Created
July 6, 2016 11:56
/* Firewall rulesets and global hardening options. The four named rulesets are bound to eth1 in the interfaces section: WAN_IN/WANv6_IN on "in" (traffic forwarded through the router) and WAN_LOCAL/WANv6_LOCAL on "local" (traffic addressed to the router itself). */
firewall { | |
all-ping enable | |
broadcast-ping disable | |
/* IPv6 traffic forwarded from the WAN: default drop, and packets hitting the default are logged. */
ipv6-name WANv6_IN { | |
default-action drop | |
description wan_in | |
enable-default-log | |
rule 10 { | |
action accept | |
/* NOTE(review): "Enabled" is presumably a typo for "Established" - the rule matches established/related. */
description "Allow Enabled/Related state" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
log enable | |
state { | |
invalid enable | |
} | |
} | |
/* All ICMPv6 is accepted without further restriction; every match is logged. */
rule 50 { | |
action accept | |
description "Allow ICMPv6" | |
log enable | |
protocol icmpv6 | |
} | |
} | |
/* IPv6 traffic from the WAN to the router itself. */
ipv6-name WANv6_LOCAL { | |
default-action drop | |
description WANv6_LOCAL | |
enable-default-log | |
rule 10 { | |
action accept | |
/* NOTE(review): the description says "Drop Invalid state" but the rule accepts established/related (it mirrors WANv6_IN rule 10); the label looks copied from rule 20. */
description "Drop Invalid state" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
log enable | |
state { | |
invalid enable | |
} | |
} | |
rule 50 { | |
action accept | |
description "Allow ICMPv6" | |
log enable | |
protocol icmpv6 | |
} | |
/* DHCPv6 client: accept server replies (source port 547) to the client port 546 on the router, needed for the dhcpv6-pd request on eth1. */
rule 60 { | |
action accept | |
description DHCPv6 | |
destination { | |
port 546 | |
} | |
protocol udp | |
source { | |
port 547 | |
} | |
} | |
} | |
/* Global options: ignore redirects and source-routed packets, log martians. */
ipv6-receive-redirects disable | |
ipv6-src-route disable | |
ip-src-route disable | |
log-martians enable | |
/* IPv4 traffic forwarded from the WAN. NOTE(review): unlike the IPv6 rulesets there is no enable-default-log, and rule 20 has no "log enable", so neither default drops nor invalid-state drops are logged. */
name WAN_IN { | |
default-action drop | |
description "WAN to internal" | |
rule 10 { | |
action accept | |
description "Allow established/related" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
description "Drop invalid state" | |
state { | |
invalid enable | |
} | |
} | |
} | |
/* IPv4 traffic from the WAN to the router; same structure and the same missing logging as WAN_IN. */
name WAN_LOCAL { | |
default-action drop | |
description "WAN to router" | |
rule 10 { | |
action accept | |
description "Allow established/related" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action drop | |
description "Drop invalid state" | |
state { | |
invalid enable | |
} | |
} | |
} | |
receive-redirects disable | |
/* NOTE(review): the router will still emit ICMP redirects; usually harmless on a LAN, but commonly disabled together with receive-redirects. */
send-redirects enable | |
/* NOTE(review): reverse-path (source-address) validation is off; "strict" or "loose" would drop packets arriving on eth1 that carry spoofed internal source addresses. */
source-validation disable | |
syn-cookies enable | |
} | |
/* Interfaces. eth1 is the WAN (DHCP); eth0 and eth2 are internal /24s that each advertise a /64 carved from the prefix delegated on eth1. */
interfaces { | |
/* LAN. The address is static, so the dhcp-options stanza is inert here - presumably left over from an earlier DHCP setup. */
ethernet eth0 { | |
address 192.168.1.1/24 | |
description LAN | |
dhcp-options { | |
default-route update | |
default-route-distance 210 | |
name-server no-update | |
} | |
duplex auto | |
ipv6 { | |
dup-addr-detect-transmits 1 | |
/* Router advertisements; the ::/64 placeholder is filled from dhcpv6-pd pd 0 prefix-id :1 below. NOTE(review): managed-flag true invites hosts to use stateful DHCPv6, yet no DHCPv6 server is configured in this file; harmless with autonomous-flag true (SLAAC), but confirm it is intended. */
router-advert { | |
cur-hop-limit 64 | |
link-mtu 0 | |
managed-flag true | |
max-interval 600 | |
other-config-flag false | |
prefix ::/64 { | |
autonomous-flag true | |
on-link-flag true | |
valid-lifetime 2592000 | |
} | |
reachable-time 0 | |
retrans-timer 0 | |
send-advert true | |
} | |
} | |
speed auto | |
} | |
/* WAN uplink, addressed by DHCP; the upstream default route is preferred over others by distance 210. */
ethernet eth1 { | |
address dhcp | |
description Internet | |
dhcp-options { | |
default-route update | |
default-route-distance 210 | |
name-server no-update | |
} | |
/* Prefix delegation: request a /60 upstream and hand out /64s - prefix-id :1 to eth0 and :2 to eth2, the router taking ::1 on each. */
dhcpv6-pd { | |
pd 0 { | |
interface eth0 { | |
host-address ::1 | |
prefix-id :1 | |
service slaac | |
} | |
interface eth2 { | |
host-address ::1 | |
prefix-id :2 | |
service slaac | |
} | |
prefix-length 60 | |
} | |
rapid-commit enable | |
} | |
duplex auto | |
/* Binds the rulesets from the firewall section. There is no "out" ruleset, so traffic leaving towards the WAN is not filtered. */
firewall { | |
in { | |
ipv6-name WANv6_IN | |
name WAN_IN | |
} | |
local { | |
ipv6-name WANv6_LOCAL | |
name WAN_LOCAL | |
} | |
} | |
speed auto | |
} | |
/* Segment for a RIPE Atlas probe, same RA settings as eth0. NOTE(review): neither eth0 nor eth2 carries a firewall stanza, so traffic between the LAN and this segment is forwarded unfiltered and router services (GUI, DNS, DHCP) are reachable from it; a measurement probe segment is a natural candidate for isolation. */
ethernet eth2 { | |
address 192.168.2.1/24 | |
description RIPE_Atlas | |
duplex auto | |
ipv6 { | |
dup-addr-detect-transmits 1 | |
router-advert { | |
cur-hop-limit 64 | |
link-mtu 0 | |
managed-flag true | |
max-interval 600 | |
other-config-flag false | |
prefix ::/64 { | |
autonomous-flag true | |
on-link-flag true | |
valid-lifetime 2592000 | |
} | |
reachable-time 0 | |
retrans-timer 0 | |
send-advert true | |
} | |
} | |
speed auto | |
} | |
loopback lo { | |
} | |
} | |
/* Port forwarding scaffolding only - no forwarding rules are defined. With auto-firewall enabled, any rule added here would presumably also be opened in WAN_IN automatically, so review that ruleset whenever a forward is added. */
port-forward { | |
auto-firewall enable | |
hairpin-nat disable | |
lan-interface eth0 | |
lan-interface eth2 | |
wan-interface eth1 | |
} | |
/* Router-hosted services: DHCPv4, the local DNS forwarder, web GUI, outbound NAT and SSH. */
service { | |
/* One DHCPv4 pool per internal subnet (.21-.240); the router is gateway and DNS for both. */
dhcp-server { | |
disabled false | |
hostfile-update enable | |
shared-network-name LAN1 { | |
authoritative disable | |
subnet 192.168.1.0/24 { | |
default-router 192.168.1.1 | |
dns-server 192.168.1.1 | |
lease 86400 | |
start 192.168.1.21 { | |
stop 192.168.1.240 | |
} | |
} | |
} | |
shared-network-name LAN2 { | |
authoritative disable | |
subnet 192.168.2.0/24 { | |
default-router 192.168.2.1 | |
dns-server 192.168.2.1 | |
lease 86400 | |
start 192.168.2.21 { | |
stop 192.168.2.240 | |
} | |
} | |
} | |
} | |
/* Validating DNS forwarder for the internal segments only: it listens on eth0/eth2, not on the WAN, so it cannot be used as an open resolver from eth1. */
dns { | |
forwarding { | |
cache-size 1000 | |
listen-on eth0 | |
listen-on eth2 | |
name-server 75.75.75.75 | |
name-server 75.75.76.76 | |
name-server 2001:558:feed::1 | |
name-server 2001:558:feed::2 | |
options dnssec | |
/* Pinned root trust anchor: KSK-2010, key tag 19036. NOTE(review): the root KSK was rolled to key tag 20326 in October 2018; a forwarder that still trusts only 19036 fails validation for every signed zone until the anchor is updated. */
options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 | |
/* dnsmasq option: require proof that an unsigned answer is legitimately unsigned instead of passing it through. */
options dnssec-check-unsigned | |
} | |
} | |
/* Web GUI with legacy ciphers off. NOTE(review): no listen-address restriction here (ssh below is bound to the LAN address); WAN_LOCAL's default drop keeps it off eth1, but it remains reachable from the unfiltered eth2 segment. */
gui { | |
older-ciphers disable | |
} | |
/* Outbound source NAT on the WAN interface. */
nat { | |
rule 5010 { | |
outbound-interface eth1 | |
type masquerade | |
} | |
} | |
/* SSH bound to the eth0 address only, protocol 2. NOTE(review): 192.168.1.1 is still routable from eth2 hosts since nothing filters between the segments; bind-to-address limits which interface address answers, not who may reach it. */
ssh { | |
listen-address 192.168.1.1 | |
port 22 | |
protocol-version v2 | |
} | |
} | |
/* System-level settings: hostname, resolver, NTP, offload, package source, syslog, time zone, DPI. */
system { | |
domain-name local | |
host-name gw | |
/* NOTE(review): this "}" has no matching "{" - most likely the closing brace of a redacted login { ... } block (EdgeOS orders nodes alphabetically and login sits between host-name and name-server). As pasted, this section would not load; treat the gist as illustrative, not a loadable config.boot. */
} | |
/* The router itself resolves through its own dns forwarding service. */
name-server 127.0.0.1 | |
ntp { | |
server 0.ubnt.pool.ntp.org { | |
} | |
server 1.ubnt.pool.ntp.org { | |
} | |
server 2.ubnt.pool.ntp.org { | |
} | |
server 3.ubnt.pool.ntp.org { | |
} | |
} | |
/* Hardware offload for the forwarding paths. */
offload { | |
ipsec enable | |
ipv4 { | |
forwarding enable | |
pppoe enable | |
vlan enable | |
} | |
ipv6 { | |
forwarding enable | |
pppoe disable | |
vlan enable | |
} | |
} | |
/* Extra apt repository over plain http. NOTE(review): apt verifies Release signatures, so this is observable but not trivially tampered with; the larger concern is that wheezy is end-of-life and receives no security updates. */
package { | |
repository wheezy { | |
components "main contrib non-free" | |
distribution wheezy | |
url http://http.us.debian.org/debian | |
} | |
} | |
static-host-mapping { | |
host-name gw.mht.gonyea.com { | |
inet 192.168.1.1 | |
} | |
} | |
/* Syslog: everything at notice, routing protocols at debug (verbose; worth lowering outside troubleshooting). */
syslog { | |
global { | |
facility all { | |
level notice | |
} | |
facility protocols { | |
level debug | |
} | |
} | |
} | |
time-zone America/New_York | |
/* Deep packet inspection with flow export enabled. */
traffic-analysis { | |
dpi enable | |
export enable | |
} | |
} |