diff --git a/config-parts/firewall-ipv4.sh b/config-parts/firewall-ipv4.sh
index bd05cda..7576197 100644
--- a/config-parts/firewall-ipv4.sh
+++ b/config-parts/firewall-ipv4.sh
@@ -2,7 +2,7 @@
 # From IOT to LAN
 set firewall ipv4 name iot-lan default-action 'drop'
 set firewall ipv4 name iot-lan description 'From IOT to LAN'
-set firewall ipv4 name iot-lan enable-default-log
+set firewall ipv4 name iot-lan default-log
 set firewall ipv4 name iot-lan rule 999 action 'drop'
 set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name iot-lan rule 999 state invalid
@@ -11,7 +11,7 @@ set firewall ipv4 name iot-lan rule 999 log
 # From IOT to LOCAL
 set firewall ipv4 name iot-local default-action 'drop'
 set firewall ipv4 name iot-local description 'From IOT to LOCAL'
-set firewall ipv4 name iot-local enable-default-log
+set firewall ipv4 name iot-local default-log
 set firewall ipv4 name iot-local rule 50 action 'accept'
 set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
 set firewall ipv4 name iot-local rule 50 destination port '67,68'
@@ -46,37 +46,13 @@ set firewall ipv4 name iot-local rule 999 log
 # From IOT to SERVERS
 set firewall ipv4 name iot-servers default-action 'drop'
 set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
-set firewall ipv4 name iot-servers enable-default-log
-set firewall ipv4 name iot-servers rule 100 action 'accept'
-set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
-set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
-set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
-set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
-set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
-set firewall ipv4 name iot-servers rule 200 action 'accept'
-set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
-set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
-set firewall ipv4 name iot-servers rule 200 destination port '32400'
-set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
-set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
-set firewall ipv4 name iot-servers rule 300 action 'accept'
-set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
-set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
-set firewall ipv4 name iot-servers rule 300 destination port '1883'
-set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
-set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
+set firewall ipv4 name iot-servers default-log
 set firewall ipv4 name iot-servers rule 400 action 'accept'
 set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
 set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
 set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
 set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
 set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
-set firewall ipv4 name iot-servers rule 410 action 'accept'
-set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
-set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
-set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
-set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
-set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
 set firewall ipv4 name iot-servers rule 999 action 'drop'
 set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name iot-servers rule 999 state invalid
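Review bot: The address groups referenced only by the rules this hunk removes — `scanners`, `k8s_plex`, `plex_clients`, `k8s_mqtt`, `mqtt_clients` and `k8s_ingress_allowed` — are not touched by any firewall.sh hunk in this commit, so they are presumably still defined and now unreferenced; the same applies to `sonos_controllers` (rules removed from iot-trusted, local-iot, trusted-iot and trusted-local) and `k8s_hass` (video-iot). An unreferenced group is harmless by itself, but it hides which hosts still have special access when someone reads the group list, so either delete them in the same commit or add a comment in firewall.sh saying why they are kept. The surviving rule 400 keeps its `source group address-group 'sonos_players'` match and that group is added in firewall.sh in this commit, so the remaining accept stays scoped to the intended hosts.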
@@ -97,19 +73,7 @@ set firewall ipv4 name iot-containers rule 999 log
 # From IOT to TRUSTED
 set firewall ipv4 name iot-trusted default-action 'drop'
 set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
-set firewall ipv4 name iot-trusted enable-default-log
-set firewall ipv4 name iot-trusted rule 100 action 'accept'
-set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
-set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
-set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
-set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
-set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
-set firewall ipv4 name iot-trusted rule 110 action 'accept'
-set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
-set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
-set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
-set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
-set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
+set firewall ipv4 name iot-trusted default-log
 set firewall ipv4 name iot-trusted rule 999 action 'drop'
 set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name iot-trusted rule 999 state invalid
@@ -118,7 +82,7 @@ set firewall ipv4 name iot-trusted rule 999 log
 # From IOT to VIDEO
 set firewall ipv4 name iot-video default-action 'drop'
 set firewall ipv4 name iot-video description 'From IOT to VIDEO'
-set firewall ipv4 name iot-video enable-default-log
+set firewall ipv4 name iot-video default-log
 set firewall ipv4 name iot-video rule 100 action 'accept'
 set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
 set firewall ipv4 name iot-video rule 100 protocol 'tcp'
@@ -135,7 +99,7 @@ set firewall ipv4 name iot-wan description 'From IOT to WAN'
 # From LAN to IoT
 set firewall ipv4 name lan-iot default-action 'drop'
 set firewall ipv4 name lan-iot description 'From LAN to IOT'
-set firewall ipv4 name lan-iot enable-default-log
+set firewall ipv4 name lan-iot default-log
 set firewall ipv4 name lan-iot rule 999 action 'drop'
 set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-iot rule 999 state invalid
@@ -144,7 +108,7 @@ set firewall ipv4 name lan-iot rule 999 log
 # From LAN to LOCAL
 set firewall ipv4 name lan-local default-action 'drop'
 set firewall ipv4 name lan-local description 'From LAN to LOCAL'
-set firewall ipv4 name lan-local enable-default-log
+set firewall ipv4 name lan-local default-log
 set firewall ipv4 name lan-local rule 40 action 'accept'
 set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns'
 set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s'
@@ -174,7 +138,7 @@ set firewall ipv4 name lan-local rule 999 log
 # From LAN to SERVERS
 set firewall ipv4 name lan-servers default-action 'drop'
 set firewall ipv4 name lan-servers description 'From LAN to SERVERS'
-set firewall ipv4 name lan-servers enable-default-log
+set firewall ipv4 name lan-servers default-log
 set firewall ipv4 name lan-servers rule 999 action 'drop'
 set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-servers rule 999 state invalid
@@ -195,7 +159,7 @@ set firewall ipv4 name lan-containers rule 999 log
 # From LAN to TRUSTED
 set firewall ipv4 name lan-trusted default-action 'drop'
 set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED'
-set firewall ipv4 name lan-trusted enable-default-log
+set firewall ipv4 name lan-trusted default-log
 set firewall ipv4 name lan-trusted rule 999 action 'drop'
 set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-trusted rule 999 state invalid
@@ -204,7 +168,7 @@ set firewall ipv4 name lan-trusted rule 999 log
 # From LAN to VIDEO
 set firewall ipv4 name lan-video default-action 'drop'
 set firewall ipv4 name lan-video description 'From LAN to VIDEO'
-set firewall ipv4 name lan-video enable-default-log
+set firewall ipv4 name lan-video default-log
 set firewall ipv4 name lan-video rule 999 action 'drop'
 set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name lan-video rule 999 state invalid
@@ -217,7 +181,7 @@ set firewall ipv4 name lan-wan description 'From LAN to WAN'
 # From LOCAL to IOT
 set firewall ipv4 name local-iot default-action 'drop'
 set firewall ipv4 name local-iot description 'From LOCAL to IOT'
-set firewall ipv4 name local-iot enable-default-log
+set firewall ipv4 name local-iot default-log
 set firewall ipv4 name local-iot rule 100 action 'accept'
 set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp'
 set firewall ipv4 name local-iot rule 100 protocol '2'
@@ -226,11 +190,6 @@ set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
 set firewall ipv4 name local-iot rule 110 destination port 'mdns'
 set firewall ipv4 name local-iot rule 110 protocol 'udp'
 set firewall ipv4 name local-iot rule 110 source port 'mdns'
-set firewall ipv4 name local-iot rule 200 action 'accept'
-set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
-set firewall ipv4 name local-iot rule 200 destination group port-group sonos-discovery
-set firewall ipv4 name local-iot rule 200 protocol 'udp'
-set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
 set firewall ipv4 name local-iot rule 999 action 'drop'
 set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name local-iot rule 999 state invalid
@@ -239,7 +198,7 @@ set firewall ipv4 name local-iot rule 999 log
 # From LOCAL to LAN
 set firewall ipv4 name local-lan default-action 'drop'
 set firewall ipv4 name local-lan description 'From LOCAL to LAN'
-set firewall ipv4 name local-lan enable-default-log
+set firewall ipv4 name local-lan default-log
 set firewall ipv4 name local-lan rule 999 action 'drop'
 set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name local-lan rule 999 state invalid
@@ -248,7 +207,7 @@ set firewall ipv4 name local-lan rule 999 log
 # From LOCAL to SERVERS
 set firewall ipv4 name local-servers default-action 'drop'
 set firewall ipv4 name local-servers description 'From LOCAL to SERVERS'
-set firewall ipv4 name local-servers enable-default-log
+set firewall ipv4 name local-servers default-log
 set firewall ipv4 name local-servers rule 40 action 'accept'
 set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns'
 set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s'
@@ -286,7 +245,7 @@ set firewall ipv4 name local-containers rule 999 log
 # From LOCAL to TRUSTED
 set firewall ipv4 name local-trusted default-action 'drop'
 set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED'
-set firewall ipv4 name local-trusted enable-default-log
+set firewall ipv4 name local-trusted default-log
 set firewall ipv4 name local-trusted rule 100 action 'accept'
 set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp'
 set firewall ipv4 name local-trusted rule 100 protocol '2'
@@ -312,7 +271,7 @@ set firewall ipv4 name local-trusted rule 999 log
 # From LOCAL to VIDEO
 set firewall ipv4 name local-video default-action 'drop'
 set firewall ipv4 name local-video description 'From LOCAL to VIDEO'
-set firewall ipv4 name local-video enable-default-log
+set firewall ipv4 name local-video default-log
 set firewall ipv4 name local-video rule 999 action 'drop'
 set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name local-video rule 999 state invalid
@@ -326,7 +285,7 @@ set firewall ipv4 name local-wan description 'From LOCAL to WAN'
 # From SERVERS to IOT
 set firewall ipv4 name servers-iot default-action 'drop'
 set firewall ipv4 name servers-iot description 'From SERVERS to IOT'
-set firewall ipv4 name servers-iot enable-default-log
+set firewall ipv4 name servers-iot default-log
 set firewall ipv4 name servers-iot rule 100 action 'accept'
 set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
 set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
@@ -343,7 +302,7 @@ set firewall ipv4 name servers-iot rule 999 log
 # From SERVERS to LAN
 set firewall ipv4 name servers-lan default-action 'drop'
 set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
-set firewall ipv4 name servers-lan enable-default-log
+set firewall ipv4 name servers-lan default-log
 set firewall ipv4 name servers-lan rule 999 action 'drop'
 set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name servers-lan rule 999 state invalid
@@ -352,7 +311,7 @@ set firewall ipv4 name servers-lan rule 999 log
 # From SERVERS to LOCAL
 set firewall ipv4 name servers-local default-action 'drop'
 set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
-set firewall ipv4 name servers-local enable-default-log
+set firewall ipv4 name servers-local default-log
 set firewall ipv4 name servers-local rule 50 action 'accept'
 set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
 set firewall ipv4 name servers-local rule 50 destination port '67,68'
@@ -392,7 +351,7 @@ set firewall ipv4 name servers-local rule 999 log
 # From SERVERS to CONTAINERS
 set firewall ipv4 name servers-containers default-action 'accept'
 set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
-set firewall ipv4 name servers-containers enable-default-log
+set firewall ipv4 name servers-containers default-log
 set firewall ipv4 name servers-containers rule 40 action 'accept'
 set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
 set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
@@ -409,7 +368,7 @@ set firewall ipv4 name servers-containers rule 999 log
 # From SERVERS to TRUSTED
 set firewall ipv4 name servers-trusted default-action 'drop'
 set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
-set firewall ipv4 name servers-trusted enable-default-log
+set firewall ipv4 name servers-trusted default-log
 set firewall ipv4 name servers-trusted rule 999 action 'drop'
 set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name servers-trusted rule 999 state invalid
@@ -418,7 +377,7 @@ set firewall ipv4 name servers-trusted rule 999 log
 # From SERVERS to VIDEO
 set firewall ipv4 name servers-video default-action 'drop'
 set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
-set firewall ipv4 name servers-video enable-default-log
+set firewall ipv4 name servers-video default-log
 set firewall ipv4 name servers-video rule 100 action 'accept'
 set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
 set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
@@ -435,7 +394,7 @@ set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
 # From CONTAINERS to IOT
 set firewall ipv4 name containers-iot default-action 'drop'
 set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
-set firewall ipv4 name containers-iot enable-default-log
+set firewall ipv4 name containers-iot default-log
 set firewall ipv4 name containers-iot rule 999 action 'drop'
 set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name containers-iot rule 999 state invalid
@@ -444,7 +403,7 @@ set firewall ipv4 name containers-iot rule 999 log
 # From CONTAINERS to LAN
 set firewall ipv4 name containers-lan default-action 'drop'
 set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
-set firewall ipv4 name containers-lan enable-default-log
+set firewall ipv4 name containers-lan default-log
 set firewall ipv4 name containers-lan rule 999 action 'drop'
 set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name containers-lan rule 999 state invalid
@@ -453,7 +412,7 @@ set firewall ipv4 name containers-lan rule 999 log
 # From CONTAINERS to LOCAL
 set firewall ipv4 name containers-local default-action 'drop'
 set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
-set firewall ipv4 name containers-local enable-default-log
+set firewall ipv4 name containers-local default-log
 set firewall ipv4 name containers-local rule 50 action 'accept'
 set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
 set firewall ipv4 name containers-local rule 50 destination port '67,68'
@@ -479,7 +438,7 @@ set firewall ipv4 name containers-servers rule 999 log
 # From CONTAINERS to TRUSTED
 set firewall ipv4 name containers-trusted default-action 'drop'
 set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
-set firewall ipv4 name containers-trusted enable-default-log
+set firewall ipv4 name containers-trusted default-log
 set firewall ipv4 name containers-trusted rule 999 action 'drop'
 set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name containers-trusted rule 999 state invalid
@@ -488,7 +447,7 @@ set firewall ipv4 name containers-trusted rule 999 log
 # From CONTAINERS to VIDEO
 set firewall ipv4 name containers-video default-action 'drop'
 set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
-set firewall ipv4 name containers-video enable-default-log
+set firewall ipv4 name containers-video default-log
 set firewall ipv4 name containers-video rule 999 action 'drop'
 set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name containers-video rule 999 state invalid
@@ -501,16 +460,6 @@ set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
 # From TRUSTED to IOT
 set firewall ipv4 name trusted-iot default-action 'accept'
 set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
-set firewall ipv4 name trusted-iot rule 110 action 'accept'
-set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
-set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
-set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
-set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
-set firewall ipv4 name trusted-iot rule 111 action 'accept'
-set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
-set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
-set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
-set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
 set firewall ipv4 name trusted-iot rule 999 action 'drop'
 set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name trusted-iot rule 999 state invalid
@@ -527,7 +476,7 @@ set firewall ipv4 name trusted-lan rule 999 log
 # From TRUSTED to LOCAL
 set firewall ipv4 name trusted-local default-action 'drop'
 set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
-set firewall ipv4 name trusted-local enable-default-log
+set firewall ipv4 name trusted-local default-log
 set firewall ipv4 name trusted-local rule 50 action 'accept'
 set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
 set firewall ipv4 name trusted-local rule 50 destination port '67,68'
@@ -549,11 +498,6 @@ set firewall ipv4 name trusted-local rule 120 action 'accept'
 set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
 set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
 set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
-set firewall ipv4 name trusted-local rule 210 action 'accept'
-set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
-set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-discovery
-set firewall ipv4 name trusted-local rule 210 protocol 'udp'
-set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
 set firewall ipv4 name trusted-local rule 211 action 'accept'
 set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
 set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
@@ -612,12 +556,7 @@ set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN'
 # From VIDEO to IOT
 set firewall ipv4 name video-iot default-action 'drop'
 set firewall ipv4 name video-iot description 'From VIDEO to IOT'
-set firewall ipv4 name video-iot enable-default-log
-set firewall ipv4 name video-iot rule 100 action 'accept'
-set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass'
-set firewall ipv4 name video-iot rule 100 protocol 'tcp'
-set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass'
-set firewall ipv4 name video-iot rule 100 destination port '8123'
+set firewall ipv4 name video-iot default-log
 set firewall ipv4 name video-iot rule 999 action 'drop'
 set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name video-iot rule 999 state invalid
@@ -626,7 +565,7 @@ set firewall ipv4 name video-iot rule 999 log
 # From VIDEO to LAN
 set firewall ipv4 name video-lan default-action 'drop'
 set firewall ipv4 name video-lan description 'From VIDEO to LAN'
-set firewall ipv4 name video-lan enable-default-log
+set firewall ipv4 name video-lan default-log
 set firewall ipv4 name video-lan rule 999 action 'drop'
 set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name video-lan rule 999 state invalid
@@ -635,7 +574,7 @@ set firewall ipv4 name video-lan rule 999 log
 # From VIDEO to LOCAL
 set firewall ipv4 name video-local default-action 'drop'
 set firewall ipv4 name video-local description 'From VIDEO to LOCAL'
-set firewall ipv4 name video-local enable-default-log
+set firewall ipv4 name video-local default-log
 set firewall ipv4 name video-local rule 50 action 'accept'
 set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp'
 set firewall ipv4 name video-local rule 50 destination port '67,68'
@@ -653,7 +592,7 @@ set firewall ipv4 name video-local rule 999 log
 # From VIDEO to SERVERS
 set firewall ipv4 name video-servers default-action 'drop'
 set firewall ipv4 name video-servers description 'From VIDEO to SERVERS'
-set firewall ipv4 name video-servers enable-default-log
+set firewall ipv4 name video-servers default-log
 set firewall ipv4 name video-servers rule 100 action 'accept'
 set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes'
 set firewall ipv4 name video-servers rule 100 protocol 'udp'
@@ -679,7 +618,7 @@ set firewall ipv4 name video-containers rule 999 log
 # From VIDEO to TRUSTED
 set firewall ipv4 name video-trusted default-action 'drop'
 set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED'
-set firewall ipv4 name video-trusted enable-default-log
+set firewall ipv4 name video-trusted default-log
 set firewall ipv4 name video-trusted rule 999 action 'drop'
 set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name video-trusted rule 999 state invalid
@@ -691,7 +630,7 @@ set firewall ipv4 name video-wan description 'From VIDEO to WAN'
 # From WAN to IOT
 set firewall ipv4 name wan-iot default-action 'drop'
 set firewall ipv4 name wan-iot description 'From WAN to IOT'
-set firewall ipv4 name wan-iot enable-default-log
+set firewall ipv4 name wan-iot default-log
 set firewall ipv4 name wan-iot rule 999 action 'drop'
 set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name wan-iot rule 999 state invalid
@@ -700,7 +639,7 @@ set firewall ipv4 name wan-iot rule 999 log
 # From WAN to LAN
 set firewall ipv4 name wan-lan default-action 'drop'
 set firewall ipv4 name wan-lan description 'From WAN to LAN'
-set firewall ipv4 name wan-lan enable-default-log
+set firewall ipv4 name wan-lan default-log
 set firewall ipv4 name wan-lan rule 999 action 'drop'
 set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name wan-lan rule 999 state invalid
@@ -709,7 +648,7 @@ set firewall ipv4 name wan-lan rule 999 log
 # From WAN to LOCAL
 set firewall ipv4 name wan-local default-action 'drop'
 set firewall ipv4 name wan-local description 'From WAN to LOCAL'
-set firewall ipv4 name wan-local enable-default-log
+set firewall ipv4 name wan-local default-log
 set firewall ipv4 name wan-local rule 1 action 'drop'
 set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid'
 set firewall ipv4 name wan-local rule 1 state invalid
@@ -722,7 +661,7 @@ set firewall ipv4 name wan-local rule 100 protocol 'udp'
 # From WAN to SERVERS
 set firewall ipv4 name wan-servers default-action 'drop'
 set firewall ipv4 name wan-servers description 'From WAN to SERVERS'
-set firewall ipv4 name wan-servers enable-default-log
+set firewall ipv4 name wan-servers default-log
 set firewall ipv4 name wan-servers rule 100 action 'accept'
 set firewall ipv4 name wan-servers rule 100 destination port 32400
 set firewall ipv4 name wan-servers rule 100 protocol 'tcp'
@@ -735,7 +674,7 @@ set firewall ipv4 name wan-servers rule 999 log
 # From WAN to CONTAINERS
 set firewall ipv4 name wan-containers default-action 'drop'
 set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS'
-set firewall ipv4 name wan-containers enable-default-log
+set firewall ipv4 name wan-containers default-log
 set firewall ipv4 name wan-containers rule 999 action 'drop'
 set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name wan-containers rule 999 state invalid
@@ -744,7 +683,7 @@ set firewall ipv4 name wan-containers rule 999 log
 # From WAN to TRUSTED
 set firewall ipv4 name wan-trusted default-action 'drop'
 set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED'
-set firewall ipv4 name wan-trusted enable-default-log
+set firewall ipv4 name wan-trusted default-log
 set firewall ipv4 name wan-trusted rule 999 action 'drop'
 set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name wan-trusted rule 999 state invalid
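Review bot: `wan-servers rule 100` is the only rule visible in this diff with no `description` and the only one whose port is unquoted (`destination port 32400` against `'32400'` in nat.sh rule 110), which stands out now that every ruleset header in the file has just been normalised; add `set firewall ipv4 name wan-servers rule 100 description 'Rule: accept_plex_from_wan'` and quote the port to match the rest. The remainder of rule 100 is outside the hunk, so I cannot see whether it also matches a destination address; since nat.sh translates this port to 10.1.1.12, a `destination address '10.1.1.12'` (or the `nas` group) match would keep this WAN-facing accept limited to the translated host rather than any server answering on 32400.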
@@ -753,8 +692,8 @@ set firewall ipv4 name wan-trusted rule 999 log
 # From WAN to VIDEO
 set firewall ipv4 name wan-video default-action 'drop'
 set firewall ipv4 name wan-video description 'From WAN to VIDEO'
-set firewall ipv4 name wan-video enable-default-log
+set firewall ipv4 name wan-video default-log
 set firewall ipv4 name wan-video rule 999 action 'drop'
 set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name wan-video rule 999 state invalid
-set firewall ipv4 name wan-video rule 999 log
\ No newline at end of file
+set firewall ipv4 name wan-video rule 999 log
diff --git a/config-parts/firewall-zone.sh b/config-parts/firewall-zone.sh
index 0ec1b97..32cf164 100644
--- a/config-parts/firewall-zone.sh
+++ b/config-parts/firewall-zone.sh
@@ -67,7 +67,6 @@ set firewall zone trusted from containers firewall name 'containers-trusted'
 set firewall zone trusted from video firewall name 'video-trusted'
 set firewall zone trusted from wan firewall name 'wan-trusted'
 set firewall zone trusted interface 'eth4.20'
-set firewall zone trusted interface 'wg01'
 
 # video
 set firewall zone video default-action 'drop'
@@ -89,4 +88,4 @@ set firewall zone wan from servers firewall name 'servers-wan'
 set firewall zone wan from containers firewall name 'containers-wan'
 set firewall zone wan from trusted firewall name 'trusted-wan'
 set firewall zone wan from video firewall name 'video-wan'
-set firewall zone wan interface 'eth0'
\ No newline at end of file
+set firewall zone wan interface 'eth5'
diff --git a/config-parts/firewall.sh b/config-parts/firewall.sh
index c33551a..ab0488f 100644
--- a/config-parts/firewall.sh
+++ b/config-parts/firewall.sh
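Review bot: Moving the wan zone from `eth0` to `eth5` leaves `eth0` in no zone that appears in this diff, and no interfaces.sh hunk in this commit removes or disables it; if the port is still configured and cabled, its traffic is no longer governed by the wan-* rulesets but by whatever VyOS does for a zoneless interface, which is implicit rather than stated in the config. Either delete the interface, add `set interfaces ethernet eth0 disable`, or assign it to a zone explicitly so the intended policy is visible rather than relying on an unplugged cable. The change does bring the zone in line with nat.sh, which already keyed DNAT rule 110 on `eth5` before this commit.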
@@ -8,13 +8,13 @@ set firewall global-options all-ping 'enable'
 # Address Groups
 set firewall group address-group router-addresses address 10.0.0.1
 set firewall group address-group router-addresses address 127.0.0.1
-set firewall group address-group k8s_nodes address '10.1.1.61-63' # master nodes
-set firewall group address-group k8s_nodes address '10.1.1.41-46' # worker nodes
+set firewall group address-group k8s_nodes address '10.1.1.61-10.1.1.63' # master nodes
+set firewall group address-group k8s_nodes address '10.1.1.41-10.1.1.46' # worker nodes
 set firewall group address-group k8s_api address '10.5.0.2'
 set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx
 set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx
 set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
-set firewall group address-group nas address '10.1.1.11-12'
+set firewall group address-group nas address '10.1.1.11-10.1.1.12'
 set firewall group address-group unifi_devices address '10.1.0.11'
 set firewall group address-group unifi_devices address '10.1.0.12'
 set firewall group address-group unifi_devices address '10.1.0.13'
@@ -24,6 +24,7 @@ set firewall group address-group unifi_devices address '10.1.0.23'
 set firewall group address-group unifi_devices address '10.1.0.24'
 set firewall group address-group vyos_unifi address '10.5.0.10'
 set firewall group network-group k8s_services network '10.45.0.0/16'
+set firewall group address-group sonos_players address '10.1.2.31'
 
 # Port groups
 set firewall group port-group wireguard port '51820'
diff --git a/config-parts/interfaces.sh b/config-parts/interfaces.sh
index 290a5fe..ad741f4 100644
--- a/config-parts/interfaces.sh
+++ b/config-parts/interfaces.sh
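Review bot: The new `sonos_players` address-group is appended after `network-group k8s_services`, which separates it from the other address-groups it belongs with; move it up beside `nas` or `unifi_devices` so the `# Address Groups` section stays address-groups first, network-groups last. In the trailing context, `set firewall group port-group wireguard port '51820'` looks orphaned now that interfaces.sh drops `wg01` in this commit, and the hunk header of the wan-servers change shows a `wan-local rule 100 protocol 'udp'` that is probably the matching inbound accept; if that rule is indeed the WireGuard one, remove it together with the port-group so the WAN-facing local policy does not keep an accept for a listener that no longer exists. The `SECRET_WIREGUARD_PRIVATE_KEY` value consumed by the removed `private-key` line can likewise be retired from the secrets file once nothing references it.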
@@ -16,16 +16,3 @@ set interfaces ethernet eth4 vif 30 description 'IOT'
 set interfaces ethernet eth4 vif 40 address '10.1.4.1/24'
 set interfaces ethernet eth4 vif 40 description 'VIDEO'
 
-set interfaces wireguard wg01 address '10.0.11.1/24'
-set interfaces wireguard wg01 description 'WIREGUARD'
-set interfaces wireguard wg01 peer ipad-jahanson allowed-ips '10.0.11.4/32'
-set interfaces wireguard wg01 peer ipad-jahanson persistent-keepalive '15'
-set interfaces wireguard wg01 peer ipad-jahanson public-key 'jv1XSCkzxGY0kBfLbF79gwLVOCmyCTUmSFd36QcwiWE='
-set interfaces wireguard wg01 peer iphone-jahanson allowed-ips '10.0.11.2/32'
-set interfaces wireguard wg01 peer iphone-jahanson persistent-keepalive '15'
-set interfaces wireguard wg01 peer iphone-jahanson public-key 'HHBmTzVQH1qt14rVqzxCUATkLRPGu5WisHyY9O4yTkM='
-set interfaces wireguard wg01 peer legion-jahanson allowed-ips '10.0.11.3/32'
-set interfaces wireguard wg01 peer legion-jahanson persistent-keepalive '15'
-set interfaces wireguard wg01 peer legion-jahanson public-key 'OA8fW79KEJej2lbZZY/Bf7EHcRjeiDowqIBwXGRLZ3A='
-set interfaces wireguard wg01 port '51820'
-set interfaces wireguard wg01 private-key "${SECRET_WIREGUARD_PRIVATE_KEY}"
diff --git a/config-parts/nat.sh b/config-parts/nat.sh
index ed57825..6561a5f 100644
--- a/config-parts/nat.sh
+++ b/config-parts/nat.sh
@@ -3,7 +3,7 @@
 # Forward Plex to Sting
 set nat destination rule 110 description 'PLEX'
 set nat destination rule 110 destination port '32400'
-set nat destination rule 110 inbound-interface 'eth5'
+set nat destination rule 110 inbound-interface name 'eth5'
 set nat destination rule 110 protocol 'tcp'
 set nat destination rule 110 translation address '10.1.1.12'
 set nat destination rule 110 translation port '32400'
diff --git a/scripts/vyos-postconfig-bootup.script b/scripts/vyos-postconfig-bootup.script
index 40be7bd..d0aa9ac 100755
--- a/scripts/vyos-postconfig-bootup.script
+++ b/scripts/vyos-postconfig-bootup.script
@@ -17,9 +17,10 @@ END
 tee -a /home/vyos/.bash_aliases </dev/null
 export SOPS_AGE_KEY_FILE=/config/secrets/age.key
 export GIT_SSH_COMMAND="ssh -i /config/secrets/id_ed25519"
-export VISUAL=vi
-export EDITOR=vi
+export VISUAL=vim
+export EDITOR=vim
 alias podman="sudo podman"
 END
 # Force X550 NIC to 2.5Gbps autonegotiation. Fixes a Intel driver issue.
-ethtool -s eth0 speed 2500 duplex full autoneg on
\ No newline at end of file
+#ethtool -s eth0 speed 2500 duplex full autoneg on
+systemctl start nextdns
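Review bot: `systemctl start nextdns` runs with no error handling, so if the unit is missing or fails to start the boot script carries on silently and the router can come up without the resolver it expects; change it to `systemctl start nextdns || printf 'nextdns failed to start\n' >&2` (or `systemctl enable --now nextdns` if the unit is not already enabled) so the failure at least appears in the boot log. The comment `# Force X550 NIC to 2.5Gbps autonegotiation. Fixes a Intel driver issue.` now describes a commented-out command; either delete both lines or reword the comment to say why it is disabled, e.g. `# ethtool speed fix for eth0 disabled: WAN moved to eth5 (see firewall-zone.sh)` if that is the reason. The `VISUAL`/`EDITOR` switch to vim is fine provided vim is present on the image, since `vi` was the guaranteed fallback.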