From 47aa54672ac02f27f4a59363ca727933092b7d91 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sat, 29 Jul 2023 06:50:41 -0500 Subject: [PATCH] re-building firewall rules. --- .envrc | 1 + .gitignore | 1 + apply-config.sh | 83 +- config-parts/container.sh | 25 - config-parts/firewall-name.sh | 1394 ++++++++++++------------ config-parts/firewall-zone.sh | 105 +- config-parts/firewall.sh | 45 +- config-parts/interfaces.sh | 10 +- config-parts/nat.sh | 16 +- config-parts/service-dhcp_server.sh | 108 +- config-parts/system.sh | 2 + containers/dnsdist/.gitignore | 9 - containers/dnsdist/config/dnsdist.conf | 93 -- 13 files changed, 880 insertions(+), 1012 deletions(-) create mode 100644 .envrc delete mode 100644 containers/dnsdist/.gitignore delete mode 100644 containers/dnsdist/config/dnsdist.conf
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..b2b9b57
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+export SOPS_AGE_KEY_FILE=$(expand_path ~/.config/sops/age/vyos.agekey)
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 21fc007..022604e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 !.gitignore
 !.gitattributes
 !.sops.yaml
+!.envrc
 !apply-config.sh
 !secret.sops.env
diff --git a/apply-config.sh b/apply-config.sh
index 5463ba6..e84e721 100755
--- a/apply-config.sh
+++ b/apply-config.sh
@@ -1,21 +1,23 @@
 #!/bin/vbash
 # shellcheck shell=bash
 # shellcheck source=/dev/null
-dry_run=false
+dry_run=true
 if [ "$(id -g -n)" != 'vyattacfg' ] ; then
-exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $@"
+exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"
 fi
-while getopts "d" options; do
+while getopts "c" options; do
 case "${options}" in
-d)
-dry_run=true
-;;
-*)
-echo 'error in command line parsing' >&2
-exit 1
-;;
+# -c Commit changes - default is dry-run
+c)
+echo 'Will commit changes'
+dry_run=false
+;;
+*)
+echo 'error in command line parsing' >&2
+exit 1
+;;
 esac
 done
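Review bot: The re-exec line `exec sg vyattacfg -c "/bin/vbash $(readlink -f "$0") $*"` still hands the script's arguments to a second shell as one flat string, so any argument containing whitespace or shell metacharacters is re-split and re-interpreted by the shell `sg -c` spawns; swapping `$@` for `$*` only silences the ShellCheck warning. With the sole option currently being `-c` this is latent, but the exact equivalent is `exec sg vyattacfg -c "/bin/vbash $(printf '%q ' "$(readlink -f "$0")" "$@")"`, which quotes each argument for the inner shell. The `# -c Commit changes - default is dry-run` comment sits between `in` and the first pattern of the `case`, which is legal but easy to misread; placing it above the `while getopts` line would keep the option help in one place.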
@@ -24,15 +26,39 @@ if [ -f "/config/secrets.sops.env" ]; then
 export SOPS_AGE_KEY_FILE=/config/secrets/age.key
 mapfile environmentAsArray < <(
-sops --decrypt "/config/secrets.sops.env" \
-| grep --invert-match '^#' \
-| grep --invert-match '^\s*$'
+sops --decrypt "/config/secrets.sops.env" |
+grep --invert-match '^#' |
+grep --invert-match '^\s*$'
 ) # Uses grep to remove commented and blank lines
 for variableDeclaration in "${environmentAsArray[@]}"; do
-export "${variableDeclaration//[$'\r\n']}" # The substitution removes the line breaks
+export "${variableDeclaration//[$'\r\n']/}" # The substitution removes the line breaks
 done
 fi
+# Apply environment to container (configuration) files
+restart_containers=""
+while IFS= read -r -d '' file
+do
+cfgfile="${file%.tmpl}"
+
+shafile=$file.sha256
+if ! test -e "$shafile"; then
+echo "rebuild" >"$shafile"
+fi
+
+newsha=$(envsubst <"$file" | shasum -a 256 | awk '{print $1}')
+oldsha=$(cat "$shafile")
+
+if ! test "$newsha" == "$oldsha"; then
+echo "Configuration changed for $file"
+if ! "$dry_run"; then
+envsubst <"$file" >"$cfgfile"
+echo "$newsha" >"$shafile"
+restart_containers="$restart_containers $(echo "$file" | awk -F / '{print $1}')"
+fi
+fi
+done < <(find containers -type f -name "*.tmpl" -print0)
+
 # Include VyOS specific functions and aliases
 source /opt/vyatta/etc/functions/script-template
@@ -40,8 +66,7 @@ source /opt/vyatta/etc/functions/script-template
 load /opt/vyatta/etc/config.boot.default
 # Load all config files
-for f in /config/config-parts/*.sh
-do
+for f in /config/config-parts/*.sh; do
 if [ -f "${f}" ]; then
 echo "Processing ${f}"
 source "${f}"
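Review bot: `restart_containers` never receives a container name: every path produced by `find containers -type f -name "*.tmpl" -print0` begins with `containers/`, so `awk -F / '{print $1}'` always yields the literal string `containers`, and the `run restart container "$container"` loop in the later hunk restarts nothing real. Take the second path component instead, e.g. `name=${file#containers/}` followed by `restart_containers="$restart_containers ${name%%/*}"`. Two smaller issues in the same loop: the `echo "rebuild" >"$shafile"` branch creates `.sha256` files even when `dry_run` is true, and the relative `containers` start path only works when the script is invoked from `/config`, whereas every other path in this file is absolute. Because `envsubst` presumably expands the sops-decrypted secrets into `$cfgfile`, the write should also happen under `umask 077` (or be followed by `chmod 600 "$cfgfile"`) so the rendered configuration is not readable by other local users.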
@@ -53,12 +78,11 @@ if "$dry_run"; then
 compare
 else
 # Pull new container images
-AVAILABLE_IMAGES=($(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }'))
-CONFIG_IMAGES=($(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq))
+mapfile -t AVAILABLE_IMAGES < <(run show container image | awk '{ if ( NR > 1 ) { print $1 ":" $2} }')
+mapfile -t CONFIG_IMAGES < <(sed -nr "s/set container name .* image '(.*)'/\1/p" /config/config-parts/* | uniq)
-for image in "${CONFIG_IMAGES[@]}"
-do
-if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ " ${image} " ]]; then
+for image in "${CONFIG_IMAGES[@]}"; do
+if [[ ! " ${AVAILABLE_IMAGES[*]} " =~ \ ${image}\ ]]; then
 echo "Pulling image ${image}"
 run add container image "${image}"
 fi
@@ -71,20 +95,25 @@ else
 # Clean obsolete container images
 IFS=$'\n' read -rd '' -a AVAILABLE_IMAGES <<<"$(run show container image | tail -n +2)"
-for image in "${AVAILABLE_IMAGES[@]}"
-do
+for image in "${AVAILABLE_IMAGES[@]}"; do
 image_name=$(echo "${image}" | awk '{ print $1 }')
 image_tag=$(echo "${image}" | awk '{ print $2 }')
 image_id=$(echo "${image}" | awk '{ print $3 }')
 image_name_tag="${image_name}:${image_tag}"
-if [[ ! " ${CONFIG_IMAGES[*]} " =~ " ${image_name_tag} " ]]; then
+if [[ ! " ${CONFIG_IMAGES[*]} " =~ \ ${image_name_tag}\ ]]; then
 echo "Removing container ${image_name_tag}"
 run delete container image "${image_id}"
 fi
 done
-# Clean annoying overlay* folders
-sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
+
+# Restart containers
+for container in $restart_containers; do
+run restart container "$container"
+done
 fi
-exit
+# Clean annoying overlay* folders
+sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
+
+exit
\ No newline at end of file
diff --git a/config-parts/container.sh b/config-parts/container.sh
index 6f2f1a2..ea260df 100644
--- a/config-parts/container.sh
+++ b/config-parts/container.sh
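Review bot: In `[[ ! " ${AVAILABLE_IMAGES[*]} " =~ \ ${image}\ ]]` the unquoted `${image}` is now interpreted as an extended regular expression, so the `.` in a reference like `docker.io/library/haproxy:2.8.1` matches any character and a `+` in a tag would change the meaning of the pattern entirely; the quoted form the commit replaces was a literal match, which is what the membership test needs. A glob comparison keeps the literal intent and does not trigger the ShellCheck warning: `if [[ " ${AVAILABLE_IMAGES[*]} " != *" ${image} "* ]]; then`. The same construction appears in the next hunk for `${image_name_tag}` and should get the same treatment. Both tests depend on `[*]` joining with a single space, which holds as long as image references never contain whitespace.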
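Review bot: Moving `sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;` below the `fi` makes it run on every invocation, including the new default dry-run, so a mode presented as read-only now deletes directories under `/config`. If the cleanup is meant to be unconditional, at least wrap it in `if ! "$dry_run"; then … fi`, or in dry-run mode replace `-exec rm -rf "{}" \;` with `-print` so the operator sees what would be removed. The `for container in $restart_containers` loop restarts a container once per changed template; piping the list through `tr ' ' '\n' | sort -u` or collecting names in an associative array would avoid redundant restarts. The `if "$dry_run"`/`else` block this hunk belongs to starts outside the hunk.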
@@ -3,19 +3,6 @@
 # Container networks
 set container network containers prefix '10.5.0.0/24'
-# cloudflare-ddns
-set container name cloudflare-ddns allow-host-networks
-set container name cloudflare-ddns environment CF_API_TOKEN value "${SECRET_CLOUDFLARE_DYNDNS_TOKEN}"
-set container name cloudflare-ddns environment DOMAINS value 'ipv4.jahanson.tech,ipv4.hsn.dev'
-set container name cloudflare-ddns environment IP6_PROVIDER value "none"
-set container name cloudflare-ddns environment TZ value 'America/Chicago'
-set container name cloudflare-ddns environment PGID value "1000"
-set container name cloudflare-ddns environment PUID value "1000"
-set container name cloudflare-ddns image 'docker.io/favonia/cloudflare-ddns:1.9.4'
-set container name cloudflare-ddns memory '0'
-set container name cloudflare-ddns restart 'on-failure'
-set container name cloudflare-ddns shared-memory '0'
-
 # bind
 set container name bind cap-add 'net-bind-service'
 set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
@@ -31,18 +18,6 @@ set container name bind volume cache source '/tmp/bind/cache'
 set container name bind volume cache destination '/var/cache/bind'
 set container name bind volume cache mode 'rw'
-# dnsdist
-set container name dnsdist cap-add 'net-bind-service'
-set container name dnsdist environment TZ value 'America/Chicago'
-set container name dnsdist image 'docker.io/powerdns/dnsdist-17:1.7.4'
-set container name dnsdist memory '0'
-set container name dnsdist network containers address '10.5.0.4'
-set container name dnsdist restart 'on-failure'
-set container name dnsdist shared-memory '0'
-set container name dnsdist volume config source '/config/containers/dnsdist/config/dnsdist.conf'
-set container name dnsdist volume config destination '/etc/dnsdist/dnsdist.conf'
-set container name dnsdist volume config mode 'ro'
-
 # haproxy-k8s-api
 set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.8.1'
 set container name haproxy-k8s-api memory '0'
diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh
index 932b9b9..4d3d90d 100644
--- a/config-parts/firewall-name.sh
+++ b/config-parts/firewall-name.sh
@@ -1,750 +1,780 @@ #!/bin/vbash -# From GUEST to IOT -set firewall name guest-iot default-action 'drop' -set firewall name guest-iot description 'From GUEST to IOT' -set firewall name guest-iot enable-default-log -set firewall name guest-iot rule 1 action 'accept' -set firewall name guest-iot rule 1 description 'Rule: accept_tcp_printer_from_allowed_devices' -set firewall name guest-iot rule 1 destination group address-group 'printers' -set firewall name guest-iot rule 1 destination port 'http,9100' -set firewall name guest-iot rule 1 protocol 'tcp' -set firewall name guest-iot rule 1 source group address-group 'printer_allowed' -set firewall name guest-iot rule 2 action 'accept' -set firewall name guest-iot rule 2 description 'Rule: accept_udp_printer_from_allowed_devices' -set firewall name guest-iot rule 2 destination group address-group 'printers' -set firewall name guest-iot rule 2 destination port '161' -set firewall name guest-iot rule 2 protocol 'udp' -set firewall name guest-iot rule 2 source group address-group 'printer_allowed' - -# From GUEST to LAN -set firewall name guest-lan default-action 'drop' -set firewall name guest-lan description 'From GUEST to LAN' -set firewall name guest-lan enable-default-log - -# From GUEST to LOCAL -set firewall name guest-local default-action 'drop' -set firewall name guest-local description 'From GUEST to LOCAL' -set firewall name guest-local enable-default-log -set firewall name guest-local rule 1 action 'accept' -set firewall name guest-local rule 1 description 'Rule: accept_dhcp' -set firewall name guest-local rule 1 destination port '67,68' -set firewall name guest-local rule 1 protocol 'udp' -set firewall name guest-local rule 1 source port '67,68' - -# From GUEST to SERVERS -set firewall name guest-servers default-action 'drop' -set firewall name guest-servers description 'From GUEST to SERVERS' -set firewall name guest-servers enable-default-log - -# From GUEST to CONTAINERS -set firewall name guest-containers 
default-action 'drop' -set firewall name guest-containers description 'From GUEST to CONTAINERS' -set firewall name guest-containers enable-default-log -set firewall name guest-containers rule 1 action 'accept' -set firewall name guest-containers rule 1 description 'Rule: accept_dns' -set firewall name guest-containers rule 1 destination port 'domain,domain-s' -set firewall name guest-containers rule 1 protocol 'tcp_udp' - -# From GUEST to TRUSTED -set firewall name guest-trusted default-action 'drop' -set firewall name guest-trusted description 'From GUEST to TRUSTED' -set firewall name guest-trusted enable-default-log - -# From GUEST to VIDEO -set firewall name guest-video default-action 'drop' -set firewall name guest-video description 'From GUEST to VIDEO' -set firewall name guest-video enable-default-log - -# From GUEST to WAN -set firewall name guest-wan default-action 'accept' -set firewall name guest-wan description 'From GUEST to WAN' - -# From IOT to GUEST -set firewall name iot-guest default-action 'drop' -set firewall name iot-guest description 'From IOT to GUEST' -set firewall name iot-guest enable-default-log - -# From IOT to LAN -set firewall name iot-lan default-action 'drop' -set firewall name iot-lan description 'From IOT to LAN' -set firewall name iot-lan enable-default-log - -# From IOT to LOCAL -set firewall name iot-local default-action 'drop' -set firewall name iot-local description 'From IOT to LOCAL' -set firewall name iot-local enable-default-log -set firewall name iot-local rule 1 action 'accept' -set firewall name iot-local rule 1 description 'Rule: accept_ssh' -set firewall name iot-local rule 1 destination port 'ssh' -set firewall name iot-local rule 1 protocol 'tcp' -set firewall name iot-local rule 2 action 'accept' -set firewall name iot-local rule 2 description 'Rule: accept_ntp' -set firewall name iot-local rule 2 destination port 'ntp' -set firewall name iot-local rule 2 protocol 'udp' -set firewall name iot-local rule 3 action 
'accept' -set firewall name iot-local rule 3 description 'Rule: accept_dhcp' -set firewall name iot-local rule 3 destination port '67,68' -set firewall name iot-local rule 3 protocol 'udp' -set firewall name iot-local rule 3 source port '67,68' -set firewall name iot-local rule 4 action 'accept' -set firewall name iot-local rule 4 description 'Rule: accept_igmp' -set firewall name iot-local rule 4 protocol '2' -set firewall name iot-local rule 5 action 'accept' -set firewall name iot-local rule 5 description 'Rule: accept_mdns' -set firewall name iot-local rule 5 destination port 'mdns' -set firewall name iot-local rule 5 protocol 'udp' -set firewall name iot-local rule 5 source port 'mdns' -set firewall name iot-local rule 6 action 'accept' -set firewall name iot-local rule 6 description 'Rule: accept_discovery_from_sonos_players' -set firewall name iot-local rule 6 destination port '1900,1901,1902' -set firewall name iot-local rule 6 protocol 'udp' -set firewall name iot-local rule 6 source group address-group 'sonos_players' -set firewall name iot-local rule 7 action 'accept' -set firewall name iot-local rule 7 description 'Rule: accept_discovery_from_sonos_controllers' -set firewall name iot-local rule 7 destination port '1900,1901,1902,57621' -set firewall name iot-local rule 7 protocol 'udp' -set firewall name iot-local rule 7 source group address-group 'sonos_controllers' -set firewall name iot-local rule 8 action 'accept' -set firewall name iot-local rule 8 description 'Rule: accept_dns' -set firewall name iot-local rule 8 destination port 'domain,domain-s' -set firewall name iot-local rule 8 protocol 'tcp_udp' - -# From IOT to SERVERS -set firewall name iot-servers default-action 'drop' -set firewall name iot-servers description 'From IOT to SERVERS' -set firewall name iot-servers enable-default-log -set firewall name iot-servers rule 1 action 'accept' -set firewall name iot-servers rule 1 description 'Rule: accept_nas_smb_from_scanners' -set firewall name 
iot-servers rule 1 destination group address-group 'nas' -set firewall name iot-servers rule 1 destination port 'microsoft-ds' -set firewall name iot-servers rule 1 protocol 'tcp' -set firewall name iot-servers rule 1 source group address-group 'scanners' -set firewall name iot-servers rule 2 action 'accept' -set firewall name iot-servers rule 2 description 'Rule: accept_plex_from_plex_clients' -set firewall name iot-servers rule 2 destination group address-group 'k8s_plex' -set firewall name iot-servers rule 2 destination port '32400' -set firewall name iot-servers rule 2 protocol 'tcp' -set firewall name iot-servers rule 2 source group address-group 'plex_clients' -set firewall name iot-servers rule 3 action 'accept' -set firewall name iot-servers rule 3 description 'Rule: accept_jellyfin_from_jellyfin_clients' -set firewall name iot-servers rule 3 destination group address-group 'k8s_jellyfin' -set firewall name iot-servers rule 3 destination port '8096' -set firewall name iot-servers rule 3 protocol 'tcp' -set firewall name iot-servers rule 3 source group address-group 'jellyfin_clients' -set firewall name iot-servers rule 4 action 'accept' -set firewall name iot-servers rule 4 description 'Rule: accept_mqtt_from_mqtt_clients' -set firewall name iot-servers rule 4 destination group address-group 'k8s_mqtt' -set firewall name iot-servers rule 4 destination port '1883' -set firewall name iot-servers rule 4 protocol 'tcp' -set firewall name iot-servers rule 4 source group address-group 'mqtt_clients' -set firewall name iot-servers rule 5 action 'accept' -set firewall name iot-servers rule 5 description 'Rule: accept_mqtt_from_esp' -set firewall name iot-servers rule 5 destination group address-group 'k8s_mqtt' -set firewall name iot-servers rule 5 destination port '1883' -set firewall name iot-servers rule 5 protocol 'tcp' -set firewall name iot-servers rule 5 source group address-group 'esp' -set firewall name iot-servers rule 6 action 'accept' -set firewall name 
iot-servers rule 6 description 'Rule: accept_k8s_ingress_from_sonos_players' -set firewall name iot-servers rule 6 destination group address-group 'k8s_ingress' -set firewall name iot-servers rule 6 destination port 'http,https' -set firewall name iot-servers rule 6 protocol 'tcp' -set firewall name iot-servers rule 6 source group address-group 'sonos_players' -set firewall name iot-servers rule 7 action 'accept' -set firewall name iot-servers rule 7 description 'Rule: accept_k8s_ingress_from_ereaders' -set firewall name iot-servers rule 7 destination group address-group 'k8s_ingress' -set firewall name iot-servers rule 7 destination port 'http,https' -set firewall name iot-servers rule 7 protocol 'tcp' -set firewall name iot-servers rule 7 source group address-group 'ereaders' -set firewall name iot-servers rule 8 action 'accept' -set firewall name iot-servers rule 8 description 'Rule: accept_k8s_ingress_from_wall_displays' -set firewall name iot-servers rule 8 destination group address-group 'k8s_ingress' -set firewall name iot-servers rule 8 destination port 'http,https' -set firewall name iot-servers rule 8 protocol 'tcp' -set firewall name iot-servers rule 8 source group address-group 'wall_displays' -set firewall name iot-servers rule 9 action 'accept' -set firewall name iot-servers rule 9 description 'Rule: accept_k8s_ingress_from_allowed_devices' -set firewall name iot-servers rule 9 destination group address-group 'k8s_ingress' -set firewall name iot-servers rule 9 destination port 'http,https' -set firewall name iot-servers rule 9 protocol 'tcp' -set firewall name iot-servers rule 9 source group address-group 'k8s_ingress_allowed' -set firewall name iot-servers rule 10 action 'accept' -set firewall name iot-servers rule 10 description 'Rule: accept_vector_journald_from_allowed_devices' -set firewall name iot-servers rule 10 destination group address-group 'k8s_vector_aggregator' -set firewall name iot-servers rule 10 destination port '6002' -set firewall 
name iot-servers rule 10 protocol 'tcp' -set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed' - -# From IOT to CONTAINERS -set firewall name iot-containers default-action 'accept' -set firewall name iot-containers description 'From IOT to CONTAINERS' -set firewall name iot-containers rule 1 action 'accept' -set firewall name iot-containers rule 1 description 'Rule: accept_dns' -set firewall name iot-containers rule 1 destination port 'domain,domain-s' -set firewall name iot-containers rule 1 protocol 'tcp_udp' - -# From IOT to TRUSTED -set firewall name iot-trusted default-action 'drop' -set firewall name iot-trusted description 'From IOT to TRUSTED' -set firewall name iot-trusted enable-default-log -set firewall name iot-trusted rule 1 action 'accept' -set firewall name iot-trusted rule 1 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers' -set firewall name iot-trusted rule 1 destination group address-group 'sonos_controllers' -set firewall name iot-trusted rule 1 destination port '30000-65535' -set firewall name iot-trusted rule 1 protocol 'udp' -set firewall name iot-trusted rule 1 source group address-group 'sonos_players' -set firewall name iot-trusted rule 2 action 'accept' -set firewall name iot-trusted rule 2 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers' -set firewall name iot-trusted rule 2 destination group address-group 'sonos_controllers' -set firewall name iot-trusted rule 2 destination port '1400,3400,3401,3500,30000-65535' -set firewall name iot-trusted rule 2 protocol 'tcp' -set firewall name iot-trusted rule 2 source group address-group 'sonos_players' - -# From IOT to VIDEO -set firewall name iot-video default-action 'drop' -set firewall name iot-video description 'From IOT to VIDEO' -set firewall name iot-video enable-default-log - -# From IOT to WAN -set firewall name iot-wan default-action 'accept' -set firewall name iot-wan description 'From IOT to WAN' - -# 
From LAN to GUEST -set firewall name lan-guest default-action 'drop' -set firewall name lan-guest description 'From LAN to GUEST' -set firewall name lan-guest enable-default-log - -# From LAN to GUEST -set firewall name lan-iot default-action 'drop' -set firewall name lan-iot description 'From LAN to IOT' -set firewall name lan-iot enable-default-log - -# From LAN to LOCAL -set firewall name lan-local default-action 'drop' -set firewall name lan-local description 'From LAN to LOCAL' -set firewall name lan-local enable-default-log -set firewall name lan-local rule 1 action 'accept' -set firewall name lan-local rule 1 description 'Rule: accept_ssh' -set firewall name lan-local rule 1 destination port 'ssh' -set firewall name lan-local rule 1 protocol 'tcp' -set firewall name lan-local rule 2 action 'accept' -set firewall name lan-local rule 2 description 'Rule: accept_ntp' -set firewall name lan-local rule 2 destination port 'ntp' -set firewall name lan-local rule 2 protocol 'udp' -set firewall name lan-local rule 3 action 'accept' -set firewall name lan-local rule 3 description 'Rule: accept_dhcp' -set firewall name lan-local rule 3 destination port '67,68' -set firewall name lan-local rule 3 protocol 'udp' -set firewall name lan-local rule 3 source port '67,68' -set firewall name lan-local rule 4 action 'accept' -set firewall name lan-local rule 4 description 'Rule: accept_node_speed_exporter' -set firewall name lan-local rule 4 destination port '9798,9100' -set firewall name lan-local rule 4 protocol 'tcp' -set firewall name lan-local rule 5 action 'accept' -set firewall name lan-local rule 5 description 'Rule: accept perfmon3' -set firewall name lan-local rule 5 destination port '5201' -set firewall name lan-local rule 5 protocol 'tcp' - -# From LAN to SERVERS -set firewall name lan-servers default-action 'drop' -set firewall name lan-servers description 'From LAN to SERVERS' -set firewall name lan-servers enable-default-log -set firewall name lan-servers rule 1 
action 'accept' -set firewall name lan-servers rule 1 description 'Rule: accept_icmp' -set firewall name lan-servers rule 1 protocol 'icmp' - -# From LAN to CONTAINERS -set firewall name lan-containers default-action 'accept' -set firewall name lan-containers description 'From LAN to CONTAINERS' -set firewall name lan-containers rule 1 action 'accept' -set firewall name lan-containers rule 1 description 'Rule: accept_dns' -set firewall name lan-containers rule 1 destination port 'domain,domain-s' -set firewall name lan-containers rule 1 protocol 'tcp_udp' - -# From LAN to TRUSTED -set firewall name lan-trusted default-action 'drop' -set firewall name lan-trusted description 'From LAN to TRUSTED' -set firewall name lan-trusted enable-default-log - -# From LAN to VIDEO -set firewall name lan-video default-action 'drop' -set firewall name lan-video description 'From LAN to VIDEO' -set firewall name lan-video enable-default-log - -# From LAN to WAN -set firewall name lan-wan default-action 'accept' -set firewall name lan-wan description 'From LAN to WAN' - -# From LOCAL to GUEST -set firewall name local-guest default-action 'drop' -set firewall name local-guest description 'From LOCAL to GUEST' -set firewall name local-guest enable-default-log - # From LOCAL to IOT set firewall name local-iot default-action 'drop' set firewall name local-iot description 'From LOCAL to IOT' set firewall name local-iot enable-default-log -set firewall name local-iot rule 1 action 'accept' -set firewall name local-iot rule 1 description 'Rule: accept_igmp' -set firewall name local-iot rule 1 protocol '2' -set firewall name local-iot rule 2 action 'accept' -set firewall name local-iot rule 2 description 'Rule: accept_mdns' -set firewall name local-iot rule 2 destination port 'mdns' -set firewall name local-iot rule 2 protocol 'udp' -set firewall name local-iot rule 2 source port 'mdns' -set firewall name local-iot rule 3 action 'accept' -set firewall name local-iot rule 3 description 
'Rule: accept_discovery_from_sonos_controllers' -set firewall name local-iot rule 3 destination port '1900,1901,1902,57621' -set firewall name local-iot rule 3 protocol 'udp' -set firewall name local-iot rule 3 source group address-group 'sonos_controllers' +set firewall name local-iot rule 100 action 'accept' +set firewall name local-iot rule 100 description 'Rule: accept_igmp' +set firewall name local-iot rule 100 protocol '2' +set firewall name local-iot rule 110 action 'accept' +set firewall name local-iot rule 110 description 'Rule: accept_mdns' +set firewall name local-iot rule 110 destination port 'mdns' +set firewall name local-iot rule 110 protocol 'udp' +set firewall name local-iot rule 110 source port 'mdns' +set firewall name local-iot rule 200 action 'accept' +set firewall name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers' +set firewall name local-iot rule 200 destination port '1900,1901,1902,57621' +set firewall name local-iot rule 200 protocol 'udp' +set firewall name local-iot rule 200 source group address-group 'sonos_controllers' +set firewall name local-iot rule 999 action 'drop' +set firewall name local-iot rule 999 description 'Rule: drop_invalid' +set firewall name local-iot rule 999 state invalid 'enable' +set firewall name local-iot rule 999 log 'enable' # From LOCAL to LAN set firewall name local-lan default-action 'drop' set firewall name local-lan description 'From LOCAL to LAN' set firewall name local-lan enable-default-log +set firewall name local-lan rule 999 action 'drop' +set firewall name local-lan rule 999 description 'Rule: drop_invalid' +set firewall name local-lan rule 999 state invalid 'enable' +set firewall name local-lan rule 999 log 'enable' # From LOCAL to SERVERS set firewall name local-servers default-action 'drop' set firewall name local-servers description 'From LOCAL to SERVERS' set firewall name local-servers enable-default-log -set firewall name local-servers rule 1 action 'accept' 
-set firewall name local-servers rule 1 description 'Rule: accept_bgp' -set firewall name local-servers rule 1 destination port 'bgp' -set firewall name local-servers rule 1 protocol 'tcp' -set firewall name local-servers rule 2 action 'accept' -set firewall name local-servers rule 2 description 'Rule: accept_k8s_api' -set firewall name local-servers rule 2 destination port '6443' -set firewall name local-servers rule 2 protocol 'tcp' -set firewall name local-servers rule 3 action 'accept' -set firewall name local-servers rule 3 description 'Rule: accept_dns' -set firewall name local-servers rule 3 destination port 'domain,domain-s' -set firewall name local-servers rule 3 protocol 'tcp_udp' -set firewall name local-servers rule 4 action 'accept' -set firewall name local-servers rule 4 description 'Rule: accept_vector_syslog' -set firewall name local-servers rule 4 destination group address-group 'k8s_vector_aggregator' -set firewall name local-servers rule 4 destination port '6001' -set firewall name local-servers rule 4 protocol 'tcp' +set firewall name local-servers rule 40 action 'accept' +set firewall name local-servers rule 40 description 'Rule: accept_dns' +set firewall name local-servers rule 40 destination port 'domain,domain-s' +set firewall name local-servers rule 40 protocol 'tcp_udp' +set firewall name local-servers rule 70 action 'accept' +set firewall name local-servers rule 70 description 'Rule: accept_bgp' +set firewall name local-servers rule 70 destination port 'bgp' +set firewall name local-servers rule 70 protocol 'tcp' +set firewall name local-servers rule 100 action 'accept' +set firewall name local-servers rule 100 description 'Rule: accept_k8s_api' +set firewall name local-servers rule 100 destination port '6443' +set firewall name local-servers rule 100 protocol 'tcp' +set firewall name local-servers rule 200 action 'accept' +set firewall name local-servers rule 200 description 'Rule: accept_vector_syslog' +set firewall name local-servers 
rule 200 destination group address-group 'k8s_vector_aggregator' +set firewall name local-servers rule 200 destination port '6001' +set firewall name local-servers rule 200 protocol 'tcp' +set firewall name local-servers rule 999 action 'drop' +set firewall name local-servers rule 999 description 'Rule: drop_invalid' +set firewall name local-servers rule 999 state invalid 'enable' +set firewall name local-servers rule 999 log 'enable' # From LOCAL to CONTAINERS set firewall name local-containers default-action 'accept' set firewall name local-containers description 'From LOCAL to CONTAINERS' -set firewall name local-containers rule 1 action 'accept' -set firewall name local-containers rule 1 description 'Rule: accept_dns' -set firewall name local-containers rule 1 destination port 'domain,domain-s' -set firewall name local-containers rule 1 protocol 'tcp_udp' +set firewall name local-containers rule 40 action 'accept' +set firewall name local-containers rule 40 description 'Rule: accept_dns' +set firewall name local-containers rule 40 destination port 'domain,domain-s' +set firewall name local-containers rule 40 protocol 'tcp_udp' +set firewall name local-containers rule 999 action 'drop' +set firewall name local-containers rule 999 description 'Rule: drop_invalid' +set firewall name local-containers rule 999 state invalid 'enable' +set firewall name local-containers rule 999 log 'enable' # From LOCAL to TRUSTED set firewall name local-trusted default-action 'drop' set firewall name local-trusted description 'From LOCAL to TRUSTED' set firewall name local-trusted enable-default-log -set firewall name local-trusted rule 1 action 'accept' -set firewall name local-trusted rule 1 description 'Rule: accept_igmp' -set firewall name local-trusted rule 1 protocol '2' -set firewall name local-trusted rule 2 action 'accept' -set firewall name local-trusted rule 2 description 'Rule: accept_mdns' -set firewall name local-trusted rule 2 destination port 'mdns' -set firewall 
name local-trusted rule 2 protocol 'udp'
-set firewall name local-trusted rule 2 source port 'mdns'
-set firewall name local-trusted rule 3 action 'accept'
-set firewall name local-trusted rule 3 description 'Rule: accept_discovery_from_sonos_players'
-set firewall name local-trusted rule 3 destination port '1900,1901,1902'
-set firewall name local-trusted rule 3 protocol 'udp'
-set firewall name local-trusted rule 3 source group address-group 'sonos_players'
+set firewall name local-trusted rule 100 action 'accept'
+set firewall name local-trusted rule 100 description 'Rule: accept_igmp'
+set firewall name local-trusted rule 100 protocol '2'
+set firewall name local-trusted rule 110 action 'accept'
+set firewall name local-trusted rule 110 description 'Rule: accept_mdns'
+set firewall name local-trusted rule 110 destination port 'mdns'
+set firewall name local-trusted rule 110 protocol 'udp'
+set firewall name local-trusted rule 110 source port 'mdns'
+set firewall name local-trusted rule 200 action 'accept'
+set firewall name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
+set firewall name local-trusted rule 200 destination port '1900,1901,1902'
+set firewall name local-trusted rule 200 protocol 'udp'
+set firewall name local-trusted rule 200 source group address-group 'sonos_players'
+set firewall name local-trusted rule 300 action 'accept'
+set firewall name local-trusted rule 300 description 'Rule: accept_wireguard'
+set firewall name local-trusted rule 300 source port '51820'
+set firewall name local-trusted rule 300 protocol 'udp'
+set firewall name local-trusted rule 999 action 'drop'
+set firewall name local-trusted rule 999 description 'Rule: drop_invalid'
+set firewall name local-trusted rule 999 state invalid 'enable'
+set firewall name local-trusted rule 999 log 'enable'
 # From LOCAL to VIDEO
 set firewall name local-video default-action 'drop'
 set firewall name local-video description 'From LOCAL to VIDEO'
 set firewall name local-video enable-default-log
+set firewall name local-video rule 999 action 'drop'
+set firewall name local-video rule 999 description 'Rule: drop_invalid'
+set firewall name local-video rule 999 state invalid 'enable'
+set firewall name local-video rule 999 log 'enable'
 # From LOCAL to WAN
 set firewall name local-wan default-action 'accept'
 set firewall name local-wan description 'From LOCAL to WAN'
-# From SERVERS to GUEST
-set firewall name servers-guest default-action 'drop'
-set firewall name servers-guest description 'From SERVERS to GUEST'
-set firewall name servers-guest enable-default-log
-
-# From SERVERS to IOT
-set firewall name servers-iot default-action 'drop'
-set firewall name servers-iot description 'From SERVERS to IOT'
-set firewall name servers-iot enable-default-log
-set firewall name servers-iot rule 1 action 'accept'
-set firewall name servers-iot rule 1 description 'Rule: accept_icmp'
-set firewall name servers-iot rule 1 protocol 'icmp'
-set firewall name servers-iot rule 2 action 'accept'
-set firewall name servers-iot rule 2 description 'Rule: accept_p1reader_from_k8s_nodes'
-set firewall name servers-iot rule 2 destination port '8088'
-set firewall name servers-iot rule 2 protocol 'tcp'
-set firewall name servers-iot rule 2 source group address-group 'k8s_nodes'
-set firewall name servers-iot rule 3 action 'accept'
-set firewall name servers-iot rule 3 description 'Rule: accept_adb_from_k8s_nodes'
-set firewall name servers-iot rule 3 destination group address-group 'android_tv_players'
-set firewall name servers-iot rule 3 destination port '5555'
-set firewall name servers-iot rule 3 protocol 'tcp'
-set firewall name servers-iot rule 3 source group address-group 'k8s_nodes'
-set firewall name servers-iot rule 4 action 'accept'
-set firewall name servers-iot rule 4 description 'Rule: accept_3d_printer_control_from_k8s_nodes'
-set firewall name servers-iot rule 4 destination group address-group '3d_printer_controllers'
-set firewall name servers-iot rule 4 destination port '7125'
-set firewall name servers-iot rule 4 protocol 'tcp'
-set firewall name servers-iot rule 4 source group address-group 'k8s_nodes'
-set firewall name servers-iot rule 5 action 'accept'
-set firewall name servers-iot rule 5 description 'Rule: accept_k8s_nodes'
-set firewall name servers-iot rule 5 protocol 'tcp'
-set firewall name servers-iot rule 5 source group address-group 'k8s_nodes'
-
-# From SERVERS to LAN
-set firewall name servers-lan default-action 'drop'
-set firewall name servers-lan description 'From SERVERS to LAN'
-set firewall name servers-lan enable-default-log
-set firewall name servers-lan rule 1 action 'accept'
-set firewall name servers-lan rule 1 description 'Rule: accept_icmp'
-set firewall name servers-lan rule 1 protocol 'icmp'
-
-# From SERVERS to LOCAL
-set firewall name servers-local default-action 'drop'
-set firewall name servers-local description 'From SERVERS to LOCAL'
-set firewall name servers-local enable-default-log
-set firewall name servers-local rule 1 action 'accept'
-set firewall name servers-local rule 1 description 'Rule: accept_icmp'
-set firewall name servers-local rule 1 protocol 'icmp'
-set firewall name servers-local rule 2 action 'accept'
-set firewall name servers-local rule 2 description 'Rule: accept_ntp'
-set firewall name servers-local rule 2 destination port 'ntp'
-set firewall name servers-local rule 2 protocol 'udp'
-set firewall name servers-local rule 3 action 'accept'
-set firewall name servers-local rule 3 description 'Rule: accept_dhcp'
-set firewall name servers-local rule 3 destination port '67,68'
-set firewall name servers-local rule 3 protocol 'udp'
-set firewall name servers-local rule 3 source port '67,68'
-set firewall name servers-local rule 4 action 'accept'
-set firewall name servers-local rule 4 description 'Rule: accept_bgp'
-set firewall name servers-local rule 4 destination port 'bgp'
-set firewall name servers-local rule 4 protocol 'tcp'
-set firewall name servers-local rule 5 action 'accept'
-set firewall name servers-local rule 5 description 'Rule: accept_tftp'
-set firewall name servers-local rule 5 destination port '69'
-set firewall name servers-local rule 5 protocol 'udp'
-set firewall name servers-local rule 6 action 'accept'
-set firewall name servers-local rule 6 description 'Rule: accept_node_exporter_from_k8s_nodes'
-set firewall name servers-local rule 6 destination port '9100'
-set firewall name servers-local rule 6 protocol 'tcp'
-set firewall name servers-local rule 6 source group address-group 'k8s_nodes'
-set firewall name servers-local rule 7 action 'accept'
-set firewall name servers-local rule 7 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
-set firewall name servers-local rule 7 destination port '9798'
-set firewall name servers-local rule 7 protocol 'tcp'
-set firewall name servers-local rule 7 source group address-group 'k8s_nodes'
-# TODO: Needed because of MetalLB?
-set firewall name servers-local rule 8 action 'accept'
-set firewall name servers-local rule 8 description 'Rule: accept_bgp_2'
-set firewall name servers-local rule 8 destination port '3784'
-set firewall name servers-local rule 8 protocol 'udp'
-set firewall name servers-local rule 8 source group address-group 'k8s_nodes'
-set firewall name servers-local rule 9 action 'accept'
-set firewall name servers-local rule 9 description 'Rule: accept_dns'
-set firewall name servers-local rule 9 destination port 'domain,domain-s'
-set firewall name servers-local rule 9 protocol 'tcp_udp'
-
-# From SERVERS to CONTAINERS
-set firewall name servers-containers default-action 'accept'
-set firewall name servers-containers description 'From SERVERS to CONTAINERS'
-set firewall name servers-containers enable-default-log
-set firewall name servers-containers rule 1 action 'accept'
-set firewall name servers-containers rule 1 description 'Rule: accept_dns'
-set firewall name servers-containers rule 1 destination port 'domain,domain-s'
-set firewall name servers-containers rule 1 protocol 'tcp_udp'
-set firewall name servers-containers rule 2 action 'accept'
-set firewall name servers-containers rule 2 description 'Rule: accept_k8s_api'
-set firewall name servers-containers rule 2 destination port '6443'
-set firewall name servers-containers rule 2 protocol 'tcp'
-
-# From SERVERS to TRUSTED
-set firewall name servers-trusted default-action 'drop'
-set firewall name servers-trusted description 'From SERVERS to TRUSTED'
-set firewall name servers-trusted enable-default-log
-set firewall name servers-trusted rule 1 action 'accept'
-set firewall name servers-trusted rule 1 description 'Rule: accept_icmp'
-set firewall name servers-trusted rule 1 protocol 'icmp'
-
-# From SERVERS to VIDEO
-set firewall name servers-video default-action 'drop'
-set firewall name servers-video description 'From SERVERS to VIDEO'
-set firewall name servers-video enable-default-log
-set firewall name servers-video rule 1 action 'accept'
-set firewall name servers-video rule 1 description 'Rule: accept_icmp'
-set firewall name servers-video rule 1 protocol 'icmp'
-set firewall name servers-video rule 2 action 'accept'
-set firewall name servers-video rule 2 description 'Rule: accept_k8s_nodes'
-set firewall name servers-video rule 2 protocol 'tcp_udp'
-set firewall name servers-video rule 2 source group address-group 'k8s_nodes'
-
-# From SERVERS to WAN
-set firewall name servers-wan default-action 'accept'
-set firewall name servers-wan description 'From SERVERS to WAN'
-
-# From CONTAINERS to GUEST
-set firewall name containers-guest default-action 'drop'
-set firewall name containers-guest description 'From CONTAINERS to GUEST'
-set firewall name containers-guest enable-default-log
-
-# From CONTAINERS to IOT
-set firewall name containers-iot default-action 'drop'
-set firewall name containers-iot description 'From CONTAINERS to IOT'
-set firewall name containers-iot enable-default-log
-
-# From CONTAINERS to LAN
-set firewall name containers-lan default-action 'drop'
-set firewall name containers-lan description 'From CONTAINERS to LAN'
-set firewall name containers-lan enable-default-log
-
-# From CONTAINERS to LOCAL
-set firewall name containers-local default-action 'drop'
-set firewall name containers-local description 'From CONTAINERS to LOCAL'
-set firewall name containers-local enable-default-log
-set firewall name containers-local rule 1 action 'accept'
-set firewall name containers-local rule 1 description 'Rule: accept_ntp'
-set firewall name containers-local rule 1 destination port 'ntp'
-set firewall name containers-local rule 1 protocol 'udp'
-set firewall name containers-local rule 2 action 'accept'
-set firewall name containers-local rule 2 description 'Rule: accept_dhcp'
-set firewall name containers-local rule 2 destination port '67,68'
-set firewall name containers-local rule 2 protocol 'udp'
-set firewall name containers-local rule 2 source port '67,68'
-
-# From CONTAINERS to SERVERS
-set firewall name containers-servers default-action 'accept'
-set firewall name containers-servers description 'From CONTAINERS to SERVERS'
-set firewall name containers-servers rule 1 action 'accept'
-set firewall name containers-servers rule 1 description 'Rule: accept_icmp'
-set firewall name containers-servers rule 1 protocol 'icmp'
-
-# From CONTAINERS to TRUSTED
-set firewall name containers-trusted default-action 'drop'
-set firewall name containers-trusted description 'From CONTAINERS to TRUSTED'
-set firewall name containers-trusted enable-default-log
-
-# From CONTAINERS to VIDEO
-set firewall name containers-video default-action 'drop'
-set firewall name containers-video description 'From CONTAINERS to VIDEO'
-set firewall name containers-video enable-default-log
-
-# From CONTAINERS to WAN
-set firewall name containers-wan default-action 'accept'
-set firewall name containers-wan description 'From CONTAINERS to WAN'
-
-# From TRUSTED to GUEST
-set firewall name trusted-guest default-action 'drop'
-set firewall name trusted-guest description 'From TRUSTED to GUEST'
-set firewall name trusted-guest enable-default-log
-
-# From TRUSTED to IOT
-set firewall name trusted-iot default-action 'accept'
-set firewall name trusted-iot description 'From TRUSTED to IOT'
-set firewall name trusted-iot rule 1 action 'accept'
-set firewall name trusted-iot rule 1 description 'Rule: accept_icmp'
-set firewall name trusted-iot rule 1 protocol 'icmp'
-set firewall name trusted-iot rule 2 action 'accept'
-set firewall name trusted-iot rule 2 description 'Rule: accept_app_control_from_sonos_controllers_tcp'
-set firewall name trusted-iot rule 2 destination port '80,443,445,1400,3400,3401,3500,4070,4444'
-set firewall name trusted-iot rule 2 protocol 'tcp'
-set firewall name trusted-iot rule 2 source group address-group 'sonos_controllers'
-set firewall name trusted-iot rule 3 action 'accept'
-set firewall name trusted-iot rule 3 description 'Rule: accept_app_control_from_sonos_controllers_udp'
-set firewall name trusted-iot rule 3 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969'
-set firewall name trusted-iot rule 3 protocol 'udp'
-set firewall name trusted-iot rule 3 source group address-group 'sonos_controllers'
-
-# From TRUSTED to LAN
-set firewall name trusted-lan default-action 'accept'
-set firewall name trusted-lan description 'From TRUSTED to LAN'
-
-# From TRUSTED to LOCAL
-set firewall name trusted-local default-action 'drop'
-set firewall name trusted-local description 'From TRUSTED to LOCAL'
-set firewall name trusted-local enable-default-log
-set firewall name trusted-local rule 1 action 'accept'
-set firewall name trusted-local rule 1 description 'Rule: accept_icmp'
-set firewall name trusted-local rule 1 protocol 'icmp'
-set firewall name trusted-local rule 2 action 'accept'
-set firewall name trusted-local rule 2 description 'Rule: accept_ssh'
-set firewall name trusted-local rule 2 destination port 'ssh'
-set firewall name trusted-local rule 2 protocol 'tcp'
-set firewall name trusted-local rule 3 action 'accept'
-set firewall name trusted-local rule 3 description 'Rule: accept_ntp'
-set firewall name trusted-local rule 3 destination port 'ntp'
-set firewall name trusted-local rule 3 protocol 'udp'
-set firewall name trusted-local rule 4 action 'accept'
-set firewall name trusted-local rule 4 description 'Rule: accept_dhcp'
-set firewall name trusted-local rule 4 destination port '67,68'
-set firewall name trusted-local rule 4 protocol 'udp'
-set firewall name trusted-local rule 4 source port '67,68'
-set firewall name trusted-local rule 5 action 'accept'
-set firewall name trusted-local rule 5 description 'Rule: accept_igmp'
-set firewall name trusted-local rule 5 protocol '2'
-set firewall name trusted-local rule 6 action 'accept'
-set firewall name trusted-local rule 6 description 'Rule: accept_mdns'
-set firewall name trusted-local rule 6 destination port 'mdns'
-set firewall name trusted-local rule 6 protocol 'udp'
-set firewall name trusted-local rule 6 source port 'mdns'
-set firewall name trusted-local rule 7 action 'accept'
-set firewall name trusted-local rule 7 description 'Rule: accept_wireguard'
-set firewall name trusted-local rule 7 destination port '51820'
-set firewall name trusted-local rule 7 protocol 'udp'
-set firewall name trusted-local rule 8 action 'accept'
-set firewall name trusted-local rule 8 description 'Rule: accept_vyos_api'
-set firewall name trusted-local rule 8 destination port '8443'
-set firewall name trusted-local rule 8 protocol 'tcp'
-set firewall name trusted-local rule 9 action 'accept'
-set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_players'
-set firewall name trusted-local rule 9 destination port '1900,1901,1902'
-set firewall name trusted-local rule 9 protocol 'udp'
-set firewall name trusted-local rule 9 source group address-group 'sonos_players'
-set firewall name trusted-local rule 10 action 'accept'
-set firewall name trusted-local rule 10 description 'Rule: accept_discovery_from_sonos_controllers'
-set firewall name trusted-local rule 10 destination port '1900,1901,1902,57621'
-set firewall name trusted-local rule 10 protocol 'udp'
-set firewall name trusted-local rule 10 source group address-group 'sonos_controllers'
-set firewall name trusted-local rule 11 action 'accept'
-set firewall name trusted-local rule 11 description 'Rule: accept_dns'
-set firewall name trusted-local rule 11 destination port 'domain,domain-s'
-set firewall name trusted-local rule 11 protocol 'tcp_udp'
-
-# From TRUSTED to SERVERS
-set firewall name trusted-servers default-action 'accept'
-set firewall name trusted-servers description 'From TRUSTED to SERVERS'
-set firewall name trusted-servers rule 1 action 'accept'
-set firewall name trusted-servers rule 1 description 'Rule: accept_icmp'
-set firewall name trusted-servers rule 1 protocol 'icmp'
-
-# From TRUSTED to CONTAINERS
-set firewall name trusted-containers default-action 'accept'
-set firewall name trusted-containers description 'From TRUSTED to CONTAINERS'
-set firewall name trusted-containers rule 1 action 'accept'
-set firewall name trusted-containers rule 1 description 'Rule: accept_dns'
-set firewall name trusted-containers rule 1 destination port 'domain,domain-s'
-set firewall name trusted-containers rule 1 protocol 'tcp_udp'
-
-# From TRUSTED to VIDEO
-set firewall name trusted-video default-action 'accept'
-set firewall name trusted-video description 'From TRUSTED to VIDEO'
-set firewall name trusted-video rule 1 action 'accept'
-set firewall name trusted-video rule 1 description 'Rule: accept_icmp'
-set firewall name trusted-video rule 1 protocol 'icmp'
-
-# From TRUSTED to WAN
-set firewall name trusted-wan default-action 'accept'
-set firewall name trusted-wan description 'From TRUSTED to WAN'
-
-# From VIDEO to GUEST
-set firewall name video-guest default-action 'drop'
-set firewall name video-guest description 'From VIDEO to GUEST'
-set firewall name video-guest enable-default-log
-
-# From VIDEO to IOT
-set firewall name video-iot default-action 'drop'
-set firewall name video-iot description 'From VIDEO to IOT'
-set firewall name video-iot enable-default-log
-
-# From VIDEO to LAN
-set firewall name video-lan default-action 'drop'
-set firewall name video-lan description 'From VIDEO to LAN'
-set firewall name video-lan enable-default-log
-
-# From VIDEO to LOCAL
-set firewall name video-local default-action 'drop'
-set firewall name video-local description 'From VIDEO to LOCAL'
-set firewall name video-local enable-default-log
-set firewall name video-local rule 1 action 'accept'
-set firewall name video-local rule 1 description 'Rule: accept_ntp'
-set firewall name video-local rule 1 destination port 'ntp'
-set firewall name video-local rule 1 protocol 'udp'
-set firewall name video-local rule 2 action 'accept'
-set firewall name video-local rule 2 description 'Rule: accept_dhcp'
-set firewall name video-local rule 2 destination port '67,68'
-set firewall name video-local rule 2 protocol 'udp'
-set firewall name video-local rule 2 source port '67,68'
-
-# From VIDEO to SERVERS
-set firewall name video-servers default-action 'drop'
-set firewall name video-servers description 'From VIDEO to SERVERS'
-set firewall name video-servers enable-default-log
-set firewall name video-servers rule 1 action 'accept'
-set firewall name video-servers rule 1 description 'Rule: accept_hass_ingress_from_allowed_devices'
-set firewall name video-servers rule 1 destination group address-group 'k8s_hass'
-set firewall name video-servers rule 1 destination port '8123'
-set firewall name video-servers rule 1 protocol 'tcp'
-set firewall name video-servers rule 1 source group address-group 'hass_clients'
-set firewall name video-servers rule 2 action 'accept'
-set firewall name video-servers rule 2 description 'Rule: accept_k8s_nodes'
-set firewall name video-servers rule 2 protocol 'udp'
-set firewall name video-servers rule 2 destination group address-group 'k8s_nodes'
-set firewall name video-servers rule 2 source port '6987-6989'
-
-# From VIDEO to CONTAINERS
-set firewall name video-containers default-action 'accept'
-set firewall name video-containers description 'From VIDEO to CONTAINERS'
-set firewall name video-containers rule 1 action 'accept'
-set firewall name video-containers rule 1 description 'Rule: accept_dns'
-set firewall name video-containers rule 1 destination port 'domain,domain-s'
-set firewall name video-containers rule 1 protocol 'tcp_udp'
-
-# From VIDEO to TRUSTED
-set firewall name video-trusted default-action 'drop'
-set firewall name video-trusted description 'From VIDEO to TRUSTED'
-set firewall name video-trusted enable-default-log
-
-# From VIDEO to WAN
-set firewall name video-wan default-action 'drop'
-set firewall name video-wan description 'From VIDEO to WAN'
-
-# From WAN to GUEST
-set firewall name wan-guest default-action 'drop'
-set firewall name wan-guest description 'From WAN to GUEST'
-set firewall name wan-guest enable-default-log
-
 # From WAN to IOT
 set firewall name wan-iot default-action 'drop'
 set firewall name wan-iot description 'From WAN to IOT'
 set firewall name wan-iot enable-default-log
+set firewall name wan-iot rule 999 action 'drop'
+set firewall name wan-iot rule 999 description 'Rule: drop_invalid'
+set firewall name wan-iot rule 999 state invalid 'enable'
+set firewall name wan-iot rule 999 log 'enable'
 # From WAN to LAN
 set firewall name wan-lan default-action 'drop'
 set firewall name wan-lan description 'From WAN to LAN'
 set firewall name wan-lan enable-default-log
+set firewall name wan-lan rule 999 action 'drop'
+set firewall name wan-lan rule 999 description 'Rule: drop_invalid'
+set firewall name wan-lan rule 999 state invalid 'enable'
+set firewall name wan-lan rule 999 log 'enable'
 # From WAN to LOCAL
 set firewall name wan-local default-action 'drop'
 set firewall name wan-local description 'From WAN to LOCAL'
 set firewall name wan-local enable-default-log
-set firewall name wan-local rule 1 action 'accept'
-set firewall name wan-local rule 1 description 'Rule: accept_wireguard'
-set firewall name wan-local rule 1 destination port '51820'
-set firewall name wan-local rule 1 protocol 'udp'
+set firewall name wan-local rule 1 action 'drop'
+set firewall name wan-local rule 1 description 'Rule: drop_invalid'
+set firewall name wan-local rule 1 state invalid 'enable'
+set firewall name wan-local rule 1 log 'enable'
+set firewall name wan-local rule 100 action 'accept'
+set firewall name wan-local rule 100 description 'Rule: accept_wireguard'
+set firewall name wan-local rule 100 destination port '51820'
+set firewall name wan-local rule 100 protocol 'udp'
 # From WAN to SERVERS
 set firewall name wan-servers default-action 'drop'
 set firewall name wan-servers description 'From WAN to SERVERS'
 set firewall name wan-servers enable-default-log
+set firewall name wan-servers rule 100 action 'accept'
+set firewall name wan-servers rule 100 destination port 32400
+set firewall name wan-servers rule 100 protocol 'tcp'
+set firewall name wan-servers rule 100 destination address 10.1.1.12
+set firewall name wan-servers rule 999 action 'drop'
+set firewall name wan-servers rule 999 description 'Rule: drop_invalid'
+set firewall name wan-servers rule 999 state invalid 'enable'
+set firewall name wan-servers rule 999 log 'enable'
-## Plex
-set firewall name wan-servers rule 10 action 'accept'
-set firewall name wan-servers rule 10 destination port 32400
-set firewall name wan-servers rule 10 protocol 'tcp'
-set firewall name wan-servers rule 10 destination address 10.1.1.12
-
-# From WAN to SERVICES
+# From WAN to CONTAINERS
 set firewall name wan-containers default-action 'drop'
 set firewall name wan-containers description 'From WAN to CONTAINERS'
 set firewall name wan-containers enable-default-log
+set firewall name wan-containers rule 999 action 'drop'
+set firewall name wan-containers rule 999 description 'Rule: drop_invalid'
+set firewall name wan-containers rule 999 state invalid 'enable'
+set firewall name wan-containers rule 999 log 'enable'
 # From WAN to TRUSTED
 set firewall name wan-trusted default-action 'drop'
 set firewall name wan-trusted description 'From WAN to TRUSTED'
 set firewall name wan-trusted enable-default-log
+set firewall name wan-trusted rule 999 action 'drop'
+set firewall name wan-trusted rule 999 description 'Rule: drop_invalid'
+set firewall name wan-trusted rule 999 state invalid 'enable'
+set firewall name wan-trusted rule 999 log 'enable'
 # From WAN to VIDEO
 set firewall name wan-video default-action 'drop'
 set firewall name wan-video description 'From WAN to VIDEO'
 set firewall name wan-video enable-default-log
+set firewall name wan-video rule 999 action 'drop'
+set firewall name wan-video rule 999 description 'Rule: drop_invalid'
+set firewall name wan-video rule 999 state invalid 'enable'
+set firewall name wan-video rule 999 log 'enable'
+
+# From LAN to IoT
+set firewall name lan-iot default-action 'drop'
+set firewall name lan-iot description 'From LAN to IOT'
+set firewall name lan-iot enable-default-log
+set firewall name lan-iot rule 999 action 'drop'
+set firewall name lan-iot rule 999 description 'Rule: drop_invalid'
+set firewall name lan-iot rule 999 state invalid 'enable'
+set firewall name lan-iot rule 999 log 'enable'
+
+# From LAN to LOCAL
+set firewall name lan-local default-action 'drop'
+set firewall name lan-local description 'From LAN to LOCAL'
+set firewall name lan-local enable-default-log
+set firewall name lan-local rule 50 action 'accept'
+set firewall name lan-local rule 50 description 'Rule: accept_dhcp'
+set firewall name lan-local rule 50 destination port '67,68'
+set firewall name lan-local rule 50 protocol 'udp'
+set firewall name lan-local rule 50 source port '67,68'
+set firewall name lan-local rule 60 action 'accept'
+set firewall name lan-local rule 60 description 'Rule: accept_ntp'
+set firewall name lan-local rule 60 destination port 'ntp'
+set firewall name lan-local rule 60 protocol 'udp'
+set firewall name lan-local rule 70 action 'accept'
+set firewall name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
+set firewall name lan-local rule 70 destination port '9798,9100'
+set firewall name lan-local rule 70 protocol 'tcp'
+set firewall name lan-local rule 80 action 'accept'
+set firewall name lan-local rule 80 description 'Rule: accept perfmon3'
+set firewall name lan-local rule 80 destination port '5201'
+set firewall name lan-local rule 80 protocol 'tcp'
+set firewall name lan-local rule 999 action 'drop'
+set firewall name lan-local rule 999 description 'Rule: drop_invalid'
+set firewall name lan-local rule 999 state invalid 'enable'
+set firewall name lan-local rule 999 log 'enable'
+
+# From LAN to SERVERS
+set firewall name lan-servers default-action 'drop'
+set firewall name lan-servers description 'From LAN to SERVERS'
+set firewall name lan-servers enable-default-log
+set firewall name lan-servers rule 999 action 'drop'
+set firewall name lan-servers rule 999 description 'Rule: drop_invalid'
+set firewall name lan-servers rule 999 state invalid 'enable'
+set firewall name lan-servers rule 999 log 'enable'
+
+# From LAN to CONTAINERS
+set firewall name lan-containers default-action 'accept'
+set firewall name lan-containers description 'From LAN to CONTAINERS'
+set firewall name lan-containers rule 40 action 'accept'
+set firewall name lan-containers rule 40 description 'Rule: accept_dns'
+set firewall name lan-containers rule 40 destination port 'domain,domain-s'
+set firewall name lan-containers rule 40 protocol 'tcp_udp'
+set firewall name lan-containers rule 999 action 'drop'
+set firewall name lan-containers rule 999 description 'Rule: drop_invalid'
+set firewall name lan-containers rule 999 state invalid 'enable'
+set firewall name lan-containers rule 999 log 'enable'
+
+# From LAN to TRUSTED
+set firewall name lan-trusted default-action 'drop'
+set firewall name lan-trusted description 'From LAN to TRUSTED'
+set firewall name lan-trusted enable-default-log
+set firewall name lan-trusted rule 999 action 'drop'
+set firewall name lan-trusted rule 999 description 'Rule: drop_invalid'
+set firewall name lan-trusted rule 999 state invalid 'enable'
+set firewall name lan-trusted rule 999 log 'enable'
+
+# From LAN to VIDEO
+set firewall name lan-video default-action 'drop'
+set firewall name lan-video description 'From LAN to VIDEO'
+set firewall name lan-video enable-default-log
+set firewall name lan-video rule 999 action 'drop'
+set firewall name lan-video rule 999 description 'Rule: drop_invalid'
+set firewall name lan-video rule 999 state invalid 'enable'
+set firewall name lan-video rule 999 log 'enable'
+
+# From LAN to WAN
+set firewall name lan-wan default-action 'accept'
+set firewall name lan-wan description 'From LAN to WAN'
+
+# From SERVERS to IOT
+set firewall name servers-iot default-action 'drop'
+set firewall name servers-iot description 'From SERVERS to IOT'
+set firewall name servers-iot enable-default-log
+set firewall name servers-iot rule 100 action 'accept'
+set firewall name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
+set firewall name servers-iot rule 100 protocol 'tcp'
+set firewall name servers-iot rule 100 source group address-group 'k8s_nodes'
+set firewall name servers-iot rule 110 action 'accept'
+set firewall name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
+set firewall name servers-iot rule 110 protocol 'icmp'
+set firewall name servers-iot rule 110 source group address-group 'k8s_nodes'
+set firewall name servers-iot rule 999 action 'drop'
+set firewall name servers-iot rule 999 description 'Rule: drop_invalid'
+set firewall name servers-iot rule 999 state invalid 'enable'
+set firewall name servers-iot rule 999 log 'enable'
+
+# From SERVERS to LAN
+set firewall name servers-lan default-action 'drop'
+set firewall name servers-lan description 'From SERVERS to LAN'
+set firewall name servers-lan enable-default-log
+set firewall name servers-lan rule 999 action 'drop'
+set firewall name servers-lan rule 999 description 'Rule: drop_invalid'
+set firewall name servers-lan rule 999 state invalid 'enable'
+set firewall name servers-lan rule 999 log 'enable'
+
+# From SERVERS to LOCAL
+set firewall name servers-local default-action 'drop'
+set firewall name servers-local description 'From SERVERS to LOCAL'
+set firewall name servers-local enable-default-log
+set firewall name servers-local rule 50 action 'accept'
+set firewall name servers-local rule 50 description 'Rule: accept_dhcp'
+set firewall name servers-local rule 50 destination port '67,68'
+set firewall name servers-local rule 50 protocol 'udp'
+set firewall name servers-local rule 50 source port '67,68'
+set firewall name servers-local rule 60 action 'accept'
+set firewall name servers-local rule 60 description 'Rule: accept_ntp'
+set firewall name servers-local rule 60 destination port 'ntp'
+set firewall name servers-local rule 60 protocol 'udp'
+set firewall name servers-local rule 70 action 'accept'
+set firewall name servers-local rule 70 description 'Rule: accept_bgp'
+set firewall name servers-local rule 70 destination port 'bgp'
+set firewall name servers-local rule 70 protocol 'tcp'
+set firewall name servers-local rule 80 action 'accept'
+set firewall name servers-local rule 80 description 'Rule: accept_tftp'
+set firewall name servers-local rule 80 destination port '69'
+set firewall name servers-local rule 80 protocol 'udp'
+set firewall name servers-local rule 90 action 'accept'
+set firewall name servers-local rule 90 description 'Rule: accept_dns'
+set firewall name servers-local rule 90 destination port 'domain,domain-s'
+set firewall name servers-local rule 90 protocol 'tcp_udp'
+set firewall name servers-local rule 100 action 'accept'
+set firewall name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
+set firewall name servers-local rule 100 destination port '9100'
+set firewall name servers-local rule 100 protocol 'tcp'
+set firewall name servers-local rule 100 source group address-group 'k8s_nodes'
+set firewall name servers-local rule 110 action 'accept'
+set firewall name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
+set firewall name servers-local rule 110 destination port '9798'
+set firewall name servers-local rule 110 protocol 'tcp'
+set firewall name servers-local rule 110 source group address-group 'k8s_nodes'
+set firewall name servers-local rule 999 action 'drop'
+set firewall name servers-local rule 999 description 'Rule: drop_invalid'
+set firewall name servers-local rule 999 state invalid 'enable'
+set firewall name servers-local rule 999 log 'enable'
+
+# From SERVERS to CONTAINERS
+set firewall name servers-containers default-action 'accept'
+set firewall name servers-containers description 'From SERVERS to CONTAINERS'
+set firewall name servers-containers enable-default-log
+set firewall name servers-containers rule 40 action 'accept'
+set firewall name servers-containers rule 40 description 'Rule: accept_dns'
+set firewall name servers-containers rule 40 destination port 'domain,domain-s'
+set firewall name servers-containers rule 40 protocol 'tcp_udp'
+set firewall name servers-containers rule 100 action 'accept'
+set firewall name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
+set firewall name servers-containers rule 100 protocol 'tcp'
+set firewall name servers-containers rule 100 source group address-group 'k8s_nodes'
+set firewall name servers-containers rule 999 action 'drop'
+set firewall name servers-containers rule 999 description 'Rule: drop_invalid'
+set firewall name servers-containers rule 999 state invalid 'enable'
+set firewall name servers-containers rule 999 log 'enable'
+
+# From SERVERS to TRUSTED
+set firewall name servers-trusted default-action 'drop'
+set firewall name servers-trusted description 'From SERVERS to TRUSTED'
+set firewall name servers-trusted enable-default-log
+set firewall name servers-trusted rule 999 action 'drop'
+set firewall name servers-trusted rule 999 description 'Rule: drop_invalid'
+set firewall name servers-trusted rule 999 state invalid 'enable'
+set firewall name servers-trusted rule 999 log 'enable'
+
+# From SERVERS to VIDEO
+set firewall name servers-video default-action 'drop'
+set firewall name servers-video description 'From SERVERS to VIDEO'
+set firewall name servers-video enable-default-log
+set firewall name servers-video rule 100 action 'accept'
+set firewall name servers-video rule 100 description 'Rule: accept_k8s_nodes'
+set firewall name servers-video rule 100 protocol 'tcp_udp'
+set firewall name servers-video rule 100 source group address-group 'k8s_nodes'
+set firewall name servers-video rule 999 action 'drop'
+set firewall name servers-video rule 999 description 'Rule: drop_invalid'
+set firewall name servers-video rule 999 state invalid 'enable'
+set firewall name servers-video rule 999 log 'enable'
+
+# From SERVERS to WAN
+set firewall name servers-wan default-action 'accept'
+set firewall name servers-wan description 'From SERVERS to WAN'
+
+# From CONTAINERS to IOT
+set firewall name containers-iot default-action 'drop'
+set firewall name containers-iot description 'From CONTAINERS to IOT'
+set firewall name containers-iot enable-default-log
+set firewall name containers-iot rule 999 action 'drop'
+set firewall name containers-iot rule 999 description 'Rule: drop_invalid'
+set firewall name containers-iot rule 999 state invalid 'enable'
+set firewall name containers-iot rule 999 log 'enable'
+
+# From CONTAINERS to LAN
+set firewall name containers-lan default-action 'drop'
+set firewall name containers-lan description 'From CONTAINERS to LAN'
+set firewall name containers-lan enable-default-log
+set firewall name containers-lan rule 999 action 'drop'
+set firewall name containers-lan rule 999 description 'Rule: drop_invalid'
+set firewall name containers-lan rule 999 state invalid 'enable'
+set firewall name containers-lan rule 999 log 'enable'
+
+# From CONTAINERS to LOCAL
+set firewall name containers-local default-action 'drop'
+set firewall name containers-local description 'From CONTAINERS to LOCAL'
+set firewall name containers-local enable-default-log
+set firewall name containers-local rule 50 action 'accept'
+set firewall name containers-local rule 50 description 'Rule: accept_dhcp'
+set firewall name containers-local rule 50 destination port '67,68'
+set firewall name containers-local rule 50 protocol 'udp'
+set firewall name containers-local rule 50 source port '67,68'
+set firewall name containers-local rule 60 action 'accept'
+set firewall name containers-local rule 60 description 'Rule: accept_ntp'
+set firewall name containers-local rule 60 destination port 'ntp'
+set firewall name containers-local rule 60 protocol 'udp'
+set firewall name containers-local rule 999 action 'drop'
+set firewall name containers-local rule 999 description 'Rule: drop_invalid'
+set firewall name containers-local rule 999 state invalid 'enable'
+set firewall name containers-local rule 999 log 'enable'
+
+# From CONTAINERS to SERVERS
+set firewall name containers-servers default-action 'accept'
+set firewall name containers-servers description 'From CONTAINERS to SERVERS'
+set firewall name containers-servers rule 999 action 'drop'
+set firewall name containers-servers rule 999 description 'Rule: drop_invalid'
+set firewall name containers-servers rule 999 state invalid 'enable'
+set firewall name containers-servers rule 999 log 'enable'
+
+# From CONTAINERS to TRUSTED
+set firewall name containers-trusted default-action 'drop'
+set firewall name containers-trusted description 'From CONTAINERS to TRUSTED'
+set firewall name containers-trusted enable-default-log
+set firewall name containers-trusted rule 999 action 'drop'
+set firewall name containers-trusted rule 999 description 'Rule: drop_invalid'
+set firewall name containers-trusted rule 999 state invalid 'enable'
+set firewall name containers-trusted rule 999 log 'enable'
+
+# From CONTAINERS to VIDEO
+set firewall name containers-video default-action 'drop'
+set firewall name containers-video description 'From CONTAINERS to VIDEO'
+set firewall name containers-video enable-default-log
+set firewall name containers-video rule 999 action 'drop'
+set firewall name containers-video rule 999 description 'Rule: drop_invalid'
+set firewall name containers-video rule 999 state invalid 'enable'
+set firewall name containers-video rule 999 log 'enable'
+
+# From CONTAINERS to WAN
+set firewall name containers-wan default-action 'accept'
+set firewall name containers-wan description 'From CONTAINERS to WAN'
+
+# From TRUSTED to IOT
+set firewall name trusted-iot default-action 'accept'
+set firewall name trusted-iot description 'From TRUSTED to IOT'
+set firewall name trusted-iot rule 100 action 'accept'
+set firewall name trusted-iot rule 100 description 'Rule: accept_app_control_from_sonos_controllers_tcp'
+set firewall name trusted-iot rule 100 destination port '80,443,445,1400,3400,3401,3500,4070,4444'
+set firewall name trusted-iot rule 100 protocol 'tcp'
+set firewall name trusted-iot rule 100 source group address-group 'sonos_controllers'
+set firewall name trusted-iot rule 110 action 'accept'
+set firewall name trusted-iot rule 110 description 'Rule: accept_app_control_from_sonos_controllers_udp'
+set firewall name trusted-iot rule 110 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969'
+set firewall name trusted-iot rule 110 protocol 'udp'
+set firewall name trusted-iot rule 110 source group address-group 'sonos_controllers'
+set firewall name trusted-iot rule 999 action 'drop'
+set firewall name trusted-iot rule 999 description 'Rule: drop_invalid'
+set firewall name trusted-iot rule 999 state invalid 'enable'
+set firewall name trusted-iot rule 999 log 'enable'
+
+# From TRUSTED to LAN
+set firewall name trusted-lan default-action 'accept'
+set firewall name trusted-lan description 'From TRUSTED to LAN'
+set firewall name trusted-lan rule 999 action 'drop'
+set firewall name trusted-lan rule 999 description 'Rule: drop_invalid'
+set firewall name trusted-lan rule 999 state invalid 'enable'
+set firewall name trusted-lan rule 999 log 'enable'
+
+# From TRUSTED to LOCAL
+set firewall name trusted-local default-action 'drop'
+set firewall name trusted-local description 'From TRUSTED to LOCAL'
+set firewall name trusted-local enable-default-log
+set firewall name trusted-local rule 50 action 'accept'
+set firewall name trusted-local rule 50 description 'Rule: accept_dhcp'
+set firewall name trusted-local rule 50 destination port '67,68'
+set firewall name trusted-local rule 50 protocol 'udp'
+set firewall name trusted-local rule 50 source port '67,68'
+set firewall name trusted-local rule 60 action 'accept'
+set firewall name trusted-local rule 60 description 'Rule: accept_ntp'
+set firewall name trusted-local rule 60 destination port 'ntp'
+set firewall name trusted-local rule 60 protocol 'udp'
+set firewall name trusted-local rule 100 action 'accept'
+set firewall name trusted-local rule 100 description 'Rule: accept_igmp'
+set firewall name trusted-local rule 100 protocol '2'
+set firewall name trusted-local rule 110 action 'accept'
+set firewall name trusted-local rule 110 description 'Rule: accept_mdns'
+set firewall name trusted-local rule 110 destination port 'mdns'
+set firewall name trusted-local rule 110 protocol 'udp'
+set firewall name trusted-local rule 110 source port 'mdns'
+set firewall name trusted-local rule 120 action 'accept'
+set firewall name trusted-local rule 120 description 'Rule: 
accept_dns' +set firewall name trusted-local rule 120 destination port 'domain,domain-s' +set firewall name trusted-local rule 120 protocol 'tcp_udp' +set firewall name trusted-local rule 200 action 'accept' +set firewall name trusted-local rule 200 description 'Rule: accept_ssh' +set firewall name trusted-local rule 200 destination port 'ssh' +set firewall name trusted-local rule 200 protocol 'tcp' +set firewall name trusted-local rule 210 action 'accept' +set firewall name trusted-local rule 210 description 'Rule: accept_vyos_api' +set firewall name trusted-local rule 210 destination port '8443' +set firewall name trusted-local rule 210 protocol 'tcp' +set firewall name trusted-local rule 220 action 'accept' +set firewall name trusted-local rule 220 description 'Rule: accept_wireguard' +set firewall name trusted-local rule 220 destination port '51820' +set firewall name trusted-local rule 220 protocol 'udp' +set firewall name trusted-local rule 300 action 'accept' +set firewall name trusted-local rule 300 description 'Rule: accept_discovery_from_sonos_players' +set firewall name trusted-local rule 300 destination port '1900,1901,1902' +set firewall name trusted-local rule 300 protocol 'udp' +set firewall name trusted-local rule 300 source group address-group 'sonos_players' +set firewall name trusted-local rule 310 action 'accept' +set firewall name trusted-local rule 310 description 'Rule: accept_discovery_from_sonos_controllers' +set firewall name trusted-local rule 310 destination port '1900,1901,1902,57621' +set firewall name trusted-local rule 310 protocol 'udp' +set firewall name trusted-local rule 310 source group address-group 'sonos_controllers' +set firewall name trusted-local rule 999 action 'drop' +set firewall name trusted-local rule 999 description 'Rule: drop_invalid' +set firewall name trusted-local rule 999 state invalid 'enable' +set firewall name trusted-local rule 999 log 'enable' + +# From TRUSTED to SERVERS +set firewall name trusted-servers 
default-action 'accept' +set firewall name trusted-servers description 'From TRUSTED to SERVERS' +set firewall name trusted-servers rule 999 action 'drop' +set firewall name trusted-servers rule 999 description 'Rule: drop_invalid' +set firewall name trusted-servers rule 999 state invalid 'enable' +set firewall name trusted-servers rule 999 log 'enable' + +# From TRUSTED to CONTAINERS +set firewall name trusted-containers default-action 'accept' +set firewall name trusted-containers description 'From TRUSTED to CONTAINERS' +set firewall name trusted-containers rule 40 action 'accept' +set firewall name trusted-containers rule 40 description 'Rule: accept_dns' +set firewall name trusted-containers rule 40 destination port 'domain,domain-s' +set firewall name trusted-containers rule 40 protocol 'tcp_udp' +set firewall name trusted-containers rule 999 action 'drop' +set firewall name trusted-containers rule 999 description 'Rule: drop_invalid' +set firewall name trusted-containers rule 999 state invalid 'enable' +set firewall name trusted-containers rule 999 log 'enable' + +# From TRUSTED to VIDEO +set firewall name trusted-video default-action 'accept' +set firewall name trusted-video description 'From TRUSTED to VIDEO' +set firewall name trusted-video rule 999 action 'drop' +set firewall name trusted-video rule 999 description 'Rule: drop_invalid' +set firewall name trusted-video rule 999 state invalid 'enable' +set firewall name trusted-video rule 999 log 'enable' + +# From TRUSTED to WAN +set firewall name trusted-wan default-action 'accept' +set firewall name trusted-wan description 'From TRUSTED to WAN' + +# From IOT to LAN +set firewall name iot-lan default-action 'drop' +set firewall name iot-lan description 'From IOT to LAN' +set firewall name iot-lan enable-default-log +set firewall name iot-lan rule 999 action 'drop' +set firewall name iot-lan rule 999 description 'Rule: drop_invalid' +set firewall name iot-lan rule 999 state invalid 'enable' +set firewall 
name iot-lan rule 999 log 'enable' + +# From IOT to LOCAL +set firewall name iot-local default-action 'drop' +set firewall name iot-local description 'From IOT to LOCAL' +set firewall name iot-local enable-default-log +set firewall name iot-local rule 50 action 'accept' +set firewall name iot-local rule 50 description 'Rule: accept_dhcp' +set firewall name iot-local rule 50 destination port '67,68' +set firewall name iot-local rule 50 protocol 'udp' +set firewall name iot-local rule 50 source port '67,68' +set firewall name iot-local rule 60 action 'accept' +set firewall name iot-local rule 60 description 'Rule: accept_ntp' +set firewall name iot-local rule 60 destination port 'ntp' +set firewall name iot-local rule 60 protocol 'udp' +set firewall name iot-local rule 100 action 'accept' +set firewall name iot-local rule 100 description 'Rule: accept_igmp' +set firewall name iot-local rule 100 protocol '2' +set firewall name iot-local rule 110 action 'accept' +set firewall name iot-local rule 110 description 'Rule: accept_mdns' +set firewall name iot-local rule 110 destination port 'mdns' +set firewall name iot-local rule 110 protocol 'udp' +set firewall name iot-local rule 110 source port 'mdns' +set firewall name iot-local rule 120 action 'accept' +set firewall name iot-local rule 120 description 'Rule: accept_dns' +set firewall name iot-local rule 120 destination port 'domain,domain-s' +set firewall name iot-local rule 120 protocol 'tcp_udp' +set firewall name iot-local rule 200 action 'accept' +set firewall name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players' +set firewall name iot-local rule 200 destination port '1900,1901,1902' +set firewall name iot-local rule 200 protocol 'udp' +set firewall name iot-local rule 200 source group address-group 'sonos_players' +set firewall name iot-local rule 210 action 'accept' +set firewall name iot-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers' +set firewall name 
iot-local rule 210 destination port '1900,1901,1902,57621' +set firewall name iot-local rule 210 protocol 'udp' +set firewall name iot-local rule 210 source group address-group 'sonos_controllers' +set firewall name iot-local rule 999 action 'drop' +set firewall name iot-local rule 999 description 'Rule: drop_invalid' +set firewall name iot-local rule 999 state invalid 'enable' +set firewall name iot-local rule 999 log 'enable' + +# From IOT to SERVERS +set firewall name iot-servers default-action 'drop' +set firewall name iot-servers description 'From IOT to SERVERS' +set firewall name iot-servers enable-default-log +set firewall name iot-servers rule 100 action 'accept' +set firewall name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners' +set firewall name iot-servers rule 100 destination group address-group 'nas' +set firewall name iot-servers rule 100 destination port 'microsoft-ds' +set firewall name iot-servers rule 100 protocol 'tcp' +set firewall name iot-servers rule 100 source group address-group 'scanners' +set firewall name iot-servers rule 200 action 'accept' +set firewall name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients' +set firewall name iot-servers rule 200 destination group address-group 'k8s_plex' +set firewall name iot-servers rule 200 destination port '32400' +set firewall name iot-servers rule 200 protocol 'tcp' +set firewall name iot-servers rule 200 source group address-group 'plex_clients' +set firewall name iot-servers rule 210 action 'accept' +set firewall name iot-servers rule 300 action 'accept' +set firewall name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients' +set firewall name iot-servers rule 300 destination group address-group 'k8s_mqtt' +set firewall name iot-servers rule 300 destination port '1883' +set firewall name iot-servers rule 300 protocol 'tcp' +set firewall name iot-servers rule 300 source group address-group 'mqtt_clients' +set firewall name 
iot-servers rule 310 action 'accept' +set firewall name iot-servers rule 310 description 'Rule: accept_mqtt_from_esp' +set firewall name iot-servers rule 310 destination group address-group 'k8s_mqtt' +set firewall name iot-servers rule 310 destination port '1883' +set firewall name iot-servers rule 310 protocol 'tcp' +set firewall name iot-servers rule 310 source group address-group 'esp' +set firewall name iot-servers rule 400 action 'accept' +set firewall name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players' +set firewall name iot-servers rule 400 destination group address-group 'k8s_ingress' +set firewall name iot-servers rule 400 destination port 'http,https' +set firewall name iot-servers rule 400 protocol 'tcp' +set firewall name iot-servers rule 400 source group address-group 'sonos_players' +set firewall name iot-servers rule 410 action 'accept' +set firewall name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_wall_displays' +set firewall name iot-servers rule 410 destination group address-group 'k8s_ingress' +set firewall name iot-servers rule 410 destination port 'http,https' +set firewall name iot-servers rule 410 protocol 'tcp' +set firewall name iot-servers rule 410 source group address-group 'wall_displays' +set firewall name iot-servers rule 420 action 'accept' +set firewall name iot-servers rule 420 description 'Rule: accept_k8s_ingress_from_allowed_devices' +set firewall name iot-servers rule 420 destination group address-group 'k8s_ingress' +set firewall name iot-servers rule 420 destination port 'http,https' +set firewall name iot-servers rule 420 protocol 'tcp' +set firewall name iot-servers rule 420 source group address-group 'k8s_ingress_allowed' +set firewall name iot-servers rule 500 action 'accept' +set firewall name iot-servers rule 500 description 'Rule: accept_vector_journald_from_allowed_devices' +set firewall name iot-servers rule 500 destination group address-group 
'k8s_vector_aggregator' +set firewall name iot-servers rule 500 destination port '6002' +set firewall name iot-servers rule 500 protocol 'tcp' +set firewall name iot-servers rule 500 source group address-group 'vector_journald_allowed' +set firewall name iot-servers rule 999 action 'drop' +set firewall name iot-servers rule 999 description 'Rule: drop_invalid' +set firewall name iot-servers rule 999 state invalid 'enable' +set firewall name iot-servers rule 999 log 'enable' + +# From IOT to CONTAINERS +set firewall name iot-containers default-action 'accept' +set firewall name iot-containers description 'From IOT to CONTAINERS' +set firewall name iot-containers rule 40 action 'accept' +set firewall name iot-containers rule 40 description 'Rule: accept_dns' +set firewall name iot-containers rule 40 destination port 'domain,domain-s' +set firewall name iot-containers rule 40 protocol 'tcp_udp' +set firewall name iot-containers rule 999 action 'drop' +set firewall name iot-containers rule 999 description 'Rule: drop_invalid' +set firewall name iot-containers rule 999 state invalid 'enable' +set firewall name iot-containers rule 999 log 'enable' + +# From IOT to TRUSTED +set firewall name iot-trusted default-action 'drop' +set firewall name iot-trusted description 'From IOT to TRUSTED' +set firewall name iot-trusted enable-default-log +set firewall name iot-trusted rule 100 action 'accept' +set firewall name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers' +set firewall name iot-trusted rule 100 destination group address-group 'sonos_controllers' +set firewall name iot-trusted rule 100 destination port '30000-65535' +set firewall name iot-trusted rule 100 protocol 'udp' +set firewall name iot-trusted rule 100 source group address-group 'sonos_players' +set firewall name iot-trusted rule 110 action 'accept' +set firewall name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers' +set 
firewall name iot-trusted rule 110 destination group address-group 'sonos_controllers' +set firewall name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535' +set firewall name iot-trusted rule 110 protocol 'tcp' +set firewall name iot-trusted rule 110 source group address-group 'sonos_players' +set firewall name iot-trusted rule 999 action 'drop' +set firewall name iot-trusted rule 999 description 'Rule: drop_invalid' +set firewall name iot-trusted rule 999 state invalid 'enable' +set firewall name iot-trusted rule 999 log 'enable' + +# From IOT to VIDEO +set firewall name iot-video default-action 'drop' +set firewall name iot-video description 'From IOT to VIDEO' +set firewall name iot-video enable-default-log +set firewall name iot-video rule 100 action 'accept' +set firewall name iot-video rule 100 description 'Rule: accept_k8s_nodes' +set firewall name iot-video rule 100 protocol 'tcp' +set firewall name iot-video rule 100 source group address-group 'k8s_nodes' +set firewall name iot-video rule 999 action 'drop' +set firewall name iot-video rule 999 description 'Rule: drop_invalid' +set firewall name iot-video rule 999 state invalid 'enable' +set firewall name iot-video rule 999 log 'enable' + +# From IOT to WAN +set firewall name iot-wan default-action 'accept' +set firewall name iot-wan description 'From IOT to WAN' + +# From VIDEO to IOT +set firewall name video-iot default-action 'drop' +set firewall name video-iot description 'From VIDEO to IOT' +set firewall name video-iot enable-default-log +set firewall name video-iot rule 100 action 'accept' +set firewall name video-iot rule 100 description 'Rule: allow connecting to hass' +set firewall name video-iot rule 100 protocol 'tcp' +set firewall name video-iot rule 100 destination group address-group 'k8s_hass' +set firewall name video-iot rule 100 destination port '8123' +set firewall name video-iot rule 999 action 'drop' +set firewall name video-iot rule 999 description 'Rule: 
drop_invalid' +set firewall name video-iot rule 999 state invalid 'enable' +set firewall name video-iot rule 999 log 'enable' + +# From VIDEO to LAN +set firewall name video-lan default-action 'drop' +set firewall name video-lan description 'From VIDEO to LAN' +set firewall name video-lan enable-default-log +set firewall name video-lan rule 999 action 'drop' +set firewall name video-lan rule 999 description 'Rule: drop_invalid' +set firewall name video-lan rule 999 state invalid 'enable' +set firewall name video-lan rule 999 log 'enable' + +# From VIDEO to LOCAL +set firewall name video-local default-action 'drop' +set firewall name video-local description 'From VIDEO to LOCAL' +set firewall name video-local enable-default-log +set firewall name video-local rule 50 action 'accept' +set firewall name video-local rule 50 description 'Rule: accept_dhcp' +set firewall name video-local rule 50 destination port '67,68' +set firewall name video-local rule 50 protocol 'udp' +set firewall name video-local rule 50 source port '67,68' +set firewall name video-local rule 60 action 'accept' +set firewall name video-local rule 60 description 'Rule: accept_ntp' +set firewall name video-local rule 60 destination port 'ntp' +set firewall name video-local rule 60 protocol 'udp' +set firewall name video-local rule 999 action 'drop' +set firewall name video-local rule 999 description 'Rule: drop_invalid' +set firewall name video-local rule 999 state invalid 'enable' +set firewall name video-local rule 999 log 'enable' + +# From VIDEO to SERVERS +set firewall name video-servers default-action 'drop' +set firewall name video-servers description 'From VIDEO to SERVERS' +set firewall name video-servers enable-default-log +set firewall name video-servers rule 100 action 'accept' +set firewall name video-servers rule 100 description 'Rule: accept_k8s_nodes' +set firewall name video-servers rule 100 protocol 'udp' +set firewall name video-servers rule 100 destination group address-group 
'k8s_nodes' +set firewall name video-servers rule 100 source port '6987-6989' +set firewall name video-servers rule 999 action 'drop' +set firewall name video-servers rule 999 description 'Rule: drop_invalid' +set firewall name video-servers rule 999 state invalid 'enable' +set firewall name video-servers rule 999 log 'enable' + +# From VIDEO to CONTAINERS +set firewall name video-containers default-action 'accept' +set firewall name video-containers description 'From VIDEO to CONTAINERS' +set firewall name video-containers rule 40 action 'accept' +set firewall name video-containers rule 40 description 'Rule: accept_dns' +set firewall name video-containers rule 40 destination port 'domain,domain-s' +set firewall name video-containers rule 40 protocol 'tcp_udp' +set firewall name video-containers rule 999 action 'drop' +set firewall name video-containers rule 999 description 'Rule: drop_invalid' +set firewall name video-containers rule 999 state invalid 'enable' +set firewall name video-containers rule 999 log 'enable' + +# From VIDEO to TRUSTED +set firewall name video-trusted default-action 'drop' +set firewall name video-trusted description 'From VIDEO to TRUSTED' +set firewall name video-trusted enable-default-log +set firewall name video-trusted rule 999 action 'drop' +set firewall name video-trusted rule 999 description 'Rule: drop_invalid' +set firewall name video-trusted rule 999 state invalid 'enable' +set firewall name video-trusted rule 999 log 'enable' + +# From VIDEO to WAN +set firewall name video-wan default-action 'drop' +set firewall name video-wan description 'From VIDEO to WAN' diff --git a/config-parts/firewall-zone.sh b/config-parts/firewall-zone.sh index 6517ef8..c42a789 100644 --- a/config-parts/firewall-zone.sh +++ b/config-parts/firewall-zone.sh 
@@ -1,41 +1,8 @@ #!/bin/vbash -set firewall zone guest default-action 'drop' -set firewall zone guest from iot firewall name 'iot-guest' -set firewall zone guest from lan firewall name 'lan-guest' -set firewall zone guest from local firewall name 'local-guest' -set firewall zone guest from servers firewall name 'servers-guest' -set firewall zone guest from containers firewall name 'containers-guest' -set firewall zone guest from trusted firewall name 'trusted-guest' -set firewall zone guest from video firewall name 'video-guest' -set firewall zone guest from wan firewall name 'wan-guest' -set firewall zone guest interface 'eth1.30' - -set firewall zone iot default-action 'drop' -set firewall zone iot from guest firewall name 'guest-iot' -set firewall zone iot from lan firewall name 'lan-iot' -set firewall zone iot from local firewall name 'local-iot' -set firewall zone iot from servers firewall name 'servers-iot' -set firewall zone iot from containers firewall name 'containers-iot' -set firewall zone iot from trusted firewall name 'trusted-iot' -set firewall zone iot from video firewall name 'video-iot' -set firewall zone iot from wan firewall name 'wan-iot' -set firewall zone iot interface 'eth1.40' - -set firewall zone lan default-action 'drop' -set firewall zone lan from guest firewall name 'guest-lan' -set firewall zone lan from iot firewall name 'iot-lan' -set firewall zone lan from local firewall name 'local-lan' -set firewall zone lan from servers firewall name 'servers-lan' -set firewall zone lan from containers firewall name 'containers-lan' -set firewall zone lan from trusted firewall name 'trusted-lan' -set firewall zone lan from video firewall name 'video-lan' -set firewall zone lan from wan firewall name 'wan-lan' -set firewall zone lan interface 'eth1' - +# local set firewall zone local default-action 'drop' set firewall zone local description 'Local router zone' -set firewall zone local from guest firewall name 'guest-local' set firewall zone local 
from iot firewall name 'iot-local' set firewall zone local from lan firewall name 'lan-local' set firewall zone local from servers firewall name 'servers-local' 
@@ -45,20 +12,30 @@ set firewall zone local from video firewall name 'video-local' set firewall zone local from wan firewall name 'wan-local' set firewall zone local local-zone -set firewall zone servers default-action 'drop' -set firewall zone servers from guest firewall name 'guest-servers' -set firewall zone servers from iot firewall name 'iot-servers' -set firewall zone servers from lan firewall name 'lan-servers' -set firewall zone servers from local firewall name 'local-servers' -set firewall zone servers from containers firewall name 'containers-servers' -set firewall zone servers from trusted firewall name 'trusted-servers' -set firewall zone servers from video firewall name 'video-servers' -set firewall zone servers from wan firewall name 'wan-servers' -set firewall zone servers interface 'eth1.10' +# wan +set firewall zone wan from iot firewall name 'iot-wan' +set firewall zone wan from lan firewall name 'lan-wan' +set firewall zone wan from local firewall name 'local-wan' +set firewall zone wan from servers firewall name 'servers-wan' +set firewall zone wan from containers firewall name 'containers-wan' +set firewall zone wan from trusted firewall name 'trusted-wan' +set firewall zone wan from video firewall name 'video-wan' +set firewall zone wan interface 'eth0' +# lan +set firewall zone lan default-action 'drop' +set firewall zone lan from iot firewall name 'iot-lan' +set firewall zone lan from local firewall name 'local-lan' +set firewall zone lan from servers firewall name 'servers-lan' +set firewall zone lan from containers firewall name 'containers-lan' +set firewall zone lan from trusted firewall name 'trusted-lan' +set firewall zone lan from video firewall name 'video-lan' +set firewall zone lan from wan firewall name 'wan-lan' +set firewall zone lan interface 'eth1' + +# containers set firewall zone containers default-action 'drop' set firewall zone containers description 'VyOS containers zone' -set firewall zone containers from guest firewall 
name 'guest-containers' set firewall zone containers from iot firewall name 'iot-containers' set firewall zone containers from lan firewall name 'lan-containers' set firewall zone containers from local firewall name 'local-containers' @@ -68,8 +45,19 @@ set firewall zone containers from video firewall name 'video-containers' set firewall zone containers from wan firewall name 'wan-containers' set firewall zone containers interface 'pod-containers' +# servers +set firewall zone servers default-action 'drop' +set firewall zone servers from iot firewall name 'iot-servers' +set firewall zone servers from lan firewall name 'lan-servers' +set firewall zone servers from local firewall name 'local-servers' +set firewall zone servers from containers firewall name 'containers-servers' +set firewall zone servers from trusted firewall name 'trusted-servers' +set firewall zone servers from video firewall name 'video-servers' +set firewall zone servers from wan firewall name 'wan-servers' +set firewall zone servers interface 'eth1.10' + +# trusted set firewall zone trusted default-action 'drop' -set firewall zone trusted from guest firewall name 'guest-trusted' set firewall zone trusted from iot firewall name 'iot-trusted' set firewall zone trusted from lan firewall name 'lan-trusted' set firewall zone trusted from local firewall name 'local-trusted' 
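Review bot: The new `# wan` block in this hunk carries the zone's members and interface but not its policy; `set firewall zone wan default-action 'drop'` survives only as an unchanged line after the video block in the `@@ -89,15 +88,5 @@` hunk, so wan is now the one zone whose default-action is separated from the lines that define it. Every other block (local, lan, containers, servers, trusted, iot, video) opens with its default-action, and a reviewer auditing drop policy reads this file block by block. Moving `set firewall zone wan default-action 'drop'` to the top of the `# wan` block and deleting the trailing copy keeps the convention uniform; as the only zone without a `description`, a one-line `set firewall zone wan description '...'` there would also match the local and containers blocks.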
@@ -80,8 +68,19 @@ set firewall zone trusted from wan firewall name 'wan-trusted' set firewall zone trusted interface 'eth1.20' set firewall zone trusted interface 'wg01' +# iot +set firewall zone iot default-action 'drop' +set firewall zone iot from lan firewall name 'lan-iot' +set firewall zone iot from local firewall name 'local-iot' +set firewall zone iot from servers firewall name 'servers-iot' +set firewall zone iot from containers firewall name 'containers-iot' +set firewall zone iot from trusted firewall name 'trusted-iot' +set firewall zone iot from video firewall name 'video-iot' +set firewall zone iot from wan firewall name 'wan-iot' +set firewall zone iot interface 'eth1.30' + +# video set firewall zone video default-action 'drop' -set firewall zone video from guest firewall name 'guest-video' set firewall zone video from iot firewall name 'iot-video' set firewall zone video from lan firewall name 'lan-video' set firewall zone video from local firewall name 'local-video' @@ -89,15 +88,5 @@ set firewall zone video from servers firewall name 'servers-video' set firewall zone video from containers firewall name 'containers-video' set firewall zone video from trusted firewall name 'trusted-video' set firewall zone video from wan firewall name 'wan-video' -set firewall zone video interface 'eth1.50' +set firewall zone video interface 'eth1.40' set firewall zone wan default-action 'drop' - -set firewall zone wan from guest firewall name 'guest-wan' -set firewall zone wan from iot firewall name 'iot-wan' -set firewall zone wan from lan firewall name 'lan-wan' -set firewall zone wan from local firewall name 'local-wan' -set firewall zone wan from servers firewall name 'servers-wan' -set firewall zone wan from containers firewall name 'containers-wan' -set firewall zone wan from trusted firewall name 'trusted-wan' -set firewall zone wan from video firewall name 'video-wan' -set firewall zone wan interface 'eth0' 
diff --git a/config-parts/firewall.sh b/config-parts/firewall.sh index e3fd991..32d8334 100644 --- a/config-parts/firewall.sh +++ b/config-parts/firewall.sh @@ -6,24 +6,6 @@ set firewall state-policy invalid action 'drop' set firewall state-policy related action 'accept' # Address Groups -set firewall group address-group 3d_printer_controllers address '10.1.3.56' - -set firewall group address-group android_tv_players address '10.1.3.16' - -set firewall group address-group ereaders address '10.1.3.51' -set firewall group address-group ereaders address '10.1.3.52' - -set firewall group address-group esp address '10.1.3.21' -set firewall group address-group esp address '10.1.3.31' -set firewall group address-group esp address '10.1.3.32' -set firewall group address-group esp address '10.1.3.33' -set firewall group address-group esp address '10.1.3.34' -set firewall group address-group esp address '10.1.3.35' -set firewall group address-group esp address '10.1.3.36' -set firewall group address-group esp address '10.1.3.42' -set firewall group address-group esp address '10.1.3.45' -set firewall group address-group esp address '10.1.3.46' - set firewall group address-group ios_devices address '10.1.2.31' set firewall group address-group ios_devices address '10.1.2.32' set firewall group address-group ios_devices address '10.1.2.33' 
@@ -31,24 +13,16 @@ set firewall group address-group ios_devices address '10.1.2.34' set firewall group address-group ios_devices address '10.1.2.35' set firewall group address-group ios_devices address '10.1.2.36' -set firewall group address-group jellyfin_clients address '10.1.2.21' -set firewall group address-group jellyfin_clients address '10.1.2.31' -set firewall group address-group jellyfin_clients address '10.1.2.32' -set firewall group address-group jellyfin_clients address '10.1.2.33' -set firewall group address-group jellyfin_clients address '10.1.2.34' -set firewall group address-group jellyfin_clients address '10.1.2.35' -set firewall group address-group jellyfin_clients address '10.1.2.36' -set firewall group address-group jellyfin_clients address '10.1.3.16' - set firewall group address-group k8s_api address '10.5.0.2' +# external nginx set firewall group address-group k8s_ingress address '10.45.0.1' +# internal nginx +set firewall group address-group k8s_ingress address '10.45.0.3' set firewall group address-group k8s_ingress_allowed address '10.1.3.35' set firewall group address-group k8s_ingress_allowed address '10.1.3.36' -set firewall group address-group k8s_jellyfin address '10.45.0.21' - set firewall group address-group k8s_mqtt address '10.45.0.10' set firewall group address-group k8s_nodes address '10.1.1.41' @@ -92,8 +66,6 @@ set firewall group address-group printers address '10.1.3.55' set firewall group address-group printer_allowed address '192.168.2.11' -set firewall group address-group scanners address '10.1.3.55' - set firewall group address-group sonos_controllers address '10.1.2.21' set firewall group address-group sonos_controllers address '10.1.2.31' set firewall group address-group sonos_controllers address '10.1.2.32' 
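Review bot: Deleting the `esp` address-group here (and `scanners` in the `@@ -92,8 +66,6 @@` hunk and `wall_displays` in the `@@ -125,13 +91,8 @@` hunk) leaves dangling references in the new config-parts/firewall-name.sh, which still sets `iot-servers rule 310 source group address-group 'esp'`, `rule 100 source group address-group 'scanners'` and `rule 410 source group address-group 'wall_displays'`. VyOS normally rejects a commit that references an undefined group, so the load is likely to fail; if it somehow does not, those accept rules match nothing and become dead entries. Either remove rules 100, 310 and 410 from firewall-name.sh in the same commit or keep the three groups defined. Found while cross-checking that chain: `set firewall name iot-servers rule 210 action 'accept'` has no protocol, port, source or destination criteria, so in a default-drop chain it accepts all IOT-to-SERVERS traffic ahead of the narrower rules that follow; it reads like a leftover and should be removed or given match criteria.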
@@ -101,12 +73,6 @@ set firewall group address-group sonos_controllers address '10.1.2.33'
 set firewall group address-group sonos_controllers address '10.1.2.34'
 set firewall group address-group sonos_controllers address '10.1.2.36'
 
-set firewall group address-group sonos_players address '10.1.3.61'
-set firewall group address-group sonos_players address '10.1.3.62'
-set firewall group address-group sonos_players address '10.1.3.63'
-set firewall group address-group sonos_players address '10.1.3.65'
-set firewall group address-group sonos_players address '10.1.3.66'
-
 set firewall group address-group sonos_players address '10.1.3.71'
 set firewall group address-group sonos_players address '10.1.3.72'
 set firewall group address-group sonos_players address '10.1.3.73'
@@ -125,13 +91,8 @@ set firewall group address-group vector_journald_allowed address '10.1.3.60'
 
 set firewall group address-group vyos_coredns address '10.5.0.3'
 
-set firewall group address-group vyos_dnsdist address '10.5.0.4'
-
 set firewall group address-group vyos_unifi address '10.5.0.10'
 
-set firewall group address-group wall_displays address '10.1.3.53'
-set firewall group address-group wall_displays address '10.1.3.54'
-
 set firewall group network-group k8s_services network '10.45.0.0/16'
 
 # Port groups
diff --git a/config-parts/interfaces.sh b/config-parts/interfaces.sh
index 9bfbbf6..cc2078a 100644
--- a/config-parts/interfaces.sh
+++ b/config-parts/interfaces.sh
@@ -11,12 +11,10 @@ set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
 set interfaces ethernet eth1 vif 10 description 'SERVERS'
 set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
 set interfaces ethernet eth1 vif 20 description 'TRUSTED'
-set interfaces ethernet eth1 vif 30 address '192.168.2.1/24'
-set interfaces ethernet eth1 vif 30 description 'GUEST'
-set interfaces ethernet eth1 vif 40 address '10.1.3.1/24'
-set interfaces ethernet eth1 vif 40 description 'IOT'
-set interfaces ethernet eth1 vif 50 address '10.1.4.1/24'
-set interfaces ethernet eth1 vif 50 description 'VIDEO'
+set interfaces ethernet eth1 vif 30 address '10.1.3.1/24'
+set interfaces ethernet eth1 vif 30 description 'IOT'
+set interfaces ethernet eth1 vif 40 address '10.1.4.1/24'
+set interfaces ethernet eth1 vif 40 description 'VIDEO'
 
 set interfaces wireguard wg01 address '10.0.11.1/24'
 set interfaces wireguard wg01 description 'WIREGUARD'
diff --git a/config-parts/nat.sh b/config-parts/nat.sh
index eff4bfd..4c5bff1 100644
--- a/config-parts/nat.sh
+++ b/config-parts/nat.sh
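Review bot: VLAN ID 30 changes meaning here from GUEST (192.168.2.1/24) to IOT (10.1.3.1/24), 40 from IOT to VIDEO, and 50 is dropped, so any switch port or SSID still tagged 30 for guest devices now places those devices on the IoT network, and anything still tagged 50 has no gateway at all. This repository cannot show whether the switch/AP side was updated, so the renumbering is worth stating in the file, e.g. `# 2023-07: VLAN IDs renumbered - 30 GUEST->IOT, 40 IOT->VIDEO, 50 removed; GUEST (192.168.2.0/24) retired`. Zone membership in firewall-zone.sh (changed in this commit but not visible here) and the NAT inbound-interface names must follow the same mapping.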
@@ -10,19 +10,19 @@ set nat destination rule 110 translation port '32400'
 
 # Force DNS
 set nat destination rule 102 description 'Force DNS for IoT'
-set nat destination rule 102 destination address '!10.5.0.4'
+set nat destination rule 102 destination address '!10.1.3.1'
 set nat destination rule 102 destination port '53'
-set nat destination rule 102 inbound-interface 'eth1.40'
+set nat destination rule 102 inbound-interface 'eth1.30'
 set nat destination rule 102 protocol 'tcp_udp'
-set nat destination rule 102 translation address '10.5.0.4'
+set nat destination rule 102 translation address '10.1.3.1'
 set nat destination rule 102 translation port '53'
 
 set nat destination rule 103 description 'Force DNS for Video'
-set nat destination rule 103 destination address '!10.5.0.4'
+set nat destination rule 103 destination address '!10.1.4.1'
 set nat destination rule 103 destination port '53'
-set nat destination rule 103 inbound-interface 'eth1.50'
+set nat destination rule 103 inbound-interface 'eth1.40'
 set nat destination rule 103 protocol 'tcp_udp'
-set nat destination rule 103 translation address '10.5.0.4'
+set nat destination rule 103 translation address '10.1.4.1'
 set nat destination rule 103 translation port '53'
 
 set nat destination rule 104 description 'Force NTP for LAN'
@@ -53,7 +53,7 @@ set nat destination rule 106 translation port '123'
 set nat destination rule 107 description 'Force NTP for IoT'
 set nat destination rule 107 destination address '!10.1.3.1'
 set nat destination rule 107 destination port '123'
-set nat destination rule 107 inbound-interface 'eth1.40'
+set nat destination rule 107 inbound-interface 'eth1.30'
 set nat destination rule 107 protocol 'udp'
 set nat destination rule 107 translation address '10.1.3.1'
 set nat destination rule 107 translation port '123'
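Review bot: Rule 102 now redirects IoT DNS to the router's own 10.1.3.1:53 instead of dnsdist, so IoT resolution depends on a DNS forwarder listening on that address and on the local-zone firewall admitting 53/tcp+udp from eth1.30; neither is in this diff, and if either is missing IoT devices lose DNS entirely (it fails closed, which is at least the safe direction). The DNAT also only captures plaintext port 53: a device that speaks DoT (853/tcp) or DoH (443/tcp) to a hard-coded resolver bypasses the forced resolver completely, so pair these rules with a firewall rule dropping destination port 853 from the IoT and VIDEO zones. A line such as `# Only plain port 53 is forced; DoT/DoH clients bypass this - see the 853 drop in the firewall rules` next to `# Force DNS` would record that limit.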
@@ -61,7 +61,7 @@ set nat destination rule 107 translation port '123'
 set nat destination rule 108 description 'Force NTP for Video'
 set nat destination rule 108 destination address '!10.1.4.1'
 set nat destination rule 108 destination port '123'
-set nat destination rule 108 inbound-interface 'eth1.50'
+set nat destination rule 108 inbound-interface 'eth1.40'
 set nat destination rule 108 protocol 'udp'
 set nat destination rule 108 translation address '10.1.4.1'
 set nat destination rule 108 translation port '123'
diff --git a/config-parts/service-dhcp_server.sh b/config-parts/service-dhcp_server.sh
index 9036725..ba020e3 100644
--- a/config-parts/service-dhcp_server.sh
+++ b/config-parts/service-dhcp_server.sh
@@ -1,50 +1,5 @@
 #!/bin/vbash
 
-# Guest VLAN
-set service dhcp-server shared-network-name GUEST authoritative
-set service dhcp-server shared-network-name GUEST ping-check
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 default-router '192.168.2.1'
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 lease '86400'
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 name-server '10.5.0.4'
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 start '192.168.2.200'
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 range 0 stop '192.168.2.254'
-
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop ip-address '192.168.2.11'
-set service dhcp-server shared-network-name GUEST subnet 192.168.2.0/24 static-mapping manyie-work-laptop mac-address '14:f6:d8:32:46:41'
-
-# IoT VLAN
-set service dhcp-server shared-network-name IOT authoritative
-set service dhcp-server shared-network-name IOT ping-check
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'jahanson.tech'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 lease '86400'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254'
-
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '88:e7:12:2a:63:ca'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:14:79:08:db:08'
-
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 ip-address '10.1.3.33'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 mac-address 'A0:76:4E:21:DE:D0'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 ip-address '10.1.3.34'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 mac-address '34:85:18:0E:C7:CC'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 ip-address '10.1.3.35'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 mac-address '68:B6:B3:B3:EF:6C'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 ip-address '10.1.3.36'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 mac-address 'A0:76:4E:1F:D7:84'
-
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address '10.1.3.71'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam mac-address '54:2a:1b:8e:e0:3b'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 ip-address '10.1.3.72'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 mac-address '48:a6:b8:fa:62:0e'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 ip-address '10.1.3.73'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 mac-address '48:a6:b8:fa:64:a6'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 
static-mapping sonos-4 ip-address '10.1.3.74'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 mac-address '48:a6:b8:48:a8:e5'
-
 # LAN
 set service dhcp-server shared-network-name LAN authoritative
 set service dhcp-server shared-network-name LAN ping-check
@@ -82,7 +37,13 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 name-serv
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 start '10.1.1.200'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 range 0 stop '10.1.1.254'
 
-# Need to add all of the macs for the servers.
+# NAS
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar ip-address '10.1.1.11'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar mac-address '00:11:32:87:f6:1d'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting ip-address '10.1.1.12'
+set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting mac-address 'a8:a1:59:4a:d1:b3'
+
+# k8s prod workers
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya ip-address '10.1.1.41'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya mac-address 'c8:1f:66:10:4d:b9'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya ip-address '10.1.1.42'
@@ -96,18 +57,19 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-ma
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping thrain ip-address '10.1.1.46'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping thrain mac-address '98:90:96:B0:AD:EA'
 
-set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar ip-address '10.1.1.11'
-set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elessar mac-address '00:11:32:87:f6:1d'
-set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting ip-address '10.1.1.12'
-set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping sting mac-address 'a8:a1:59:4a:d1:b3'
-
+# Nextcloud
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nextcloud ip-address '10.1.1.51'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nextcloud mac-address '96:C6:B7:2A:5C:2A'
+
+# Raspberry Pis
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo ip-address '10.1.1.52'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping frodo mac-address 'dc:a6:32:09:76:4c'
+
+# VMs
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
 
+# k8s prod masters
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel ip-address '10.1.1.61'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel mac-address '34:17:EB:D9:AB:D2'
 set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping elrond ip-address '10.1.1.62'
@@ -132,16 +94,38 @@ set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-ma
 set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary ip-address '10.1.2.21'
 set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping legiondary mac-address '54:05:db:b1:95:ff'
 
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad ip-address '10.1.2.35'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping eva-ipad mac-address 'aa:ab:96:ce:f8:03'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad ip-address '10.1.2.36'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping kitchen-ipad mac-address '34:e2:fd:ac:7c:fa'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad ip-address '10.1.2.34'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-ipad mac-address '94:bf:2d:f0:3f:c3'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone ip-address '10.1.2.33'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-iphone mac-address '8c:98:6b:a9:18:cb'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook ip-address '10.1.2.22'
-set service dhcp-server shared-network-name TRUSTED subnet 10.1.2.0/24 static-mapping manyie-macbook mac-address '8c:85:90:18:42:38'
+# IoT VLAN
+set service dhcp-server shared-network-name IOT authoritative
+set service dhcp-server shared-network-name IOT ping-check
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 default-router '10.1.3.1'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 domain-name 'jahanson.tech'
+set service dhcp-server shared-network-name IOT 
subnet 10.1.3.0/24 lease '86400'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 start '10.1.3.200'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 range 0 stop '10.1.3.254'
+
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven ip-address '10.1.3.12'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping kitchen-oven mac-address '88:e7:12:2a:63:ca'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum ip-address '10.1.3.18'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping livingroom-vacuum mac-address '50:14:79:08:db:08'
+
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 ip-address '10.1.3.33'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 mac-address 'A0:76:4E:21:DE:D0'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 ip-address '10.1.3.34'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 mac-address '34:85:18:0E:C7:CC'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 ip-address '10.1.3.35'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 mac-address '68:B6:B3:B3:EF:6C'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 ip-address '10.1.3.36'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 mac-address 'A0:76:4E:1F:D7:84'
+
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address 
'10.1.3.71'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam mac-address '54:2a:1b:8e:e0:3b'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 ip-address '10.1.3.72'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-2 mac-address '48:a6:b8:fa:62:0e'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 ip-address '10.1.3.73'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-3 mac-address '48:a6:b8:fa:64:a6'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 ip-address '10.1.3.74'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping sonos-4 mac-address '48:a6:b8:48:a8:e5'
 
 # Video VLAN
 set service dhcp-server shared-network-name VIDEO authoritative
@@ -149,7 +133,7 @@ set service dhcp-server shared-network-name VIDEO ping-check
 set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 default-router '10.1.4.1'
 set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 domain-name 'jahanson.tech'
 set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 lease '86400'
-set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.5.0.4'
+set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 name-server '10.1.4.1'
 set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 start '10.1.4.200'
 set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 stop '10.1.4.254'
 
diff --git a/config-parts/system.sh b/config-parts/system.sh
index 3943e3e..5c878f5 100644
--- a/config-parts/system.sh
+++ b/config-parts/system.sh
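Review bot: The re-added IOT scope still advertises `name-server '10.5.0.4'`, the dnsdist container this same commit deletes (containers/dnsdist/config/dnsdist.conf) and whose `vyos_dnsdist` firewall group is removed in firewall.sh, while the VIDEO scope in the next hunk is switched to its gateway `10.1.4.1` and nat rule 102 now redirects IoT DNS to 10.1.3.1. IoT clients will be DNATed to the router regardless, but handing out a resolver that is being torn down hides the dependency on that NAT rule and breaks the moment the rule is disabled. Change it to `set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 name-server '10.1.3.1'` to match VIDEO.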
@@ -15,9 +15,11 @@ set system name-server '1.1.1.1'
 set system sysctl parameter kernel.pty.max value '24000'
 
 # Sent to vector syslog server
+set system syslog global facility all level info
 set system syslog host 10.45.0.2 facility kern level 'warning'
 set system syslog host 10.45.0.2 protocol 'tcp'
 set system syslog host 10.45.0.2 port '6001'
+set system syslog host 10.45.0.2 format 'octet-counted'
 
 # Custom backup
 set system task-scheduler task backup-config crontab-spec '30 0 * * *'
diff --git a/containers/dnsdist/.gitignore b/containers/dnsdist/.gitignore
deleted file mode 100644
index 80f91e9..0000000
--- a/containers/dnsdist/.gitignore
+++ /dev/null
@@ -1,9 +0,0 @@
-# Ignore everything
-/*
-
-# Track certain files and directories
-!.gitignore
-
-!/config/
-/config/*
-!/config/dnsdist.conf
diff --git a/containers/dnsdist/config/dnsdist.conf b/containers/dnsdist/config/dnsdist.conf
deleted file mode 100644
index 625cfef..0000000
--- a/containers/dnsdist/config/dnsdist.conf
+++ /dev/null
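Review bot: The remote sink still receives only `facility kern level 'warning'`; the new `global facility all level info` line changes the local log only, so authentication and configuration events (sshd logins, sudo, commits, which typically log under auth/authpriv) never reach the vector collector at 10.45.0.2 where they would matter most for detection. Consider adding `set system syslog host 10.45.0.2 facility auth level 'info'` and `set system syslog host 10.45.0.2 facility authpriv level 'info'`. The transport is also unauthenticated plain TCP on 6001; if the VyOS build in use supports it, TLS to the collector would stop another host on that network from reading or injecting log lines.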
@@ -1,93 +0,0 @@
--- udp/tcp dns listening
-setLocal("0.0.0.0:53", {})
-
--- Local Bind
-newServer({
- address = "10.5.0.3",
- pool = "bind",
- checkName = "gateway.jahanson.tech"
-})
-
--- NextDNS - Servers
-newServer({
- address = "188.172.251.1:443",
- tls = "openssl",
- subjectName = "8d3cd7.dns.nextdns.io",
- dohPath = "/8d3cd7",
- validateCertificates = true,
- checkInterval = 10,
- checkTimeout = 2000,
- pool = "nextdns_servers"
-})
-
--- NextDNS - Trusted
-newServer({
- address = "188.172.251.1:443",
- tls = "openssl",
- subjectName = "d79ecb.dns.nextdns.io",
- dohPath = "/d79ecb",
- validateCertificates = true,
- checkInterval = 10,
- checkTimeout = 2000,
- pool = "nextdns_trusted"
-})
-
--- NextDNS - IoT
-newServer({
- address = "188.172.251.1:443",
- tls = "openssl",
- subjectName = "e29a3c.dns.nextdns.io",
- dohPath = "/e29a3c",
- validateCertificates = true,
- checkInterval = 10,
- checkTimeout = 2000,
- pool = "nextdns_iot"
-})
-
--- CloudFlare DNS over TLS
-newServer({
- address = "1.1.1.1:853",
- tls = "openssl",
- subjectName = "cloudflare-dns.com",
- validateCertificates = true,
- checkInterval = 10,
- checkTimeout = 2000,
- pool = "cloudflare"
-})
-newServer({
- address = "1.0.0.1:853",
- tls = "openssl",
- subjectName = "cloudflare-dns.com",
- validateCertificates = true,
- checkInterval = 10,
- checkTimeout = 2000,
- pool = "cloudflare"
-})
-
--- Enable caching
-pc = newPacketCache(10000, {
- maxTTL = 86400,
- minTTL = 0,
- temporaryFailureTTL = 60,
- staleTTL = 60,
- dontAge = false
-})
-getPool(""):setCache(pc)
-
--- Request logging, uncomment to log DNS requests/responses to stdout
--- addAction(AllRule(), LogAction("", false, false, true, false, false))
--- addResponseAction(AllRule(), LogResponseAction("", false, true, false, false))
-
--- Routing rules
-addAction("192.168.2.0/24", PoolAction("cloudflare")) -- guest vlan
-addAction("192.168.2.0/24", DropAction()) -- stop processing
-addAction('unifi', PoolAction('bind'))
-addAction('hsn.dev', PoolAction('bind'))
-addAction('jahanson.tech', PoolAction('bind'))
-addAction('1.10.in-addr.arpa', PoolAction('bind'))
-
-addAction("10.1.0.0/24", PoolAction("nextdns_servers")) -- lan
-addAction("10.1.1.0/24", PoolAction("nextdns_servers")) -- servers vlan
-addAction("10.1.2.0/24", PoolAction("nextdns_trusted")) -- trusted vlan
-addAction("10.1.3.0/24", PoolAction("nextdns_iot")) -- iot vlan
-addAction("10.0.11.0/24", PoolAction("nextdns_trusted")) -- wg_trusted vlan
\ No newline at end of file