This repository has been archived on 2024-04-29. You can view files and clone it, but cannot push or open issues or pull requests.
vyos-config/config-parts/firewall-name.sh

746 lines
38 KiB
Bash

#!/bin/vbash
# From GUEST to IOT
set firewall name guest-iot default-action 'drop'
set firewall name guest-iot description 'From GUEST to IOT'
set firewall name guest-iot enable-default-log
set firewall name guest-iot rule 1 action 'accept'
set firewall name guest-iot rule 1 description 'Rule: accept_tcp_printer_from_allowed_devices'
set firewall name guest-iot rule 1 destination group address-group 'printers'
set firewall name guest-iot rule 1 destination port 'http,9100'
set firewall name guest-iot rule 1 protocol 'tcp'
set firewall name guest-iot rule 1 source group address-group 'printer_allowed'
set firewall name guest-iot rule 2 action 'accept'
set firewall name guest-iot rule 2 description 'Rule: accept_udp_printer_from_allowed_devices'
set firewall name guest-iot rule 2 destination group address-group 'printers'
set firewall name guest-iot rule 2 destination port '161'
set firewall name guest-iot rule 2 protocol 'udp'
set firewall name guest-iot rule 2 source group address-group 'printer_allowed'
# From GUEST to LAN
set firewall name guest-lan default-action 'drop'
set firewall name guest-lan description 'From GUEST to LAN'
set firewall name guest-lan enable-default-log
# From GUEST to LOCAL
set firewall name guest-local default-action 'drop'
set firewall name guest-local description 'From GUEST to LOCAL'
set firewall name guest-local enable-default-log
set firewall name guest-local rule 1 action 'accept'
set firewall name guest-local rule 1 description 'Rule: accept_dhcp'
set firewall name guest-local rule 1 destination port '67,68'
set firewall name guest-local rule 1 protocol 'udp'
set firewall name guest-local rule 1 source port '67,68'
# From GUEST to SERVERS
set firewall name guest-servers default-action 'drop'
set firewall name guest-servers description 'From GUEST to SERVERS'
set firewall name guest-servers enable-default-log
# From GUEST to CONTAINERS
set firewall name guest-containers default-action 'drop'
set firewall name guest-containers description 'From GUEST to CONTAINERS'
set firewall name guest-containers enable-default-log
set firewall name guest-containers rule 1 action 'accept'
set firewall name guest-containers rule 1 description 'Rule: accept_dns'
set firewall name guest-containers rule 1 destination port 'domain,domain-s'
set firewall name guest-containers rule 1 protocol 'tcp_udp'
# From GUEST to TRUSTED
set firewall name guest-trusted default-action 'drop'
set firewall name guest-trusted description 'From GUEST to TRUSTED'
set firewall name guest-trusted enable-default-log
# From GUEST to VIDEO
set firewall name guest-video default-action 'drop'
set firewall name guest-video description 'From GUEST to VIDEO'
set firewall name guest-video enable-default-log
# From GUEST to WAN
set firewall name guest-wan default-action 'accept'
set firewall name guest-wan description 'From GUEST to WAN'
# From IOT to GUEST
set firewall name iot-guest default-action 'drop'
set firewall name iot-guest description 'From IOT to GUEST'
set firewall name iot-guest enable-default-log
# From IOT to LAN
set firewall name iot-lan default-action 'drop'
set firewall name iot-lan description 'From IOT to LAN'
set firewall name iot-lan enable-default-log
# From IOT to LOCAL
set firewall name iot-local default-action 'drop'
set firewall name iot-local description 'From IOT to LOCAL'
set firewall name iot-local enable-default-log
set firewall name iot-local rule 1 action 'accept'
set firewall name iot-local rule 1 description 'Rule: accept_ssh'
set firewall name iot-local rule 1 destination port 'ssh'
set firewall name iot-local rule 1 protocol 'tcp'
set firewall name iot-local rule 2 action 'accept'
set firewall name iot-local rule 2 description 'Rule: accept_ntp'
set firewall name iot-local rule 2 destination port 'ntp'
set firewall name iot-local rule 2 protocol 'udp'
set firewall name iot-local rule 3 action 'accept'
set firewall name iot-local rule 3 description 'Rule: accept_dhcp'
set firewall name iot-local rule 3 destination port '67,68'
set firewall name iot-local rule 3 protocol 'udp'
set firewall name iot-local rule 3 source port '67,68'
set firewall name iot-local rule 4 action 'accept'
set firewall name iot-local rule 4 description 'Rule: accept_igmp'
set firewall name iot-local rule 4 protocol '2'
set firewall name iot-local rule 5 action 'accept'
set firewall name iot-local rule 5 description 'Rule: accept_mdns'
set firewall name iot-local rule 5 destination port 'mdns'
set firewall name iot-local rule 5 protocol 'udp'
set firewall name iot-local rule 5 source port 'mdns'
set firewall name iot-local rule 6 action 'accept'
set firewall name iot-local rule 6 description 'Rule: accept_discovery_from_sonos_players'
set firewall name iot-local rule 6 destination port '1900,1901,1902'
set firewall name iot-local rule 6 protocol 'udp'
set firewall name iot-local rule 6 source group address-group 'sonos_players'
set firewall name iot-local rule 7 action 'accept'
set firewall name iot-local rule 7 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name iot-local rule 7 destination port '1900,1901,1902,57621'
set firewall name iot-local rule 7 protocol 'udp'
set firewall name iot-local rule 7 source group address-group 'sonos_controllers'
set firewall name iot-local rule 8 action 'accept'
set firewall name iot-local rule 8 description 'Rule: accept_dns'
set firewall name iot-local rule 8 destination port 'domain,domain-s'
set firewall name iot-local rule 8 protocol 'tcp_udp'
# From IOT to SERVERS
set firewall name iot-servers default-action 'drop'
set firewall name iot-servers description 'From IOT to SERVERS'
set firewall name iot-servers enable-default-log
set firewall name iot-servers rule 1 action 'accept'
set firewall name iot-servers rule 1 description 'Rule: accept_nas_smb_from_scanners'
set firewall name iot-servers rule 1 destination group address-group 'nas'
set firewall name iot-servers rule 1 destination port 'microsoft-ds'
set firewall name iot-servers rule 1 protocol 'tcp'
set firewall name iot-servers rule 1 source group address-group 'scanners'
set firewall name iot-servers rule 2 action 'accept'
set firewall name iot-servers rule 2 description 'Rule: accept_plex_from_plex_clients'
set firewall name iot-servers rule 2 destination group address-group 'k8s_plex'
set firewall name iot-servers rule 2 destination port '32400'
set firewall name iot-servers rule 2 protocol 'tcp'
set firewall name iot-servers rule 2 source group address-group 'plex_clients'
set firewall name iot-servers rule 3 action 'accept'
set firewall name iot-servers rule 3 description 'Rule: accept_jellyfin_from_jellyfin_clients'
set firewall name iot-servers rule 3 destination group address-group 'k8s_jellyfin'
set firewall name iot-servers rule 3 destination port '8096'
set firewall name iot-servers rule 3 protocol 'tcp'
set firewall name iot-servers rule 3 source group address-group 'jellyfin_clients'
set firewall name iot-servers rule 4 action 'accept'
set firewall name iot-servers rule 4 description 'Rule: accept_mqtt_from_mqtt_clients'
set firewall name iot-servers rule 4 destination group address-group 'k8s_mqtt'
set firewall name iot-servers rule 4 destination port '1883'
set firewall name iot-servers rule 4 protocol 'tcp'
set firewall name iot-servers rule 4 source group address-group 'mqtt_clients'
set firewall name iot-servers rule 5 action 'accept'
set firewall name iot-servers rule 5 description 'Rule: accept_mqtt_from_esp'
set firewall name iot-servers rule 5 destination group address-group 'k8s_mqtt'
set firewall name iot-servers rule 5 destination port '1883'
set firewall name iot-servers rule 5 protocol 'tcp'
set firewall name iot-servers rule 5 source group address-group 'esp'
set firewall name iot-servers rule 6 action 'accept'
set firewall name iot-servers rule 6 description 'Rule: accept_k8s_ingress_from_sonos_players'
set firewall name iot-servers rule 6 destination group address-group 'k8s_ingress'
set firewall name iot-servers rule 6 destination port 'http,https'
set firewall name iot-servers rule 6 protocol 'tcp'
set firewall name iot-servers rule 6 source group address-group 'sonos_players'
set firewall name iot-servers rule 7 action 'accept'
set firewall name iot-servers rule 7 description 'Rule: accept_k8s_ingress_from_ereaders'
set firewall name iot-servers rule 7 destination group address-group 'k8s_ingress'
set firewall name iot-servers rule 7 destination port 'http,https'
set firewall name iot-servers rule 7 protocol 'tcp'
set firewall name iot-servers rule 7 source group address-group 'ereaders'
set firewall name iot-servers rule 8 action 'accept'
set firewall name iot-servers rule 8 description 'Rule: accept_k8s_ingress_from_wall_displays'
set firewall name iot-servers rule 8 destination group address-group 'k8s_ingress'
set firewall name iot-servers rule 8 destination port 'http,https'
set firewall name iot-servers rule 8 protocol 'tcp'
set firewall name iot-servers rule 8 source group address-group 'wall_displays'
set firewall name iot-servers rule 9 action 'accept'
set firewall name iot-servers rule 9 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall name iot-servers rule 9 destination group address-group 'k8s_ingress'
set firewall name iot-servers rule 9 destination port 'http,https'
set firewall name iot-servers rule 9 protocol 'tcp'
set firewall name iot-servers rule 9 source group address-group 'k8s_ingress_allowed'
set firewall name iot-servers rule 10 action 'accept'
set firewall name iot-servers rule 10 description 'Rule: accept_vector_journald_from_allowed_devices'
set firewall name iot-servers rule 10 destination group address-group 'k8s_vector_aggregator'
set firewall name iot-servers rule 10 destination port '6002'
set firewall name iot-servers rule 10 protocol 'tcp'
set firewall name iot-servers rule 10 source group address-group 'vector_journald_allowed'
# From IOT to CONTAINERS
set firewall name iot-containers default-action 'accept'
set firewall name iot-containers description 'From IOT to CONTAINERS'
set firewall name iot-containers rule 1 action 'accept'
set firewall name iot-containers rule 1 description 'Rule: accept_dns'
set firewall name iot-containers rule 1 destination port 'domain,domain-s'
set firewall name iot-containers rule 1 protocol 'tcp_udp'
# From IOT to TRUSTED
set firewall name iot-trusted default-action 'drop'
set firewall name iot-trusted description 'From IOT to TRUSTED'
set firewall name iot-trusted enable-default-log
set firewall name iot-trusted rule 1 action 'accept'
set firewall name iot-trusted rule 1 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
set firewall name iot-trusted rule 1 destination group address-group 'sonos_controllers'
set firewall name iot-trusted rule 1 destination port '30000-65535'
set firewall name iot-trusted rule 1 protocol 'udp'
set firewall name iot-trusted rule 1 source group address-group 'sonos_players'
set firewall name iot-trusted rule 2 action 'accept'
set firewall name iot-trusted rule 2 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
set firewall name iot-trusted rule 2 destination group address-group 'sonos_controllers'
set firewall name iot-trusted rule 2 destination port '1400,3400,3401,3500,30000-65535'
set firewall name iot-trusted rule 2 protocol 'tcp'
set firewall name iot-trusted rule 2 source group address-group 'sonos_players'
# From IOT to VIDEO
set firewall name iot-video default-action 'drop'
set firewall name iot-video description 'From IOT to VIDEO'
set firewall name iot-video enable-default-log
# From IOT to WAN
set firewall name iot-wan default-action 'accept'
set firewall name iot-wan description 'From IOT to WAN'
# From LAN to GUEST
set firewall name lan-guest default-action 'drop'
set firewall name lan-guest description 'From LAN to GUEST'
set firewall name lan-guest enable-default-log
# From LAN to GUEST
set firewall name lan-iot default-action 'drop'
set firewall name lan-iot description 'From LAN to IOT'
set firewall name lan-iot enable-default-log
# From LAN to LOCAL
set firewall name lan-local default-action 'drop'
set firewall name lan-local description 'From LAN to LOCAL'
set firewall name lan-local enable-default-log
set firewall name lan-local rule 1 action 'accept'
set firewall name lan-local rule 1 description 'Rule: accept_ssh'
set firewall name lan-local rule 1 destination port 'ssh'
set firewall name lan-local rule 1 protocol 'tcp'
set firewall name lan-local rule 2 action 'accept'
set firewall name lan-local rule 2 description 'Rule: accept_ntp'
set firewall name lan-local rule 2 destination port 'ntp'
set firewall name lan-local rule 2 protocol 'udp'
set firewall name lan-local rule 3 action 'accept'
set firewall name lan-local rule 3 description 'Rule: accept_dhcp'
set firewall name lan-local rule 3 destination port '67,68'
set firewall name lan-local rule 3 protocol 'udp'
set firewall name lan-local rule 3 source port '67,68'
set firewall name lan-local rule 4 action 'accept'
set firewall name lan-local rule 4 description 'Rule: accept_node_speed_exporter'
set firewall name lan-local rule 4 destination port '9798,9100'
set firewall name lan-local rule 4 protocol 'tcp'
# From LAN to SERVERS
set firewall name lan-servers default-action 'drop'
set firewall name lan-servers description 'From LAN to SERVERS'
set firewall name lan-servers enable-default-log
set firewall name lan-servers rule 1 action 'accept'
set firewall name lan-servers rule 1 description 'Rule: accept_icmp'
set firewall name lan-servers rule 1 protocol 'icmp'
# From LAN to CONTAINERS
set firewall name lan-containers default-action 'accept'
set firewall name lan-containers description 'From LAN to CONTAINERS'
set firewall name lan-containers rule 1 action 'accept'
set firewall name lan-containers rule 1 description 'Rule: accept_dns'
set firewall name lan-containers rule 1 destination port 'domain,domain-s'
set firewall name lan-containers rule 1 protocol 'tcp_udp'
# From LAN to TRUSTED
set firewall name lan-trusted default-action 'drop'
set firewall name lan-trusted description 'From LAN to TRUSTED'
set firewall name lan-trusted enable-default-log
# From LAN to VIDEO
set firewall name lan-video default-action 'drop'
set firewall name lan-video description 'From LAN to VIDEO'
set firewall name lan-video enable-default-log
# From LAN to WAN
set firewall name lan-wan default-action 'accept'
set firewall name lan-wan description 'From LAN to WAN'
# From LOCAL to GUEST
set firewall name local-guest default-action 'drop'
set firewall name local-guest description 'From LOCAL to GUEST'
set firewall name local-guest enable-default-log
# From LOCAL to IOT
set firewall name local-iot default-action 'drop'
set firewall name local-iot description 'From LOCAL to IOT'
set firewall name local-iot enable-default-log
set firewall name local-iot rule 1 action 'accept'
set firewall name local-iot rule 1 description 'Rule: accept_igmp'
set firewall name local-iot rule 1 protocol '2'
set firewall name local-iot rule 2 action 'accept'
set firewall name local-iot rule 2 description 'Rule: accept_mdns'
set firewall name local-iot rule 2 destination port 'mdns'
set firewall name local-iot rule 2 protocol 'udp'
set firewall name local-iot rule 2 source port 'mdns'
set firewall name local-iot rule 3 action 'accept'
set firewall name local-iot rule 3 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name local-iot rule 3 destination port '1900,1901,1902,57621'
set firewall name local-iot rule 3 protocol 'udp'
set firewall name local-iot rule 3 source group address-group 'sonos_controllers'
# From LOCAL to LAN
set firewall name local-lan default-action 'drop'
set firewall name local-lan description 'From LOCAL to LAN'
set firewall name local-lan enable-default-log
# From LOCAL to SERVERS
set firewall name local-servers default-action 'drop'
set firewall name local-servers description 'From LOCAL to SERVERS'
set firewall name local-servers enable-default-log
set firewall name local-servers rule 1 action 'accept'
set firewall name local-servers rule 1 description 'Rule: accept_bgp'
set firewall name local-servers rule 1 destination port 'bgp'
set firewall name local-servers rule 1 protocol 'tcp'
set firewall name local-servers rule 2 action 'accept'
set firewall name local-servers rule 2 description 'Rule: accept_k8s_api'
set firewall name local-servers rule 2 destination port '6443'
set firewall name local-servers rule 2 protocol 'tcp'
set firewall name local-servers rule 3 action 'accept'
set firewall name local-servers rule 3 description 'Rule: accept_dns'
set firewall name local-servers rule 3 destination port 'domain,domain-s'
set firewall name local-servers rule 3 protocol 'tcp_udp'
set firewall name local-servers rule 4 action 'accept'
set firewall name local-servers rule 4 description 'Rule: accept_vector_syslog'
set firewall name local-servers rule 4 destination group address-group 'k8s_vector_aggregator'
set firewall name local-servers rule 4 destination port '6001'
set firewall name local-servers rule 4 protocol 'tcp'
# From LOCAL to CONTAINERS
set firewall name local-containers default-action 'accept'
set firewall name local-containers description 'From LOCAL to CONTAINERS'
set firewall name local-containers rule 1 action 'accept'
set firewall name local-containers rule 1 description 'Rule: accept_dns'
set firewall name local-containers rule 1 destination port 'domain,domain-s'
set firewall name local-containers rule 1 protocol 'tcp_udp'
# From LOCAL to TRUSTED
set firewall name local-trusted default-action 'drop'
set firewall name local-trusted description 'From LOCAL to TRUSTED'
set firewall name local-trusted enable-default-log
set firewall name local-trusted rule 1 action 'accept'
set firewall name local-trusted rule 1 description 'Rule: accept_igmp'
set firewall name local-trusted rule 1 protocol '2'
set firewall name local-trusted rule 2 action 'accept'
set firewall name local-trusted rule 2 description 'Rule: accept_mdns'
set firewall name local-trusted rule 2 destination port 'mdns'
set firewall name local-trusted rule 2 protocol 'udp'
set firewall name local-trusted rule 2 source port 'mdns'
set firewall name local-trusted rule 3 action 'accept'
set firewall name local-trusted rule 3 description 'Rule: accept_discovery_from_sonos_players'
set firewall name local-trusted rule 3 destination port '1900,1901,1902'
set firewall name local-trusted rule 3 protocol 'udp'
set firewall name local-trusted rule 3 source group address-group 'sonos_players'
# From LOCAL to VIDEO
set firewall name local-video default-action 'drop'
set firewall name local-video description 'From LOCAL to VIDEO'
set firewall name local-video enable-default-log
# From LOCAL to WAN
set firewall name local-wan default-action 'accept'
set firewall name local-wan description 'From LOCAL to WAN'
# From SERVERS to GUEST
set firewall name servers-guest default-action 'drop'
set firewall name servers-guest description 'From SERVERS to GUEST'
set firewall name servers-guest enable-default-log
# From SERVERS to IOT
set firewall name servers-iot default-action 'drop'
set firewall name servers-iot description 'From SERVERS to IOT'
set firewall name servers-iot enable-default-log
set firewall name servers-iot rule 1 action 'accept'
set firewall name servers-iot rule 1 description 'Rule: accept_icmp'
set firewall name servers-iot rule 1 protocol 'icmp'
set firewall name servers-iot rule 2 action 'accept'
set firewall name servers-iot rule 2 description 'Rule: accept_p1reader_from_k8s_nodes'
set firewall name servers-iot rule 2 destination port '8088'
set firewall name servers-iot rule 2 protocol 'tcp'
set firewall name servers-iot rule 2 source group address-group 'k8s_nodes'
set firewall name servers-iot rule 3 action 'accept'
set firewall name servers-iot rule 3 description 'Rule: accept_adb_from_k8s_nodes'
set firewall name servers-iot rule 3 destination group address-group 'android_tv_players'
set firewall name servers-iot rule 3 destination port '5555'
set firewall name servers-iot rule 3 protocol 'tcp'
set firewall name servers-iot rule 3 source group address-group 'k8s_nodes'
set firewall name servers-iot rule 4 action 'accept'
set firewall name servers-iot rule 4 description 'Rule: accept_3d_printer_control_from_k8s_nodes'
set firewall name servers-iot rule 4 destination group address-group '3d_printer_controllers'
set firewall name servers-iot rule 4 destination port '7125'
set firewall name servers-iot rule 4 protocol 'tcp'
set firewall name servers-iot rule 4 source group address-group 'k8s_nodes'
set firewall name servers-iot rule 5 action 'accept'
set firewall name servers-iot rule 5 description 'Rule: accept_k8s_nodes'
set firewall name servers-iot rule 5 protocol 'tcp'
set firewall name servers-iot rule 5 source group address-group 'k8s_nodes'
# From SERVERS to LAN
set firewall name servers-lan default-action 'drop'
set firewall name servers-lan description 'From SERVERS to LAN'
set firewall name servers-lan enable-default-log
set firewall name servers-lan rule 1 action 'accept'
set firewall name servers-lan rule 1 description 'Rule: accept_icmp'
set firewall name servers-lan rule 1 protocol 'icmp'
# From SERVERS to LOCAL
set firewall name servers-local default-action 'drop'
set firewall name servers-local description 'From SERVERS to LOCAL'
set firewall name servers-local enable-default-log
set firewall name servers-local rule 1 action 'accept'
set firewall name servers-local rule 1 description 'Rule: accept_icmp'
set firewall name servers-local rule 1 protocol 'icmp'
set firewall name servers-local rule 2 action 'accept'
set firewall name servers-local rule 2 description 'Rule: accept_ntp'
set firewall name servers-local rule 2 destination port 'ntp'
set firewall name servers-local rule 2 protocol 'udp'
set firewall name servers-local rule 3 action 'accept'
set firewall name servers-local rule 3 description 'Rule: accept_dhcp'
set firewall name servers-local rule 3 destination port '67,68'
set firewall name servers-local rule 3 protocol 'udp'
set firewall name servers-local rule 3 source port '67,68'
set firewall name servers-local rule 4 action 'accept'
set firewall name servers-local rule 4 description 'Rule: accept_bgp'
set firewall name servers-local rule 4 destination port 'bgp'
set firewall name servers-local rule 4 protocol 'tcp'
set firewall name servers-local rule 5 action 'accept'
set firewall name servers-local rule 5 description 'Rule: accept_tftp'
set firewall name servers-local rule 5 destination port '69'
set firewall name servers-local rule 5 protocol 'udp'
set firewall name servers-local rule 6 action 'accept'
set firewall name servers-local rule 6 description 'Rule: accept_node_exporter_from_k8s_nodes'
set firewall name servers-local rule 6 destination port '9100'
set firewall name servers-local rule 6 protocol 'tcp'
set firewall name servers-local rule 6 source group address-group 'k8s_nodes'
set firewall name servers-local rule 7 action 'accept'
set firewall name servers-local rule 7 description 'Rule: accept_speedtest_exporter_from_k8s_nodes'
set firewall name servers-local rule 7 destination port '9798'
set firewall name servers-local rule 7 protocol 'tcp'
set firewall name servers-local rule 7 source group address-group 'k8s_nodes'
# TODO: Needed because of MetalLB?
set firewall name servers-local rule 8 action 'accept'
set firewall name servers-local rule 8 description 'Rule: accept_bgp_2'
set firewall name servers-local rule 8 destination port '3784'
set firewall name servers-local rule 8 protocol 'udp'
set firewall name servers-local rule 8 source group address-group 'k8s_nodes'
set firewall name servers-local rule 9 action 'accept'
set firewall name servers-local rule 9 description 'Rule: accept_dns'
set firewall name servers-local rule 9 destination port 'domain,domain-s'
set firewall name servers-local rule 9 protocol 'tcp_udp'
# From SERVERS to CONTAINERS
set firewall name servers-containers default-action 'accept'
set firewall name servers-containers description 'From SERVERS to CONTAINERS'
set firewall name servers-containers enable-default-log
set firewall name servers-containers rule 1 action 'accept'
set firewall name servers-containers rule 1 description 'Rule: accept_dns'
set firewall name servers-containers rule 1 destination port 'domain,domain-s'
set firewall name servers-containers rule 1 protocol 'tcp_udp'
set firewall name servers-containers rule 2 action 'accept'
set firewall name servers-containers rule 2 description 'Rule: accept_k8s_api'
set firewall name servers-containers rule 2 destination port '6443'
set firewall name servers-containers rule 2 protocol 'tcp'
# From SERVERS to TRUSTED
set firewall name servers-trusted default-action 'drop'
set firewall name servers-trusted description 'From SERVERS to TRUSTED'
set firewall name servers-trusted enable-default-log
set firewall name servers-trusted rule 1 action 'accept'
set firewall name servers-trusted rule 1 description 'Rule: accept_icmp'
set firewall name servers-trusted rule 1 protocol 'icmp'
# From SERVERS to VIDEO
set firewall name servers-video default-action 'drop'
set firewall name servers-video description 'From SERVERS to VIDEO'
set firewall name servers-video enable-default-log
set firewall name servers-video rule 1 action 'accept'
set firewall name servers-video rule 1 description 'Rule: accept_icmp'
set firewall name servers-video rule 1 protocol 'icmp'
set firewall name servers-video rule 2 action 'accept'
set firewall name servers-video rule 2 description 'Rule: accept_k8s_nodes'
set firewall name servers-video rule 2 protocol 'tcp_udp'
set firewall name servers-video rule 2 source group address-group 'k8s_nodes'
# From SERVERS to WAN
set firewall name servers-wan default-action 'accept'
set firewall name servers-wan description 'From SERVERS to WAN'
# From CONTAINERS to GUEST
set firewall name containers-guest default-action 'drop'
set firewall name containers-guest description 'From CONTAINERS to GUEST'
set firewall name containers-guest enable-default-log
# From CONTAINERS to IOT
set firewall name containers-iot default-action 'drop'
set firewall name containers-iot description 'From CONTAINERS to IOT'
set firewall name containers-iot enable-default-log
# From CONTAINERS to LAN
set firewall name containers-lan default-action 'drop'
set firewall name containers-lan description 'From CONTAINERS to LAN'
set firewall name containers-lan enable-default-log
# From CONTAINERS to LOCAL
set firewall name containers-local default-action 'drop'
set firewall name containers-local description 'From CONTAINERS to LOCAL'
set firewall name containers-local enable-default-log
set firewall name containers-local rule 1 action 'accept'
set firewall name containers-local rule 1 description 'Rule: accept_ntp'
set firewall name containers-local rule 1 destination port 'ntp'
set firewall name containers-local rule 1 protocol 'udp'
set firewall name containers-local rule 2 action 'accept'
set firewall name containers-local rule 2 description 'Rule: accept_dhcp'
set firewall name containers-local rule 2 destination port '67,68'
set firewall name containers-local rule 2 protocol 'udp'
set firewall name containers-local rule 2 source port '67,68'
# From CONTAINERS to SERVERS
set firewall name containers-servers default-action 'accept'
set firewall name containers-servers description 'From CONTAINERS to SERVERS'
set firewall name containers-servers rule 1 action 'accept'
set firewall name containers-servers rule 1 description 'Rule: accept_icmp'
set firewall name containers-servers rule 1 protocol 'icmp'
# From CONTAINERS to TRUSTED
set firewall name containers-trusted default-action 'drop'
set firewall name containers-trusted description 'From CONTAINERS to TRUSTED'
set firewall name containers-trusted enable-default-log
# From CONTAINERS to VIDEO
set firewall name containers-video default-action 'drop'
set firewall name containers-video description 'From CONTAINERS to VIDEO'
set firewall name containers-video enable-default-log
# From CONTAINERS to WAN
set firewall name containers-wan default-action 'accept'
set firewall name containers-wan description 'From CONTAINERS to WAN'
# From TRUSTED to GUEST
set firewall name trusted-guest default-action 'drop'
set firewall name trusted-guest description 'From TRUSTED to GUEST'
set firewall name trusted-guest enable-default-log
# From TRUSTED to IOT
set firewall name trusted-iot default-action 'accept'
set firewall name trusted-iot description 'From TRUSTED to IOT'
set firewall name trusted-iot rule 1 action 'accept'
set firewall name trusted-iot rule 1 description 'Rule: accept_icmp'
set firewall name trusted-iot rule 1 protocol 'icmp'
set firewall name trusted-iot rule 2 action 'accept'
set firewall name trusted-iot rule 2 description 'Rule: accept_app_control_from_sonos_controllers_tcp'
set firewall name trusted-iot rule 2 destination port '80,443,445,1400,3400,3401,3500,4070,4444'
set firewall name trusted-iot rule 2 protocol 'tcp'
set firewall name trusted-iot rule 2 source group address-group 'sonos_controllers'
set firewall name trusted-iot rule 3 action 'accept'
set firewall name trusted-iot rule 3 description 'Rule: accept_app_control_from_sonos_controllers_udp'
set firewall name trusted-iot rule 3 destination port '136-139,1900-1901,2869,10243,10280-10284,5353,6969'
set firewall name trusted-iot rule 3 protocol 'udp'
set firewall name trusted-iot rule 3 source group address-group 'sonos_controllers'
# From TRUSTED to LAN
set firewall name trusted-lan default-action 'accept'
set firewall name trusted-lan description 'From TRUSTED to LAN'
# From TRUSTED to LOCAL
set firewall name trusted-local default-action 'drop'
set firewall name trusted-local description 'From TRUSTED to LOCAL'
set firewall name trusted-local enable-default-log
set firewall name trusted-local rule 1 action 'accept'
set firewall name trusted-local rule 1 description 'Rule: accept_icmp'
set firewall name trusted-local rule 1 protocol 'icmp'
set firewall name trusted-local rule 2 action 'accept'
set firewall name trusted-local rule 2 description 'Rule: accept_ssh'
set firewall name trusted-local rule 2 destination port 'ssh'
set firewall name trusted-local rule 2 protocol 'tcp'
set firewall name trusted-local rule 3 action 'accept'
set firewall name trusted-local rule 3 description 'Rule: accept_ntp'
set firewall name trusted-local rule 3 destination port 'ntp'
set firewall name trusted-local rule 3 protocol 'udp'
set firewall name trusted-local rule 4 action 'accept'
set firewall name trusted-local rule 4 description 'Rule: accept_dhcp'
set firewall name trusted-local rule 4 destination port '67,68'
set firewall name trusted-local rule 4 protocol 'udp'
set firewall name trusted-local rule 4 source port '67,68'
set firewall name trusted-local rule 5 action 'accept'
set firewall name trusted-local rule 5 description 'Rule: accept_igmp'
set firewall name trusted-local rule 5 protocol '2'
set firewall name trusted-local rule 6 action 'accept'
set firewall name trusted-local rule 6 description 'Rule: accept_mdns'
set firewall name trusted-local rule 6 destination port 'mdns'
set firewall name trusted-local rule 6 protocol 'udp'
set firewall name trusted-local rule 6 source port 'mdns'
set firewall name trusted-local rule 7 action 'accept'
set firewall name trusted-local rule 7 description 'Rule: accept_wireguard'
set firewall name trusted-local rule 7 destination port '51820'
set firewall name trusted-local rule 7 protocol 'udp'
set firewall name trusted-local rule 8 action 'accept'
set firewall name trusted-local rule 8 description 'Rule: accept_vyos_api'
set firewall name trusted-local rule 8 destination port '8443'
set firewall name trusted-local rule 8 protocol 'tcp'
set firewall name trusted-local rule 9 action 'accept'
set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_players'
set firewall name trusted-local rule 9 destination port '1900,1901,1902'
set firewall name trusted-local rule 9 protocol 'udp'
set firewall name trusted-local rule 9 source group address-group 'sonos_players'
set firewall name trusted-local rule 10 action 'accept'
set firewall name trusted-local rule 10 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name trusted-local rule 10 destination port '1900,1901,1902,57621'
set firewall name trusted-local rule 10 protocol 'udp'
set firewall name trusted-local rule 10 source group address-group 'sonos_controllers'
set firewall name trusted-local rule 11 action 'accept'
set firewall name trusted-local rule 11 description 'Rule: accept_dns'
set firewall name trusted-local rule 11 destination port 'domain,domain-s'
set firewall name trusted-local rule 11 protocol 'tcp_udp'
# From TRUSTED to SERVERS
set firewall name trusted-servers default-action 'accept'
set firewall name trusted-servers description 'From TRUSTED to SERVERS'
set firewall name trusted-servers rule 1 action 'accept'
set firewall name trusted-servers rule 1 description 'Rule: accept_icmp'
set firewall name trusted-servers rule 1 protocol 'icmp'
# From TRUSTED to CONTAINERS
set firewall name trusted-containers default-action 'accept'
set firewall name trusted-containers description 'From TRUSTED to CONTAINERS'
set firewall name trusted-containers rule 1 action 'accept'
set firewall name trusted-containers rule 1 description 'Rule: accept_dns'
set firewall name trusted-containers rule 1 destination port 'domain,domain-s'
set firewall name trusted-containers rule 1 protocol 'tcp_udp'
# From TRUSTED to VIDEO
set firewall name trusted-video default-action 'accept'
set firewall name trusted-video description 'From TRUSTED to VIDEO'
set firewall name trusted-video rule 1 action 'accept'
set firewall name trusted-video rule 1 description 'Rule: accept_icmp'
set firewall name trusted-video rule 1 protocol 'icmp'
# From TRUSTED to WAN
set firewall name trusted-wan default-action 'accept'
set firewall name trusted-wan description 'From TRUSTED to WAN'
# From VIDEO to GUEST
set firewall name video-guest default-action 'drop'
set firewall name video-guest description 'From VIDEO to GUEST'
set firewall name video-guest enable-default-log
# From VIDEO to IOT
set firewall name video-iot default-action 'drop'
set firewall name video-iot description 'From VIDEO to IOT'
set firewall name video-iot enable-default-log
# From VIDEO to LAN
set firewall name video-lan default-action 'drop'
set firewall name video-lan description 'From VIDEO to LAN'
set firewall name video-lan enable-default-log
# From VIDEO to LOCAL
set firewall name video-local default-action 'drop'
set firewall name video-local description 'From VIDEO to LOCAL'
set firewall name video-local enable-default-log
set firewall name video-local rule 1 action 'accept'
set firewall name video-local rule 1 description 'Rule: accept_ntp'
set firewall name video-local rule 1 destination port 'ntp'
set firewall name video-local rule 1 protocol 'udp'
set firewall name video-local rule 2 action 'accept'
set firewall name video-local rule 2 description 'Rule: accept_dhcp'
set firewall name video-local rule 2 destination port '67,68'
set firewall name video-local rule 2 protocol 'udp'
set firewall name video-local rule 2 source port '67,68'
# From VIDEO to SERVERS
set firewall name video-servers default-action 'drop'
set firewall name video-servers description 'From VIDEO to SERVERS'
set firewall name video-servers enable-default-log
set firewall name video-servers rule 1 action 'accept'
set firewall name video-servers rule 1 description 'Rule: accept_hass_ingress_from_allowed_devices'
set firewall name video-servers rule 1 destination group address-group 'k8s_hass'
set firewall name video-servers rule 1 destination port '8123'
set firewall name video-servers rule 1 protocol 'tcp'
set firewall name video-servers rule 1 source group address-group 'hass_clients'
set firewall name video-servers rule 2 action 'accept'
set firewall name video-servers rule 2 description 'Rule: accept_k8s_nodes'
set firewall name video-servers rule 2 protocol 'udp'
set firewall name video-servers rule 2 destination group address-group 'k8s_nodes'
set firewall name video-servers rule 2 source port '6987-6989'
# From VIDEO to CONTAINERS
set firewall name video-containers default-action 'accept'
set firewall name video-containers description 'From VIDEO to CONTAINERS'
set firewall name video-containers rule 1 action 'accept'
set firewall name video-containers rule 1 description 'Rule: accept_dns'
set firewall name video-containers rule 1 destination port 'domain,domain-s'
set firewall name video-containers rule 1 protocol 'tcp_udp'
# From VIDEO to TRUSTED
set firewall name video-trusted default-action 'drop'
set firewall name video-trusted description 'From VIDEO to TRUSTED'
set firewall name video-trusted enable-default-log
# From VIDEO to WAN
set firewall name video-wan default-action 'drop'
set firewall name video-wan description 'From VIDEO to WAN'
# From WAN to GUEST
set firewall name wan-guest default-action 'drop'
set firewall name wan-guest description 'From WAN to GUEST'
set firewall name wan-guest enable-default-log
# From WAN to IOT
set firewall name wan-iot default-action 'drop'
set firewall name wan-iot description 'From WAN to IOT'
set firewall name wan-iot enable-default-log
# From WAN to LAN
set firewall name wan-lan default-action 'drop'
set firewall name wan-lan description 'From WAN to LAN'
set firewall name wan-lan enable-default-log
# From WAN to LOCAL
set firewall name wan-local default-action 'drop'
set firewall name wan-local description 'From WAN to LOCAL'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 1 action 'accept'
set firewall name wan-local rule 1 description 'Rule: accept_wireguard'
set firewall name wan-local rule 1 destination port '51820'
set firewall name wan-local rule 1 protocol 'udp'
# From WAN to SERVERS
set firewall name wan-servers default-action 'drop'
set firewall name wan-servers description 'From WAN to SERVERS'
set firewall name wan-servers enable-default-log
## Plex
set firewall name wan-servers rule 10 action 'accept'
set firewall name wan-servers rule 10 destination port 32400
set firewall name wan-servers rule 10 protocol 'tcp'
set firewall name wan-servers rule 10 destination address 10.1.1.12
# From WAN to SERVICES
set firewall name wan-containers default-action 'drop'
set firewall name wan-containers description 'From WAN to CONTAINERS'
set firewall name wan-containers enable-default-log
# From WAN to TRUSTED
set firewall name wan-trusted default-action 'drop'
set firewall name wan-trusted description 'From WAN to TRUSTED'
set firewall name wan-trusted enable-default-log
# From WAN to VIDEO
set firewall name wan-video default-action 'drop'
set firewall name wan-video description 'From WAN to VIDEO'
set firewall name wan-video enable-default-log