Compare commits
3 commits
17402b0356
...
4afb6e4325
Author | SHA1 | Date | |
---|---|---|---|
|
4afb6e4325 | ||
1d402a8b6d | |||
|
f7b292ba74 |
9 changed files with 836 additions and 1014 deletions
2
.github/workflows/run-renovate.yaml
vendored
|
@ -45,7 +45,7 @@ jobs:
|
|||
token: '${{ steps.generate-token.outputs.token }}'
|
||||
|
||||
- name: Renovate
|
||||
uses: renovatebot/github-action@v39.2.3
|
||||
uses: renovatebot/github-action@v39.2.4
|
||||
env:
|
||||
DRY_RUN: ${{ inputs.dryRun }}
|
||||
LOG_LEVEL: ${{ inputs.renovateLogLevel }}
|
||||
|
|
|
@ -3,21 +3,6 @@
|
|||
# Container networks
|
||||
set container network containers prefix '10.5.0.0/24'
|
||||
|
||||
# bind
|
||||
set container name bind cap-add 'net-bind-service'
|
||||
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
|
||||
set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
|
||||
set container name bind memory '0'
|
||||
set container name bind network containers address '10.5.0.3'
|
||||
set container name bind restart 'on-failure'
|
||||
set container name bind shared-memory '0'
|
||||
set container name bind volume config source '/config/containers/bind/config'
|
||||
set container name bind volume config destination '/etc/bind'
|
||||
set container name bind volume config mode 'ro'
|
||||
set container name bind volume cache source '/tmp/bind/cache'
|
||||
set container name bind volume cache destination '/var/cache/bind'
|
||||
set container name bind volume cache mode 'rw'
|
||||
|
||||
# haproxy-k8s-api
|
||||
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.1'
|
||||
set container name haproxy-k8s-api memory '0'
|
||||
|
@ -57,7 +42,7 @@ set container name speedtest-exporter shared-memory '0'
|
|||
# udp-broadcast-relay-mdns
|
||||
set container name udp-broadcast-relay-mdns allow-host-networks
|
||||
set container name udp-broadcast-relay-mdns cap-add 'net-raw'
|
||||
set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth1.20;eth1.40'
|
||||
set container name udp-broadcast-relay-mdns environment CFG_DEV value 'eth4.20;eth4.40'
|
||||
set container name udp-broadcast-relay-mdns environment CFG_ID value '2'
|
||||
set container name udp-broadcast-relay-mdns environment CFG_MULTICAST value '224.0.0.251'
|
||||
set container name udp-broadcast-relay-mdns environment CFG_PORT value '5353'
|
||||
|
@ -70,7 +55,7 @@ set container name udp-broadcast-relay-mdns shared-memory '0'
|
|||
# udp-broadcast-relay-sonos
|
||||
set container name udp-broadcast-relay-sonos allow-host-networks
|
||||
set container name udp-broadcast-relay-sonos cap-add 'net-raw'
|
||||
set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth1.20;eth1.40'
|
||||
set container name udp-broadcast-relay-sonos environment CFG_DEV value 'eth4.20;eth4.40'
|
||||
set container name udp-broadcast-relay-sonos environment CFG_ID value '1'
|
||||
set container name udp-broadcast-relay-sonos environment CFG_MULTICAST value '239.255.255.250'
|
||||
set container name udp-broadcast-relay-sonos environment CFG_PORT value '1900'
|
||||
|
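Review bot: The `accept_dns` allow rules into the containers zone outlive the first hunk (`-3,21 +3,6`), which removes the `bind` container that listened at `10.5.0.3`; the new `config-parts/firewall-ipv4.sh` on this page still carries `iot-containers rule 40`, `lan-containers rule 40`, `local-containers rule 40` and `servers-containers rule 40` on `domain,domain-s`. If no other container now serves DNS on the `10.5.0.0/24` network, those rules should be dropped or re-scoped to whichever address replaces it, so the zone does not keep an open allow rule for a service that is no longer there, and any forwarding or NAT entry pointing at `10.5.0.3` in files not shown here should be checked as well. The file name of this section is not visible on the page, so the hunks are read as VyOS container configuration from their content. In the two `CFG_DEV` hunks the relays move to `eth4.20;eth4.40`; as both relays run with `allow-host-networks` and `net-raw`, it is worth confirming that `eth4` is the interface actually carrying VLANs 20 and 40 after this change, since a wrong interface makes the mDNS/SSDP relay fail silently rather than loudly.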
|
760
config-parts/firewall-ipv4.sh
Normal file
|
@ -0,0 +1,760 @@
|
|||
#!/bin/vbash
|
||||
# From IOT to LAN
|
||||
set firewall ipv4 name iot-lan default-action 'drop'
|
||||
set firewall ipv4 name iot-lan description 'From IOT to LAN'
|
||||
set firewall ipv4 name iot-lan enable-default-log
|
||||
set firewall ipv4 name iot-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name iot-lan rule 999 state invalid
|
||||
set firewall ipv4 name iot-lan rule 999 log
|
||||
|
||||
# From IOT to LOCAL
|
||||
set firewall ipv4 name iot-local default-action 'drop'
|
||||
set firewall ipv4 name iot-local description 'From IOT to LOCAL'
|
||||
set firewall ipv4 name iot-local enable-default-log
|
||||
set firewall ipv4 name iot-local rule 50 action 'accept'
|
||||
set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall ipv4 name iot-local rule 50 destination port '67,68'
|
||||
set firewall ipv4 name iot-local rule 50 protocol 'udp'
|
||||
set firewall ipv4 name iot-local rule 50 source port '67,68'
|
||||
set firewall ipv4 name iot-local rule 60 action 'accept'
|
||||
set firewall ipv4 name iot-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall ipv4 name iot-local rule 60 destination port 'ntp'
|
||||
set firewall ipv4 name iot-local rule 60 protocol 'udp'
|
||||
set firewall ipv4 name iot-local rule 100 action 'accept'
|
||||
set firewall ipv4 name iot-local rule 100 description 'Rule: accept_igmp'
|
||||
set firewall ipv4 name iot-local rule 100 protocol '2'
|
||||
set firewall ipv4 name iot-local rule 110 action 'accept'
|
||||
set firewall ipv4 name iot-local rule 110 description 'Rule: accept_mdns'
|
||||
set firewall ipv4 name iot-local rule 110 destination port 'mdns'
|
||||
set firewall ipv4 name iot-local rule 110 protocol 'udp'
|
||||
set firewall ipv4 name iot-local rule 110 source port 'mdns'
|
||||
set firewall ipv4 name iot-local rule 120 action 'accept'
|
||||
set firewall ipv4 name iot-local rule 120 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name iot-local rule 120 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name iot-local rule 120 protocol 'tcp_udp'
|
||||
set firewall ipv4 name iot-local rule 200 action 'accept'
|
||||
set firewall ipv4 name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall ipv4 name iot-local rule 200 destination group port-group sonos-discovery
|
||||
set firewall ipv4 name iot-local rule 200 protocol 'udp'
|
||||
set firewall ipv4 name iot-local rule 200 source group address-group 'sonos_players'
|
||||
set firewall ipv4 name iot-local rule 999 action 'drop'
|
||||
set firewall ipv4 name iot-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name iot-local rule 999 state invalid
|
||||
set firewall ipv4 name iot-local rule 999 log
|
||||
|
||||
# From IOT to SERVERS
|
||||
set firewall ipv4 name iot-servers default-action 'drop'
|
||||
set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
|
||||
set firewall ipv4 name iot-servers enable-default-log
|
||||
set firewall ipv4 name iot-servers rule 100 action 'accept'
|
||||
set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
|
||||
set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
|
||||
set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
|
||||
set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
|
||||
set firewall ipv4 name iot-servers rule 200 action 'accept'
|
||||
set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
|
||||
set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
|
||||
set firewall ipv4 name iot-servers rule 200 destination port '32400'
|
||||
set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
|
||||
set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
|
||||
set firewall ipv4 name iot-servers rule 300 action 'accept'
|
||||
set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
|
||||
set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
|
||||
set firewall ipv4 name iot-servers rule 300 destination port '1883'
|
||||
set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
|
||||
set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
|
||||
set firewall ipv4 name iot-servers rule 400 action 'accept'
|
||||
set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
|
||||
set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
|
||||
set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
|
||||
set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
|
||||
set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
|
||||
set firewall ipv4 name iot-servers rule 410 action 'accept'
|
||||
set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
|
||||
set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
|
||||
set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
|
||||
set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
|
||||
set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
|
||||
set firewall ipv4 name iot-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name iot-servers rule 999 state invalid
|
||||
set firewall ipv4 name iot-servers rule 999 log
|
||||
|
||||
# From IOT to CONTAINERS
|
||||
set firewall ipv4 name iot-containers default-action 'accept'
|
||||
set firewall ipv4 name iot-containers description 'From IOT to CONTAINERS'
|
||||
set firewall ipv4 name iot-containers rule 40 action 'accept'
|
||||
set firewall ipv4 name iot-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name iot-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name iot-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name iot-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name iot-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name iot-containers rule 999 state invalid
|
||||
set firewall ipv4 name iot-containers rule 999 log
|
||||
|
||||
# From IOT to TRUSTED
|
||||
set firewall ipv4 name iot-trusted default-action 'drop'
|
||||
set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
|
||||
set firewall ipv4 name iot-trusted enable-default-log
|
||||
set firewall ipv4 name iot-trusted rule 100 action 'accept'
|
||||
set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
|
||||
set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
|
||||
set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
|
||||
set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
|
||||
set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
|
||||
set firewall ipv4 name iot-trusted rule 110 action 'accept'
|
||||
set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
|
||||
set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
|
||||
set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
|
||||
set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
|
||||
set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
|
||||
set firewall ipv4 name iot-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name iot-trusted rule 999 state invalid
|
||||
set firewall ipv4 name iot-trusted rule 999 log
|
||||
|
||||
# From IOT to VIDEO
|
||||
set firewall ipv4 name iot-video default-action 'drop'
|
||||
set firewall ipv4 name iot-video description 'From IOT to VIDEO'
|
||||
set firewall ipv4 name iot-video enable-default-log
|
||||
set firewall ipv4 name iot-video rule 100 action 'accept'
|
||||
set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall ipv4 name iot-video rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name iot-video rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name iot-video rule 999 action 'drop'
|
||||
set firewall ipv4 name iot-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name iot-video rule 999 state invalid
|
||||
set firewall ipv4 name iot-video rule 999 log
|
||||
|
||||
# From IOT to WAN
|
||||
set firewall ipv4 name iot-wan default-action 'accept'
|
||||
set firewall ipv4 name iot-wan description 'From IOT to WAN'
|
||||
|
||||
# From LAN to IoT
|
||||
set firewall ipv4 name lan-iot default-action 'drop'
|
||||
set firewall ipv4 name lan-iot description 'From LAN to IOT'
|
||||
set firewall ipv4 name lan-iot enable-default-log
|
||||
set firewall ipv4 name lan-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name lan-iot rule 999 state invalid
|
||||
set firewall ipv4 name lan-iot rule 999 log
|
||||
|
||||
# From LAN to LOCAL
|
||||
set firewall ipv4 name lan-local default-action 'drop'
|
||||
set firewall ipv4 name lan-local description 'From LAN to LOCAL'
|
||||
set firewall ipv4 name lan-local enable-default-log
|
||||
set firewall ipv4 name lan-local rule 40 action 'accept'
|
||||
set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name lan-local rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name lan-local rule 50 action 'accept'
|
||||
set firewall ipv4 name lan-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall ipv4 name lan-local rule 50 destination port '67,68'
|
||||
set firewall ipv4 name lan-local rule 50 protocol 'udp'
|
||||
set firewall ipv4 name lan-local rule 50 source port '67,68'
|
||||
set firewall ipv4 name lan-local rule 60 action 'accept'
|
||||
set firewall ipv4 name lan-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall ipv4 name lan-local rule 60 destination port 'ntp'
|
||||
set firewall ipv4 name lan-local rule 60 protocol 'udp'
|
||||
set firewall ipv4 name lan-local rule 70 action 'accept'
|
||||
set firewall ipv4 name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
|
||||
set firewall ipv4 name lan-local rule 70 destination port '9798,9100'
|
||||
set firewall ipv4 name lan-local rule 70 protocol 'tcp'
|
||||
set firewall ipv4 name lan-local rule 80 action 'accept'
|
||||
set firewall ipv4 name lan-local rule 80 description 'Rule: accept perfmon3'
|
||||
set firewall ipv4 name lan-local rule 80 destination port '5201'
|
||||
set firewall ipv4 name lan-local rule 80 protocol 'tcp'
|
||||
set firewall ipv4 name lan-local rule 999 action 'drop'
|
||||
set firewall ipv4 name lan-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name lan-local rule 999 state invalid
|
||||
set firewall ipv4 name lan-local rule 999 log
|
||||
|
||||
# From LAN to SERVERS
|
||||
set firewall ipv4 name lan-servers default-action 'drop'
|
||||
set firewall ipv4 name lan-servers description 'From LAN to SERVERS'
|
||||
set firewall ipv4 name lan-servers enable-default-log
|
||||
set firewall ipv4 name lan-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name lan-servers rule 999 state invalid
|
||||
set firewall ipv4 name lan-servers rule 999 log
|
||||
|
||||
# From LAN to CONTAINERS
|
||||
set firewall ipv4 name lan-containers default-action 'accept'
|
||||
set firewall ipv4 name lan-containers description 'From LAN to CONTAINERS'
|
||||
set firewall ipv4 name lan-containers rule 40 action 'accept'
|
||||
set firewall ipv4 name lan-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name lan-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name lan-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name lan-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name lan-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name lan-containers rule 999 state invalid
|
||||
set firewall ipv4 name lan-containers rule 999 log
|
||||
|
||||
# From LAN to TRUSTED
|
||||
set firewall ipv4 name lan-trusted default-action 'drop'
|
||||
set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED'
|
||||
set firewall ipv4 name lan-trusted enable-default-log
|
||||
set firewall ipv4 name lan-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name lan-trusted rule 999 state invalid
|
||||
set firewall ipv4 name lan-trusted rule 999 log
|
||||
|
||||
# From LAN to VIDEO
|
||||
set firewall ipv4 name lan-video default-action 'drop'
|
||||
set firewall ipv4 name lan-video description 'From LAN to VIDEO'
|
||||
set firewall ipv4 name lan-video enable-default-log
|
||||
set firewall ipv4 name lan-video rule 999 action 'drop'
|
||||
set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name lan-video rule 999 state invalid
|
||||
set firewall ipv4 name lan-video rule 999 log
|
||||
|
||||
# From LAN to WAN
|
||||
set firewall ipv4 name lan-wan default-action 'accept'
|
||||
set firewall ipv4 name lan-wan description 'From LAN to WAN'
|
||||
|
||||
# From LOCAL to IOT
|
||||
set firewall ipv4 name local-iot default-action 'drop'
|
||||
set firewall ipv4 name local-iot description 'From LOCAL to IOT'
|
||||
set firewall ipv4 name local-iot enable-default-log
|
||||
set firewall ipv4 name local-iot rule 100 action 'accept'
|
||||
set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp'
|
||||
set firewall ipv4 name local-iot rule 100 protocol '2'
|
||||
set firewall ipv4 name local-iot rule 110 action 'accept'
|
||||
set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
|
||||
set firewall ipv4 name local-iot rule 110 destination port 'mdns'
|
||||
set firewall ipv4 name local-iot rule 110 protocol 'udp'
|
||||
set firewall ipv4 name local-iot rule 110 source port 'mdns'
|
||||
set firewall ipv4 name local-iot rule 200 action 'accept'
|
||||
set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall ipv4 name local-iot rule 200 destination group port-group sonos-discovery
|
||||
set firewall ipv4 name local-iot rule 200 protocol 'udp'
|
||||
set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
|
||||
set firewall ipv4 name local-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name local-iot rule 999 state invalid
|
||||
set firewall ipv4 name local-iot rule 999 log
|
||||
|
||||
# From LOCAL to LAN
|
||||
set firewall ipv4 name local-lan default-action 'drop'
|
||||
set firewall ipv4 name local-lan description 'From LOCAL to LAN'
|
||||
set firewall ipv4 name local-lan enable-default-log
|
||||
set firewall ipv4 name local-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name local-lan rule 999 state invalid
|
||||
set firewall ipv4 name local-lan rule 999 log
|
||||
|
||||
# From LOCAL to SERVERS
|
||||
set firewall ipv4 name local-servers default-action 'drop'
|
||||
set firewall ipv4 name local-servers description 'From LOCAL to SERVERS'
|
||||
set firewall ipv4 name local-servers enable-default-log
|
||||
set firewall ipv4 name local-servers rule 40 action 'accept'
|
||||
set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name local-servers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name local-servers rule 70 action 'accept'
|
||||
set firewall ipv4 name local-servers rule 70 description 'Rule: accept_bgp'
|
||||
set firewall ipv4 name local-servers rule 70 destination port 'bgp'
|
||||
set firewall ipv4 name local-servers rule 70 protocol 'tcp'
|
||||
set firewall ipv4 name local-servers rule 100 action 'accept'
|
||||
set firewall ipv4 name local-servers rule 100 description 'Rule: accept_k8s_api'
|
||||
set firewall ipv4 name local-servers rule 100 destination port '6443'
|
||||
set firewall ipv4 name local-servers rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name local-servers rule 200 action 'accept'
|
||||
set firewall ipv4 name local-servers rule 200 description 'Rule: accept_vector_syslog'
|
||||
set firewall ipv4 name local-servers rule 200 destination group address-group 'k8s_vector_aggregator'
|
||||
set firewall ipv4 name local-servers rule 200 destination port '6001'
|
||||
set firewall ipv4 name local-servers rule 200 protocol 'tcp'
|
||||
set firewall ipv4 name local-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name local-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name local-servers rule 999 state invalid
|
||||
set firewall ipv4 name local-servers rule 999 log
|
||||
|
||||
# From LOCAL to CONTAINERS
|
||||
set firewall ipv4 name local-containers default-action 'accept'
|
||||
set firewall ipv4 name local-containers description 'From LOCAL to CONTAINERS'
|
||||
set firewall ipv4 name local-containers rule 40 action 'accept'
|
||||
set firewall ipv4 name local-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name local-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name local-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name local-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name local-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name local-containers rule 999 state invalid
|
||||
set firewall ipv4 name local-containers rule 999 log
|
||||
|
||||
# From LOCAL to TRUSTED
|
||||
set firewall ipv4 name local-trusted default-action 'drop'
|
||||
set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED'
|
||||
set firewall ipv4 name local-trusted enable-default-log
|
||||
set firewall ipv4 name local-trusted rule 100 action 'accept'
|
||||
set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp'
|
||||
set firewall ipv4 name local-trusted rule 100 protocol '2'
|
||||
set firewall ipv4 name local-trusted rule 110 action 'accept'
|
||||
set firewall ipv4 name local-trusted rule 110 description 'Rule: accept_mdns'
|
||||
set firewall ipv4 name local-trusted rule 110 destination port 'mdns'
|
||||
set firewall ipv4 name local-trusted rule 110 protocol 'udp'
|
||||
set firewall ipv4 name local-trusted rule 110 source port 'mdns'
|
||||
set firewall ipv4 name local-trusted rule 200 action 'accept'
|
||||
set firewall ipv4 name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall ipv4 name local-trusted rule 200 destination group port-group sonos-discovery
|
||||
set firewall ipv4 name local-trusted rule 200 protocol 'udp'
|
||||
set firewall ipv4 name local-trusted rule 200 source group address-group 'sonos_players'
|
||||
set firewall ipv4 name local-trusted rule 400 action 'accept'
|
||||
set firewall ipv4 name local-trusted rule 400 description 'Rule: accept_wireguard'
|
||||
set firewall ipv4 name local-trusted rule 400 source port '51820'
|
||||
set firewall ipv4 name local-trusted rule 400 protocol 'udp'
|
||||
set firewall ipv4 name local-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name local-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name local-trusted rule 999 state invalid
|
||||
set firewall ipv4 name local-trusted rule 999 log
|
||||
|
||||
# From LOCAL to VIDEO
|
||||
set firewall ipv4 name local-video default-action 'drop'
|
||||
set firewall ipv4 name local-video description 'From LOCAL to VIDEO'
|
||||
set firewall ipv4 name local-video enable-default-log
|
||||
set firewall ipv4 name local-video rule 999 action 'drop'
|
||||
set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name local-video rule 999 state invalid
|
||||
set firewall ipv4 name local-video rule 999 log
|
||||
|
||||
# From LOCAL to WAN
|
||||
set firewall ipv4 name local-wan default-action 'accept'
|
||||
set firewall ipv4 name local-wan description 'From LOCAL to WAN'
|
||||
|
||||
|
||||
# From SERVERS to IOT
|
||||
set firewall ipv4 name servers-iot default-action 'drop'
|
||||
set firewall ipv4 name servers-iot description 'From SERVERS to IOT'
|
||||
set firewall ipv4 name servers-iot enable-default-log
|
||||
set firewall ipv4 name servers-iot rule 100 action 'accept'
|
||||
set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name servers-iot rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name servers-iot rule 110 action 'accept'
|
||||
set firewall ipv4 name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
|
||||
set firewall ipv4 name servers-iot rule 110 protocol 'icmp'
|
||||
set firewall ipv4 name servers-iot rule 110 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name servers-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name servers-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name servers-iot rule 999 state invalid
|
||||
set firewall ipv4 name servers-iot rule 999 log
|
||||
|
||||
# From SERVERS to LAN
|
||||
set firewall ipv4 name servers-lan default-action 'drop'
|
||||
set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
|
||||
set firewall ipv4 name servers-lan enable-default-log
|
||||
set firewall ipv4 name servers-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name servers-lan rule 999 state invalid
|
||||
set firewall ipv4 name servers-lan rule 999 log
|
||||
|
||||
# From SERVERS to LOCAL
|
||||
set firewall ipv4 name servers-local default-action 'drop'
|
||||
set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
|
||||
set firewall ipv4 name servers-local enable-default-log
|
||||
set firewall ipv4 name servers-local rule 50 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall ipv4 name servers-local rule 50 destination port '67,68'
|
||||
set firewall ipv4 name servers-local rule 50 protocol 'udp'
|
||||
set firewall ipv4 name servers-local rule 50 source port '67,68'
|
||||
set firewall ipv4 name servers-local rule 60 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall ipv4 name servers-local rule 60 destination port 'ntp'
|
||||
set firewall ipv4 name servers-local rule 60 protocol 'udp'
|
||||
set firewall ipv4 name servers-local rule 70 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 70 description 'Rule: accept_bgp'
|
||||
set firewall ipv4 name servers-local rule 70 destination port 'bgp'
|
||||
set firewall ipv4 name servers-local rule 70 protocol 'tcp'
|
||||
set firewall ipv4 name servers-local rule 80 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 80 description 'Rule: accept_tftp'
|
||||
set firewall ipv4 name servers-local rule 80 destination port '69'
|
||||
set firewall ipv4 name servers-local rule 80 protocol 'udp'
|
||||
set firewall ipv4 name servers-local rule 90 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 90 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name servers-local rule 90 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name servers-local rule 90 protocol 'tcp_udp'
|
||||
set firewall ipv4 name servers-local rule 100 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
|
||||
set firewall ipv4 name servers-local rule 100 destination port '9100'
|
||||
set firewall ipv4 name servers-local rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name servers-local rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name servers-local rule 110 action 'accept'
|
||||
set firewall ipv4 name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
|
||||
set firewall ipv4 name servers-local rule 110 destination port '9798'
|
||||
set firewall ipv4 name servers-local rule 110 protocol 'tcp'
|
||||
set firewall ipv4 name servers-local rule 110 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name servers-local rule 999 action 'drop'
|
||||
set firewall ipv4 name servers-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name servers-local rule 999 state invalid
|
||||
set firewall ipv4 name servers-local rule 999 log
|
||||
|
||||
# From SERVERS to CONTAINERS
|
||||
set firewall ipv4 name servers-containers default-action 'accept'
|
||||
set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
|
||||
set firewall ipv4 name servers-containers enable-default-log
|
||||
set firewall ipv4 name servers-containers rule 40 action 'accept'
|
||||
set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name servers-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name servers-containers rule 100 action 'accept'
|
||||
set firewall ipv4 name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall ipv4 name servers-containers rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name servers-containers rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name servers-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name servers-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name servers-containers rule 999 state invalid
|
||||
set firewall ipv4 name servers-containers rule 999 log
|
||||
|
||||
# From SERVERS to TRUSTED
|
||||
set firewall ipv4 name servers-trusted default-action 'drop'
|
||||
set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
|
||||
set firewall ipv4 name servers-trusted enable-default-log
|
||||
set firewall ipv4 name servers-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name servers-trusted rule 999 state invalid
|
||||
set firewall ipv4 name servers-trusted rule 999 log
|
||||
|
||||
# From SERVERS to VIDEO
|
||||
set firewall ipv4 name servers-video default-action 'drop'
|
||||
set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
|
||||
set firewall ipv4 name servers-video enable-default-log
|
||||
set firewall ipv4 name servers-video rule 100 action 'accept'
|
||||
set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
|
||||
set firewall ipv4 name servers-video rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name servers-video rule 999 action 'drop'
|
||||
set firewall ipv4 name servers-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name servers-video rule 999 state invalid
|
||||
set firewall ipv4 name servers-video rule 999 log
|
||||
|
||||
# From SERVERS to WAN
|
||||
set firewall ipv4 name servers-wan default-action 'accept'
|
||||
set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
|
||||
|
||||
# From CONTAINERS to IOT
|
||||
set firewall ipv4 name containers-iot default-action 'drop'
|
||||
set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
|
||||
set firewall ipv4 name containers-iot enable-default-log
|
||||
set firewall ipv4 name containers-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name containers-iot rule 999 state invalid
|
||||
set firewall ipv4 name containers-iot rule 999 log
|
||||
|
||||
# From CONTAINERS to LAN
|
||||
set firewall ipv4 name containers-lan default-action 'drop'
|
||||
set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
|
||||
set firewall ipv4 name containers-lan enable-default-log
|
||||
set firewall ipv4 name containers-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name containers-lan rule 999 state invalid
|
||||
set firewall ipv4 name containers-lan rule 999 log
|
||||
|
||||
# From CONTAINERS to LOCAL
|
||||
set firewall ipv4 name containers-local default-action 'drop'
|
||||
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
|
||||
set firewall ipv4 name containers-local enable-default-log
|
||||
set firewall ipv4 name containers-local rule 50 action 'accept'
|
||||
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall ipv4 name containers-local rule 50 destination port '67,68'
|
||||
set firewall ipv4 name containers-local rule 50 protocol 'udp'
|
||||
set firewall ipv4 name containers-local rule 50 source port '67,68'
|
||||
set firewall ipv4 name containers-local rule 60 action 'accept'
|
||||
set firewall ipv4 name containers-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall ipv4 name containers-local rule 60 destination port 'ntp'
|
||||
set firewall ipv4 name containers-local rule 60 protocol 'udp'
|
||||
set firewall ipv4 name containers-local rule 999 action 'drop'
|
||||
set firewall ipv4 name containers-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name containers-local rule 999 state invalid
|
||||
set firewall ipv4 name containers-local rule 999 log
|
||||
|
||||
# From CONTAINERS to SERVERS
|
||||
set firewall ipv4 name containers-servers default-action 'accept'
|
||||
set firewall ipv4 name containers-servers description 'From CONTAINERS to SERVERS'
|
||||
set firewall ipv4 name containers-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name containers-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name containers-servers rule 999 state invalid
|
||||
set firewall ipv4 name containers-servers rule 999 log
|
||||
|
||||
# From CONTAINERS to TRUSTED
|
||||
set firewall ipv4 name containers-trusted default-action 'drop'
|
||||
set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
|
||||
set firewall ipv4 name containers-trusted enable-default-log
|
||||
set firewall ipv4 name containers-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name containers-trusted rule 999 state invalid
|
||||
set firewall ipv4 name containers-trusted rule 999 log
|
||||
|
||||
# From CONTAINERS to VIDEO
|
||||
set firewall ipv4 name containers-video default-action 'drop'
|
||||
set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
|
||||
set firewall ipv4 name containers-video enable-default-log
|
||||
set firewall ipv4 name containers-video rule 999 action 'drop'
|
||||
set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name containers-video rule 999 state invalid
|
||||
set firewall ipv4 name containers-video rule 999 log
|
||||
|
||||
# From CONTAINERS to WAN
|
||||
set firewall ipv4 name containers-wan default-action 'accept'
|
||||
set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
|
||||
|
||||
# From TRUSTED to IOT
|
||||
set firewall ipv4 name trusted-iot default-action 'accept'
|
||||
set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
|
||||
set firewall ipv4 name trusted-iot rule 110 action 'accept'
|
||||
set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
|
||||
set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
|
||||
set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
|
||||
set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
|
||||
set firewall ipv4 name trusted-iot rule 111 action 'accept'
|
||||
set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
|
||||
set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
|
||||
set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
|
||||
set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
|
||||
set firewall ipv4 name trusted-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name trusted-iot rule 999 state invalid
|
||||
set firewall ipv4 name trusted-iot rule 999 log
|
||||
|
||||
# From TRUSTED to LAN
|
||||
set firewall ipv4 name trusted-lan default-action 'accept'
|
||||
set firewall ipv4 name trusted-lan description 'From TRUSTED to LAN'
|
||||
set firewall ipv4 name trusted-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name trusted-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name trusted-lan rule 999 state invalid
|
||||
set firewall ipv4 name trusted-lan rule 999 log
|
||||
|
||||
# From TRUSTED to LOCAL
|
||||
set firewall ipv4 name trusted-local default-action 'drop'
|
||||
set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
|
||||
set firewall ipv4 name trusted-local enable-default-log
|
||||
set firewall ipv4 name trusted-local rule 50 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall ipv4 name trusted-local rule 50 destination port '67,68'
|
||||
set firewall ipv4 name trusted-local rule 50 protocol 'udp'
|
||||
set firewall ipv4 name trusted-local rule 50 source port '67,68'
|
||||
set firewall ipv4 name trusted-local rule 60 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall ipv4 name trusted-local rule 60 destination port 'ntp'
|
||||
set firewall ipv4 name trusted-local rule 60 protocol 'udp'
|
||||
set firewall ipv4 name trusted-local rule 100 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 100 description 'Rule: accept_igmp'
|
||||
set firewall ipv4 name trusted-local rule 100 protocol '2'
|
||||
set firewall ipv4 name trusted-local rule 110 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 110 description 'Rule: accept_mdns'
|
||||
set firewall ipv4 name trusted-local rule 110 destination port 'mdns'
|
||||
set firewall ipv4 name trusted-local rule 110 protocol 'udp'
|
||||
set firewall ipv4 name trusted-local rule 110 source port 'mdns'
|
||||
set firewall ipv4 name trusted-local rule 120 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
|
||||
set firewall ipv4 name trusted-local rule 210 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-discovery
|
||||
set firewall ipv4 name trusted-local rule 210 protocol 'udp'
|
||||
set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
|
||||
set firewall ipv4 name trusted-local rule 211 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
|
||||
set firewall ipv4 name trusted-local rule 211 protocol 'udp'
|
||||
set firewall ipv4 name trusted-local rule 211 source group address-group 'sonos_players'
|
||||
set firewall ipv4 name trusted-local rule 400 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 400 description 'Rule: accept_ssh'
|
||||
set firewall ipv4 name trusted-local rule 400 destination port 'ssh'
|
||||
set firewall ipv4 name trusted-local rule 400 protocol 'tcp'
|
||||
set firewall ipv4 name trusted-local rule 410 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 410 description 'Rule: accept_vyos_api'
|
||||
set firewall ipv4 name trusted-local rule 410 destination port '8443'
|
||||
set firewall ipv4 name trusted-local rule 410 protocol 'tcp'
|
||||
set firewall ipv4 name trusted-local rule 420 action 'accept'
|
||||
set firewall ipv4 name trusted-local rule 420 description 'Rule: accept_wireguard'
|
||||
set firewall ipv4 name trusted-local rule 420 destination port '51820'
|
||||
set firewall ipv4 name trusted-local rule 420 protocol 'udp'
|
||||
set firewall ipv4 name trusted-local rule 999 action 'drop'
|
||||
set firewall ipv4 name trusted-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name trusted-local rule 999 state invalid
|
||||
set firewall ipv4 name trusted-local rule 999 log
|
||||
|
||||
# From TRUSTED to SERVERS
|
||||
set firewall ipv4 name trusted-servers default-action 'accept'
|
||||
set firewall ipv4 name trusted-servers description 'From TRUSTED to SERVERS'
|
||||
set firewall ipv4 name trusted-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name trusted-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name trusted-servers rule 999 state invalid
|
||||
set firewall ipv4 name trusted-servers rule 999 log
|
||||
|
||||
# From TRUSTED to CONTAINERS
|
||||
set firewall ipv4 name trusted-containers default-action 'accept'
|
||||
set firewall ipv4 name trusted-containers description 'From TRUSTED to CONTAINERS'
|
||||
set firewall ipv4 name trusted-containers rule 40 action 'accept'
|
||||
set firewall ipv4 name trusted-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name trusted-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name trusted-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name trusted-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name trusted-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name trusted-containers rule 999 state invalid
|
||||
set firewall ipv4 name trusted-containers rule 999 log
|
||||
|
||||
# From TRUSTED to VIDEO
|
||||
set firewall ipv4 name trusted-video default-action 'accept'
|
||||
set firewall ipv4 name trusted-video description 'From TRUSTED to VIDEO'
|
||||
set firewall ipv4 name trusted-video rule 999 action 'drop'
|
||||
set firewall ipv4 name trusted-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name trusted-video rule 999 state invalid
|
||||
set firewall ipv4 name trusted-video rule 999 log
|
||||
|
||||
# From TRUSTED to WAN
|
||||
set firewall ipv4 name trusted-wan default-action 'accept'
|
||||
set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN'
|
||||
|
||||
|
||||
# From VIDEO to IOT
|
||||
set firewall ipv4 name video-iot default-action 'drop'
|
||||
set firewall ipv4 name video-iot description 'From VIDEO to IOT'
|
||||
set firewall ipv4 name video-iot enable-default-log
|
||||
set firewall ipv4 name video-iot rule 100 action 'accept'
|
||||
set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass'
|
||||
set firewall ipv4 name video-iot rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass'
|
||||
set firewall ipv4 name video-iot rule 100 destination port '8123'
|
||||
set firewall ipv4 name video-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name video-iot rule 999 state invalid
|
||||
set firewall ipv4 name video-iot rule 999 log
|
||||
|
||||
# From VIDEO to LAN
|
||||
set firewall ipv4 name video-lan default-action 'drop'
|
||||
set firewall ipv4 name video-lan description 'From VIDEO to LAN'
|
||||
set firewall ipv4 name video-lan enable-default-log
|
||||
set firewall ipv4 name video-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name video-lan rule 999 state invalid
|
||||
set firewall ipv4 name video-lan rule 999 log
|
||||
|
||||
# From VIDEO to LOCAL
|
||||
set firewall ipv4 name video-local default-action 'drop'
|
||||
set firewall ipv4 name video-local description 'From VIDEO to LOCAL'
|
||||
set firewall ipv4 name video-local enable-default-log
|
||||
set firewall ipv4 name video-local rule 50 action 'accept'
|
||||
set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall ipv4 name video-local rule 50 destination port '67,68'
|
||||
set firewall ipv4 name video-local rule 50 protocol 'udp'
|
||||
set firewall ipv4 name video-local rule 50 source port '67,68'
|
||||
set firewall ipv4 name video-local rule 60 action 'accept'
|
||||
set firewall ipv4 name video-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall ipv4 name video-local rule 60 destination port 'ntp'
|
||||
set firewall ipv4 name video-local rule 60 protocol 'udp'
|
||||
set firewall ipv4 name video-local rule 999 action 'drop'
|
||||
set firewall ipv4 name video-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name video-local rule 999 state invalid
|
||||
set firewall ipv4 name video-local rule 999 log
|
||||
|
||||
# From VIDEO to SERVERS
|
||||
set firewall ipv4 name video-servers default-action 'drop'
|
||||
set firewall ipv4 name video-servers description 'From VIDEO to SERVERS'
|
||||
set firewall ipv4 name video-servers enable-default-log
|
||||
set firewall ipv4 name video-servers rule 100 action 'accept'
|
||||
set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall ipv4 name video-servers rule 100 protocol 'udp'
|
||||
set firewall ipv4 name video-servers rule 100 destination group address-group 'k8s_nodes'
|
||||
set firewall ipv4 name video-servers rule 100 source port '6987-6989'
|
||||
set firewall ipv4 name video-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name video-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name video-servers rule 999 state invalid
|
||||
set firewall ipv4 name video-servers rule 999 log
|
||||
|
||||
# From VIDEO to CONTAINERS
|
||||
set firewall ipv4 name video-containers default-action 'accept'
|
||||
set firewall ipv4 name video-containers description 'From VIDEO to CONTAINERS'
|
||||
set firewall ipv4 name video-containers rule 40 action 'accept'
|
||||
set firewall ipv4 name video-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall ipv4 name video-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall ipv4 name video-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall ipv4 name video-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name video-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name video-containers rule 999 state invalid
|
||||
set firewall ipv4 name video-containers rule 999 log
|
||||
|
||||
# From VIDEO to TRUSTED
|
||||
set firewall ipv4 name video-trusted default-action 'drop'
|
||||
set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED'
|
||||
set firewall ipv4 name video-trusted enable-default-log
|
||||
set firewall ipv4 name video-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name video-trusted rule 999 state invalid
|
||||
set firewall ipv4 name video-trusted rule 999 log
|
||||
|
||||
# From VIDEO to WAN
|
||||
set firewall ipv4 name video-wan default-action 'drop'
|
||||
set firewall ipv4 name video-wan description 'From VIDEO to WAN'
|
||||
# From WAN to IOT
|
||||
set firewall ipv4 name wan-iot default-action 'drop'
|
||||
set firewall ipv4 name wan-iot description 'From WAN to IOT'
|
||||
set firewall ipv4 name wan-iot enable-default-log
|
||||
set firewall ipv4 name wan-iot rule 999 action 'drop'
|
||||
set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-iot rule 999 state invalid
|
||||
set firewall ipv4 name wan-iot rule 999 log
|
||||
|
||||
# From WAN to LAN
|
||||
set firewall ipv4 name wan-lan default-action 'drop'
|
||||
set firewall ipv4 name wan-lan description 'From WAN to LAN'
|
||||
set firewall ipv4 name wan-lan enable-default-log
|
||||
set firewall ipv4 name wan-lan rule 999 action 'drop'
|
||||
set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-lan rule 999 state invalid
|
||||
set firewall ipv4 name wan-lan rule 999 log
|
||||
|
||||
# From WAN to LOCAL
|
||||
set firewall ipv4 name wan-local default-action 'drop'
|
||||
set firewall ipv4 name wan-local description 'From WAN to LOCAL'
|
||||
set firewall ipv4 name wan-local enable-default-log
|
||||
set firewall ipv4 name wan-local rule 1 action 'drop'
|
||||
set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-local rule 1 state invalid
|
||||
set firewall ipv4 name wan-local rule 1 log
|
||||
set firewall ipv4 name wan-local rule 100 action 'accept'
|
||||
set firewall ipv4 name wan-local rule 100 description 'Rule: accept_wireguard'
|
||||
set firewall ipv4 name wan-local rule 100 destination port '51820'
|
||||
set firewall ipv4 name wan-local rule 100 protocol 'udp'
|
||||
|
||||
# From WAN to SERVERS
|
||||
set firewall ipv4 name wan-servers default-action 'drop'
|
||||
set firewall ipv4 name wan-servers description 'From WAN to SERVERS'
|
||||
set firewall ipv4 name wan-servers enable-default-log
|
||||
set firewall ipv4 name wan-servers rule 100 action 'accept'
|
||||
set firewall ipv4 name wan-servers rule 100 destination port 32400
|
||||
set firewall ipv4 name wan-servers rule 100 protocol 'tcp'
|
||||
set firewall ipv4 name wan-servers rule 100 destination address 10.1.1.12
|
||||
set firewall ipv4 name wan-servers rule 999 action 'drop'
|
||||
set firewall ipv4 name wan-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-servers rule 999 state invalid
|
||||
set firewall ipv4 name wan-servers rule 999 log
|
||||
|
||||
# From WAN to CONTAINERS
|
||||
set firewall ipv4 name wan-containers default-action 'drop'
|
||||
set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS'
|
||||
set firewall ipv4 name wan-containers enable-default-log
|
||||
set firewall ipv4 name wan-containers rule 999 action 'drop'
|
||||
set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-containers rule 999 state invalid
|
||||
set firewall ipv4 name wan-containers rule 999 log
|
||||
|
||||
# From WAN to TRUSTED
|
||||
set firewall ipv4 name wan-trusted default-action 'drop'
|
||||
set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED'
|
||||
set firewall ipv4 name wan-trusted enable-default-log
|
||||
set firewall ipv4 name wan-trusted rule 999 action 'drop'
|
||||
set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-trusted rule 999 state invalid
|
||||
set firewall ipv4 name wan-trusted rule 999 log
|
||||
|
||||
# From WAN to VIDEO
|
||||
set firewall ipv4 name wan-video default-action 'drop'
|
||||
set firewall ipv4 name wan-video description 'From WAN to VIDEO'
|
||||
set firewall ipv4 name wan-video enable-default-log
|
||||
set firewall ipv4 name wan-video rule 999 action 'drop'
|
||||
set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall ipv4 name wan-video rule 999 state invalid
|
||||
set firewall ipv4 name wan-video rule 999 log
|
|
@ -1,778 +0,0 @@
|
|||
#!/bin/vbash
|
||||
|
||||
# From LOCAL to IOT
|
||||
set firewall name local-iot default-action 'drop'
|
||||
set firewall name local-iot description 'From LOCAL to IOT'
|
||||
set firewall name local-iot enable-default-log
|
||||
set firewall name local-iot rule 100 action 'accept'
|
||||
set firewall name local-iot rule 100 description 'Rule: accept_igmp'
|
||||
set firewall name local-iot rule 100 protocol '2'
|
||||
set firewall name local-iot rule 110 action 'accept'
|
||||
set firewall name local-iot rule 110 description 'Rule: accept_mdns'
|
||||
set firewall name local-iot rule 110 destination port 'mdns'
|
||||
set firewall name local-iot rule 110 protocol 'udp'
|
||||
set firewall name local-iot rule 110 source port 'mdns'
|
||||
set firewall name local-iot rule 200 action 'accept'
|
||||
set firewall name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall name local-iot rule 200 destination port '1900,1901,1902,57621'
|
||||
set firewall name local-iot rule 200 protocol 'udp'
|
||||
set firewall name local-iot rule 200 source group address-group 'sonos_controllers'
|
||||
set firewall name local-iot rule 999 action 'drop'
|
||||
set firewall name local-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name local-iot rule 999 state invalid 'enable'
|
||||
set firewall name local-iot rule 999 log 'enable'
|
||||
|
||||
# From LOCAL to LAN
|
||||
set firewall name local-lan default-action 'drop'
|
||||
set firewall name local-lan description 'From LOCAL to LAN'
|
||||
set firewall name local-lan enable-default-log
|
||||
set firewall name local-lan rule 999 action 'drop'
|
||||
set firewall name local-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name local-lan rule 999 state invalid 'enable'
|
||||
set firewall name local-lan rule 999 log 'enable'
|
||||
|
||||
# From LOCAL to SERVERS
|
||||
set firewall name local-servers default-action 'drop'
|
||||
set firewall name local-servers description 'From LOCAL to SERVERS'
|
||||
set firewall name local-servers enable-default-log
|
||||
set firewall name local-servers rule 40 action 'accept'
|
||||
set firewall name local-servers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name local-servers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name local-servers rule 40 protocol 'tcp_udp'
|
||||
set firewall name local-servers rule 70 action 'accept'
|
||||
set firewall name local-servers rule 70 description 'Rule: accept_bgp'
|
||||
set firewall name local-servers rule 70 destination port 'bgp'
|
||||
set firewall name local-servers rule 70 protocol 'tcp'
|
||||
set firewall name local-servers rule 100 action 'accept'
|
||||
set firewall name local-servers rule 100 description 'Rule: accept_k8s_api'
|
||||
set firewall name local-servers rule 100 destination port '6443'
|
||||
set firewall name local-servers rule 100 protocol 'tcp'
|
||||
set firewall name local-servers rule 200 action 'accept'
|
||||
set firewall name local-servers rule 200 description 'Rule: accept_vector_syslog'
|
||||
set firewall name local-servers rule 200 destination group address-group 'k8s_vector_aggregator'
|
||||
set firewall name local-servers rule 200 destination port '6001'
|
||||
set firewall name local-servers rule 200 protocol 'tcp'
|
||||
set firewall name local-servers rule 999 action 'drop'
|
||||
set firewall name local-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name local-servers rule 999 state invalid 'enable'
|
||||
set firewall name local-servers rule 999 log 'enable'
|
||||
|
||||
# From LOCAL to CONTAINERS
|
||||
set firewall name local-containers default-action 'accept'
|
||||
set firewall name local-containers description 'From LOCAL to CONTAINERS'
|
||||
set firewall name local-containers rule 40 action 'accept'
|
||||
set firewall name local-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name local-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name local-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall name local-containers rule 999 action 'drop'
|
||||
set firewall name local-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name local-containers rule 999 state invalid 'enable'
|
||||
set firewall name local-containers rule 999 log 'enable'
|
||||
|
||||
# From LOCAL to TRUSTED
|
||||
set firewall name local-trusted default-action 'drop'
|
||||
set firewall name local-trusted description 'From LOCAL to TRUSTED'
|
||||
set firewall name local-trusted enable-default-log
|
||||
set firewall name local-trusted rule 100 action 'accept'
|
||||
set firewall name local-trusted rule 100 description 'Rule: accept_igmp'
|
||||
set firewall name local-trusted rule 100 protocol '2'
|
||||
set firewall name local-trusted rule 110 action 'accept'
|
||||
set firewall name local-trusted rule 110 description 'Rule: accept_mdns'
|
||||
set firewall name local-trusted rule 110 destination port 'mdns'
|
||||
set firewall name local-trusted rule 110 protocol 'udp'
|
||||
set firewall name local-trusted rule 110 source port 'mdns'
|
||||
set firewall name local-trusted rule 200 action 'accept'
|
||||
set firewall name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall name local-trusted rule 200 destination port '1900,1901,1902'
|
||||
set firewall name local-trusted rule 200 protocol 'udp'
|
||||
set firewall name local-trusted rule 200 source group address-group 'sonos_players'
|
||||
set firewall name local-trusted rule 300 action 'accept'
|
||||
set firewall name local-trusted rule 300 description 'Rule: accept_wireguard'
|
||||
set firewall name local-trusted rule 300 source port '51820'
|
||||
set firewall name local-trusted rule 300 protocol 'udp'
|
||||
set firewall name local-trusted rule 999 action 'drop'
|
||||
set firewall name local-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name local-trusted rule 999 state invalid 'enable'
|
||||
set firewall name local-trusted rule 999 log 'enable'
|
||||
|
||||
# From LOCAL to VIDEO
|
||||
set firewall name local-video default-action 'drop'
|
||||
set firewall name local-video description 'From LOCAL to VIDEO'
|
||||
set firewall name local-video enable-default-log
|
||||
set firewall name local-video rule 999 action 'drop'
|
||||
set firewall name local-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name local-video rule 999 state invalid 'enable'
|
||||
set firewall name local-video rule 999 log 'enable'
|
||||
|
||||
# From LOCAL to WAN
|
||||
set firewall name local-wan default-action 'accept'
|
||||
set firewall name local-wan description 'From LOCAL to WAN'
|
||||
|
||||
# From WAN to IOT
|
||||
set firewall name wan-iot default-action 'drop'
|
||||
set firewall name wan-iot description 'From WAN to IOT'
|
||||
set firewall name wan-iot enable-default-log
|
||||
set firewall name wan-iot rule 999 action 'drop'
|
||||
set firewall name wan-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name wan-iot rule 999 state invalid 'enable'
|
||||
set firewall name wan-iot rule 999 log 'enable'
|
||||
|
||||
# From WAN to LAN
|
||||
set firewall name wan-lan default-action 'drop'
|
||||
set firewall name wan-lan description 'From WAN to LAN'
|
||||
set firewall name wan-lan enable-default-log
|
||||
set firewall name wan-lan rule 999 action 'drop'
|
||||
set firewall name wan-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name wan-lan rule 999 state invalid 'enable'
|
||||
set firewall name wan-lan rule 999 log 'enable'
|
||||
|
||||
# From WAN to LOCAL
|
||||
set firewall name wan-local default-action 'drop'
|
||||
set firewall name wan-local description 'From WAN to LOCAL'
|
||||
set firewall name wan-local enable-default-log
|
||||
set firewall name wan-local rule 1 action 'drop'
|
||||
set firewall name wan-local rule 1 description 'Rule: drop_invalid'
|
||||
set firewall name wan-local rule 1 state invalid 'enable'
|
||||
set firewall name wan-local rule 1 log 'enable'
|
||||
set firewall name wan-local rule 100 action 'accept'
|
||||
set firewall name wan-local rule 100 description 'Rule: accept_wireguard'
|
||||
set firewall name wan-local rule 100 destination port '51820'
|
||||
set firewall name wan-local rule 100 protocol 'udp'
|
||||
|
||||
# From WAN to SERVERS
|
||||
set firewall name wan-servers default-action 'drop'
|
||||
set firewall name wan-servers description 'From WAN to SERVERS'
|
||||
set firewall name wan-servers enable-default-log
|
||||
set firewall name wan-servers rule 100 action 'accept'
|
||||
set firewall name wan-servers rule 100 destination port 32400
|
||||
set firewall name wan-servers rule 100 protocol 'tcp'
|
||||
set firewall name wan-servers rule 100 destination address 10.1.1.12
|
||||
set firewall name wan-servers rule 999 action 'drop'
|
||||
set firewall name wan-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name wan-servers rule 999 state invalid 'enable'
|
||||
set firewall name wan-servers rule 999 log 'enable'
|
||||
|
||||
# From WAN to CONTAINERS
|
||||
set firewall name wan-containers default-action 'drop'
|
||||
set firewall name wan-containers description 'From WAN to CONTAINERS'
|
||||
set firewall name wan-containers enable-default-log
|
||||
set firewall name wan-containers rule 999 action 'drop'
|
||||
set firewall name wan-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name wan-containers rule 999 state invalid 'enable'
|
||||
set firewall name wan-containers rule 999 log 'enable'
|
||||
|
||||
# From WAN to TRUSTED
|
||||
set firewall name wan-trusted default-action 'drop'
|
||||
set firewall name wan-trusted description 'From WAN to TRUSTED'
|
||||
set firewall name wan-trusted enable-default-log
|
||||
set firewall name wan-trusted rule 999 action 'drop'
|
||||
set firewall name wan-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name wan-trusted rule 999 state invalid 'enable'
|
||||
set firewall name wan-trusted rule 999 log 'enable'
|
||||
|
||||
# From WAN to VIDEO
|
||||
set firewall name wan-video default-action 'drop'
|
||||
set firewall name wan-video description 'From WAN to VIDEO'
|
||||
set firewall name wan-video enable-default-log
|
||||
set firewall name wan-video rule 999 action 'drop'
|
||||
set firewall name wan-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name wan-video rule 999 state invalid 'enable'
|
||||
set firewall name wan-video rule 999 log 'enable'
|
||||
|
||||
# From LAN to IoT
|
||||
set firewall name lan-iot default-action 'drop'
|
||||
set firewall name lan-iot description 'From LAN to IOT'
|
||||
set firewall name lan-iot enable-default-log
|
||||
set firewall name lan-iot rule 999 action 'drop'
|
||||
set firewall name lan-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name lan-iot rule 999 state invalid 'enable'
|
||||
set firewall name lan-iot rule 999 log 'enable'
|
||||
|
||||
# From LAN to LOCAL
|
||||
set firewall name lan-local default-action 'drop'
|
||||
set firewall name lan-local description 'From LAN to LOCAL'
|
||||
set firewall name lan-local enable-default-log
|
||||
set firewall name lan-local rule 40 action 'accept'
|
||||
set firewall name lan-local rule 40 description 'Rule: accept_dns'
|
||||
set firewall name lan-local rule 40 destination port 'domain,domain-s'
|
||||
set firewall name lan-local rule 40 protocol 'tcp_udp'
|
||||
set firewall name lan-local rule 50 action 'accept'
|
||||
set firewall name lan-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall name lan-local rule 50 destination port '67,68'
|
||||
set firewall name lan-local rule 50 protocol 'udp'
|
||||
set firewall name lan-local rule 50 source port '67,68'
|
||||
set firewall name lan-local rule 60 action 'accept'
|
||||
set firewall name lan-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall name lan-local rule 60 destination port 'ntp'
|
||||
set firewall name lan-local rule 60 protocol 'udp'
|
||||
set firewall name lan-local rule 70 action 'accept'
|
||||
set firewall name lan-local rule 70 description 'Rule: accept_node_speed_exporter'
|
||||
set firewall name lan-local rule 70 destination port '9798,9100'
|
||||
set firewall name lan-local rule 70 protocol 'tcp'
|
||||
set firewall name lan-local rule 80 action 'accept'
|
||||
set firewall name lan-local rule 80 description 'Rule: accept perfmon3'
|
||||
set firewall name lan-local rule 80 destination port '5201'
|
||||
set firewall name lan-local rule 80 protocol 'tcp'
|
||||
set firewall name lan-local rule 999 action 'drop'
|
||||
set firewall name lan-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name lan-local rule 999 state invalid 'enable'
|
||||
set firewall name lan-local rule 999 log 'enable'
|
||||
|
||||
# From LAN to SERVERS
|
||||
set firewall name lan-servers default-action 'drop'
|
||||
set firewall name lan-servers description 'From LAN to SERVERS'
|
||||
set firewall name lan-servers enable-default-log
|
||||
set firewall name lan-servers rule 999 action 'drop'
|
||||
set firewall name lan-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name lan-servers rule 999 state invalid 'enable'
|
||||
set firewall name lan-servers rule 999 log 'enable'
|
||||
|
||||
# From LAN to CONTAINERS
|
||||
set firewall name lan-containers default-action 'accept'
|
||||
set firewall name lan-containers description 'From LAN to CONTAINERS'
|
||||
set firewall name lan-containers rule 40 action 'accept'
|
||||
set firewall name lan-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name lan-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name lan-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall name lan-containers rule 999 action 'drop'
|
||||
set firewall name lan-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name lan-containers rule 999 state invalid 'enable'
|
||||
set firewall name lan-containers rule 999 log 'enable'
|
||||
|
||||
# From LAN to TRUSTED
|
||||
set firewall name lan-trusted default-action 'drop'
|
||||
set firewall name lan-trusted description 'From LAN to TRUSTED'
|
||||
set firewall name lan-trusted enable-default-log
|
||||
set firewall name lan-trusted rule 999 action 'drop'
|
||||
set firewall name lan-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name lan-trusted rule 999 state invalid 'enable'
|
||||
set firewall name lan-trusted rule 999 log 'enable'
|
||||
|
||||
# From LAN to VIDEO
|
||||
set firewall name lan-video default-action 'drop'
|
||||
set firewall name lan-video description 'From LAN to VIDEO'
|
||||
set firewall name lan-video enable-default-log
|
||||
set firewall name lan-video rule 999 action 'drop'
|
||||
set firewall name lan-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name lan-video rule 999 state invalid 'enable'
|
||||
set firewall name lan-video rule 999 log 'enable'
|
||||
|
||||
# From LAN to WAN
|
||||
set firewall name lan-wan default-action 'accept'
|
||||
set firewall name lan-wan description 'From LAN to WAN'
|
||||
|
||||
# From SERVERS to IOT
|
||||
set firewall name servers-iot default-action 'drop'
|
||||
set firewall name servers-iot description 'From SERVERS to IOT'
|
||||
set firewall name servers-iot enable-default-log
|
||||
set firewall name servers-iot rule 100 action 'accept'
|
||||
set firewall name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall name servers-iot rule 100 protocol 'tcp'
|
||||
set firewall name servers-iot rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall name servers-iot rule 110 action 'accept'
|
||||
set firewall name servers-iot rule 110 description 'Rule: accept_k8s_nodes'
|
||||
set firewall name servers-iot rule 110 protocol 'icmp'
|
||||
set firewall name servers-iot rule 110 source group address-group 'k8s_nodes'
|
||||
set firewall name servers-iot rule 999 action 'drop'
|
||||
set firewall name servers-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name servers-iot rule 999 state invalid 'enable'
|
||||
set firewall name servers-iot rule 999 log 'enable'
|
||||
|
||||
# From SERVERS to LAN
|
||||
set firewall name servers-lan default-action 'drop'
|
||||
set firewall name servers-lan description 'From SERVERS to LAN'
|
||||
set firewall name servers-lan enable-default-log
|
||||
set firewall name servers-lan rule 999 action 'drop'
|
||||
set firewall name servers-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name servers-lan rule 999 state invalid 'enable'
|
||||
set firewall name servers-lan rule 999 log 'enable'
|
||||
|
||||
# From SERVERS to LOCAL
|
||||
set firewall name servers-local default-action 'drop'
|
||||
set firewall name servers-local description 'From SERVERS to LOCAL'
|
||||
set firewall name servers-local enable-default-log
|
||||
set firewall name servers-local rule 50 action 'accept'
|
||||
set firewall name servers-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall name servers-local rule 50 destination port '67,68'
|
||||
set firewall name servers-local rule 50 protocol 'udp'
|
||||
set firewall name servers-local rule 50 source port '67,68'
|
||||
set firewall name servers-local rule 60 action 'accept'
|
||||
set firewall name servers-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall name servers-local rule 60 destination port 'ntp'
|
||||
set firewall name servers-local rule 60 protocol 'udp'
|
||||
set firewall name servers-local rule 70 action 'accept'
|
||||
set firewall name servers-local rule 70 description 'Rule: accept_bgp'
|
||||
set firewall name servers-local rule 70 destination port 'bgp'
|
||||
set firewall name servers-local rule 70 protocol 'tcp'
|
||||
set firewall name servers-local rule 80 action 'accept'
|
||||
set firewall name servers-local rule 80 description 'Rule: accept_tftp'
|
||||
set firewall name servers-local rule 80 destination port '69'
|
||||
set firewall name servers-local rule 80 protocol 'udp'
|
||||
set firewall name servers-local rule 90 action 'accept'
|
||||
set firewall name servers-local rule 90 description 'Rule: accept_dns'
|
||||
set firewall name servers-local rule 90 destination port 'domain,domain-s'
|
||||
set firewall name servers-local rule 90 protocol 'tcp_udp'
|
||||
set firewall name servers-local rule 100 action 'accept'
|
||||
set firewall name servers-local rule 100 description 'Rule: accept_node_exporter_from_k8s_nodes'
|
||||
set firewall name servers-local rule 100 destination port '9100'
|
||||
set firewall name servers-local rule 100 protocol 'tcp'
|
||||
set firewall name servers-local rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall name servers-local rule 110 action 'accept'
|
||||
set firewall name servers-local rule 110 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
|
||||
set firewall name servers-local rule 110 destination port '9798'
|
||||
set firewall name servers-local rule 110 protocol 'tcp'
|
||||
set firewall name servers-local rule 110 source group address-group 'k8s_nodes'
|
||||
set firewall name servers-local rule 999 action 'drop'
|
||||
set firewall name servers-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name servers-local rule 999 state invalid 'enable'
|
||||
set firewall name servers-local rule 999 log 'enable'
|
||||
|
||||
# From SERVERS to CONTAINERS
|
||||
set firewall name servers-containers default-action 'accept'
|
||||
set firewall name servers-containers description 'From SERVERS to CONTAINERS'
|
||||
set firewall name servers-containers enable-default-log
|
||||
set firewall name servers-containers rule 40 action 'accept'
|
||||
set firewall name servers-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name servers-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name servers-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall name servers-containers rule 100 action 'accept'
|
||||
set firewall name servers-containers rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall name servers-containers rule 100 protocol 'tcp'
|
||||
set firewall name servers-containers rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall name servers-containers rule 999 action 'drop'
|
||||
set firewall name servers-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name servers-containers rule 999 state invalid 'enable'
|
||||
set firewall name servers-containers rule 999 log 'enable'
|
||||
|
||||
# From SERVERS to TRUSTED
|
||||
set firewall name servers-trusted default-action 'drop'
|
||||
set firewall name servers-trusted description 'From SERVERS to TRUSTED'
|
||||
set firewall name servers-trusted enable-default-log
|
||||
set firewall name servers-trusted rule 999 action 'drop'
|
||||
set firewall name servers-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name servers-trusted rule 999 state invalid 'enable'
|
||||
set firewall name servers-trusted rule 999 log 'enable'
|
||||
|
||||
# From SERVERS to VIDEO
|
||||
set firewall name servers-video default-action 'drop'
|
||||
set firewall name servers-video description 'From SERVERS to VIDEO'
|
||||
set firewall name servers-video enable-default-log
|
||||
set firewall name servers-video rule 100 action 'accept'
|
||||
set firewall name servers-video rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall name servers-video rule 100 protocol 'tcp_udp'
|
||||
set firewall name servers-video rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall name servers-video rule 999 action 'drop'
|
||||
set firewall name servers-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name servers-video rule 999 state invalid 'enable'
|
||||
set firewall name servers-video rule 999 log 'enable'
|
||||
|
||||
# From SERVERS to WAN
|
||||
set firewall name servers-wan default-action 'accept'
|
||||
set firewall name servers-wan description 'From SERVERS to WAN'
|
||||
|
||||
# From CONTAINERS to IOT
|
||||
set firewall name containers-iot default-action 'drop'
|
||||
set firewall name containers-iot description 'From CONTAINERS to IOT'
|
||||
set firewall name containers-iot enable-default-log
|
||||
set firewall name containers-iot rule 999 action 'drop'
|
||||
set firewall name containers-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name containers-iot rule 999 state invalid 'enable'
|
||||
set firewall name containers-iot rule 999 log 'enable'
|
||||
|
||||
# From CONTAINERS to LAN
|
||||
set firewall name containers-lan default-action 'drop'
|
||||
set firewall name containers-lan description 'From CONTAINERS to LAN'
|
||||
set firewall name containers-lan enable-default-log
|
||||
set firewall name containers-lan rule 999 action 'drop'
|
||||
set firewall name containers-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name containers-lan rule 999 state invalid 'enable'
|
||||
set firewall name containers-lan rule 999 log 'enable'
|
||||
|
||||
# From CONTAINERS to LOCAL
|
||||
set firewall name containers-local default-action 'drop'
|
||||
set firewall name containers-local description 'From CONTAINERS to LOCAL'
|
||||
set firewall name containers-local enable-default-log
|
||||
set firewall name containers-local rule 50 action 'accept'
|
||||
set firewall name containers-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall name containers-local rule 50 destination port '67,68'
|
||||
set firewall name containers-local rule 50 protocol 'udp'
|
||||
set firewall name containers-local rule 50 source port '67,68'
|
||||
set firewall name containers-local rule 60 action 'accept'
|
||||
set firewall name containers-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall name containers-local rule 60 destination port 'ntp'
|
||||
set firewall name containers-local rule 60 protocol 'udp'
|
||||
set firewall name containers-local rule 999 action 'drop'
|
||||
set firewall name containers-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name containers-local rule 999 state invalid 'enable'
|
||||
set firewall name containers-local rule 999 log 'enable'
|
||||
|
||||
# From CONTAINERS to SERVERS
|
||||
set firewall name containers-servers default-action 'accept'
|
||||
set firewall name containers-servers description 'From CONTAINERS to SERVERS'
|
||||
set firewall name containers-servers rule 999 action 'drop'
|
||||
set firewall name containers-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name containers-servers rule 999 state invalid 'enable'
|
||||
set firewall name containers-servers rule 999 log 'enable'
|
||||
|
||||
# From CONTAINERS to TRUSTED
|
||||
set firewall name containers-trusted default-action 'drop'
|
||||
set firewall name containers-trusted description 'From CONTAINERS to TRUSTED'
|
||||
set firewall name containers-trusted enable-default-log
|
||||
set firewall name containers-trusted rule 999 action 'drop'
|
||||
set firewall name containers-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name containers-trusted rule 999 state invalid 'enable'
|
||||
set firewall name containers-trusted rule 999 log 'enable'
|
||||
|
||||
# From CONTAINERS to VIDEO
|
||||
set firewall name containers-video default-action 'drop'
|
||||
set firewall name containers-video description 'From CONTAINERS to VIDEO'
|
||||
set firewall name containers-video enable-default-log
|
||||
set firewall name containers-video rule 999 action 'drop'
|
||||
set firewall name containers-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name containers-video rule 999 state invalid 'enable'
|
||||
set firewall name containers-video rule 999 log 'enable'
|
||||
|
||||
# From CONTAINERS to WAN
|
||||
set firewall name containers-wan default-action 'accept'
|
||||
set firewall name containers-wan description 'From CONTAINERS to WAN'
|
||||
|
||||
# From TRUSTED to IOT
|
||||
set firewall name trusted-iot default-action 'accept'
|
||||
set firewall name trusted-iot description 'From TRUSTED to IOT'
|
||||
set firewall name trusted-iot rule 100 action 'accept'
|
||||
set firewall name trusted-iot rule 100 description 'Rule: accept_app_control_from_sonos_controllers_tcp'
|
||||
set firewall name trusted-iot rule 100 destination port '80,443,445,1400,3400,3401,3500,4070,4444'
|
||||
set firewall name trusted-iot rule 100 protocol 'tcp'
|
||||
set firewall name trusted-iot rule 100 source group address-group 'sonos_controllers'
|
||||
set firewall name trusted-iot rule 110 action 'accept'
|
||||
set firewall name trusted-iot rule 110 description 'Rule: accept_app_control_from_sonos_controllers_udp'
|
||||
set firewall name trusted-iot rule 110 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969'
|
||||
set firewall name trusted-iot rule 110 protocol 'udp'
|
||||
set firewall name trusted-iot rule 110 source group address-group 'sonos_controllers'
|
||||
set firewall name trusted-iot rule 999 action 'drop'
|
||||
set firewall name trusted-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name trusted-iot rule 999 state invalid 'enable'
|
||||
set firewall name trusted-iot rule 999 log 'enable'
|
||||
|
||||
# From TRUSTED to LAN
|
||||
set firewall name trusted-lan default-action 'accept'
|
||||
set firewall name trusted-lan description 'From TRUSTED to LAN'
|
||||
set firewall name trusted-lan rule 999 action 'drop'
|
||||
set firewall name trusted-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name trusted-lan rule 999 state invalid 'enable'
|
||||
set firewall name trusted-lan rule 999 log 'enable'
|
||||
|
||||
# From TRUSTED to LOCAL
|
||||
set firewall name trusted-local default-action 'drop'
|
||||
set firewall name trusted-local description 'From TRUSTED to LOCAL'
|
||||
set firewall name trusted-local enable-default-log
|
||||
set firewall name trusted-local rule 50 action 'accept'
|
||||
set firewall name trusted-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall name trusted-local rule 50 destination port '67,68'
|
||||
set firewall name trusted-local rule 50 protocol 'udp'
|
||||
set firewall name trusted-local rule 50 source port '67,68'
|
||||
set firewall name trusted-local rule 60 action 'accept'
|
||||
set firewall name trusted-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall name trusted-local rule 60 destination port 'ntp'
|
||||
set firewall name trusted-local rule 60 protocol 'udp'
|
||||
set firewall name trusted-local rule 100 action 'accept'
|
||||
set firewall name trusted-local rule 100 description 'Rule: accept_igmp'
|
||||
set firewall name trusted-local rule 100 protocol '2'
|
||||
set firewall name trusted-local rule 110 action 'accept'
|
||||
set firewall name trusted-local rule 110 description 'Rule: accept_mdns'
|
||||
set firewall name trusted-local rule 110 destination port 'mdns'
|
||||
set firewall name trusted-local rule 110 protocol 'udp'
|
||||
set firewall name trusted-local rule 110 source port 'mdns'
|
||||
set firewall name trusted-local rule 120 action 'accept'
|
||||
set firewall name trusted-local rule 120 description 'Rule: accept_dns'
|
||||
set firewall name trusted-local rule 120 destination port 'domain,domain-s'
|
||||
set firewall name trusted-local rule 120 protocol 'tcp_udp'
|
||||
set firewall name trusted-local rule 200 action 'accept'
|
||||
set firewall name trusted-local rule 200 description 'Rule: accept_ssh'
|
||||
set firewall name trusted-local rule 200 destination port 'ssh'
|
||||
set firewall name trusted-local rule 200 protocol 'tcp'
|
||||
set firewall name trusted-local rule 210 action 'accept'
|
||||
set firewall name trusted-local rule 210 description 'Rule: accept_vyos_api'
|
||||
set firewall name trusted-local rule 210 destination port '8443'
|
||||
set firewall name trusted-local rule 210 protocol 'tcp'
|
||||
set firewall name trusted-local rule 220 action 'accept'
|
||||
set firewall name trusted-local rule 220 description 'Rule: accept_wireguard'
|
||||
set firewall name trusted-local rule 220 destination port '51820'
|
||||
set firewall name trusted-local rule 220 protocol 'udp'
|
||||
set firewall name trusted-local rule 300 action 'accept'
|
||||
set firewall name trusted-local rule 300 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall name trusted-local rule 300 destination port '1900,1901,1902'
|
||||
set firewall name trusted-local rule 300 protocol 'udp'
|
||||
set firewall name trusted-local rule 300 source group address-group 'sonos_players'
|
||||
set firewall name trusted-local rule 310 action 'accept'
|
||||
set firewall name trusted-local rule 310 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall name trusted-local rule 310 destination port '1900,1901,1902,57621'
|
||||
set firewall name trusted-local rule 310 protocol 'udp'
|
||||
set firewall name trusted-local rule 310 source group address-group 'sonos_controllers'
|
||||
set firewall name trusted-local rule 999 action 'drop'
|
||||
set firewall name trusted-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name trusted-local rule 999 state invalid 'enable'
|
||||
set firewall name trusted-local rule 999 log 'enable'
|
||||
|
||||
# From TRUSTED to SERVERS
|
||||
set firewall name trusted-servers default-action 'accept'
|
||||
set firewall name trusted-servers description 'From TRUSTED to SERVERS'
|
||||
set firewall name trusted-servers rule 999 action 'drop'
|
||||
set firewall name trusted-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name trusted-servers rule 999 state invalid 'enable'
|
||||
set firewall name trusted-servers rule 999 log 'enable'
|
||||
|
||||
# From TRUSTED to CONTAINERS
|
||||
set firewall name trusted-containers default-action 'accept'
|
||||
set firewall name trusted-containers description 'From TRUSTED to CONTAINERS'
|
||||
set firewall name trusted-containers rule 40 action 'accept'
|
||||
set firewall name trusted-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name trusted-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name trusted-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall name trusted-containers rule 999 action 'drop'
|
||||
set firewall name trusted-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name trusted-containers rule 999 state invalid 'enable'
|
||||
set firewall name trusted-containers rule 999 log 'enable'
|
||||
|
||||
# From TRUSTED to VIDEO
|
||||
set firewall name trusted-video default-action 'accept'
|
||||
set firewall name trusted-video description 'From TRUSTED to VIDEO'
|
||||
set firewall name trusted-video rule 999 action 'drop'
|
||||
set firewall name trusted-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name trusted-video rule 999 state invalid 'enable'
|
||||
set firewall name trusted-video rule 999 log 'enable'
|
||||
|
||||
# From TRUSTED to WAN
|
||||
set firewall name trusted-wan default-action 'accept'
|
||||
set firewall name trusted-wan description 'From TRUSTED to WAN'
|
||||
|
||||
# From IOT to LAN
|
||||
set firewall name iot-lan default-action 'drop'
|
||||
set firewall name iot-lan description 'From IOT to LAN'
|
||||
set firewall name iot-lan enable-default-log
|
||||
set firewall name iot-lan rule 999 action 'drop'
|
||||
set firewall name iot-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name iot-lan rule 999 state invalid 'enable'
|
||||
set firewall name iot-lan rule 999 log 'enable'
|
||||
|
||||
# From IOT to LOCAL
|
||||
set firewall name iot-local default-action 'drop'
|
||||
set firewall name iot-local description 'From IOT to LOCAL'
|
||||
set firewall name iot-local enable-default-log
|
||||
set firewall name iot-local rule 50 action 'accept'
|
||||
set firewall name iot-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall name iot-local rule 50 destination port '67,68'
|
||||
set firewall name iot-local rule 50 protocol 'udp'
|
||||
set firewall name iot-local rule 50 source port '67,68'
|
||||
set firewall name iot-local rule 60 action 'accept'
|
||||
set firewall name iot-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall name iot-local rule 60 destination port 'ntp'
|
||||
set firewall name iot-local rule 60 protocol 'udp'
|
||||
set firewall name iot-local rule 100 action 'accept'
|
||||
set firewall name iot-local rule 100 description 'Rule: accept_igmp'
|
||||
set firewall name iot-local rule 100 protocol '2'
|
||||
set firewall name iot-local rule 110 action 'accept'
|
||||
set firewall name iot-local rule 110 description 'Rule: accept_mdns'
|
||||
set firewall name iot-local rule 110 destination port 'mdns'
|
||||
set firewall name iot-local rule 110 protocol 'udp'
|
||||
set firewall name iot-local rule 110 source port 'mdns'
|
||||
set firewall name iot-local rule 120 action 'accept'
|
||||
set firewall name iot-local rule 120 description 'Rule: accept_dns'
|
||||
set firewall name iot-local rule 120 destination port 'domain,domain-s'
|
||||
set firewall name iot-local rule 120 protocol 'tcp_udp'
|
||||
set firewall name iot-local rule 200 action 'accept'
|
||||
set firewall name iot-local rule 200 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall name iot-local rule 200 destination port '1900,1901,1902'
|
||||
set firewall name iot-local rule 200 protocol 'udp'
|
||||
set firewall name iot-local rule 200 source group address-group 'sonos_players'
|
||||
set firewall name iot-local rule 210 action 'accept'
|
||||
set firewall name iot-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall name iot-local rule 210 destination port '1900,1901,1902,57621'
|
||||
set firewall name iot-local rule 210 protocol 'udp'
|
||||
set firewall name iot-local rule 210 source group address-group 'sonos_controllers'
|
||||
set firewall name iot-local rule 999 action 'drop'
|
||||
set firewall name iot-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name iot-local rule 999 state invalid 'enable'
|
||||
set firewall name iot-local rule 999 log 'enable'
|
||||
|
||||
# From IOT to SERVERS
|
||||
set firewall name iot-servers default-action 'drop'
|
||||
set firewall name iot-servers description 'From IOT to SERVERS'
|
||||
set firewall name iot-servers enable-default-log
|
||||
set firewall name iot-servers rule 100 action 'accept'
|
||||
set firewall name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
|
||||
set firewall name iot-servers rule 100 destination group address-group 'nas'
|
||||
set firewall name iot-servers rule 100 destination port 'microsoft-ds'
|
||||
set firewall name iot-servers rule 100 protocol 'tcp'
|
||||
set firewall name iot-servers rule 100 source group address-group 'scanners'
|
||||
set firewall name iot-servers rule 200 action 'accept'
|
||||
set firewall name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
|
||||
set firewall name iot-servers rule 200 destination group address-group 'k8s_plex'
|
||||
set firewall name iot-servers rule 200 destination port '32400'
|
||||
set firewall name iot-servers rule 200 protocol 'tcp'
|
||||
set firewall name iot-servers rule 200 source group address-group 'plex_clients'
|
||||
set firewall name iot-servers rule 210 action 'accept'
|
||||
set firewall name iot-servers rule 300 action 'accept'
|
||||
set firewall name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
|
||||
set firewall name iot-servers rule 300 destination group address-group 'k8s_mqtt'
|
||||
set firewall name iot-servers rule 300 destination port '1883'
|
||||
set firewall name iot-servers rule 300 protocol 'tcp'
|
||||
set firewall name iot-servers rule 300 source group address-group 'mqtt_clients'
|
||||
set firewall name iot-servers rule 310 action 'accept'
|
||||
set firewall name iot-servers rule 310 description 'Rule: accept_mqtt_from_esp'
|
||||
set firewall name iot-servers rule 310 destination group address-group 'k8s_mqtt'
|
||||
set firewall name iot-servers rule 310 destination port '1883'
|
||||
set firewall name iot-servers rule 310 protocol 'tcp'
|
||||
set firewall name iot-servers rule 310 source group address-group 'esp'
|
||||
set firewall name iot-servers rule 400 action 'accept'
|
||||
set firewall name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
|
||||
set firewall name iot-servers rule 400 destination group address-group 'k8s_ingress'
|
||||
set firewall name iot-servers rule 400 destination port 'http,https'
|
||||
set firewall name iot-servers rule 400 protocol 'tcp'
|
||||
set firewall name iot-servers rule 400 source group address-group 'sonos_players'
|
||||
set firewall name iot-servers rule 420 action 'accept'
|
||||
set firewall name iot-servers rule 420 description 'Rule: accept_k8s_ingress_from_allowed_devices'
|
||||
set firewall name iot-servers rule 420 destination group address-group 'k8s_ingress'
|
||||
set firewall name iot-servers rule 420 destination port 'http,https'
|
||||
set firewall name iot-servers rule 420 protocol 'tcp'
|
||||
set firewall name iot-servers rule 420 source group address-group 'k8s_ingress_allowed'
|
||||
set firewall name iot-servers rule 500 action 'accept'
|
||||
set firewall name iot-servers rule 500 description 'Rule: accept_vector_journald_from_allowed_devices'
|
||||
set firewall name iot-servers rule 500 destination group address-group 'k8s_vector_aggregator'
|
||||
set firewall name iot-servers rule 500 destination port '6002'
|
||||
set firewall name iot-servers rule 500 protocol 'tcp'
|
||||
set firewall name iot-servers rule 500 source group address-group 'vector_journald_allowed'
|
||||
set firewall name iot-servers rule 999 action 'drop'
|
||||
set firewall name iot-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name iot-servers rule 999 state invalid 'enable'
|
||||
set firewall name iot-servers rule 999 log 'enable'
|
||||
|
||||
# From IOT to CONTAINERS
|
||||
set firewall name iot-containers default-action 'accept'
|
||||
set firewall name iot-containers description 'From IOT to CONTAINERS'
|
||||
set firewall name iot-containers rule 40 action 'accept'
|
||||
set firewall name iot-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name iot-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name iot-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall name iot-containers rule 999 action 'drop'
|
||||
set firewall name iot-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name iot-containers rule 999 state invalid 'enable'
|
||||
set firewall name iot-containers rule 999 log 'enable'
|
||||
|
||||
# From IOT to TRUSTED
|
||||
set firewall name iot-trusted default-action 'drop'
|
||||
set firewall name iot-trusted description 'From IOT to TRUSTED'
|
||||
set firewall name iot-trusted enable-default-log
|
||||
set firewall name iot-trusted rule 100 action 'accept'
|
||||
set firewall name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
|
||||
set firewall name iot-trusted rule 100 destination group address-group 'sonos_controllers'
|
||||
set firewall name iot-trusted rule 100 destination port '30000-65535'
|
||||
set firewall name iot-trusted rule 100 protocol 'udp'
|
||||
set firewall name iot-trusted rule 100 source group address-group 'sonos_players'
|
||||
set firewall name iot-trusted rule 110 action 'accept'
|
||||
set firewall name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
|
||||
set firewall name iot-trusted rule 110 destination group address-group 'sonos_controllers'
|
||||
set firewall name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
|
||||
set firewall name iot-trusted rule 110 protocol 'tcp'
|
||||
set firewall name iot-trusted rule 110 source group address-group 'sonos_players'
|
||||
set firewall name iot-trusted rule 999 action 'drop'
|
||||
set firewall name iot-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name iot-trusted rule 999 state invalid 'enable'
|
||||
set firewall name iot-trusted rule 999 log 'enable'
|
||||
|
||||
# From IOT to VIDEO
|
||||
set firewall name iot-video default-action 'drop'
|
||||
set firewall name iot-video description 'From IOT to VIDEO'
|
||||
set firewall name iot-video enable-default-log
|
||||
set firewall name iot-video rule 100 action 'accept'
|
||||
set firewall name iot-video rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall name iot-video rule 100 protocol 'tcp'
|
||||
set firewall name iot-video rule 100 source group address-group 'k8s_nodes'
|
||||
set firewall name iot-video rule 999 action 'drop'
|
||||
set firewall name iot-video rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name iot-video rule 999 state invalid 'enable'
|
||||
set firewall name iot-video rule 999 log 'enable'
|
||||
|
||||
# From IOT to WAN
|
||||
set firewall name iot-wan default-action 'accept'
|
||||
set firewall name iot-wan description 'From IOT to WAN'
|
||||
|
||||
# From VIDEO to IOT
|
||||
set firewall name video-iot default-action 'drop'
|
||||
set firewall name video-iot description 'From VIDEO to IOT'
|
||||
set firewall name video-iot enable-default-log
|
||||
set firewall name video-iot rule 100 action 'accept'
|
||||
set firewall name video-iot rule 100 description 'Rule: allow connecting to hass'
|
||||
set firewall name video-iot rule 100 protocol 'tcp'
|
||||
set firewall name video-iot rule 100 destination group address-group 'k8s_hass'
|
||||
set firewall name video-iot rule 100 destination port '8123'
|
||||
set firewall name video-iot rule 999 action 'drop'
|
||||
set firewall name video-iot rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name video-iot rule 999 state invalid 'enable'
|
||||
set firewall name video-iot rule 999 log 'enable'
|
||||
|
||||
# From VIDEO to LAN
|
||||
set firewall name video-lan default-action 'drop'
|
||||
set firewall name video-lan description 'From VIDEO to LAN'
|
||||
set firewall name video-lan enable-default-log
|
||||
set firewall name video-lan rule 999 action 'drop'
|
||||
set firewall name video-lan rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name video-lan rule 999 state invalid 'enable'
|
||||
set firewall name video-lan rule 999 log 'enable'
|
||||
|
||||
# From VIDEO to LOCAL
|
||||
set firewall name video-local default-action 'drop'
|
||||
set firewall name video-local description 'From VIDEO to LOCAL'
|
||||
set firewall name video-local enable-default-log
|
||||
set firewall name video-local rule 50 action 'accept'
|
||||
set firewall name video-local rule 50 description 'Rule: accept_dhcp'
|
||||
set firewall name video-local rule 50 destination port '67,68'
|
||||
set firewall name video-local rule 50 protocol 'udp'
|
||||
set firewall name video-local rule 50 source port '67,68'
|
||||
set firewall name video-local rule 60 action 'accept'
|
||||
set firewall name video-local rule 60 description 'Rule: accept_ntp'
|
||||
set firewall name video-local rule 60 destination port 'ntp'
|
||||
set firewall name video-local rule 60 protocol 'udp'
|
||||
set firewall name video-local rule 999 action 'drop'
|
||||
set firewall name video-local rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name video-local rule 999 state invalid 'enable'
|
||||
set firewall name video-local rule 999 log 'enable'
|
||||
|
||||
# From VIDEO to SERVERS
|
||||
set firewall name video-servers default-action 'drop'
|
||||
set firewall name video-servers description 'From VIDEO to SERVERS'
|
||||
set firewall name video-servers enable-default-log
|
||||
set firewall name video-servers rule 100 action 'accept'
|
||||
set firewall name video-servers rule 100 description 'Rule: accept_k8s_nodes'
|
||||
set firewall name video-servers rule 100 protocol 'udp'
|
||||
set firewall name video-servers rule 100 destination group address-group 'k8s_nodes'
|
||||
set firewall name video-servers rule 100 source port '6987-6989'
|
||||
set firewall name video-servers rule 999 action 'drop'
|
||||
set firewall name video-servers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name video-servers rule 999 state invalid 'enable'
|
||||
set firewall name video-servers rule 999 log 'enable'
|
||||
|
||||
# From VIDEO to CONTAINERS
|
||||
set firewall name video-containers default-action 'accept'
|
||||
set firewall name video-containers description 'From VIDEO to CONTAINERS'
|
||||
set firewall name video-containers rule 40 action 'accept'
|
||||
set firewall name video-containers rule 40 description 'Rule: accept_dns'
|
||||
set firewall name video-containers rule 40 destination port 'domain,domain-s'
|
||||
set firewall name video-containers rule 40 protocol 'tcp_udp'
|
||||
set firewall name video-containers rule 999 action 'drop'
|
||||
set firewall name video-containers rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name video-containers rule 999 state invalid 'enable'
|
||||
set firewall name video-containers rule 999 log 'enable'
|
||||
|
||||
# From VIDEO to TRUSTED
|
||||
set firewall name video-trusted default-action 'drop'
|
||||
set firewall name video-trusted description 'From VIDEO to TRUSTED'
|
||||
set firewall name video-trusted enable-default-log
|
||||
set firewall name video-trusted rule 999 action 'drop'
|
||||
set firewall name video-trusted rule 999 description 'Rule: drop_invalid'
|
||||
set firewall name video-trusted rule 999 state invalid 'enable'
|
||||
set firewall name video-trusted rule 999 log 'enable'
|
||||
|
||||
# From VIDEO to WAN
|
||||
set firewall name video-wan default-action 'drop'
|
||||
set firewall name video-wan description 'From VIDEO to WAN'
|
|
@ -1,5 +1,27 @@
|
|||
#!/bin/vbash
|
||||
|
||||
# iot
|
||||
set firewall zone iot default-action 'drop'
|
||||
set firewall zone iot from lan firewall name 'lan-iot'
|
||||
set firewall zone iot from local firewall name 'local-iot'
|
||||
set firewall zone iot from servers firewall name 'servers-iot'
|
||||
set firewall zone iot from containers firewall name 'containers-iot'
|
||||
set firewall zone iot from trusted firewall name 'trusted-iot'
|
||||
set firewall zone iot from video firewall name 'video-iot'
|
||||
set firewall zone iot from wan firewall name 'wan-iot'
|
||||
set firewall zone iot interface 'eth4.30'
|
||||
|
||||
# lan
|
||||
set firewall zone lan default-action 'drop'
|
||||
set firewall zone lan from iot firewall name 'iot-lan'
|
||||
set firewall zone lan from local firewall name 'local-lan'
|
||||
set firewall zone lan from servers firewall name 'servers-lan'
|
||||
set firewall zone lan from containers firewall name 'containers-lan'
|
||||
set firewall zone lan from trusted firewall name 'trusted-lan'
|
||||
set firewall zone lan from video firewall name 'video-lan'
|
||||
set firewall zone lan from wan firewall name 'wan-lan'
|
||||
set firewall zone lan interface 'eth4'
|
||||
|
||||
# local
|
||||
set firewall zone local default-action 'drop'
|
||||
set firewall zone local description 'Local router zone'
|
||||
|
@ -12,26 +34,16 @@ set firewall zone local from video firewall name 'video-local'
|
|||
set firewall zone local from wan firewall name 'wan-local'
|
||||
set firewall zone local local-zone
|
||||
|
||||
# wan
|
||||
set firewall zone wan from iot firewall name 'iot-wan'
|
||||
set firewall zone wan from lan firewall name 'lan-wan'
|
||||
set firewall zone wan from local firewall name 'local-wan'
|
||||
set firewall zone wan from servers firewall name 'servers-wan'
|
||||
set firewall zone wan from containers firewall name 'containers-wan'
|
||||
set firewall zone wan from trusted firewall name 'trusted-wan'
|
||||
set firewall zone wan from video firewall name 'video-wan'
|
||||
set firewall zone wan interface 'eth0'
|
||||
|
||||
# lan
|
||||
set firewall zone lan default-action 'drop'
|
||||
set firewall zone lan from iot firewall name 'iot-lan'
|
||||
set firewall zone lan from local firewall name 'local-lan'
|
||||
set firewall zone lan from servers firewall name 'servers-lan'
|
||||
set firewall zone lan from containers firewall name 'containers-lan'
|
||||
set firewall zone lan from trusted firewall name 'trusted-lan'
|
||||
set firewall zone lan from video firewall name 'video-lan'
|
||||
set firewall zone lan from wan firewall name 'wan-lan'
|
||||
set firewall zone lan interface 'eth1'
|
||||
# servers
|
||||
set firewall zone servers default-action 'drop'
|
||||
set firewall zone servers from iot firewall name 'iot-servers'
|
||||
set firewall zone servers from lan firewall name 'lan-servers'
|
||||
set firewall zone servers from local firewall name 'local-servers'
|
||||
set firewall zone servers from containers firewall name 'containers-servers'
|
||||
set firewall zone servers from trusted firewall name 'trusted-servers'
|
||||
set firewall zone servers from video firewall name 'video-servers'
|
||||
set firewall zone servers from wan firewall name 'wan-servers'
|
||||
set firewall zone servers interface 'eth4.10'
|
||||
|
||||
# containers
|
||||
set firewall zone containers default-action 'drop'
|
||||
|
@ -45,17 +57,6 @@ set firewall zone containers from video firewall name 'video-containers'
|
|||
set firewall zone containers from wan firewall name 'wan-containers'
|
||||
set firewall zone containers interface 'pod-containers'
|
||||
|
||||
# servers
|
||||
set firewall zone servers default-action 'drop'
|
||||
set firewall zone servers from iot firewall name 'iot-servers'
|
||||
set firewall zone servers from lan firewall name 'lan-servers'
|
||||
set firewall zone servers from local firewall name 'local-servers'
|
||||
set firewall zone servers from containers firewall name 'containers-servers'
|
||||
set firewall zone servers from trusted firewall name 'trusted-servers'
|
||||
set firewall zone servers from video firewall name 'video-servers'
|
||||
set firewall zone servers from wan firewall name 'wan-servers'
|
||||
set firewall zone servers interface 'eth1.10'
|
||||
|
||||
# trusted
|
||||
set firewall zone trusted default-action 'drop'
|
||||
set firewall zone trusted from iot firewall name 'iot-trusted'
|
||||
|
@ -65,20 +66,9 @@ set firewall zone trusted from servers firewall name 'servers-trusted'
|
|||
set firewall zone trusted from containers firewall name 'containers-trusted'
|
||||
set firewall zone trusted from video firewall name 'video-trusted'
|
||||
set firewall zone trusted from wan firewall name 'wan-trusted'
|
||||
set firewall zone trusted interface 'eth1.20'
|
||||
set firewall zone trusted interface 'eth4.20'
|
||||
set firewall zone trusted interface 'wg01'
|
||||
|
||||
# iot
|
||||
set firewall zone iot default-action 'drop'
|
||||
set firewall zone iot from lan firewall name 'lan-iot'
|
||||
set firewall zone iot from local firewall name 'local-iot'
|
||||
set firewall zone iot from servers firewall name 'servers-iot'
|
||||
set firewall zone iot from containers firewall name 'containers-iot'
|
||||
set firewall zone iot from trusted firewall name 'trusted-iot'
|
||||
set firewall zone iot from video firewall name 'video-iot'
|
||||
set firewall zone iot from wan firewall name 'wan-iot'
|
||||
set firewall zone iot interface 'eth1.30'
|
||||
|
||||
# video
|
||||
set firewall zone video default-action 'drop'
|
||||
set firewall zone video from iot firewall name 'iot-video'
|
||||
|
@ -88,5 +78,15 @@ set firewall zone video from servers firewall name 'servers-video'
|
|||
set firewall zone video from containers firewall name 'containers-video'
|
||||
set firewall zone video from trusted firewall name 'trusted-video'
|
||||
set firewall zone video from wan firewall name 'wan-video'
|
||||
set firewall zone video interface 'eth1.40'
|
||||
set firewall zone video interface 'eth4.40'
|
||||
set firewall zone wan default-action 'drop'
|
||||
|
||||
# wan
|
||||
set firewall zone wan from iot firewall name 'iot-wan'
|
||||
set firewall zone wan from lan firewall name 'lan-wan'
|
||||
set firewall zone wan from local firewall name 'local-wan'
|
||||
set firewall zone wan from servers firewall name 'servers-wan'
|
||||
set firewall zone wan from containers firewall name 'containers-wan'
|
||||
set firewall zone wan from trusted firewall name 'trusted-wan'
|
||||
set firewall zone wan from video firewall name 'video-wan'
|
||||
set firewall zone wan interface 'eth0'
|
|
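Review bot: The wan zone still binds `set firewall zone wan interface 'eth0'` in the last hunk, while the interfaces and NAT hunks in this same compare appear to move the WAN uplink to `eth5`; if eth0 no longer exists on the new side, the wan zone has no member interface and traffic arriving on eth5 is not matched by any `wan-*` ruleset, so this needs to be verified before the change lands. Whether an interface that belongs to no zone is filtered at all depends on the VyOS release, so the safe assumption is that it is not. As a point of style, `set firewall zone wan default-action 'drop'` sits above the `# wan` header comment rather than inside the block it belongs to; move it below `# wan` next to the other `set firewall zone wan` lines so the drop default is visible where a reader looks for it.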
@ -1,87 +1,20 @@
|
|||
#!/bin/vbash
|
||||
|
||||
# General configuration
|
||||
set firewall state-policy established action 'accept'
|
||||
set firewall state-policy invalid action 'drop'
|
||||
set firewall state-policy related action 'accept'
|
||||
set firewall global-options state-policy established action 'accept'
|
||||
set firewall global-options state-policy related action 'accept'
|
||||
set firewall global-options all-ping 'enable'
|
||||
|
||||
# Address Groups
|
||||
set firewall group address-group ios_devices address '10.1.2.31'
|
||||
set firewall group address-group ios_devices address '10.1.2.32'
|
||||
set firewall group address-group ios_devices address '10.1.2.33'
|
||||
set firewall group address-group ios_devices address '10.1.2.34'
|
||||
set firewall group address-group ios_devices address '10.1.2.35'
|
||||
set firewall group address-group ios_devices address '10.1.2.36'
|
||||
|
||||
set firewall group address-group esp address '10.1.3.21'
|
||||
|
||||
set firewall group address-group router-addresses address 10.0.0.1
|
||||
set firewall group address-group router-addresses address 127.0.0.1
|
||||
set firewall group address-group k8s_nodes address '10.1.1.61-63' # master nodes
|
||||
set firewall group address-group k8s_nodes address '10.1.1.41-46' # worker nodes
|
||||
set firewall group address-group k8s_api address '10.5.0.2'
|
||||
|
||||
# external nginx
|
||||
set firewall group address-group k8s_ingress address '10.45.0.1'
|
||||
# internal nginx
|
||||
set firewall group address-group k8s_ingress address '10.45.0.3'
|
||||
|
||||
set firewall group address-group k8s_ingress_allowed address '10.1.3.35'
|
||||
set firewall group address-group k8s_ingress_allowed address '10.1.3.36'
|
||||
|
||||
set firewall group address-group k8s_mqtt address '10.45.0.10'
|
||||
|
||||
set firewall group address-group k8s_nodes address '10.1.1.41'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.42'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.43'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.44'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.45'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.46'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.61'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.62'
|
||||
set firewall group address-group k8s_nodes address '10.1.1.63'
|
||||
|
||||
set firewall group address-group k8s_hass address '10.45.0.5'
|
||||
set firewall group address-group k8s_plex address '10.45.0.20'
|
||||
set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx
|
||||
set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx
|
||||
set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
|
||||
|
||||
set firewall group address-group mqtt_clients address '10.1.2.21'
|
||||
set firewall group address-group mqtt_clients address '10.1.2.32'
|
||||
set firewall group address-group mqtt_clients address '10.1.3.18'
|
||||
set firewall group address-group mqtt_clients address '10.1.3.22'
|
||||
set firewall group address-group mqtt_clients address '10.1.3.56'
|
||||
set firewall group address-group mqtt_clients address '10.1.3.33' # SwitchBot Plug Mini 1
|
||||
set firewall group address-group mqtt_clients address '10.1.3.34' # SwitchBot Plug Mini 2
|
||||
set firewall group address-group mqtt_clients address '10.1.3.35' # SwitchBot Plug Mini 3
|
||||
set firewall group address-group mqtt_clients address '10.1.3.36' # SwitchBot Plug Mini 4
|
||||
|
||||
set firewall group address-group hass_clients address '10.1.4.12'
|
||||
|
||||
set firewall group address-group nas address '10.1.1.11'
|
||||
|
||||
set firewall group address-group plex_clients address '10.1.2.21'
|
||||
set firewall group address-group plex_clients address '10.1.2.31'
|
||||
set firewall group address-group plex_clients address '10.1.2.32'
|
||||
set firewall group address-group plex_clients address '10.1.2.33'
|
||||
set firewall group address-group plex_clients address '10.1.2.34'
|
||||
set firewall group address-group plex_clients address '10.1.2.35'
|
||||
set firewall group address-group plex_clients address '10.1.2.36'
|
||||
set firewall group address-group plex_clients address '10.1.3.16'
|
||||
|
||||
set firewall group address-group printers address '10.1.3.55'
|
||||
|
||||
set firewall group address-group printer_allowed address '192.168.2.11'
|
||||
|
||||
set firewall group address-group sonos_controllers address '10.1.2.21'
|
||||
set firewall group address-group sonos_controllers address '10.1.2.31'
|
||||
set firewall group address-group sonos_controllers address '10.1.2.32'
|
||||
set firewall group address-group sonos_controllers address '10.1.2.33'
|
||||
set firewall group address-group sonos_controllers address '10.1.2.34'
|
||||
set firewall group address-group sonos_controllers address '10.1.2.36'
|
||||
|
||||
set firewall group address-group sonos_players address '10.1.3.71'
|
||||
set firewall group address-group sonos_players address '10.1.3.72'
|
||||
set firewall group address-group sonos_players address '10.1.3.73'
|
||||
set firewall group address-group sonos_players address '10.1.3.74'
|
||||
|
||||
set firewall group address-group scanners address '10.1.3.55'
|
||||
|
||||
set firewall group address-group nas address '10.1.1.11-12'
|
||||
set firewall group address-group unifi_devices address '10.1.0.11'
|
||||
set firewall group address-group unifi_devices address '10.1.0.12'
|
||||
set firewall group address-group unifi_devices address '10.1.0.13'
|
||||
|
@ -89,15 +22,10 @@ set firewall group address-group unifi_devices address '10.1.0.21'
|
|||
set firewall group address-group unifi_devices address '10.1.0.22'
|
||||
set firewall group address-group unifi_devices address '10.1.0.23'
|
||||
set firewall group address-group unifi_devices address '10.1.0.24'
|
||||
|
||||
set firewall group address-group vector_journald_allowed address '10.1.3.56'
|
||||
set firewall group address-group vector_journald_allowed address '10.1.3.60'
|
||||
|
||||
set firewall group address-group vyos_coredns address '10.5.0.3'
|
||||
|
||||
set firewall group address-group vyos_unifi address '10.5.0.10'
|
||||
|
||||
set firewall group network-group k8s_services network '10.45.0.0/16'
|
||||
|
||||
# Port groups
|
||||
set firewall group port-group wireguard port '51820'
|
||||
set firewall group port-group sonos-discovery port '1900-1902'
|
||||
set firewall group port-group sonos-discovery port '57621'
|
||||
|
|
|
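Review bot: The new-side `set firewall global-options state-policy` lines keep the established/related accept entries but, if I am reading the sides correctly, do not carry over the `invalid action 'drop'` that the older `set firewall state-policy invalid action 'drop'` line provided. Invalid-state packets are then only dropped where a ruleset has an explicit `rule 999 state invalid 'enable'` entry; a ruleset such as `iot-wan`, which has `default-action 'accept'` and no such rule in the firewall-name section, would accept them. Adding `set firewall global-options state-policy invalid action 'drop'` next to the two accept lines restores the previous global behaviour. The inline `# master nodes` / `# worker nodes` comments on the range-form `k8s_nodes` lines are fine for vbash but would be clearer as their own comment lines above the group, matching the `# external nginx` / `# internal nginx` style used elsewhere in this file.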
@ -1,20 +1,20 @@
|
|||
#!/bin/vbash
|
||||
|
||||
set interfaces ethernet eth0 address 'dhcp'
|
||||
set interfaces ethernet eth0 description 'WAN'
|
||||
set interfaces ethernet eth0 hw-id 'a0:42:3f:2f:a9:69'
|
||||
set interfaces ethernet eth5 address 'dhcp'
|
||||
set interfaces ethernet eth5 description 'WAN'
|
||||
set interfaces ethernet eth5 hw-id '80:61:5f:04:88:5b'
|
||||
|
||||
set interfaces ethernet eth1 address '10.1.0.1/24'
|
||||
set interfaces ethernet eth1 description 'LAN'
|
||||
set interfaces ethernet eth1 hw-id 'a0:42:3f:2f:a9:68'
|
||||
set interfaces ethernet eth1 vif 10 address '10.1.1.1/24'
|
||||
set interfaces ethernet eth1 vif 10 description 'SERVERS'
|
||||
set interfaces ethernet eth1 vif 20 address '10.1.2.1/24'
|
||||
set interfaces ethernet eth1 vif 20 description 'TRUSTED'
|
||||
set interfaces ethernet eth1 vif 30 address '10.1.3.1/24'
|
||||
set interfaces ethernet eth1 vif 30 description 'IOT'
|
||||
set interfaces ethernet eth1 vif 40 address '10.1.4.1/24'
|
||||
set interfaces ethernet eth1 vif 40 description 'VIDEO'
|
||||
set interfaces ethernet eth4 address '10.1.0.1/24'
|
||||
set interfaces ethernet eth4 description 'LAN'
|
||||
set interfaces ethernet eth4 hw-id '80:61:5f:04:88:5a'
|
||||
set interfaces ethernet eth4 vif 10 address '10.1.1.1/24'
|
||||
set interfaces ethernet eth4 vif 10 description 'SERVERS'
|
||||
set interfaces ethernet eth4 vif 20 address '10.1.2.1/24'
|
||||
set interfaces ethernet eth4 vif 20 description 'TRUSTED'
|
||||
set interfaces ethernet eth4 vif 30 address '10.1.3.1/24'
|
||||
set interfaces ethernet eth4 vif 30 description 'IOT'
|
||||
set interfaces ethernet eth4 vif 40 address '10.1.4.1/24'
|
||||
set interfaces ethernet eth4 vif 40 description 'VIDEO'
|
||||
|
||||
set interfaces wireguard wg01 address '10.0.11.1/24'
|
||||
set interfaces wireguard wg01 description 'WIREGUARD'
|
||||
|
|
|
@ -3,79 +3,13 @@
|
|||
# Forward Plex to Sting
|
||||
set nat destination rule 110 description 'PLEX'
|
||||
set nat destination rule 110 destination port '32400'
|
||||
set nat destination rule 110 inbound-interface 'eth0'
|
||||
set nat destination rule 110 inbound-interface 'eth5'
|
||||
set nat destination rule 110 protocol 'tcp'
|
||||
set nat destination rule 110 translation address '10.1.1.12'
|
||||
set nat destination rule 110 translation port '32400'
|
||||
|
||||
# Force DNS
|
||||
set nat destination rule 102 description 'Force DNS for IoT'
|
||||
set nat destination rule 102 destination address '!10.1.3.1'
|
||||
set nat destination rule 102 destination port '53'
|
||||
set nat destination rule 102 inbound-interface 'eth1.30'
|
||||
set nat destination rule 102 protocol 'tcp_udp'
|
||||
set nat destination rule 102 translation address '10.1.3.1'
|
||||
set nat destination rule 102 translation port '53'
|
||||
|
||||
set nat destination rule 103 description 'Force DNS for Video'
|
||||
set nat destination rule 103 destination address '!10.1.4.1'
|
||||
set nat destination rule 103 destination port '53'
|
||||
set nat destination rule 103 inbound-interface 'eth1.40'
|
||||
set nat destination rule 103 protocol 'tcp_udp'
|
||||
set nat destination rule 103 translation address '10.1.4.1'
|
||||
set nat destination rule 103 translation port '53'
|
||||
|
||||
set nat destination rule 104 description 'Force NTP for LAN'
|
||||
set nat destination rule 104 destination address '!10.1.0.1'
|
||||
set nat destination rule 104 destination port '123'
|
||||
set nat destination rule 104 inbound-interface 'eth1'
|
||||
set nat destination rule 104 protocol 'udp'
|
||||
set nat destination rule 104 translation address '10.1.0.1'
|
||||
set nat destination rule 104 translation port '123'
|
||||
|
||||
# Force NTP
|
||||
set nat destination rule 105 description 'Force NTP for Servers'
|
||||
set nat destination rule 105 destination address '!10.1.1.1'
|
||||
set nat destination rule 105 destination port '123'
|
||||
set nat destination rule 105 inbound-interface 'eth1.10'
|
||||
set nat destination rule 105 protocol 'udp'
|
||||
set nat destination rule 105 translation address '10.1.1.1'
|
||||
set nat destination rule 105 translation port '123'
|
||||
set nat destination rule 106 description 'Force NTP for Trusted'
|
||||
|
||||
set nat destination rule 106 destination address '!10.1.2.1'
|
||||
set nat destination rule 106 destination port '123'
|
||||
set nat destination rule 106 inbound-interface 'eth1.20'
|
||||
set nat destination rule 106 protocol 'udp'
|
||||
set nat destination rule 106 translation address '10.1.2.1'
|
||||
set nat destination rule 106 translation port '123'
|
||||
|
||||
set nat destination rule 107 description 'Force NTP for IoT'
|
||||
set nat destination rule 107 destination address '!10.1.3.1'
|
||||
set nat destination rule 107 destination port '123'
|
||||
set nat destination rule 107 inbound-interface 'eth1.30'
|
||||
set nat destination rule 107 protocol 'udp'
|
||||
set nat destination rule 107 translation address '10.1.3.1'
|
||||
set nat destination rule 107 translation port '123'
|
||||
|
||||
set nat destination rule 108 description 'Force NTP for Video'
|
||||
set nat destination rule 108 destination address '!10.1.4.1'
|
||||
set nat destination rule 108 destination port '123'
|
||||
set nat destination rule 108 inbound-interface 'eth1.40'
|
||||
set nat destination rule 108 protocol 'udp'
|
||||
set nat destination rule 108 translation address '10.1.4.1'
|
||||
set nat destination rule 108 translation port '123'
|
||||
|
||||
set nat destination rule 109 description 'Force NTP for Wireguard Trusted'
|
||||
set nat destination rule 109 destination address '!10.0.11.1'
|
||||
set nat destination rule 109 destination port '123'
|
||||
set nat destination rule 109 inbound-interface 'wg01'
|
||||
set nat destination rule 109 protocol 'udp'
|
||||
set nat destination rule 109 translation address '10.0.11.1'
|
||||
set nat destination rule 109 translation port '123'
|
||||
|
||||
# LAN -> WAN masquerade
|
||||
set nat source rule 100 description 'LAN -> WAN'
|
||||
set nat source rule 100 destination address '0.0.0.0/0'
|
||||
set nat source rule 100 outbound-interface 'eth0'
|
||||
set nat source rule 100 outbound-interface name 'eth5'
|
||||
set nat source rule 100 translation address 'masquerade'
|
||||
|
|
|
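Review bot: The destination NAT rules 102–109 that redirected port 53 and port 123 from the IoT, Video, LAN, Servers, Trusted and Wireguard segments back to the router appear to be removed in this hunk (old side 79 lines, new side 13) with nothing replacing them. Since `iot-wan` is `default-action 'accept'` in the rulesets, IoT devices with hard-coded public resolvers can now bypass the local DNS entirely, which loses the visibility and filtering the redirect provided; if that is intended, a comment such as `# DNS/NTP redirect removed on purpose - IoT may use external resolvers` would document the decision, otherwise keep a redirect rule keyed on the renamed interface using the `inbound-interface name` form that the source rule 100 already uses. Rule 110 also shows both `inbound-interface 'eth0'` and `inbound-interface 'eth5'` in the rendered block, so please confirm only the eth5 line survives on the new side, consistent with the interfaces hunk.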
@ -1,7 +1,7 @@
|
|||
#!/bin/vbash
|
||||
|
||||
set system domain-name 'jahanson.tech'
|
||||
set system host-name 'gateway'
|
||||
set system host-name 'gandalf'
|
||||
|
||||
set system ipv6 disable-forwarding
|
||||
|
||||
|
@ -14,13 +14,6 @@ set system name-server '1.1.1.1'
|
|||
|
||||
set system sysctl parameter kernel.pty.max value '24000'
|
||||
|
||||
# Sent to vector syslog server
|
||||
set system syslog global facility all level info
|
||||
set system syslog host 10.45.0.2 facility kern level 'warning'
|
||||
set system syslog host 10.45.0.2 protocol 'tcp'
|
||||
set system syslog host 10.45.0.2 port '6001'
|
||||
set system syslog host 10.45.0.2 format 'octet-counted'
|
||||
|
||||
# Custom backup
|
||||
set system task-scheduler task backup-config crontab-spec '30 0 * * *'
|
||||
set system task-scheduler task backup-config executable path '/config/scripts/custom-config-backup.sh'
|
||||
|
|
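Review bot: The remote syslog entries for host 10.45.0.2 and the `backup-config` task-scheduler job look removed in the second hunk (old side 13 lines, new side 6) with no replacement, which I infer from the line counts rather than explicit markers. The `log 'enable'` and `enable-default-log` lines across the rulesets then only reach the router's local journal, so firewall drops are no longer visible on the central aggregator and the nightly config copy stops. If the aggregator at 10.45.0.2 is no longer reachable from the new host, point syslog at whatever replaces it rather than dropping central log shipping, or at minimum record the decision with a comment such as `# remote syslog and config backup intentionally disabled`.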