Updated for VyOS 1.4-rc1: firewall rules and APIs updated to match.

This commit is contained in:
Joseph Hanson 2024-01-03 15:44:12 -06:00
parent f7b292ba74
commit 1d402a8b6d
8 changed files with 835 additions and 1013 deletions


@ -3,21 +3,6 @@
# Container networks # Container networks
set container network containers prefix '10.5.0.0/24' set container network containers prefix '10.5.0.0/24'
# bind
set container name bind cap-add 'net-bind-service'
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
set container name bind memory '0'
set container name bind network containers address '10.5.0.3'
set container name bind restart 'on-failure'
set container name bind shared-memory '0'
set container name bind volume config source '/config/containers/bind/config'
set container name bind volume config destination '/etc/bind'
set container name bind volume config mode 'ro'
set container name bind volume cache source '/tmp/bind/cache'
set container name bind volume cache destination '/var/cache/bind'
set container name bind volume cache mode 'rw'
# haproxy-k8s-api # haproxy-k8s-api
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.0' set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.0'
set container name haproxy-k8s-api memory '0' set container name haproxy-k8s-api memory '0'
@ -57,7 +42,7 @@ set container name speedtest-exporter shared-memory '0'
# udp-broadcast-relay-mdns # udp-broadcast-relay-mdns
set container name udp-broadcast-relay-mdns allow-host-networks set container name udp-broadcast-relay-mdns allow-host-networks
set container name udp-broadcast-relay-mdns cap-add 'net-raw' set container name udp-broadcast-relay-mdns cap-add 'net-raw'
set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth1.20;eth1.40' set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth4.20;eth4.40'
set container name udp-broadcast-relay-mdns environment CFG_ID value '2' set container name udp-broadcast-relay-mdns environment CFG_ID value '2'
set container name udp-broadcast-relay-mdns environment CFG_MULTICAST value '224.0.0.251' set container name udp-broadcast-relay-mdns environment CFG_MULTICAST value '224.0.0.251'
set container name udp-broadcast-relay-mdns environment CFG_PORT value '5353' set container name udp-broadcast-relay-mdns environment CFG_PORT value '5353'
@ -70,7 +55,7 @@ set container name udp-broadcast-relay-mdns shared-memory '0'
# udp-broadcast-relay-sonos # udp-broadcast-relay-sonos
set container name udp-broadcast-relay-sonos allow-host-networks set container name udp-broadcast-relay-sonos allow-host-networks
set container name udp-broadcast-relay-sonos cap-add 'net-raw' set container name udp-broadcast-relay-sonos cap-add 'net-raw'
set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth1.20;eth1.40' set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth4.20;eth4.40'
set container name udp-broadcast-relay-sonos environment CFG_ID value '1' set container name udp-broadcast-relay-sonos environment CFG_ID value '1'
set container name udp-broadcast-relay-sonos environment CFG_MULTICAST value '239.255.255.250' set container name udp-broadcast-relay-sonos environment CFG_MULTICAST value '239.255.255.250'
set container name udp-broadcast-relay-sonos environment CFG_PORT value '1900' set container name udp-broadcast-relay-sonos environment CFG_PORT value '1900'
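Review bot: The two changed CFG_DEV lines (the mdns relay in the second hunk and the sonos relay in the third) now bind the relays to `eth4.20;eth4.40`, but nothing in this file shows those VLAN sub-interfaces being defined, so confirm the matching interface rename lands in the interfaces config in the same commit; both relays run with allow-host-networks and net-raw, and a wrong interface name would leave them relaying nothing without a firewall-side error. Because the value is a free-form string the config does not validate it against existing interfaces, so a short comment above each relay would help the next edit, e.g. `# CFG_DEV must list the VLAN sub-interfaces (eth4 vif 20/40) that mDNS/SSDP are relayed between`. The removed bind container is history and is not re-raised here, but note that the remaining containers in this prefix are now the only DNS path if anything else still points at 10.5.0.3 — worth a grep before commit.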


@ -0,0 +1,760 @@
#!/bin/vbash
# From IOT to LAN
set firewall ipv4 name iot-lan default-action 'drop'
set firewall ipv4 name iot-lan description 'From IOT to LAN'
set firewall ipv4 name iot-lan enable-default-log
set firewall ipv4 name iot-lan rule 999 action 'drop'
set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-lan rule 999 state invalid
set firewall ipv4 name iot-lan rule 999 log
# From IOT to LOCAL
set firewall ipv4 name iot-local default-action 'drop'
set firewall ipv4 name iot-local description 'From IOT to LOCAL'
set firewall ipv4 name iot-local enable-default-log
set firewall ipv4 name iot-local rule 50 action 'accept'
set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name iot-local rule 50 destination port '67,68'
set firewall ipv4 name iot-local rule 50 protocol 'udp'
set firewall ipv4 name iot-local rule 50 source port '67,68'
set firewall ipv4 name iot-local rule 60 action 'accept'
set firewall ipv4 name iot-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name iot-local rule 60 destination port 'ntp'
set firewall ipv4 name iot-local rule 60 protocol 'udp'
set firewall ipv4 name iot-local rule 100 action 'accept'
set firewall ipv4 name iot-local rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name iot-local rule 100 protocol '2'
set firewall ipv4 name iot-local rule 110 action 'accept'
set firewall ipv4 name iot-local rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name iot-local rule 110 destination port 'mdns'
set firewall ipv4 name iot-local rule 110 protocol 'udp'
set firewall ipv4 name iot-local rule 110 source port 'mdns'
set firewall ipv4 name iot-local rule 120 action 'accept'
set firewall ipv4 name iot-local rule 120 description 'Rule: accept_dns'
set firewall ipv4 name iot-local rule 120 destination port 'domain,domain-s'
set firewall ipv4 name iot-local rule 120 protocol 'tcp_udp'
set firewall ipv4 name iot-local rule 200 action 'accept'
set firewall ipv4 name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name iot-local rule 200 destination group port-group sonos-discovery
set firewall ipv4 name iot-local rule 200 protocol 'udp'
set firewall ipv4 name iot-local rule 200 source group address-group 'sonos_players'
set firewall ipv4 name iot-local rule 999 action 'drop'
set firewall ipv4 name iot-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-local rule 999 state invalid
set firewall ipv4 name iot-local rule 999 log
# From IOT to SERVERS
set firewall ipv4 name iot-servers default-action 'drop'
set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
set firewall ipv4 name iot-servers enable-default-log
set firewall ipv4 name iot-servers rule 100 action 'accept'
set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
set firewall ipv4 name iot-servers rule 200 action 'accept'
set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
set firewall ipv4 name iot-servers rule 200 destination port '32400'
set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
set firewall ipv4 name iot-servers rule 300 action 'accept'
set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
set firewall ipv4 name iot-servers rule 300 destination port '1883'
set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
set firewall ipv4 name iot-servers rule 400 action 'accept'
set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
set firewall ipv4 name iot-servers rule 410 action 'accept'
set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
set firewall ipv4 name iot-servers rule 999 action 'drop'
set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-servers rule 999 state invalid
set firewall ipv4 name iot-servers rule 999 log
# From IOT to CONTAINERS
set firewall ipv4 name iot-containers default-action 'accept'
set firewall ipv4 name iot-containers description 'From IOT to CONTAINERS'
set firewall ipv4 name iot-containers rule 40 action 'accept'
set firewall ipv4 name iot-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name iot-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name iot-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name iot-containers rule 999 action 'drop'
set firewall ipv4 name iot-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-containers rule 999 state invalid
set firewall ipv4 name iot-containers rule 999 log
# From IOT to TRUSTED
set firewall ipv4 name iot-trusted default-action 'drop'
set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
set firewall ipv4 name iot-trusted enable-default-log
set firewall ipv4 name iot-trusted rule 100 action 'accept'
set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 110 action 'accept'
set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 999 action 'drop'
set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-trusted rule 999 state invalid
set firewall ipv4 name iot-trusted rule 999 log
# From IOT to VIDEO
set firewall ipv4 name iot-video default-action 'drop'
set firewall ipv4 name iot-video description 'From IOT to VIDEO'
set firewall ipv4 name iot-video enable-default-log
set firewall ipv4 name iot-video rule 100 action 'accept'
set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name iot-video rule 100 protocol 'tcp'
set firewall ipv4 name iot-video rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name iot-video rule 999 action 'drop'
set firewall ipv4 name iot-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-video rule 999 state invalid
set firewall ipv4 name iot-video rule 999 log
# From IOT to WAN
set firewall ipv4 name iot-wan default-action 'accept'
set firewall ipv4 name iot-wan description 'From IOT to WAN'
# From LAN to IoT
set firewall ipv4 name lan-iot default-action 'drop'
set firewall ipv4 name lan-iot description 'From LAN to IOT'
set firewall ipv4 name lan-iot enable-default-log
set firewall ipv4 name lan-iot rule 999 action 'drop'
set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-iot rule 999 state invalid
set firewall ipv4 name lan-iot rule 999 log
# From LAN to LOCAL
set firewall ipv4 name lan-local default-action 'drop'
set firewall ipv4 name lan-local description 'From LAN to LOCAL'
set firewall ipv4 name lan-local enable-default-log
set firewall ipv4 name lan-local rule 40 action 'accept'
set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns'
set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s'
set firewall ipv4 name lan-local rule 40 protocol 'tcp_udp'
set firewall ipv4 name lan-local rule 50 action 'accept'
set firewall ipv4 name lan-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name lan-local rule 50 destination port '67,68'
set firewall ipv4 name lan-local rule 50 protocol 'udp'
set firewall ipv4 name lan-local rule 50 source port '67,68'
set firewall ipv4 name lan-local rule 60 action 'accept'
set firewall ipv4 name lan-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name lan-local rule 60 destination port 'ntp'
set firewall ipv4 name lan-local rule 60 protocol 'udp'
set firewall ipv4 name lan-local rule 70 action 'accept'
set firewall ipv4 name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
set firewall ipv4 name lan-local rule 70 destination port '9798,9100'
set firewall ipv4 name lan-local rule 70 protocol 'tcp'
set firewall ipv4 name lan-local rule 80 action 'accept'
set firewall ipv4 name lan-local rule 80 description 'Rule: accept perfmon3'
set firewall ipv4 name lan-local rule 80 destination port '5201'
set firewall ipv4 name lan-local rule 80 protocol 'tcp'
set firewall ipv4 name lan-local rule 999 action 'drop'
set firewall ipv4 name lan-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-local rule 999 state invalid
set firewall ipv4 name lan-local rule 999 log
# From LAN to SERVERS
set firewall ipv4 name lan-servers default-action 'drop'
set firewall ipv4 name lan-servers description 'From LAN to SERVERS'
set firewall ipv4 name lan-servers enable-default-log
set firewall ipv4 name lan-servers rule 999 action 'drop'
set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-servers rule 999 state invalid
set firewall ipv4 name lan-servers rule 999 log
# From LAN to CONTAINERS
set firewall ipv4 name lan-containers default-action 'accept'
set firewall ipv4 name lan-containers description 'From LAN to CONTAINERS'
set firewall ipv4 name lan-containers rule 40 action 'accept'
set firewall ipv4 name lan-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name lan-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name lan-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name lan-containers rule 999 action 'drop'
set firewall ipv4 name lan-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-containers rule 999 state invalid
set firewall ipv4 name lan-containers rule 999 log
# From LAN to TRUSTED
set firewall ipv4 name lan-trusted default-action 'drop'
set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED'
set firewall ipv4 name lan-trusted enable-default-log
set firewall ipv4 name lan-trusted rule 999 action 'drop'
set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-trusted rule 999 state invalid
set firewall ipv4 name lan-trusted rule 999 log
# From LAN to VIDEO
set firewall ipv4 name lan-video default-action 'drop'
set firewall ipv4 name lan-video description 'From LAN to VIDEO'
set firewall ipv4 name lan-video enable-default-log
set firewall ipv4 name lan-video rule 999 action 'drop'
set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-video rule 999 state invalid
set firewall ipv4 name lan-video rule 999 log
# From LAN to WAN
set firewall ipv4 name lan-wan default-action 'accept'
set firewall ipv4 name lan-wan description 'From LAN to WAN'
# From LOCAL to IOT
set firewall ipv4 name local-iot default-action 'drop'
set firewall ipv4 name local-iot description 'From LOCAL to IOT'
set firewall ipv4 name local-iot enable-default-log
set firewall ipv4 name local-iot rule 100 action 'accept'
set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name local-iot rule 100 protocol '2'
set firewall ipv4 name local-iot rule 110 action 'accept'
set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name local-iot rule 110 destination port 'mdns'
set firewall ipv4 name local-iot rule 110 protocol 'udp'
set firewall ipv4 name local-iot rule 110 source port 'mdns'
set firewall ipv4 name local-iot rule 200 action 'accept'
set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name local-iot rule 200 destination group port-group sonos-discovery
set firewall ipv4 name local-iot rule 200 protocol 'udp'
set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
set firewall ipv4 name local-iot rule 999 action 'drop'
set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-iot rule 999 state invalid
set firewall ipv4 name local-iot rule 999 log
# From LOCAL to LAN
set firewall ipv4 name local-lan default-action 'drop'
set firewall ipv4 name local-lan description 'From LOCAL to LAN'
set firewall ipv4 name local-lan enable-default-log
set firewall ipv4 name local-lan rule 999 action 'drop'
set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-lan rule 999 state invalid
set firewall ipv4 name local-lan rule 999 log
# From LOCAL to SERVERS
set firewall ipv4 name local-servers default-action 'drop'
set firewall ipv4 name local-servers description 'From LOCAL to SERVERS'
set firewall ipv4 name local-servers enable-default-log
set firewall ipv4 name local-servers rule 40 action 'accept'
set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name local-servers rule 40 protocol 'tcp_udp'
set firewall ipv4 name local-servers rule 70 action 'accept'
set firewall ipv4 name local-servers rule 70 description 'Rule: accept_bgp'
set firewall ipv4 name local-servers rule 70 destination port 'bgp'
set firewall ipv4 name local-servers rule 70 protocol 'tcp'
set firewall ipv4 name local-servers rule 100 action 'accept'
set firewall ipv4 name local-servers rule 100 description 'Rule: accept_k8s_api'
set firewall ipv4 name local-servers rule 100 destination port '6443'
set firewall ipv4 name local-servers rule 100 protocol 'tcp'
set firewall ipv4 name local-servers rule 200 action 'accept'
set firewall ipv4 name local-servers rule 200 description 'Rule: accept_vector_syslog'
set firewall ipv4 name local-servers rule 200 destination group address-group 'k8s_vector_aggregator'
set firewall ipv4 name local-servers rule 200 destination port '6001'
set firewall ipv4 name local-servers rule 200 protocol 'tcp'
set firewall ipv4 name local-servers rule 999 action 'drop'
set firewall ipv4 name local-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-servers rule 999 state invalid
set firewall ipv4 name local-servers rule 999 log
# From LOCAL to CONTAINERS
set firewall ipv4 name local-containers default-action 'accept'
set firewall ipv4 name local-containers description 'From LOCAL to CONTAINERS'
set firewall ipv4 name local-containers rule 40 action 'accept'
set firewall ipv4 name local-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name local-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name local-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name local-containers rule 999 action 'drop'
set firewall ipv4 name local-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-containers rule 999 state invalid
set firewall ipv4 name local-containers rule 999 log
# From LOCAL to TRUSTED
set firewall ipv4 name local-trusted default-action 'drop'
set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED'
set firewall ipv4 name local-trusted enable-default-log
set firewall ipv4 name local-trusted rule 100 action 'accept'
set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name local-trusted rule 100 protocol '2'
set firewall ipv4 name local-trusted rule 110 action 'accept'
set firewall ipv4 name local-trusted rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name local-trusted rule 110 destination port 'mdns'
set firewall ipv4 name local-trusted rule 110 protocol 'udp'
set firewall ipv4 name local-trusted rule 110 source port 'mdns'
set firewall ipv4 name local-trusted rule 200 action 'accept'
set firewall ipv4 name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name local-trusted rule 200 destination group port-group sonos-discovery
set firewall ipv4 name local-trusted rule 200 protocol 'udp'
set firewall ipv4 name local-trusted rule 200 source group address-group 'sonos_players'
set firewall ipv4 name local-trusted rule 400 action 'accept'
set firewall ipv4 name local-trusted rule 400 description 'Rule: accept_wireguard'
set firewall ipv4 name local-trusted rule 400 source port '51820'
set firewall ipv4 name local-trusted rule 400 protocol 'udp'
set firewall ipv4 name local-trusted rule 999 action 'drop'
set firewall ipv4 name local-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-trusted rule 999 state invalid
set firewall ipv4 name local-trusted rule 999 log
# From LOCAL to VIDEO
set firewall ipv4 name local-video default-action 'drop'
set firewall ipv4 name local-video description 'From LOCAL to VIDEO'
set firewall ipv4 name local-video enable-default-log
set firewall ipv4 name local-video rule 999 action 'drop'
set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-video rule 999 state invalid
set firewall ipv4 name local-video rule 999 log
# From LOCAL to WAN
set firewall ipv4 name local-wan default-action 'accept'
set firewall ipv4 name local-wan description 'From LOCAL to WAN'
# From SERVERS to IOT
set firewall ipv4 name servers-iot default-action 'drop'
set firewall ipv4 name servers-iot description 'From SERVERS to IOT'
set firewall ipv4 name servers-iot enable-default-log
set firewall ipv4 name servers-iot rule 100 action 'accept'
set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
set firewall ipv4 name servers-iot rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-iot rule 110 action 'accept'
set firewall ipv4 name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-iot rule 110 protocol 'icmp'
set firewall ipv4 name servers-iot rule 110 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-iot rule 999 action 'drop'
set firewall ipv4 name servers-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-iot rule 999 state invalid
set firewall ipv4 name servers-iot rule 999 log
# From SERVERS to LAN
set firewall ipv4 name servers-lan default-action 'drop'
set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
set firewall ipv4 name servers-lan enable-default-log
set firewall ipv4 name servers-lan rule 999 action 'drop'
set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-lan rule 999 state invalid
set firewall ipv4 name servers-lan rule 999 log
# From SERVERS to LOCAL
set firewall ipv4 name servers-local default-action 'drop'
set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
set firewall ipv4 name servers-local enable-default-log
set firewall ipv4 name servers-local rule 50 action 'accept'
set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name servers-local rule 50 destination port '67,68'
set firewall ipv4 name servers-local rule 50 protocol 'udp'
set firewall ipv4 name servers-local rule 50 source port '67,68'
set firewall ipv4 name servers-local rule 60 action 'accept'
set firewall ipv4 name servers-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name servers-local rule 60 destination port 'ntp'
set firewall ipv4 name servers-local rule 60 protocol 'udp'
set firewall ipv4 name servers-local rule 70 action 'accept'
set firewall ipv4 name servers-local rule 70 description 'Rule: accept_bgp'
set firewall ipv4 name servers-local rule 70 destination port 'bgp'
set firewall ipv4 name servers-local rule 70 protocol 'tcp'
set firewall ipv4 name servers-local rule 80 action 'accept'
set firewall ipv4 name servers-local rule 80 description 'Rule: accept_tftp'
set firewall ipv4 name servers-local rule 80 destination port '69'
set firewall ipv4 name servers-local rule 80 protocol 'udp'
set firewall ipv4 name servers-local rule 90 action 'accept'
set firewall ipv4 name servers-local rule 90 description 'Rule: accept_dns'
set firewall ipv4 name servers-local rule 90 destination port 'domain,domain-s'
set firewall ipv4 name servers-local rule 90 protocol 'tcp_udp'
set firewall ipv4 name servers-local rule 100 action 'accept'
set firewall ipv4 name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
set firewall ipv4 name servers-local rule 100 destination port '9100'
set firewall ipv4 name servers-local rule 100 protocol 'tcp'
set firewall ipv4 name servers-local rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-local rule 110 action 'accept'
set firewall ipv4 name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
set firewall ipv4 name servers-local rule 110 destination port '9798'
set firewall ipv4 name servers-local rule 110 protocol 'tcp'
set firewall ipv4 name servers-local rule 110 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-local rule 999 action 'drop'
set firewall ipv4 name servers-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-local rule 999 state invalid
set firewall ipv4 name servers-local rule 999 log
# From SERVERS to CONTAINERS
set firewall ipv4 name servers-containers default-action 'accept'
set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
set firewall ipv4 name servers-containers enable-default-log
set firewall ipv4 name servers-containers rule 40 action 'accept'
set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name servers-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name servers-containers rule 100 action 'accept'
set firewall ipv4 name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-containers rule 100 protocol 'tcp'
set firewall ipv4 name servers-containers rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-containers rule 999 action 'drop'
set firewall ipv4 name servers-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-containers rule 999 state invalid
set firewall ipv4 name servers-containers rule 999 log
# From SERVERS to TRUSTED
set firewall ipv4 name servers-trusted default-action 'drop'
set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
set firewall ipv4 name servers-trusted enable-default-log
set firewall ipv4 name servers-trusted rule 999 action 'drop'
set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-trusted rule 999 state invalid
set firewall ipv4 name servers-trusted rule 999 log
# From SERVERS to VIDEO
set firewall ipv4 name servers-video default-action 'drop'
set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
set firewall ipv4 name servers-video enable-default-log
set firewall ipv4 name servers-video rule 100 action 'accept'
set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
set firewall ipv4 name servers-video rule 100 source group address-group 'k8s_nodes'
set firewall ipv4 name servers-video rule 999 action 'drop'
set firewall ipv4 name servers-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-video rule 999 state invalid
set firewall ipv4 name servers-video rule 999 log
# From SERVERS to WAN
set firewall ipv4 name servers-wan default-action 'accept'
set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
# From CONTAINERS to IOT
set firewall ipv4 name containers-iot default-action 'drop'
set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
set firewall ipv4 name containers-iot enable-default-log
set firewall ipv4 name containers-iot rule 999 action 'drop'
set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-iot rule 999 state invalid
set firewall ipv4 name containers-iot rule 999 log
# From CONTAINERS to LAN
set firewall ipv4 name containers-lan default-action 'drop'
set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
set firewall ipv4 name containers-lan enable-default-log
set firewall ipv4 name containers-lan rule 999 action 'drop'
set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-lan rule 999 state invalid
set firewall ipv4 name containers-lan rule 999 log
# From CONTAINERS to LOCAL
set firewall ipv4 name containers-local default-action 'drop'
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
set firewall ipv4 name containers-local enable-default-log
set firewall ipv4 name containers-local rule 50 action 'accept'
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name containers-local rule 50 destination port '67,68'
set firewall ipv4 name containers-local rule 50 protocol 'udp'
set firewall ipv4 name containers-local rule 50 source port '67,68'
set firewall ipv4 name containers-local rule 60 action 'accept'
set firewall ipv4 name containers-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name containers-local rule 60 destination port 'ntp'
set firewall ipv4 name containers-local rule 60 protocol 'udp'
set firewall ipv4 name containers-local rule 999 action 'drop'
set firewall ipv4 name containers-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-local rule 999 state invalid
set firewall ipv4 name containers-local rule 999 log
# From CONTAINERS to SERVERS
set firewall ipv4 name containers-servers default-action 'accept'
set firewall ipv4 name containers-servers description 'From CONTAINERS to SERVERS'
set firewall ipv4 name containers-servers rule 999 action 'drop'
set firewall ipv4 name containers-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-servers rule 999 state invalid
set firewall ipv4 name containers-servers rule 999 log
# From CONTAINERS to TRUSTED
set firewall ipv4 name containers-trusted default-action 'drop'
set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
set firewall ipv4 name containers-trusted enable-default-log
set firewall ipv4 name containers-trusted rule 999 action 'drop'
set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-trusted rule 999 state invalid
set firewall ipv4 name containers-trusted rule 999 log
# From CONTAINERS to VIDEO
set firewall ipv4 name containers-video default-action 'drop'
set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
set firewall ipv4 name containers-video enable-default-log
set firewall ipv4 name containers-video rule 999 action 'drop'
set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-video rule 999 state invalid
set firewall ipv4 name containers-video rule 999 log
# From CONTAINERS to WAN
set firewall ipv4 name containers-wan default-action 'accept'
set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
# From TRUSTED to IOT
set firewall ipv4 name trusted-iot default-action 'accept'
set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
set firewall ipv4 name trusted-iot rule 110 action 'accept'
set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 111 action 'accept'
set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 999 action 'drop'
set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-iot rule 999 state invalid
set firewall ipv4 name trusted-iot rule 999 log
# From TRUSTED to LAN
set firewall ipv4 name trusted-lan default-action 'accept'
set firewall ipv4 name trusted-lan description 'From TRUSTED to LAN'
set firewall ipv4 name trusted-lan rule 999 action 'drop'
set firewall ipv4 name trusted-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-lan rule 999 state invalid
set firewall ipv4 name trusted-lan rule 999 log
# From TRUSTED to LOCAL
set firewall ipv4 name trusted-local default-action 'drop'
set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
set firewall ipv4 name trusted-local enable-default-log
set firewall ipv4 name trusted-local rule 50 action 'accept'
set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name trusted-local rule 50 destination port '67,68'
set firewall ipv4 name trusted-local rule 50 protocol 'udp'
set firewall ipv4 name trusted-local rule 50 source port '67,68'
set firewall ipv4 name trusted-local rule 60 action 'accept'
set firewall ipv4 name trusted-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name trusted-local rule 60 destination port 'ntp'
set firewall ipv4 name trusted-local rule 60 protocol 'udp'
set firewall ipv4 name trusted-local rule 100 action 'accept'
set firewall ipv4 name trusted-local rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name trusted-local rule 100 protocol '2'
set firewall ipv4 name trusted-local rule 110 action 'accept'
set firewall ipv4 name trusted-local rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name trusted-local rule 110 destination port 'mdns'
set firewall ipv4 name trusted-local rule 110 protocol 'udp'
set firewall ipv4 name trusted-local rule 110 source port 'mdns'
set firewall ipv4 name trusted-local rule 120 action 'accept'
set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
set firewall ipv4 name trusted-local rule 210 action 'accept'
set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-discovery
set firewall ipv4 name trusted-local rule 210 protocol 'udp'
set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-local rule 211 action 'accept'
set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
set firewall ipv4 name trusted-local rule 211 protocol 'udp'
set firewall ipv4 name trusted-local rule 211 source group address-group 'sonos_players'
set firewall ipv4 name trusted-local rule 400 action 'accept'
set firewall ipv4 name trusted-local rule 400 description 'Rule: accept_ssh'
set firewall ipv4 name trusted-local rule 400 destination port 'ssh'
set firewall ipv4 name trusted-local rule 400 protocol 'tcp'
set firewall ipv4 name trusted-local rule 410 action 'accept'
set firewall ipv4 name trusted-local rule 410 description 'Rule: accept_vyos_api'
set firewall ipv4 name trusted-local rule 410 destination port '8443'
set firewall ipv4 name trusted-local rule 410 protocol 'tcp'
set firewall ipv4 name trusted-local rule 420 action 'accept'
set firewall ipv4 name trusted-local rule 420 description 'Rule: accept_wireguard'
set firewall ipv4 name trusted-local rule 420 destination port '51820'
set firewall ipv4 name trusted-local rule 420 protocol 'udp'
set firewall ipv4 name trusted-local rule 999 action 'drop'
set firewall ipv4 name trusted-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-local rule 999 state invalid
set firewall ipv4 name trusted-local rule 999 log
# From TRUSTED to SERVERS
set firewall ipv4 name trusted-servers default-action 'accept'
set firewall ipv4 name trusted-servers description 'From TRUSTED to SERVERS'
set firewall ipv4 name trusted-servers rule 999 action 'drop'
set firewall ipv4 name trusted-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-servers rule 999 state invalid
set firewall ipv4 name trusted-servers rule 999 log
# From TRUSTED to CONTAINERS
set firewall ipv4 name trusted-containers default-action 'accept'
set firewall ipv4 name trusted-containers description 'From TRUSTED to CONTAINERS'
set firewall ipv4 name trusted-containers rule 40 action 'accept'
set firewall ipv4 name trusted-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name trusted-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name trusted-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name trusted-containers rule 999 action 'drop'
set firewall ipv4 name trusted-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-containers rule 999 state invalid
set firewall ipv4 name trusted-containers rule 999 log
# From TRUSTED to VIDEO
set firewall ipv4 name trusted-video default-action 'accept'
set firewall ipv4 name trusted-video description 'From TRUSTED to VIDEO'
set firewall ipv4 name trusted-video rule 999 action 'drop'
set firewall ipv4 name trusted-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-video rule 999 state invalid
set firewall ipv4 name trusted-video rule 999 log
# From TRUSTED to WAN
set firewall ipv4 name trusted-wan default-action 'accept'
set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN'
# From VIDEO to IOT
set firewall ipv4 name video-iot default-action 'drop'
set firewall ipv4 name video-iot description 'From VIDEO to IOT'
set firewall ipv4 name video-iot enable-default-log
set firewall ipv4 name video-iot rule 100 action 'accept'
set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass'
set firewall ipv4 name video-iot rule 100 protocol 'tcp'
set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass'
set firewall ipv4 name video-iot rule 100 destination port '8123'
set firewall ipv4 name video-iot rule 999 action 'drop'
set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-iot rule 999 state invalid
set firewall ipv4 name video-iot rule 999 log
# From VIDEO to LAN
set firewall ipv4 name video-lan default-action 'drop'
set firewall ipv4 name video-lan description 'From VIDEO to LAN'
set firewall ipv4 name video-lan enable-default-log
set firewall ipv4 name video-lan rule 999 action 'drop'
set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-lan rule 999 state invalid
set firewall ipv4 name video-lan rule 999 log
# From VIDEO to LOCAL
set firewall ipv4 name video-local default-action 'drop'
set firewall ipv4 name video-local description 'From VIDEO to LOCAL'
set firewall ipv4 name video-local enable-default-log
set firewall ipv4 name video-local rule 50 action 'accept'
set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name video-local rule 50 destination port '67,68'
set firewall ipv4 name video-local rule 50 protocol 'udp'
set firewall ipv4 name video-local rule 50 source port '67,68'
set firewall ipv4 name video-local rule 60 action 'accept'
set firewall ipv4 name video-local rule 60 description 'Rule: accept_ntp'
set firewall ipv4 name video-local rule 60 destination port 'ntp'
set firewall ipv4 name video-local rule 60 protocol 'udp'
set firewall ipv4 name video-local rule 999 action 'drop'
set firewall ipv4 name video-local rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-local rule 999 state invalid
set firewall ipv4 name video-local rule 999 log
# From VIDEO to SERVERS
set firewall ipv4 name video-servers default-action 'drop'
set firewall ipv4 name video-servers description 'From VIDEO to SERVERS'
set firewall ipv4 name video-servers enable-default-log
set firewall ipv4 name video-servers rule 100 action 'accept'
set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name video-servers rule 100 protocol 'udp'
set firewall ipv4 name video-servers rule 100 destination group address-group 'k8s_nodes'
set firewall ipv4 name video-servers rule 100 source port '6987-6989'
set firewall ipv4 name video-servers rule 999 action 'drop'
set firewall ipv4 name video-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-servers rule 999 state invalid
set firewall ipv4 name video-servers rule 999 log
# From VIDEO to CONTAINERS
set firewall ipv4 name video-containers default-action 'accept'
set firewall ipv4 name video-containers description 'From VIDEO to CONTAINERS'
set firewall ipv4 name video-containers rule 40 action 'accept'
set firewall ipv4 name video-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name video-containers rule 40 destination port 'domain,domain-s'
set firewall ipv4 name video-containers rule 40 protocol 'tcp_udp'
set firewall ipv4 name video-containers rule 999 action 'drop'
set firewall ipv4 name video-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-containers rule 999 state invalid
set firewall ipv4 name video-containers rule 999 log
# From VIDEO to TRUSTED
set firewall ipv4 name video-trusted default-action 'drop'
set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED'
set firewall ipv4 name video-trusted enable-default-log
set firewall ipv4 name video-trusted rule 999 action 'drop'
set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-trusted rule 999 state invalid
set firewall ipv4 name video-trusted rule 999 log
# From VIDEO to WAN
set firewall ipv4 name video-wan default-action 'drop'
set firewall ipv4 name video-wan description 'From VIDEO to WAN'
# From WAN to IOT
set firewall ipv4 name wan-iot default-action 'drop'
set firewall ipv4 name wan-iot description 'From WAN to IOT'
set firewall ipv4 name wan-iot enable-default-log
set firewall ipv4 name wan-iot rule 999 action 'drop'
set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-iot rule 999 state invalid
set firewall ipv4 name wan-iot rule 999 log
# From WAN to LAN
set firewall ipv4 name wan-lan default-action 'drop'
set firewall ipv4 name wan-lan description 'From WAN to LAN'
set firewall ipv4 name wan-lan enable-default-log
set firewall ipv4 name wan-lan rule 999 action 'drop'
set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-lan rule 999 state invalid
set firewall ipv4 name wan-lan rule 999 log
# From WAN to LOCAL
set firewall ipv4 name wan-local default-action 'drop'
set firewall ipv4 name wan-local description 'From WAN to LOCAL'
set firewall ipv4 name wan-local enable-default-log
set firewall ipv4 name wan-local rule 1 action 'drop'
set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid'
set firewall ipv4 name wan-local rule 1 state invalid
set firewall ipv4 name wan-local rule 1 log
set firewall ipv4 name wan-local rule 100 action 'accept'
set firewall ipv4 name wan-local rule 100 description 'Rule: accept_wireguard'
set firewall ipv4 name wan-local rule 100 destination port '51820'
set firewall ipv4 name wan-local rule 100 protocol 'udp'
# From WAN to SERVERS
set firewall ipv4 name wan-servers default-action 'drop'
set firewall ipv4 name wan-servers description 'From WAN to SERVERS'
set firewall ipv4 name wan-servers enable-default-log
set firewall ipv4 name wan-servers rule 100 action 'accept'
set firewall ipv4 name wan-servers rule 100 destination port 32400
set firewall ipv4 name wan-servers rule 100 protocol 'tcp'
set firewall ipv4 name wan-servers rule 100 destination address 10.1.1.12
set firewall ipv4 name wan-servers rule 999 action 'drop'
set firewall ipv4 name wan-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-servers rule 999 state invalid
set firewall ipv4 name wan-servers rule 999 log
# From WAN to CONTAINERS
set firewall ipv4 name wan-containers default-action 'drop'
set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS'
set firewall ipv4 name wan-containers enable-default-log
set firewall ipv4 name wan-containers rule 999 action 'drop'
set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-containers rule 999 state invalid
set firewall ipv4 name wan-containers rule 999 log
# From WAN to TRUSTED
set firewall ipv4 name wan-trusted default-action 'drop'
set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED'
set firewall ipv4 name wan-trusted enable-default-log
set firewall ipv4 name wan-trusted rule 999 action 'drop'
set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-trusted rule 999 state invalid
set firewall ipv4 name wan-trusted rule 999 log
# From WAN to VIDEO
set firewall ipv4 name wan-video default-action 'drop'
set firewall ipv4 name wan-video description 'From WAN to VIDEO'
set firewall ipv4 name wan-video enable-default-log
set firewall ipv4 name wan-video rule 999 action 'drop'
set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-video rule 999 state invalid
set firewall ipv4 name wan-video rule 999 log


@ -1,778 +0,0 @@
#!/bin/vbash
# From LOCAL to IOT
set firewall name local-iot default-action 'drop'
set firewall name local-iot description 'From LOCAL to IOT'
set firewall name local-iot enable-default-log
set firewall name local-iot rule 100 action 'accept'
set firewall name local-iot rule 100 description 'Rule: accept_igmp'
set firewall name local-iot rule 100 protocol '2'
set firewall name local-iot rule 110 action 'accept'
set firewall name local-iot rule 110 description 'Rule: accept_mdns'
set firewall name local-iot rule 110 destination port 'mdns'
set firewall name local-iot rule 110 protocol 'udp'
set firewall name local-iot rule 110 source port 'mdns'
set firewall name local-iot rule 200 action 'accept'
set firewall name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name local-iot rule 200 destination port '1900,1901,1902,57621'
set firewall name local-iot rule 200 protocol 'udp'
set firewall name local-iot rule 200 source group address-group 'sonos_controllers'
set firewall name local-iot rule 999 action 'drop'
set firewall name local-iot rule 999 description 'Rule: drop_invalid'
set firewall name local-iot rule 999 state invalid 'enable'
set firewall name local-iot rule 999 log 'enable'
# From LOCAL to LAN
set firewall name local-lan default-action 'drop'
set firewall name local-lan description 'From LOCAL to LAN'
set firewall name local-lan enable-default-log
set firewall name local-lan rule 999 action 'drop'
set firewall name local-lan rule 999 description 'Rule: drop_invalid'
set firewall name local-lan rule 999 state invalid 'enable'
set firewall name local-lan rule 999 log 'enable'
# From LOCAL to SERVERS
set firewall name local-servers default-action 'drop'
set firewall name local-servers description 'From LOCAL to SERVERS'
set firewall name local-servers enable-default-log
set firewall name local-servers rule 40 action 'accept'
set firewall name local-servers rule 40 description 'Rule: accept_dns'
set firewall name local-servers rule 40 destination port 'domain,domain-s'
set firewall name local-servers rule 40 protocol 'tcp_udp'
set firewall name local-servers rule 70 action 'accept'
set firewall name local-servers rule 70 description 'Rule: accept_bgp'
set firewall name local-servers rule 70 destination port 'bgp'
set firewall name local-servers rule 70 protocol 'tcp'
set firewall name local-servers rule 100 action 'accept'
set firewall name local-servers rule 100 description 'Rule: accept_k8s_api'
set firewall name local-servers rule 100 destination port '6443'
set firewall name local-servers rule 100 protocol 'tcp'
set firewall name local-servers rule 200 action 'accept'
set firewall name local-servers rule 200 description 'Rule: accept_vector_syslog'
set firewall name local-servers rule 200 destination group address-group 'k8s_vector_aggregator'
set firewall name local-servers rule 200 destination port '6001'
set firewall name local-servers rule 200 protocol 'tcp'
set firewall name local-servers rule 999 action 'drop'
set firewall name local-servers rule 999 description 'Rule: drop_invalid'
set firewall name local-servers rule 999 state invalid 'enable'
set firewall name local-servers rule 999 log 'enable'
# From LOCAL to CONTAINERS
set firewall name local-containers default-action 'accept'
set firewall name local-containers description 'From LOCAL to CONTAINERS'
set firewall name local-containers rule 40 action 'accept'
set firewall name local-containers rule 40 description 'Rule: accept_dns'
set firewall name local-containers rule 40 destination port 'domain,domain-s'
set firewall name local-containers rule 40 protocol 'tcp_udp'
set firewall name local-containers rule 999 action 'drop'
set firewall name local-containers rule 999 description 'Rule: drop_invalid'
set firewall name local-containers rule 999 state invalid 'enable'
set firewall name local-containers rule 999 log 'enable'
# From LOCAL to TRUSTED
set firewall name local-trusted default-action 'drop'
set firewall name local-trusted description 'From LOCAL to TRUSTED'
set firewall name local-trusted enable-default-log
set firewall name local-trusted rule 100 action 'accept'
set firewall name local-trusted rule 100 description 'Rule: accept_igmp'
set firewall name local-trusted rule 100 protocol '2'
set firewall name local-trusted rule 110 action 'accept'
set firewall name local-trusted rule 110 description 'Rule: accept_mdns'
set firewall name local-trusted rule 110 destination port 'mdns'
set firewall name local-trusted rule 110 protocol 'udp'
set firewall name local-trusted rule 110 source port 'mdns'
set firewall name local-trusted rule 200 action 'accept'
set firewall name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
set firewall name local-trusted rule 200 destination port '1900,1901,1902'
set firewall name local-trusted rule 200 protocol 'udp'
set firewall name local-trusted rule 200 source group address-group 'sonos_players'
set firewall name local-trusted rule 300 action 'accept'
set firewall name local-trusted rule 300 description 'Rule: accept_wireguard'
set firewall name local-trusted rule 300 source port '51820'
set firewall name local-trusted rule 300 protocol 'udp'
set firewall name local-trusted rule 999 action 'drop'
set firewall name local-trusted rule 999 description 'Rule: drop_invalid'
set firewall name local-trusted rule 999 state invalid 'enable'
set firewall name local-trusted rule 999 log 'enable'
# From LOCAL to VIDEO
set firewall name local-video default-action 'drop'
set firewall name local-video description 'From LOCAL to VIDEO'
set firewall name local-video enable-default-log
set firewall name local-video rule 999 action 'drop'
set firewall name local-video rule 999 description 'Rule: drop_invalid'
set firewall name local-video rule 999 state invalid 'enable'
set firewall name local-video rule 999 log 'enable'
# From LOCAL to WAN
set firewall name local-wan default-action 'accept'
set firewall name local-wan description 'From LOCAL to WAN'
# From WAN to IOT
set firewall name wan-iot default-action 'drop'
set firewall name wan-iot description 'From WAN to IOT'
set firewall name wan-iot enable-default-log
set firewall name wan-iot rule 999 action 'drop'
set firewall name wan-iot rule 999 description 'Rule: drop_invalid'
set firewall name wan-iot rule 999 state invalid 'enable'
set firewall name wan-iot rule 999 log 'enable'
# From WAN to LAN
set firewall name wan-lan default-action 'drop'
set firewall name wan-lan description 'From WAN to LAN'
set firewall name wan-lan enable-default-log
set firewall name wan-lan rule 999 action 'drop'
set firewall name wan-lan rule 999 description 'Rule: drop_invalid'
set firewall name wan-lan rule 999 state invalid 'enable'
set firewall name wan-lan rule 999 log 'enable'
# From WAN to LOCAL
set firewall name wan-local default-action 'drop'
set firewall name wan-local description 'From WAN to LOCAL'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 1 action 'drop'
set firewall name wan-local rule 1 description 'Rule: drop_invalid'
set firewall name wan-local rule 1 state invalid 'enable'
set firewall name wan-local rule 1 log 'enable'
set firewall name wan-local rule 100 action 'accept'
set firewall name wan-local rule 100 description 'Rule: accept_wireguard'
set firewall name wan-local rule 100 destination port '51820'
set firewall name wan-local rule 100 protocol 'udp'
# From WAN to SERVERS
set firewall name wan-servers default-action 'drop'
set firewall name wan-servers description 'From WAN to SERVERS'
set firewall name wan-servers enable-default-log
set firewall name wan-servers rule 100 action 'accept'
set firewall name wan-servers rule 100 destination port 32400
set firewall name wan-servers rule 100 protocol 'tcp'
set firewall name wan-servers rule 100 destination address 10.1.1.12
set firewall name wan-servers rule 999 action 'drop'
set firewall name wan-servers rule 999 description 'Rule: drop_invalid'
set firewall name wan-servers rule 999 state invalid 'enable'
set firewall name wan-servers rule 999 log 'enable'
# From WAN to CONTAINERS
set firewall name wan-containers default-action 'drop'
set firewall name wan-containers description 'From WAN to CONTAINERS'
set firewall name wan-containers enable-default-log
set firewall name wan-containers rule 999 action 'drop'
set firewall name wan-containers rule 999 description 'Rule: drop_invalid'
set firewall name wan-containers rule 999 state invalid 'enable'
set firewall name wan-containers rule 999 log 'enable'
# From WAN to TRUSTED
set firewall name wan-trusted default-action 'drop'
set firewall name wan-trusted description 'From WAN to TRUSTED'
set firewall name wan-trusted enable-default-log
set firewall name wan-trusted rule 999 action 'drop'
set firewall name wan-trusted rule 999 description 'Rule: drop_invalid'
set firewall name wan-trusted rule 999 state invalid 'enable'
set firewall name wan-trusted rule 999 log 'enable'
# From WAN to VIDEO
set firewall name wan-video default-action 'drop'
set firewall name wan-video description 'From WAN to VIDEO'
set firewall name wan-video enable-default-log
set firewall name wan-video rule 999 action 'drop'
set firewall name wan-video rule 999 description 'Rule: drop_invalid'
set firewall name wan-video rule 999 state invalid 'enable'
set firewall name wan-video rule 999 log 'enable'
# From LAN to IoT
set firewall name lan-iot default-action 'drop'
set firewall name lan-iot description 'From LAN to IOT'
set firewall name lan-iot enable-default-log
set firewall name lan-iot rule 999 action 'drop'
set firewall name lan-iot rule 999 description 'Rule: drop_invalid'
set firewall name lan-iot rule 999 state invalid 'enable'
set firewall name lan-iot rule 999 log 'enable'
# From LAN to LOCAL
set firewall name lan-local default-action 'drop'
set firewall name lan-local description 'From LAN to LOCAL'
set firewall name lan-local enable-default-log
set firewall name lan-local rule 40 action 'accept'
set firewall name lan-local rule 40 description 'Rule: accept_dns'
set firewall name lan-local rule 40 destination port 'domain,domain-s'
set firewall name lan-local rule 40 protocol 'tcp_udp'
set firewall name lan-local rule 50 action 'accept'
set firewall name lan-local rule 50 description 'Rule: accept_dhcp'
set firewall name lan-local rule 50 destination port '67,68'
set firewall name lan-local rule 50 protocol 'udp'
set firewall name lan-local rule 50 source port '67,68'
set firewall name lan-local rule 60 action 'accept'
set firewall name lan-local rule 60 description 'Rule: accept_ntp'
set firewall name lan-local rule 60 destination port 'ntp'
set firewall name lan-local rule 60 protocol 'udp'
set firewall name lan-local rule 70 action 'accept'
set firewall name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
set firewall name lan-local rule 70 destination port '9798,9100'
set firewall name lan-local rule 70 protocol 'tcp'
set firewall name lan-local rule 80 action 'accept'
set firewall name lan-local rule 80 description 'Rule: accept perfmon3'
set firewall name lan-local rule 80 destination port '5201'
set firewall name lan-local rule 80 protocol 'tcp'
set firewall name lan-local rule 999 action 'drop'
set firewall name lan-local rule 999 description 'Rule: drop_invalid'
set firewall name lan-local rule 999 state invalid 'enable'
set firewall name lan-local rule 999 log 'enable'
# From LAN to SERVERS
set firewall name lan-servers default-action 'drop'
set firewall name lan-servers description 'From LAN to SERVERS'
set firewall name lan-servers enable-default-log
set firewall name lan-servers rule 999 action 'drop'
set firewall name lan-servers rule 999 description 'Rule: drop_invalid'
set firewall name lan-servers rule 999 state invalid 'enable'
set firewall name lan-servers rule 999 log 'enable'
# From LAN to CONTAINERS
set firewall name lan-containers default-action 'accept'
set firewall name lan-containers description 'From LAN to CONTAINERS'
set firewall name lan-containers rule 40 action 'accept'
set firewall name lan-containers rule 40 description 'Rule: accept_dns'
set firewall name lan-containers rule 40 destination port 'domain,domain-s'
set firewall name lan-containers rule 40 protocol 'tcp_udp'
set firewall name lan-containers rule 999 action 'drop'
set firewall name lan-containers rule 999 description 'Rule: drop_invalid'
set firewall name lan-containers rule 999 state invalid 'enable'
set firewall name lan-containers rule 999 log 'enable'
# From LAN to TRUSTED
set firewall name lan-trusted default-action 'drop'
set firewall name lan-trusted description 'From LAN to TRUSTED'
set firewall name lan-trusted enable-default-log
set firewall name lan-trusted rule 999 action 'drop'
set firewall name lan-trusted rule 999 description 'Rule: drop_invalid'
set firewall name lan-trusted rule 999 state invalid 'enable'
set firewall name lan-trusted rule 999 log 'enable'
# From LAN to VIDEO
set firewall name lan-video default-action 'drop'
set firewall name lan-video description 'From LAN to VIDEO'
set firewall name lan-video enable-default-log
set firewall name lan-video rule 999 action 'drop'
set firewall name lan-video rule 999 description 'Rule: drop_invalid'
set firewall name lan-video rule 999 state invalid 'enable'
set firewall name lan-video rule 999 log 'enable'
# From LAN to WAN
set firewall name lan-wan default-action 'accept'
set firewall name lan-wan description 'From LAN to WAN'
# From SERVERS to IOT
set firewall name servers-iot default-action 'drop'
set firewall name servers-iot description 'From SERVERS to IOT'
set firewall name servers-iot enable-default-log
set firewall name servers-iot rule 100 action 'accept'
set firewall name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
set firewall name servers-iot rule 100 protocol 'tcp'
set firewall name servers-iot rule 100 source group address-group 'k8s_nodes'
set firewall name servers-iot rule 110 action 'accept'
set firewall name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
set firewall name servers-iot rule 110 protocol 'icmp'
set firewall name servers-iot rule 110 source group address-group 'k8s_nodes'
set firewall name servers-iot rule 999 action 'drop'
set firewall name servers-iot rule 999 description 'Rule: drop_invalid'
set firewall name servers-iot rule 999 state invalid 'enable'
set firewall name servers-iot rule 999 log 'enable'
# From SERVERS to LAN
set firewall name servers-lan default-action 'drop'
set firewall name servers-lan description 'From SERVERS to LAN'
set firewall name servers-lan enable-default-log
set firewall name servers-lan rule 999 action 'drop'
set firewall name servers-lan rule 999 description 'Rule: drop_invalid'
set firewall name servers-lan rule 999 state invalid 'enable'
set firewall name servers-lan rule 999 log 'enable'
# From SERVERS to LOCAL
set firewall name servers-local default-action 'drop'
set firewall name servers-local description 'From SERVERS to LOCAL'
set firewall name servers-local enable-default-log
set firewall name servers-local rule 50 action 'accept'
set firewall name servers-local rule 50 description 'Rule: accept_dhcp'
set firewall name servers-local rule 50 destination port '67,68'
set firewall name servers-local rule 50 protocol 'udp'
set firewall name servers-local rule 50 source port '67,68'
set firewall name servers-local rule 60 action 'accept'
set firewall name servers-local rule 60 description 'Rule: accept_ntp'
set firewall name servers-local rule 60 destination port 'ntp'
set firewall name servers-local rule 60 protocol 'udp'
set firewall name servers-local rule 70 action 'accept'
set firewall name servers-local rule 70 description 'Rule: accept_bgp'
set firewall name servers-local rule 70 destination port 'bgp'
set firewall name servers-local rule 70 protocol 'tcp'
set firewall name servers-local rule 80 action 'accept'
set firewall name servers-local rule 80 description 'Rule: accept_tftp'
set firewall name servers-local rule 80 destination port '69'
set firewall name servers-local rule 80 protocol 'udp'
set firewall name servers-local rule 90 action 'accept'
set firewall name servers-local rule 90 description 'Rule: accept_dns'
set firewall name servers-local rule 90 destination port 'domain,domain-s'
set firewall name servers-local rule 90 protocol 'tcp_udp'
set firewall name servers-local rule 100 action 'accept'
set firewall name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
set firewall name servers-local rule 100 destination port '9100'
set firewall name servers-local rule 100 protocol 'tcp'
set firewall name servers-local rule 100 source group address-group 'k8s_nodes'
set firewall name servers-local rule 110 action 'accept'
set firewall name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
set firewall name servers-local rule 110 destination port '9798'
set firewall name servers-local rule 110 protocol 'tcp'
set firewall name servers-local rule 110 source group address-group 'k8s_nodes'
set firewall name servers-local rule 999 action 'drop'
set firewall name servers-local rule 999 description 'Rule: drop_invalid'
set firewall name servers-local rule 999 state invalid 'enable'
set firewall name servers-local rule 999 log 'enable'
# From SERVERS to CONTAINERS
set firewall name servers-containers default-action 'accept'
set firewall name servers-containers description 'From SERVERS to CONTAINERS'
set firewall name servers-containers enable-default-log
set firewall name servers-containers rule 40 action 'accept'
set firewall name servers-containers rule 40 description 'Rule: accept_dns'
set firewall name servers-containers rule 40 destination port 'domain,domain-s'
set firewall name servers-containers rule 40 protocol 'tcp_udp'
set firewall name servers-containers rule 100 action 'accept'
set firewall name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
set firewall name servers-containers rule 100 protocol 'tcp'
set firewall name servers-containers rule 100 source group address-group 'k8s_nodes'
set firewall name servers-containers rule 999 action 'drop'
set firewall name servers-containers rule 999 description 'Rule: drop_invalid'
set firewall name servers-containers rule 999 state invalid 'enable'
set firewall name servers-containers rule 999 log 'enable'
# From SERVERS to TRUSTED
set firewall name servers-trusted default-action 'drop'
set firewall name servers-trusted description 'From SERVERS to TRUSTED'
set firewall name servers-trusted enable-default-log
set firewall name servers-trusted rule 999 action 'drop'
set firewall name servers-trusted rule 999 description 'Rule: drop_invalid'
set firewall name servers-trusted rule 999 state invalid 'enable'
set firewall name servers-trusted rule 999 log 'enable'
# From SERVERS to VIDEO
set firewall name servers-video default-action 'drop'
set firewall name servers-video description 'From SERVERS to VIDEO'
set firewall name servers-video enable-default-log
set firewall name servers-video rule 100 action 'accept'
set firewall name servers-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall name servers-video rule 100 protocol 'tcp_udp'
set firewall name servers-video rule 100 source group address-group 'k8s_nodes'
set firewall name servers-video rule 999 action 'drop'
set firewall name servers-video rule 999 description 'Rule: drop_invalid'
set firewall name servers-video rule 999 state invalid 'enable'
set firewall name servers-video rule 999 log 'enable'
# From SERVERS to WAN
set firewall name servers-wan default-action 'accept'
set firewall name servers-wan description 'From SERVERS to WAN'
# From CONTAINERS to IOT
set firewall name containers-iot default-action 'drop'
set firewall name containers-iot description 'From CONTAINERS to IOT'
set firewall name containers-iot enable-default-log
set firewall name containers-iot rule 999 action 'drop'
set firewall name containers-iot rule 999 description 'Rule: drop_invalid'
set firewall name containers-iot rule 999 state invalid 'enable'
set firewall name containers-iot rule 999 log 'enable'
# From CONTAINERS to LAN
set firewall name containers-lan default-action 'drop'
set firewall name containers-lan description 'From CONTAINERS to LAN'
set firewall name containers-lan enable-default-log
set firewall name containers-lan rule 999 action 'drop'
set firewall name containers-lan rule 999 description 'Rule: drop_invalid'
set firewall name containers-lan rule 999 state invalid 'enable'
set firewall name containers-lan rule 999 log 'enable'
# From CONTAINERS to LOCAL
set firewall name containers-local default-action 'drop'
set firewall name containers-local description 'From CONTAINERS to LOCAL'
set firewall name containers-local enable-default-log
set firewall name containers-local rule 50 action 'accept'
set firewall name containers-local rule 50 description 'Rule: accept_dhcp'
set firewall name containers-local rule 50 destination port '67,68'
set firewall name containers-local rule 50 protocol 'udp'
set firewall name containers-local rule 50 source port '67,68'
set firewall name containers-local rule 60 action 'accept'
set firewall name containers-local rule 60 description 'Rule: accept_ntp'
set firewall name containers-local rule 60 destination port 'ntp'
set firewall name containers-local rule 60 protocol 'udp'
set firewall name containers-local rule 999 action 'drop'
set firewall name containers-local rule 999 description 'Rule: drop_invalid'
set firewall name containers-local rule 999 state invalid 'enable'
set firewall name containers-local rule 999 log 'enable'
# From CONTAINERS to SERVERS
set firewall name containers-servers default-action 'accept'
set firewall name containers-servers description 'From CONTAINERS to SERVERS'
set firewall name containers-servers rule 999 action 'drop'
set firewall name containers-servers rule 999 description 'Rule: drop_invalid'
set firewall name containers-servers rule 999 state invalid 'enable'
set firewall name containers-servers rule 999 log 'enable'
# From CONTAINERS to TRUSTED
set firewall name containers-trusted default-action 'drop'
set firewall name containers-trusted description 'From CONTAINERS to TRUSTED'
set firewall name containers-trusted enable-default-log
set firewall name containers-trusted rule 999 action 'drop'
set firewall name containers-trusted rule 999 description 'Rule: drop_invalid'
set firewall name containers-trusted rule 999 state invalid 'enable'
set firewall name containers-trusted rule 999 log 'enable'
# From CONTAINERS to VIDEO
set firewall name containers-video default-action 'drop'
set firewall name containers-video description 'From CONTAINERS to VIDEO'
set firewall name containers-video enable-default-log
set firewall name containers-video rule 999 action 'drop'
set firewall name containers-video rule 999 description 'Rule: drop_invalid'
set firewall name containers-video rule 999 state invalid 'enable'
set firewall name containers-video rule 999 log 'enable'
# From CONTAINERS to WAN
set firewall name containers-wan default-action 'accept'
set firewall name containers-wan description 'From CONTAINERS to WAN'
# From TRUSTED to IOT
set firewall name trusted-iot default-action 'accept'
set firewall name trusted-iot description 'From TRUSTED to IOT'
set firewall name trusted-iot rule 100 action 'accept'
set firewall name trusted-iot rule 100 description 'Rule: accept_app_control_from_sonos_controllers_tcp'
set firewall name trusted-iot rule 100 destination port '80,443,445,1400,3400,3401,3500,4070,4444'
set firewall name trusted-iot rule 100 protocol 'tcp'
set firewall name trusted-iot rule 100 source group address-group 'sonos_controllers'
set firewall name trusted-iot rule 110 action 'accept'
set firewall name trusted-iot rule 110 description 'Rule: accept_app_control_from_sonos_controllers_udp'
set firewall name trusted-iot rule 110 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969'
set firewall name trusted-iot rule 110 protocol 'udp'
set firewall name trusted-iot rule 110 source group address-group 'sonos_controllers'
set firewall name trusted-iot rule 999 action 'drop'
set firewall name trusted-iot rule 999 description 'Rule: drop_invalid'
set firewall name trusted-iot rule 999 state invalid 'enable'
set firewall name trusted-iot rule 999 log 'enable'
# From TRUSTED to LAN
set firewall name trusted-lan default-action 'accept'
set firewall name trusted-lan description 'From TRUSTED to LAN'
set firewall name trusted-lan rule 999 action 'drop'
set firewall name trusted-lan rule 999 description 'Rule: drop_invalid'
set firewall name trusted-lan rule 999 state invalid 'enable'
set firewall name trusted-lan rule 999 log 'enable'
# From TRUSTED to LOCAL
set firewall name trusted-local default-action 'drop'
set firewall name trusted-local description 'From TRUSTED to LOCAL'
set firewall name trusted-local enable-default-log
set firewall name trusted-local rule 50 action 'accept'
set firewall name trusted-local rule 50 description 'Rule: accept_dhcp'
set firewall name trusted-local rule 50 destination port '67,68'
set firewall name trusted-local rule 50 protocol 'udp'
set firewall name trusted-local rule 50 source port '67,68'
set firewall name trusted-local rule 60 action 'accept'
set firewall name trusted-local rule 60 description 'Rule: accept_ntp'
set firewall name trusted-local rule 60 destination port 'ntp'
set firewall name trusted-local rule 60 protocol 'udp'
set firewall name trusted-local rule 100 action 'accept'
set firewall name trusted-local rule 100 description 'Rule: accept_igmp'
set firewall name trusted-local rule 100 protocol '2'
set firewall name trusted-local rule 110 action 'accept'
set firewall name trusted-local rule 110 description 'Rule: accept_mdns'
set firewall name trusted-local rule 110 destination port 'mdns'
set firewall name trusted-local rule 110 protocol 'udp'
set firewall name trusted-local rule 110 source port 'mdns'
set firewall name trusted-local rule 120 action 'accept'
set firewall name trusted-local rule 120 description 'Rule: accept_dns'
set firewall name trusted-local rule 120 destination port 'domain,domain-s'
set firewall name trusted-local rule 120 protocol 'tcp_udp'
set firewall name trusted-local rule 200 action 'accept'
set firewall name trusted-local rule 200 description 'Rule: accept_ssh'
set firewall name trusted-local rule 200 destination port 'ssh'
set firewall name trusted-local rule 200 protocol 'tcp'
set firewall name trusted-local rule 210 action 'accept'
set firewall name trusted-local rule 210 description 'Rule: accept_vyos_api'
set firewall name trusted-local rule 210 destination port '8443'
set firewall name trusted-local rule 210 protocol 'tcp'
set firewall name trusted-local rule 220 action 'accept'
set firewall name trusted-local rule 220 description 'Rule: accept_wireguard'
set firewall name trusted-local rule 220 destination port '51820'
set firewall name trusted-local rule 220 protocol 'udp'
set firewall name trusted-local rule 300 action 'accept'
set firewall name trusted-local rule 300 description 'Rule: accept_discovery_from_sonos_players'
set firewall name trusted-local rule 300 destination port '1900,1901,1902'
set firewall name trusted-local rule 300 protocol 'udp'
set firewall name trusted-local rule 300 source group address-group 'sonos_players'
set firewall name trusted-local rule 310 action 'accept'
set firewall name trusted-local rule 310 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name trusted-local rule 310 destination port '1900,1901,1902,57621'
set firewall name trusted-local rule 310 protocol 'udp'
set firewall name trusted-local rule 310 source group address-group 'sonos_controllers'
set firewall name trusted-local rule 999 action 'drop'
set firewall name trusted-local rule 999 description 'Rule: drop_invalid'
set firewall name trusted-local rule 999 state invalid 'enable'
set firewall name trusted-local rule 999 log 'enable'
# From TRUSTED to SERVERS
set firewall name trusted-servers default-action 'accept'
set firewall name trusted-servers description 'From TRUSTED to SERVERS'
set firewall name trusted-servers rule 999 action 'drop'
set firewall name trusted-servers rule 999 description 'Rule: drop_invalid'
set firewall name trusted-servers rule 999 state invalid 'enable'
set firewall name trusted-servers rule 999 log 'enable'
# From TRUSTED to CONTAINERS
set firewall name trusted-containers default-action 'accept'
set firewall name trusted-containers description 'From TRUSTED to CONTAINERS'
set firewall name trusted-containers rule 40 action 'accept'
set firewall name trusted-containers rule 40 description 'Rule: accept_dns'
set firewall name trusted-containers rule 40 destination port 'domain,domain-s'
set firewall name trusted-containers rule 40 protocol 'tcp_udp'
set firewall name trusted-containers rule 999 action 'drop'
set firewall name trusted-containers rule 999 description 'Rule: drop_invalid'
set firewall name trusted-containers rule 999 state invalid 'enable'
set firewall name trusted-containers rule 999 log 'enable'
# From TRUSTED to VIDEO
set firewall name trusted-video default-action 'accept'
set firewall name trusted-video description 'From TRUSTED to VIDEO'
set firewall name trusted-video rule 999 action 'drop'
set firewall name trusted-video rule 999 description 'Rule: drop_invalid'
set firewall name trusted-video rule 999 state invalid 'enable'
set firewall name trusted-video rule 999 log 'enable'
# From TRUSTED to WAN
set firewall name trusted-wan default-action 'accept'
set firewall name trusted-wan description 'From TRUSTED to WAN'
# From IOT to LAN
set firewall name iot-lan default-action 'drop'
set firewall name iot-lan description 'From IOT to LAN'
set firewall name iot-lan enable-default-log
set firewall name iot-lan rule 999 action 'drop'
set firewall name iot-lan rule 999 description 'Rule: drop_invalid'
set firewall name iot-lan rule 999 state invalid 'enable'
set firewall name iot-lan rule 999 log 'enable'
# From IOT to LOCAL
set firewall name iot-local default-action 'drop'
set firewall name iot-local description 'From IOT to LOCAL'
set firewall name iot-local enable-default-log
set firewall name iot-local rule 50 action 'accept'
set firewall name iot-local rule 50 description 'Rule: accept_dhcp'
set firewall name iot-local rule 50 destination port '67,68'
set firewall name iot-local rule 50 protocol 'udp'
set firewall name iot-local rule 50 source port '67,68'
set firewall name iot-local rule 60 action 'accept'
set firewall name iot-local rule 60 description 'Rule: accept_ntp'
set firewall name iot-local rule 60 destination port 'ntp'
set firewall name iot-local rule 60 protocol 'udp'
set firewall name iot-local rule 100 action 'accept'
set firewall name iot-local rule 100 description 'Rule: accept_igmp'
set firewall name iot-local rule 100 protocol '2'
set firewall name iot-local rule 110 action 'accept'
set firewall name iot-local rule 110 description 'Rule: accept_mdns'
set firewall name iot-local rule 110 destination port 'mdns'
set firewall name iot-local rule 110 protocol 'udp'
set firewall name iot-local rule 110 source port 'mdns'
set firewall name iot-local rule 120 action 'accept'
set firewall name iot-local rule 120 description 'Rule: accept_dns'
set firewall name iot-local rule 120 destination port 'domain,domain-s'
set firewall name iot-local rule 120 protocol 'tcp_udp'
set firewall name iot-local rule 200 action 'accept'
set firewall name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players'
set firewall name iot-local rule 200 destination port '1900,1901,1902'
set firewall name iot-local rule 200 protocol 'udp'
set firewall name iot-local rule 200 source group address-group 'sonos_players'
set firewall name iot-local rule 210 action 'accept'
set firewall name iot-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name iot-local rule 210 destination port '1900,1901,1902,57621'
set firewall name iot-local rule 210 protocol 'udp'
set firewall name iot-local rule 210 source group address-group 'sonos_controllers'
set firewall name iot-local rule 999 action 'drop'
set firewall name iot-local rule 999 description 'Rule: drop_invalid'
set firewall name iot-local rule 999 state invalid 'enable'
set firewall name iot-local rule 999 log 'enable'
# From IOT to SERVERS
set firewall name iot-servers default-action 'drop'
set firewall name iot-servers description 'From IOT to SERVERS'
set firewall name iot-servers enable-default-log
set firewall name iot-servers rule 100 action 'accept'
set firewall name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
set firewall name iot-servers rule 100 destination group address-group 'nas'
set firewall name iot-servers rule 100 destination port 'microsoft-ds'
set firewall name iot-servers rule 100 protocol 'tcp'
set firewall name iot-servers rule 100 source group address-group 'scanners'
set firewall name iot-servers rule 200 action 'accept'
set firewall name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
set firewall name iot-servers rule 200 destination group address-group 'k8s_plex'
set firewall name iot-servers rule 200 destination port '32400'
set firewall name iot-servers rule 200 protocol 'tcp'
set firewall name iot-servers rule 200 source group address-group 'plex_clients'
set firewall name iot-servers rule 210 action 'accept'
set firewall name iot-servers rule 300 action 'accept'
set firewall name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
set firewall name iot-servers rule 300 destination group address-group 'k8s_mqtt'
set firewall name iot-servers rule 300 destination port '1883'
set firewall name iot-servers rule 300 protocol 'tcp'
set firewall name iot-servers rule 300 source group address-group 'mqtt_clients'
set firewall name iot-servers rule 310 action 'accept'
set firewall name iot-servers rule 310 description 'Rule: accept_mqtt_from_esp'
set firewall name iot-servers rule 310 destination group address-group 'k8s_mqtt'
set firewall name iot-servers rule 310 destination port '1883'
set firewall name iot-servers rule 310 protocol 'tcp'
set firewall name iot-servers rule 310 source group address-group 'esp'
set firewall name iot-servers rule 400 action 'accept'
set firewall name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
set firewall name iot-servers rule 400 destination group address-group 'k8s_ingress'
set firewall name iot-servers rule 400 destination port 'http,https'
set firewall name iot-servers rule 400 protocol 'tcp'
set firewall name iot-servers rule 400 source group address-group 'sonos_players'
set firewall name iot-servers rule 420 action 'accept'
set firewall name iot-servers rule 420 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall name iot-servers rule 420 destination group address-group 'k8s_ingress'
set firewall name iot-servers rule 420 destination port 'http,https'
set firewall name iot-servers rule 420 protocol 'tcp'
set firewall name iot-servers rule 420 source group address-group 'k8s_ingress_allowed'
set firewall name iot-servers rule 500 action 'accept'
set firewall name iot-servers rule 500 description 'Rule: accept_vector_journald_from_allowed_devices'
set firewall name iot-servers rule 500 destination group address-group 'k8s_vector_aggregator'
set firewall name iot-servers rule 500 destination port '6002'
set firewall name iot-servers rule 500 protocol 'tcp'
set firewall name iot-servers rule 500 source group address-group 'vector_journald_allowed'
set firewall name iot-servers rule 999 action 'drop'
set firewall name iot-servers rule 999 description 'Rule: drop_invalid'
set firewall name iot-servers rule 999 state invalid 'enable'
set firewall name iot-servers rule 999 log 'enable'
# From IOT to CONTAINERS
set firewall name iot-containers default-action 'accept'
set firewall name iot-containers description 'From IOT to CONTAINERS'
set firewall name iot-containers rule 40 action 'accept'
set firewall name iot-containers rule 40 description 'Rule: accept_dns'
set firewall name iot-containers rule 40 destination port 'domain,domain-s'
set firewall name iot-containers rule 40 protocol 'tcp_udp'
set firewall name iot-containers rule 999 action 'drop'
set firewall name iot-containers rule 999 description 'Rule: drop_invalid'
set firewall name iot-containers rule 999 state invalid 'enable'
set firewall name iot-containers rule 999 log 'enable'
# From IOT to TRUSTED
set firewall name iot-trusted default-action 'drop'
set firewall name iot-trusted description 'From IOT to TRUSTED'
set firewall name iot-trusted enable-default-log
set firewall name iot-trusted rule 100 action 'accept'
set firewall name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
set firewall name iot-trusted rule 100 destination group address-group 'sonos_controllers'
set firewall name iot-trusted rule 100 destination port '30000-65535'
set firewall name iot-trusted rule 100 protocol 'udp'
set firewall name iot-trusted rule 100 source group address-group 'sonos_players'
set firewall name iot-trusted rule 110 action 'accept'
set firewall name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
set firewall name iot-trusted rule 110 destination group address-group 'sonos_controllers'
set firewall name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
set firewall name iot-trusted rule 110 protocol 'tcp'
set firewall name iot-trusted rule 110 source group address-group 'sonos_players'
set firewall name iot-trusted rule 999 action 'drop'
set firewall name iot-trusted rule 999 description 'Rule: drop_invalid'
set firewall name iot-trusted rule 999 state invalid 'enable'
set firewall name iot-trusted rule 999 log 'enable'
# From IOT to VIDEO
set firewall name iot-video default-action 'drop'
set firewall name iot-video description 'From IOT to VIDEO'
set firewall name iot-video enable-default-log
set firewall name iot-video rule 100 action 'accept'
set firewall name iot-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall name iot-video rule 100 protocol 'tcp'
set firewall name iot-video rule 100 source group address-group 'k8s_nodes'
set firewall name iot-video rule 999 action 'drop'
set firewall name iot-video rule 999 description 'Rule: drop_invalid'
set firewall name iot-video rule 999 state invalid 'enable'
set firewall name iot-video rule 999 log 'enable'
# From IOT to WAN
set firewall name iot-wan default-action 'accept'
set firewall name iot-wan description 'From IOT to WAN'
# From VIDEO to IOT
set firewall name video-iot default-action 'drop'
set firewall name video-iot description 'From VIDEO to IOT'
set firewall name video-iot enable-default-log
set firewall name video-iot rule 100 action 'accept'
set firewall name video-iot rule 100 description 'Rule: allow connecting to hass'
set firewall name video-iot rule 100 protocol 'tcp'
set firewall name video-iot rule 100 destination group address-group 'k8s_hass'
set firewall name video-iot rule 100 destination port '8123'
set firewall name video-iot rule 999 action 'drop'
set firewall name video-iot rule 999 description 'Rule: drop_invalid'
set firewall name video-iot rule 999 state invalid 'enable'
set firewall name video-iot rule 999 log 'enable'
# From VIDEO to LAN
set firewall name video-lan default-action 'drop'
set firewall name video-lan description 'From VIDEO to LAN'
set firewall name video-lan enable-default-log
set firewall name video-lan rule 999 action 'drop'
set firewall name video-lan rule 999 description 'Rule: drop_invalid'
set firewall name video-lan rule 999 state invalid 'enable'
set firewall name video-lan rule 999 log 'enable'
# From VIDEO to LOCAL
set firewall name video-local default-action 'drop'
set firewall name video-local description 'From VIDEO to LOCAL'
set firewall name video-local enable-default-log
set firewall name video-local rule 50 action 'accept'
set firewall name video-local rule 50 description 'Rule: accept_dhcp'
set firewall name video-local rule 50 destination port '67,68'
set firewall name video-local rule 50 protocol 'udp'
set firewall name video-local rule 50 source port '67,68'
set firewall name video-local rule 60 action 'accept'
set firewall name video-local rule 60 description 'Rule: accept_ntp'
set firewall name video-local rule 60 destination port 'ntp'
set firewall name video-local rule 60 protocol 'udp'
set firewall name video-local rule 999 action 'drop'
set firewall name video-local rule 999 description 'Rule: drop_invalid'
set firewall name video-local rule 999 state invalid 'enable'
set firewall name video-local rule 999 log 'enable'
# From VIDEO to SERVERS
set firewall name video-servers default-action 'drop'
set firewall name video-servers description 'From VIDEO to SERVERS'
set firewall name video-servers enable-default-log
set firewall name video-servers rule 100 action 'accept'
set firewall name video-servers rule 100 description 'Rule: accept_k8s_nodes'
set firewall name video-servers rule 100 protocol 'udp'
set firewall name video-servers rule 100 destination group address-group 'k8s_nodes'
set firewall name video-servers rule 100 source port '6987-6989'
set firewall name video-servers rule 999 action 'drop'
set firewall name video-servers rule 999 description 'Rule: drop_invalid'
set firewall name video-servers rule 999 state invalid 'enable'
set firewall name video-servers rule 999 log 'enable'
# From VIDEO to CONTAINERS
set firewall name video-containers default-action 'accept'
set firewall name video-containers description 'From VIDEO to CONTAINERS'
set firewall name video-containers rule 40 action 'accept'
set firewall name video-containers rule 40 description 'Rule: accept_dns'
set firewall name video-containers rule 40 destination port 'domain,domain-s'
set firewall name video-containers rule 40 protocol 'tcp_udp'
set firewall name video-containers rule 999 action 'drop'
set firewall name video-containers rule 999 description 'Rule: drop_invalid'
set firewall name video-containers rule 999 state invalid 'enable'
set firewall name video-containers rule 999 log 'enable'
# From VIDEO to TRUSTED
set firewall name video-trusted default-action 'drop'
set firewall name video-trusted description 'From VIDEO to TRUSTED'
set firewall name video-trusted enable-default-log
set firewall name video-trusted rule 999 action 'drop'
set firewall name video-trusted rule 999 description 'Rule: drop_invalid'
set firewall name video-trusted rule 999 state invalid 'enable'
set firewall name video-trusted rule 999 log 'enable'
# From VIDEO to WAN
set firewall name video-wan default-action 'drop'
set firewall name video-wan description 'From VIDEO to WAN'


@ -1,5 +1,27 @@
#!/bin/vbash #!/bin/vbash
# iot
set firewall zone iot default-action 'drop'
set firewall zone iot from lan firewall name 'lan-iot'
set firewall zone iot from local firewall name 'local-iot'
set firewall zone iot from servers firewall name 'servers-iot'
set firewall zone iot from containers firewall name 'containers-iot'
set firewall zone iot from trusted firewall name 'trusted-iot'
set firewall zone iot from video firewall name 'video-iot'
set firewall zone iot from wan firewall name 'wan-iot'
set firewall zone iot interface 'eth4.30'
# lan
set firewall zone lan default-action 'drop'
set firewall zone lan from iot firewall name 'iot-lan'
set firewall zone lan from local firewall name 'local-lan'
set firewall zone lan from servers firewall name 'servers-lan'
set firewall zone lan from containers firewall name 'containers-lan'
set firewall zone lan from trusted firewall name 'trusted-lan'
set firewall zone lan from video firewall name 'video-lan'
set firewall zone lan from wan firewall name 'wan-lan'
set firewall zone lan interface 'eth4'
# local # local
set firewall zone local default-action 'drop' set firewall zone local default-action 'drop'
set firewall zone local description 'Local router zone' set firewall zone local description 'Local router zone'
@ -12,26 +34,16 @@ set firewall zone local from video firewall name 'video-local'
set firewall zone local from wan firewall name 'wan-local' set firewall zone local from wan firewall name 'wan-local'
set firewall zone local local-zone set firewall zone local local-zone
# wan # servers
set firewall zone wan from iot firewall name 'iot-wan' set firewall zone servers default-action 'drop'
set firewall zone wan from lan firewall name 'lan-wan' set firewall zone servers from iot firewall name 'iot-servers'
set firewall zone wan from local firewall name 'local-wan' set firewall zone servers from lan firewall name 'lan-servers'
set firewall zone wan from servers firewall name 'servers-wan' set firewall zone servers from local firewall name 'local-servers'
set firewall zone wan from containers firewall name 'containers-wan' set firewall zone servers from containers firewall name 'containers-servers'
set firewall zone wan from trusted firewall name 'trusted-wan' set firewall zone servers from trusted firewall name 'trusted-servers'
set firewall zone wan from video firewall name 'video-wan' set firewall zone servers from video firewall name 'video-servers'
set firewall zone wan interface 'eth0' set firewall zone servers from wan firewall name 'wan-servers'
set firewall zone servers interface 'eth4.10'
# lan
set firewall zone lan default-action 'drop'
set firewall zone lan from iot firewall name 'iot-lan'
set firewall zone lan from local firewall name 'local-lan'
set firewall zone lan from servers firewall name 'servers-lan'
set firewall zone lan from containers firewall name 'containers-lan'
set firewall zone lan from trusted firewall name 'trusted-lan'
set firewall zone lan from video firewall name 'video-lan'
set firewall zone lan from wan firewall name 'wan-lan'
set firewall zone lan interface 'eth1'
# containers # containers
set firewall zone containers default-action 'drop' set firewall zone containers default-action 'drop'
@ -45,17 +57,6 @@ set firewall zone containers from video firewall name 'video-containers'
set firewall zone containers from wan firewall name 'wan-containers' set firewall zone containers from wan firewall name 'wan-containers'
set firewall zone containers interface 'pod-containers' set firewall zone containers interface 'pod-containers'
# servers
set firewall zone servers default-action 'drop'
set firewall zone servers from iot firewall name 'iot-servers'
set firewall zone servers from lan firewall name 'lan-servers'
set firewall zone servers from local firewall name 'local-servers'
set firewall zone servers from containers firewall name 'containers-servers'
set firewall zone servers from trusted firewall name 'trusted-servers'
set firewall zone servers from video firewall name 'video-servers'
set firewall zone servers from wan firewall name 'wan-servers'
set firewall zone servers interface 'eth1.10'
# trusted # trusted
set firewall zone trusted default-action 'drop' set firewall zone trusted default-action 'drop'
set firewall zone trusted from iot firewall name 'iot-trusted' set firewall zone trusted from iot firewall name 'iot-trusted'
@ -65,20 +66,9 @@ set firewall zone trusted from servers firewall name 'servers-trusted'
set firewall zone trusted from containers firewall name 'containers-trusted' set firewall zone trusted from containers firewall name 'containers-trusted'
set firewall zone trusted from video firewall name 'video-trusted' set firewall zone trusted from video firewall name 'video-trusted'
set firewall zone trusted from wan firewall name 'wan-trusted' set firewall zone trusted from wan firewall name 'wan-trusted'
set firewall zone trusted interface 'eth1.20' set firewall zone trusted interface 'eth4.20'
set firewall zone trusted interface 'wg01' set firewall zone trusted interface 'wg01'
# iot
set firewall zone iot default-action 'drop'
set firewall zone iot from lan firewall name 'lan-iot'
set firewall zone iot from local firewall name 'local-iot'
set firewall zone iot from servers firewall name 'servers-iot'
set firewall zone iot from containers firewall name 'containers-iot'
set firewall zone iot from trusted firewall name 'trusted-iot'
set firewall zone iot from video firewall name 'video-iot'
set firewall zone iot from wan firewall name 'wan-iot'
set firewall zone iot interface 'eth1.30'
# video # video
set firewall zone video default-action 'drop' set firewall zone video default-action 'drop'
set firewall zone video from iot firewall name 'iot-video' set firewall zone video from iot firewall name 'iot-video'
@ -88,5 +78,15 @@ set firewall zone video from servers firewall name 'servers-video'
set firewall zone video from containers firewall name 'containers-video' set firewall zone video from containers firewall name 'containers-video'
set firewall zone video from trusted firewall name 'trusted-video' set firewall zone video from trusted firewall name 'trusted-video'
set firewall zone video from wan firewall name 'wan-video' set firewall zone video from wan firewall name 'wan-video'
set firewall zone video interface 'eth1.40' set firewall zone video interface 'eth4.40'
set firewall zone wan default-action 'drop' set firewall zone wan default-action 'drop'
# wan
set firewall zone wan from iot firewall name 'iot-wan'
set firewall zone wan from lan firewall name 'lan-wan'
set firewall zone wan from local firewall name 'local-wan'
set firewall zone wan from servers firewall name 'servers-wan'
set firewall zone wan from containers firewall name 'containers-wan'
set firewall zone wan from trusted firewall name 'trusted-wan'
set firewall zone wan from video firewall name 'video-wan'
set firewall zone wan interface 'eth0'


@ -1,87 +1,20 @@
#!/bin/vbash #!/bin/vbash
# General configuration # General configuration
set firewall state-policy established action 'accept' set firewall global-options state-policy established action 'accept'
set firewall state-policy invalid action 'drop' set firewall global-options state-policy related action 'accept'
set firewall state-policy related action 'accept' set firewall global-options all-ping 'enable'
# Address Groups # Address Groups
set firewall group address-group ios_devices address '10.1.2.31' set firewall group address-group router-addresses address 10.0.0.1
set firewall group address-group ios_devices address '10.1.2.32' set firewall group address-group router-addresses address 127.0.0.1
set firewall group address-group ios_devices address '10.1.2.33' set firewall group address-group k8s_nodes address '10.1.1.61-63' # master nodes
set firewall group address-group ios_devices address '10.1.2.34' set firewall group address-group k8s_nodes address '10.1.1.41-46' # worker nodes
set firewall group address-group ios_devices address '10.1.2.35'
set firewall group address-group ios_devices address '10.1.2.36'
set firewall group address-group esp address '10.1.3.21'
set firewall group address-group k8s_api address '10.5.0.2' set firewall group address-group k8s_api address '10.5.0.2'
set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx
# external nginx set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx
set firewall group address-group k8s_ingress address '10.45.0.1'
# internal nginx
set firewall group address-group k8s_ingress address '10.45.0.3'
set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
set firewall group address-group k8s_mqtt address '10.45.0.10'
set firewall group address-group k8s_nodes address '10.1.1.41'
set firewall group address-group k8s_nodes address '10.1.1.42'
set firewall group address-group k8s_nodes address '10.1.1.43'
set firewall group address-group k8s_nodes address '10.1.1.44'
set firewall group address-group k8s_nodes address '10.1.1.45'
set firewall group address-group k8s_nodes address '10.1.1.46'
set firewall group address-group k8s_nodes address '10.1.1.61'
set firewall group address-group k8s_nodes address '10.1.1.62'
set firewall group address-group k8s_nodes address '10.1.1.63'
set firewall group address-group k8s_hass address '10.45.0.5'
set firewall group address-group k8s_plex address '10.45.0.20'
set firewall group address-group k8s_vector_aggregator address '10.45.0.2' set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
set firewall group address-group nas address '10.1.1.11-12'
set firewall group address-group mqtt_clients address '10.1.2.21'
set firewall group address-group mqtt_clients address '10.1.2.32'
set firewall group address-group mqtt_clients address '10.1.3.18'
set firewall group address-group mqtt_clients address '10.1.3.22'
set firewall group address-group mqtt_clients address '10.1.3.56'
set firewall group address-group mqtt_clients address '10.1.3.33' # SwitchBot Plug Mini 1
set firewall group address-group mqtt_clients address '10.1.3.34' # SwitchBot Plug Mini 2
set firewall group address-group mqtt_clients address '10.1.3.35' # SwitchBot Plug Mini 3
set firewall group address-group mqtt_clients address '10.1.3.36' # SwitchBot Plug Mini 4
set firewall group address-group hass_clients address '10.1.4.12'
set firewall group address-group nas address '10.1.1.11'
set firewall group address-group plex_clients address '10.1.2.21'
set firewall group address-group plex_clients address '10.1.2.31'
set firewall group address-group plex_clients address '10.1.2.32'
set firewall group address-group plex_clients address '10.1.2.33'
set firewall group address-group plex_clients address '10.1.2.34'
set firewall group address-group plex_clients address '10.1.2.35'
set firewall group address-group plex_clients address '10.1.2.36'
set firewall group address-group plex_clients address '10.1.3.16'
set firewall group address-group printers address '10.1.3.55'
set firewall group address-group printer_allowed address '192.168.2.11'
set firewall group address-group sonos_controllers address '10.1.2.21'
set firewall group address-group sonos_controllers address '10.1.2.31'
set firewall group address-group sonos_controllers address '10.1.2.32'
set firewall group address-group sonos_controllers address '10.1.2.33'
set firewall group address-group sonos_controllers address '10.1.2.34'
set firewall group address-group sonos_controllers address '10.1.2.36'
set firewall group address-group sonos_players address '10.1.3.71'
set firewall group address-group sonos_players address '10.1.3.72'
set firewall group address-group sonos_players address '10.1.3.73'
set firewall group address-group sonos_players address '10.1.3.74'
set firewall group address-group scanners address '10.1.3.55'
set firewall group address-group unifi_devices address '10.1.0.11' set firewall group address-group unifi_devices address '10.1.0.11'
set firewall group address-group unifi_devices address '10.1.0.12' set firewall group address-group unifi_devices address '10.1.0.12'
set firewall group address-group unifi_devices address '10.1.0.13' set firewall group address-group unifi_devices address '10.1.0.13'
@ -89,15 +22,10 @@ set firewall group address-group unifi_devices address '10.1.0.21'
set firewall group address-group unifi_devices address '10.1.0.22' set firewall group address-group unifi_devices address '10.1.0.22'
set firewall group address-group unifi_devices address '10.1.0.23' set firewall group address-group unifi_devices address '10.1.0.23'
set firewall group address-group unifi_devices address '10.1.0.24' set firewall group address-group unifi_devices address '10.1.0.24'
set firewall group address-group vector_journald_allowed address '10.1.3.56'
set firewall group address-group vector_journald_allowed address '10.1.3.60'
set firewall group address-group vyos_coredns address '10.5.0.3'
set firewall group address-group vyos_unifi address '10.5.0.10' set firewall group address-group vyos_unifi address '10.5.0.10'
set firewall group network-group k8s_services network '10.45.0.0/16' set firewall group network-group k8s_services network '10.45.0.0/16'
# Port groups # Port groups
set firewall group port-group wireguard port '51820' set firewall group port-group wireguard port '51820'
set firewall group port-group sonos-discovery port '1900-1902'
set firewall group port-group sonos-discovery port '57621'
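Review bot: The new global-options block at the top of the hunk carries only the `established` and `related` state policies; the old `state-policy invalid action 'drop'` has no counterpart on the new side, so invalid-state packets now fall through to the per-zone rulesets instead of being dropped globally. Unless that is intended, add `set firewall global-options state-policy invalid action 'drop'` next to the two existing lines. The new `k8s_nodes` entries use a short range form (`'10.1.1.61-63'`), whereas the address-group range syntax I know of takes full addresses such as `10.1.1.61-10.1.1.63`; please confirm the 1.4-rc1 validator accepts the short form before relying on it. The `router-addresses` values are also the only unquoted addresses in the file, which is harmless but inconsistent with the rest of the group definitions.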


@ -1,20 +1,20 @@
#!/bin/vbash #!/bin/vbash
set interfaces ethernet eth0 address 'dhcp' set interfaces ethernet eth5 address 'dhcp'
set interfaces ethernet eth0 description 'WAN' set interfaces ethernet eth5 description 'WAN'
set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:69' set interfaces ethernet eth5 hw-id '80:61:5f:04:88:5b'
set interfaces ethernet eth1 address '10.1.0.1/24' set interfaces ethernet eth4 address '10.1.0.1/24'
set interfaces ethernet eth1 description 'LAN' set interfaces ethernet eth4 description 'LAN'
set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:68' set interfaces ethernet eth4 hw-id '80:61:5f:04:88:5a'
set interfaces ethernet eth1 vif 10 address '10.1.1.1/24' set interfaces ethernet eth4 vif 10 address '10.1.1.1/24'
set interfaces ethernet eth1 vif 10 description 'SERVERS' set interfaces ethernet eth4 vif 10 description 'SERVERS'
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24' set interfaces ethernet eth4 vif 20 address '10.1.2.1/24'
set interfaces ethernet eth1 vif 20 description 'TRUSTED' set interfaces ethernet eth4 vif 20 description 'TRUSTED'
set interfaces ethernet eth1 vif 30 address '10.1.3.1/24' set interfaces ethernet eth4 vif 30 address '10.1.3.1/24'
set interfaces ethernet eth1 vif 30 description 'IOT' set interfaces ethernet eth4 vif 30 description 'IOT'
set interfaces ethernet eth1 vif 40 address '10.1.4.1/24' set interfaces ethernet eth4 vif 40 address '10.1.4.1/24'
set interfaces ethernet eth1 vif 40 description 'VIDEO' set interfaces ethernet eth4 vif 40 description 'VIDEO'
set interfaces wireguard wg01 address '10.0.11.1/24' set interfaces wireguard wg01 address '10.0.11.1/24'
set interfaces wireguard wg01 description 'WIREGUARD' set interfaces wireguard wg01 description 'WIREGUARD'


@ -3,79 +3,13 @@
# Forward Plex to Sting # Forward Plex to Sting
set nat destination rule 110 description 'PLEX' set nat destination rule 110 description 'PLEX'
set nat destination rule 110 destination port '32400' set nat destination rule 110 destination port '32400'
set nat destination rule 110 inbound-interface 'eth0' set nat destination rule 110 inbound-interface 'eth5'
set nat destination rule 110 protocol 'tcp' set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '10.1.1.12' set nat destination rule 110 translation address '10.1.1.12'
set nat destination rule 110 translation port '32400' set nat destination rule 110 translation port '32400'
# Force DNS
set nat destination rule 102 description 'Force DNS for IoT'
set nat destination rule 102 destination address '!10.1.3.1'
set nat destination rule 102 destination port '53'
set nat destination rule 102 inbound-interface 'eth1.30'
set nat destination rule 102 protocol 'tcp_udp'
set nat destination rule 102 translation address '10.1.3.1'
set nat destination rule 102 translation port '53'
set nat destination rule 103 description 'Force DNS for Video'
set nat destination rule 103 destination address '!10.1.4.1'
set nat destination rule 103 destination port '53'
set nat destination rule 103 inbound-interface 'eth1.40'
set nat destination rule 103 protocol 'tcp_udp'
set nat destination rule 103 translation address '10.1.4.1'
set nat destination rule 103 translation port '53'
set nat destination rule 104 description 'Force NTP for LAN'
set nat destination rule 104 destination address '!10.1.0.1'
set nat destination rule 104 destination port '123'
set nat destination rule 104 inbound-interface 'eth1'
set nat destination rule 104 protocol 'udp'
set nat destination rule 104 translation address '10.1.0.1'
set nat destination rule 104 translation port '123'
# Force NTP
set nat destination rule 105 description 'Force NTP for Servers'
set nat destination rule 105 destination address '!10.1.1.1'
set nat destination rule 105 destination port '123'
set nat destination rule 105 inbound-interface 'eth1.10'
set nat destination rule 105 protocol 'udp'
set nat destination rule 105 translation address '10.1.1.1'
set nat destination rule 105 translation port '123'
set nat destination rule 106 description 'Force NTP for Trusted'
set nat destination rule 106 destination address '!10.1.2.1'
set nat destination rule 106 destination port '123'
set nat destination rule 106 inbound-interface 'eth1.20'
set nat destination rule 106 protocol 'udp'
set nat destination rule 106 translation address '10.1.2.1'
set nat destination rule 106 translation port '123'
set nat destination rule 107 description 'Force NTP for IoT'
set nat destination rule 107 destination address '!10.1.3.1'
set nat destination rule 107 destination port '123'
set nat destination rule 107 inbound-interface 'eth1.30'
set nat destination rule 107 protocol 'udp'
set nat destination rule 107 translation address '10.1.3.1'
set nat destination rule 107 translation port '123'
set nat destination rule 108 description 'Force NTP for Video'
set nat destination rule 108 destination address '!10.1.4.1'
set nat destination rule 108 destination port '123'
set nat destination rule 108 inbound-interface 'eth1.40'
set nat destination rule 108 protocol 'udp'
set nat destination rule 108 translation address '10.1.4.1'
set nat destination rule 108 translation port '123'
set nat destination rule 109 description 'Force NTP for Wireguard Trusted'
set nat destination rule 109 destination address '!10.0.11.1'
set nat destination rule 109 destination port '123'
set nat destination rule 109 inbound-interface 'wg01'
set nat destination rule 109 protocol 'udp'
set nat destination rule 109 translation address '10.0.11.1'
set nat destination rule 109 translation port '123'
# LAN -> WAN masquerade # LAN -> WAN masquerade
set nat source rule 100 description 'LAN -> WAN' set nat source rule 100 description 'LAN -> WAN'
set nat source rule 100 destination address '0.0.0.0/0' set nat source rule 100 destination address '0.0.0.0/0'
set nat source rule 100 outbound-interface 'eth0' set nat source rule 100 outbound-interface name 'eth5'
set nat source rule 100 translation address 'masquerade' set nat source rule 100 translation address 'masquerade'
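Review bot: Destination rule 110 keeps the pre-1.4 form `set nat destination rule 110 inbound-interface 'eth5'`, while source rule 100 in the same hunk was moved to the 1.4 form `outbound-interface name 'eth5'`. Destination NAT in 1.4-rc1 appears to use the matching `inbound-interface name` node, so the line should probably become `set nat destination rule 110 inbound-interface name 'eth5'`; worth confirming on the target version, since a rejected line here silently leaves the Plex forward unconfigured. Separately, with the Force-DNS and Force-NTP redirect rules gone, IoT and video clients are no longer steered to the router's resolver and time source, so any remaining containment of those segments now rests entirely on the zone rulesets, which are not visible in this hunk. A short comment above `# LAN -> WAN masquerade` recording where that enforcement moved (or that it was dropped deliberately) would save the next reader from reconstructing the intent.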


@ -1,7 +1,7 @@
#!/bin/vbash #!/bin/vbash
set system domain-name 'jahanson.tech' set system domain-name 'jahanson.tech'
set system host-name 'gateway' set system host-name 'gandalf'
set system ipv6 disable-forwarding set system ipv6 disable-forwarding
@ -14,13 +14,6 @@ set system name-server '1.1.1.1'
set system sysctl parameter kernel.pty.max value '24000' set system sysctl parameter kernel.pty.max value '24000'
# Sent to vector syslog server
set system syslog global facility all level info
set system syslog host 10.45.0.2 facility kern level 'warning'
set system syslog host 10.45.0.2 protocol 'tcp'
set system syslog host 10.45.0.2 port '6001'
set system syslog host 10.45.0.2 format 'octet-counted'
# Custom backup # Custom backup
set system task-scheduler task backup-config crontab-spec '30 0 * * *' set system task-scheduler task backup-config crontab-spec '30 0 * * *'
set system task-scheduler task backup-config executable path '/config/scripts/custom-config-backup.sh' set system task-scheduler task backup-config executable path '/config/scripts/custom-config-backup.sh'
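Review bot: After this hunk no remote syslog destination remains in the system section — the `syslog host 10.45.0.2` lines and the global facility level were removed without a replacement — so kernel and firewall log events now stay on the router only, which weakens off-box detection and post-incident review. If log shipping was intentionally moved elsewhere (the `k8s_vector_aggregator` address group still exists in the firewall file), a comment such as `# Remote syslog now handled by <replacement> — see <location>` above `# Custom backup` would document that; otherwise a replacement host entry is worth adding back. The system section continues beyond the end of this hunk.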