/ZonesExampleConfigBoot
Created Nov 14, 2015
What previously has been http://wiki.ubnt.com/ZonesExampleConfigBoot
| firewall { | |
| ipv6-name dmz-lan-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name dmz-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 400 { | |
| action accept | |
| destination { | |
| port 123 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name dmz-wan-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 300 { | |
| action accept | |
| destination { | |
| port 20,21 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 500 { | |
| action accept | |
| destination { | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| source { | |
| address 2001:db8:0:BBBB::200 | |
| } | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| source { | |
| address 2001:db8:0:BBBB::200 | |
| } | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name lan-dmz-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 900 { | |
| action accept | |
| destination { | |
| address 2001:db8:0:BBBB::200 | |
| port 993 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name lan-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 400 { | |
| action accept | |
| destination { | |
| port 123 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| source { | |
| address 2001:db8:0:AAAA::10 | |
| } | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name lan-wan-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 300 { | |
| action accept | |
| destination { | |
| port 20,21 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 400 { | |
| action accept | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name local-dmz-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 500 { | |
| action accept | |
| destination { | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name local-lan-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name local-wan-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 300 { | |
| action accept | |
| destination { | |
| port 20,21 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name wan-dmz-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 500 { | |
| action accept | |
| destination { | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name wan-lan-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| ipv6-name wan-local-6 { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol ipv6-icmp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name dmz-lan { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name dmz-local { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 400 { | |
| action accept | |
| destination { | |
| port 123 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name dmz-wan { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 300 { | |
| action accept | |
| destination { | |
| port 20,21 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 500 { | |
| action accept | |
| destination { | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| source { | |
| address 192.168.200.200 | |
| } | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| source { | |
| address 192.168.200.200 | |
| } | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name lan-dmz { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 900 { | |
| action accept | |
| destination { | |
| address 192.168.200.200 | |
| port 993 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name lan-local { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 400 { | |
| action accept | |
| destination { | |
| port 123 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| source { | |
| address 192.168.100.10 | |
| } | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name lan-wan { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 300 { | |
| action accept | |
| destination { | |
| port 20,21 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 400 { | |
| action accept | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name local-dmz { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 500 { | |
| action accept | |
| destination { | |
| address 192.168.200.200 | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| address 192.168.200.200 | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name local-lan { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 700 { | |
| action accept | |
| destination { | |
| port 67,68 | |
| } | |
| log enable | |
| protocol udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name local-wan { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 200 { | |
| action accept | |
| destination { | |
| port 80,443 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 300 { | |
| action accept | |
| destination { | |
| port 20,21 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 400 { | |
| action accept | |
| destination { | |
| port 123 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 500 { | |
| action accept | |
| destination { | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 800 { | |
| action accept | |
| destination { | |
| port 22 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name wan-dmz { | |
| default-action drop | |
| enable-default-log | |
| rule 500 { | |
| action accept | |
| destination { | |
| address 192.168.200.200 | |
| port 25 | |
| } | |
| log enable | |
| protocol tcp | |
| } | |
| rule 600 { | |
| action accept | |
| destination { | |
| address 192.168.200.200 | |
| port 53 | |
| } | |
| log enable | |
| protocol tcp_udp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name wan-lan { | |
| default-action drop | |
| enable-default-log | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| name wan-local { | |
| default-action drop | |
| enable-default-log | |
| rule 100 { | |
| action accept | |
| log enable | |
| protocol icmp | |
| } | |
| rule 1 { | |
| action accept | |
| state { | |
| established enable | |
| related enable | |
| } | |
| } | |
| rule 2 { | |
| action drop | |
| log enable | |
| state { | |
| invalid enable | |
| } | |
| } | |
| } | |
| } interfaces { | |
| ethernet eth0 { | |
| vif 10 { | |
| address 172.16.10.1/24 | |
| address 2001:db8:0:9999::1/64 | |
| } | |
| vif 20 { | |
| address 192.168.100.1/24 | |
| address 2001:db8:0:AAAA::1/64 | |
| } | |
| vif 30 { | |
| address 192.168.200.1/24 | |
| address 2001:db8:0:BBBB::1/64 | |
| } | |
| } | |
| ethernet eth1 { | |
| } | |
| ethernet eth2 { | |
| } | |
| loopback lo { | |
| } | |
| } zone-policy { | |
| zone dmz { | |
| default-action drop | |
| from lan { | |
| firewall { | |
| ipv6-name lan-dmz-6 | |
| name lan-dmz | |
| } | |
| } | |
| from local { | |
| firewall { | |
| ipv6-name local-dmz-6 | |
| name local-dmz | |
| } | |
| } | |
| from wan { | |
| firewall { | |
| ipv6-name wan-dmz-6 | |
| name wan-dmz | |
| } | |
| } | |
| interface eth0.30 | |
| } | |
| zone lan { | |
| default-action drop | |
| from dmz { | |
| firewall { | |
| ipv6-name dmz-lan-6 | |
| name dmz-lan | |
| } | |
| } | |
| from local { | |
| firewall { | |
| ipv6-name local-lan-6 | |
| name local-lan | |
| } | |
| } | |
| from wan { | |
| firewall { | |
| ipv6-name wan-lan-6 | |
| name wan-lan | |
| } | |
| } | |
| interface eth0.20 | |
| } | |
| zone local { | |
| default-action drop | |
| from dmz { | |
| firewall { | |
| name dmz-local | |
| } | |
| } | |
| from lan { | |
| firewall { | |
| name lan-local | |
| } | |
| } | |
| from wan { | |
| firewall { | |
| name wan-local | |
| } | |
| } | |
| local-zone | |
| } | |
| zone wan { | |
| default-action drop | |
| from dmz { | |
| firewall { | |
| ipv6-name dmz-wan-6 | |
| name dmz-wan | |
| } | |
| } | |
| from lan { | |
| firewall { | |
| ipv6-name lan-wan-6 | |
| name lan-wan | |
| } | |
| } | |
| from local { | |
| firewall { | |
| ipv6-name local-wan-6 | |
| name local-wan | |
| } | |
| } | |
| interface eth0.10 | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment