Skip to content

Instantly share code, notes, and snippets.

@cimnine
Created November 14, 2015 11:00
Show Gist options
  • Save cimnine/9b9dc854a43702f953ea to your computer and use it in GitHub Desktop.
Save cimnine/9b9dc854a43702f953ea to your computer and use it in GitHub Desktop.
firewall {
ipv6-name dmz-lan-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name dmz-local-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 400 {
action accept
destination {
port 123
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name dmz-wan-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 500 {
action accept
destination {
port 25
}
log enable
protocol tcp
source {
address 2001:db8:0:BBBB::200
}
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
source {
address 2001:db8:0:BBBB::200
}
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name lan-dmz-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 900 {
action accept
destination {
address 2001:db8:0:BBBB::200
port 993
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name lan-local-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 400 {
action accept
destination {
port 123
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
source {
address 2001:db8:0:AAAA::10
}
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name lan-wan-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 400 {
action accept
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name local-dmz-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 500 {
action accept
destination {
port 25
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name local-lan-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name local-wan-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name wan-dmz-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 500 {
action accept
destination {
port 25
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name wan-lan-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
ipv6-name wan-local-6 {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol ipv6-icmp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name dmz-lan {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name dmz-local {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 400 {
action accept
destination {
port 123
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name dmz-wan {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 500 {
action accept
destination {
port 25
}
log enable
protocol tcp
source {
address 192.168.200.200
}
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
source {
address 192.168.200.200
}
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name lan-dmz {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 900 {
action accept
destination {
address 192.168.200.200
port 993
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name lan-local {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 400 {
action accept
destination {
port 123
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
port 53
}
log enable
protocol tcp_udp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
source {
address 192.168.100.10
}
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name lan-wan {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 400 {
action accept
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name local-dmz {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 500 {
action accept
destination {
address 192.168.200.200
port 25
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
address 192.168.200.200
port 53
}
log enable
protocol tcp_udp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name local-lan {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 700 {
action accept
destination {
port 67,68
}
log enable
protocol udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name local-wan {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 200 {
action accept
destination {
port 80,443
}
log enable
protocol tcp
}
rule 300 {
action accept
destination {
port 20,21
}
log enable
protocol tcp
}
rule 400 {
action accept
destination {
port 123
}
log enable
protocol tcp
}
rule 500 {
action accept
destination {
port 25
}
log enable
protocol tcp
}
rule 800 {
action accept
destination {
port 22
}
log enable
protocol tcp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name wan-dmz {
default-action drop
enable-default-log
rule 500 {
action accept
destination {
address 192.168.200.200
port 25
}
log enable
protocol tcp
}
rule 600 {
action accept
destination {
address 192.168.200.200
port 53
}
log enable
protocol tcp_udp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name wan-lan {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
name wan-local {
default-action drop
enable-default-log
rule 100 {
action accept
log enable
protocol icmp
}
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
} interfaces {
ethernet eth0 {
vif 10 {
address 172.16.10.1/24
address 2001:db8:0:9999::1/64
}
vif 20 {
address 192.168.100.1/24
address 2001:db8:0:AAAA::1/64
}
vif 30 {
address 192.168.200.1/24
address 2001:db8:0:BBBB::1/64
}
}
ethernet eth1 {
}
ethernet eth2 {
}
loopback lo {
}
} zone-policy {
zone dmz {
default-action drop
from lan {
firewall {
ipv6-name lan-dmz-6
name lan-dmz
}
}
from local {
firewall {
ipv6-name local-dmz-6
name local-dmz
}
}
from wan {
firewall {
ipv6-name wan-dmz-6
name wan-dmz
}
}
interface eth0.30
}
zone lan {
default-action drop
from dmz {
firewall {
ipv6-name dmz-lan-6
name dmz-lan
}
}
from local {
firewall {
ipv6-name local-lan-6
name local-lan
}
}
from wan {
firewall {
ipv6-name wan-lan-6
name wan-lan
}
}
interface eth0.20
}
zone local {
default-action drop
from dmz {
firewall {
name dmz-local
}
}
from lan {
firewall {
name lan-local
}
}
from wan {
firewall {
name wan-local
}
}
local-zone
}
zone wan {
default-action drop
from dmz {
firewall {
ipv6-name dmz-wan-6
name dmz-wan
}
}
from lan {
firewall {
ipv6-name lan-wan-6
name lan-wan
}
}
from local {
firewall {
ipv6-name local-wan-6
name local-wan
}
}
interface eth0.10
}
}
@ccronin97
Copy link

Sweet, thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment