '80:61:5f:04:88:5a'
+set interfaces ethernet eth4 vif 10 address '10.1.1.1/24'
+set interfaces ethernet eth4 vif 10 description 'SERVERS'
+set interfaces ethernet eth4 vif 20 address '10.1.2.1/24'
+set interfaces ethernet eth4 vif 20 description 'TRUSTED'
+set interfaces ethernet eth4 vif 30 address '10.1.3.1/24'
+set interfaces ethernet eth4 vif 30 description 'IOT'
+set interfaces ethernet eth4 vif 40 address '10.1.4.1/24'
+set interfaces ethernet eth4 vif 40 description 'VIDEO'
 
 set interfaces wireguard wg01 address '10.0.11.1/24'
 set interfaces wireguard wg01 description 'WIREGUARD'
diff --git a/config-parts/nat.sh b/config-parts/nat.sh
index 4c5bff1..ed57825 100644
--- a/config-parts/nat.sh
+++ b/config-parts/nat.sh
@@ -3,79 +3,13 @@
 # Forward Plex to Sting
 set nat destination rule 110 description 'PLEX'
 set nat destination rule 110 destination port '32400'
-set nat destination rule 110 inbound-interface 'eth0'
+set nat destination rule 110 inbound-interface 'eth5'
 set nat destination rule 110 protocol 'tcp'
 set nat destination rule 110 translation address '10.1.1.12'
 set nat destination rule 110 translation port '32400'
 
-# Force DNS
-set nat destination rule 102 description 'Force DNS for IoT'
-set nat destination rule 102 destination address '!10.1.3.1'
-set nat destination rule 102 destination port '53'
-set nat destination rule 102 inbound-interface 'eth1.30'
-set nat destination rule 102 protocol 'tcp_udp'
-set nat destination rule 102 translation address '10.1.3.1'
-set nat destination rule 102 translation port '53'
-
-set nat destination rule 103 description 'Force DNS for Video'
-set nat destination rule 103 destination address '!10.1.4.1'
-set nat destination rule 103 destination port '53'
-set nat destination rule 103 inbound-interface 'eth1.40'
-set nat destination rule 103 protocol 'tcp_udp'
-set nat destination rule 103 translation address '10.1.4.1'
-set nat destination rule 103 translation port '53'
-
-set nat destination rule 104 description 'Force NTP for LAN'
-set nat destination rule 104 destination address '!10.1.0.1'
-set nat destination rule 104 destination port '123'
-set nat destination rule 104 inbound-interface 'eth1'
-set nat destination rule 104 protocol 'udp'
-set nat destination rule 104 translation address '10.1.0.1'
-set nat destination rule 104 translation port '123'
-
-# Force NTP
-set nat destination rule 105 description 'Force NTP for Servers'
-set nat destination rule 105 destination address '!10.1.1.1'
-set nat destination rule 105 destination port '123'
-set nat destination rule 105 inbound-interface 'eth1.10'
-set nat destination rule 105 protocol 'udp'
-set nat destination rule 105 translation address '10.1.1.1'
-set nat destination rule 105 translation port '123'
-set nat destination rule 106 description 'Force NTP for Trusted'
-
-set nat destination rule 106 destination address '!10.1.2.1'
-set nat destination rule 106 destination port '123'
-set nat destination rule 106 inbound-interface 'eth1.20'
-set nat destination rule 106 protocol 'udp'
-set nat destination rule 106 translation address '10.1.2.1'
-set nat destination rule 106 translation port '123'
-
-set nat destination rule 107 description 'Force NTP for IoT'
-set nat destination rule 107 destination address '!10.1.3.1'
-set nat destination rule 107 destination port '123'
-set nat destination rule 107 inbound-interface 'eth1.30'
-set nat destination rule 107 protocol 'udp'
-set nat destination rule 107 translation address '10.1.3.1'
-set nat destination rule 107 translation port '123'
-
-set nat destination rule 108 description 'Force NTP for Video'
-set nat destination rule 108 destination address '!10.1.4.1'
-set nat destination rule 108 destination port '123'
-set nat destination rule 108 inbound-interface 'eth1.40'
-set nat destination rule 108 protocol 'udp'
-set nat destination rule 108 translation address '10.1.4.1'
-set nat destination rule 108 translation port '123'
-
-set nat destination rule 109 description 'Force NTP for Wireguard Trusted'
-set nat destination rule 109 destination address '!10.0.11.1'
-set nat destination rule 109 destination port '123'
-set nat destination rule 109 inbound-interface 'wg01'
-set nat destination rule 109 protocol 'udp'
-set nat destination rule 109 translation address '10.0.11.1'
-set nat destination rule 109 translation port '123'
-
 # LAN -> WAN masquerade
 set nat source rule 100 description 'LAN -> WAN'
 set nat source rule 100 destination address '0.0.0.0/0'
-set nat source rule 100 outbound-interface 'eth0'
+set nat source rule 100 outbound-interface name 'eth5'
 set nat source rule 100 translation address 'masquerade'
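Review bot: Rule 110 keeps the 1.3 form `inbound-interface 'eth5'` while rule 100 in the same hunk was migrated to `outbound-interface name 'eth5'`; on 1.4 the destination rule should likewise read `set nat destination rule 110 inbound-interface name 'eth5'`, otherwise the Plex forward is likely to fail validation at commit. Deleting every Force-DNS / Force-NTP redirect (rules 102–109) also removes the control that kept IoT and Video devices with hard-coded resolvers or time servers pinned to the router, so unless the new firewall-ipv4.sh rulesets (not in this view) drop outbound 53/123 from those zones, IoT DNS can now bypass local filtering and logging entirely. If the removal is deliberate, a comment such as `# DNS/NTP redirection removed: outbound 53/123 is blocked per-zone in firewall-ipv4.sh instead` would record where the enforcement now lives.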
diff --git a/config-parts/system.sh b/config-parts/system.sh
index 5c878f5..98121c5 100644
--- a/config-parts/system.sh
+++ b/config-parts/system.sh
@@ -1,7 +1,7 @@
 #!/bin/vbash
 
 set system domain-name 'jahanson.tech'
-set system host-name 'gateway'
+set system host-name 'gandalf'
 
 set system ipv6 disable-forwarding
 
@@ -14,13 +14,6 @@ set system name-server '1.1.1.1'
 set system sysctl parameter kernel.pty.max value '24000'
 
-# Sent to vector syslog server
-set system syslog global facility all level info
-set system syslog host 10.45.0.2 facility kern level 'warning'
-set system syslog host 10.45.0.2 protocol 'tcp'
-set system syslog host 10.45.0.2 port '6001'
-set system syslog host 10.45.0.2 format 'octet-counted'
-
 # Custom backup
 set system task-scheduler task backup-config crontab-spec '30 0 * * *'
 set system task-scheduler task backup-config executable path '/config/scripts/custom-config-backup.sh'
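Review bot: Off-box logging is removed without a replacement in the second hunk — the five `system syslog` lines shipped kernel-facility events (which is where firewall rule logging lands) to the aggregator at 10.45.0.2 over TCP, and after this change those logs exist only on the router itself, where anyone who compromises it can alter or erase them. The `k8s_vector_aggregator` address-group for 10.45.0.2 is still defined in firewall.sh, which suggests the destination still exists; if the lines were dropped only because the 1.4 syntax differs, re-add the host under the current syntax, otherwise state in the commit message that remote logging is intentionally discontinued. Removing `set system syslog global facility all level info` also reverts local logging to the default level, which may hide rule hits that the rulesets log.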