@njh
Last active October 7, 2023 20:25
Dual-stack VyOS Zone based Firewall Generator

A Ruby script that generates the boilerplate for a dual-stack VyOS zone-based firewall. For every ordered pair of zones it emits an IPv4 and an IPv6 rule set (a default action, an accept for established/related traffic and a drop for invalid traffic) and binds them to the destination zone with zone-policy, so only the interface lists and the default-action matrix need editing.

Zones:

  • PRIVATE: contains the LAN and WAN modem admin interface
  • PUBLIC: The Internet - contains the PPPoE interface
  • DMZ: contains the DMZ interface for servers
  • LOCAL: The firewall itself
#!/usr/bin/env ruby
# Generates the VyOS "set" commands for a dual-stack zone-based firewall.
# Each zone maps to its interfaces; an empty list marks the local zone
# (the firewall itself).
zones = {
  'PRIVATE' => ['eth0', 'eth1'],
  'PUBLIC'  => ['pppoe0'],
  'DMZ'     => ['eth2'],
  'LOCAL'   => []
}

# Default action for every ordered pair of zones, keyed "<to>-from-<from>".
# Traffic arriving from PUBLIC, traffic from the DMZ to the firewall, and
# traffic the firewall itself sends into PRIVATE or DMZ is rejected unless
# a rule added later allows it.
default_actions = {
  'PRIVATE-from-PUBLIC' => 'reject',
  'PRIVATE-from-DMZ' => 'accept',
  'PRIVATE-from-LOCAL' => 'reject',
  'PUBLIC-from-PRIVATE' => 'accept',
  'PUBLIC-from-DMZ' => 'accept',
  'PUBLIC-from-LOCAL' => 'accept',
  'DMZ-from-PRIVATE' => 'accept',
  'DMZ-from-PUBLIC' => 'reject',
  'DMZ-from-LOCAL' => 'reject',
  'LOCAL-from-PRIVATE' => 'accept',
  'LOCAL-from-PUBLIC' => 'reject',
  'LOCAL-from-DMZ' => 'reject',
}

# Emits one rule set: the default action, an accept for established/related
# state and a drop for invalid state. IPv6 rule sets are declared with
# "ipv6-name" instead of "name".
def puts_firewall_rules(name, protocol, default_action)
  raise "default_action is not set for #{name}" if default_action.nil?
  name_dec = (protocol == 'ipv6' ? 'ipv6-name' : 'name')
  puts "set firewall #{name_dec} #{name} default-action #{default_action}"
  puts "set firewall #{name_dec} #{name} rule 1010 action accept"
  puts "set firewall #{name_dec} #{name} rule 1010 state established enable"
  puts "set firewall #{name_dec} #{name} rule 1010 state related enable"
  puts "set firewall #{name_dec} #{name} rule 1020 action drop"
  puts "set firewall #{name_dec} #{name} rule 1020 state invalid enable"
end

zones.each_pair do |zone, interfaces|
  puts "# Zone #{zone}"
  # String#capitalize yields "Private Zone", "Dmz Zone" etc., the same text the
  # titleize gem produced for these names, without the extra dependency.
  puts "set zone-policy zone #{zone} description '#{zone.capitalize} Zone'"
  if interfaces.empty?
    puts "set zone-policy zone #{zone} local-zone"
  else
    interfaces.each do |interface|
      puts "set zone-policy zone #{zone} interface #{interface}"
    end
  end

  # One IPv4 and one IPv6 rule set for traffic entering this zone from every
  # other zone, then bind both to the zone-policy.
  zones.keys.each do |from_zone|
    next if zone == from_zone
    key = "#{zone}-from-#{from_zone}"
    puts_firewall_rules("#{key}-v4", 'ipv4', default_actions[key])
    puts_firewall_rules("#{key}-v6", 'ipv6', default_actions[key])
    puts "set zone-policy zone #{zone} from #{from_zone} firewall name #{key}-v4"
    puts "set zone-policy zone #{zone} from #{from_zone} firewall ipv6-name #{key}-v6"
    puts
  end
  puts
end
# Zone PRIVATE
set zone-policy zone PRIVATE description 'Private Zone'
set zone-policy zone PRIVATE interface eth0
set zone-policy zone PRIVATE interface eth1
set firewall name PRIVATE-from-PUBLIC-v4 default-action reject
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 action accept
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 state established enable
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 state related enable
set firewall name PRIVATE-from-PUBLIC-v4 rule 1020 action drop
set firewall name PRIVATE-from-PUBLIC-v4 rule 1020 state invalid enable
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 default-action reject
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1010 action accept
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1010 state established enable
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1010 state related enable
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1020 action drop
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1020 state invalid enable
set zone-policy zone PRIVATE from PUBLIC firewall name PRIVATE-from-PUBLIC-v4
set zone-policy zone PRIVATE from PUBLIC firewall ipv6-name PRIVATE-from-PUBLIC-v6
set firewall name PRIVATE-from-DMZ-v4 default-action accept
set firewall name PRIVATE-from-DMZ-v4 rule 1010 action accept
set firewall name PRIVATE-from-DMZ-v4 rule 1010 state established enable
set firewall name PRIVATE-from-DMZ-v4 rule 1010 state related enable
set firewall name PRIVATE-from-DMZ-v4 rule 1020 action drop
set firewall name PRIVATE-from-DMZ-v4 rule 1020 state invalid enable
set firewall ipv6-name PRIVATE-from-DMZ-v6 default-action accept
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1010 action accept
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1010 state established enable
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1010 state related enable
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1020 action drop
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1020 state invalid enable
set zone-policy zone PRIVATE from DMZ firewall name PRIVATE-from-DMZ-v4
set zone-policy zone PRIVATE from DMZ firewall ipv6-name PRIVATE-from-DMZ-v6
set firewall name PRIVATE-from-LOCAL-v4 default-action reject
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 action accept
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 state established enable
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 state related enable
set firewall name PRIVATE-from-LOCAL-v4 rule 1020 action drop
set firewall name PRIVATE-from-LOCAL-v4 rule 1020 state invalid enable
set firewall ipv6-name PRIVATE-from-LOCAL-v6 default-action reject
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1010 action accept
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1010 state established enable
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1010 state related enable
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1020 action drop
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1020 state invalid enable
set zone-policy zone PRIVATE from LOCAL firewall name PRIVATE-from-LOCAL-v4
set zone-policy zone PRIVATE from LOCAL firewall ipv6-name PRIVATE-from-LOCAL-v6
# Zone PUBLIC
set zone-policy zone PUBLIC description 'Public Zone'
set zone-policy zone PUBLIC interface pppoe0
set firewall name PUBLIC-from-PRIVATE-v4 default-action accept
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 action accept
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 state established enable
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 state related enable
set firewall name PUBLIC-from-PRIVATE-v4 rule 1020 action drop
set firewall name PUBLIC-from-PRIVATE-v4 rule 1020 state invalid enable
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 default-action accept
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1010 action accept
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1010 state established enable
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1010 state related enable
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1020 action drop
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1020 state invalid enable
set zone-policy zone PUBLIC from PRIVATE firewall name PUBLIC-from-PRIVATE-v4
set zone-policy zone PUBLIC from PRIVATE firewall ipv6-name PUBLIC-from-PRIVATE-v6
set firewall name PUBLIC-from-DMZ-v4 default-action accept
set firewall name PUBLIC-from-DMZ-v4 rule 1010 action accept
set firewall name PUBLIC-from-DMZ-v4 rule 1010 state established enable
set firewall name PUBLIC-from-DMZ-v4 rule 1010 state related enable
set firewall name PUBLIC-from-DMZ-v4 rule 1020 action drop
set firewall name PUBLIC-from-DMZ-v4 rule 1020 state invalid enable
set firewall ipv6-name PUBLIC-from-DMZ-v6 default-action accept
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1010 action accept
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1010 state established enable
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1010 state related enable
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1020 action drop
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1020 state invalid enable
set zone-policy zone PUBLIC from DMZ firewall name PUBLIC-from-DMZ-v4
set zone-policy zone PUBLIC from DMZ firewall ipv6-name PUBLIC-from-DMZ-v6
set firewall name PUBLIC-from-LOCAL-v4 default-action accept
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 action accept
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 state established enable
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 state related enable
set firewall name PUBLIC-from-LOCAL-v4 rule 1020 action drop
set firewall name PUBLIC-from-LOCAL-v4 rule 1020 state invalid enable
set firewall ipv6-name PUBLIC-from-LOCAL-v6 default-action accept
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1010 action accept
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1010 state established enable
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1010 state related enable
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1020 action drop
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1020 state invalid enable
set zone-policy zone PUBLIC from LOCAL firewall name PUBLIC-from-LOCAL-v4
set zone-policy zone PUBLIC from LOCAL firewall ipv6-name PUBLIC-from-LOCAL-v6
# Zone DMZ
set zone-policy zone DMZ description 'Dmz Zone'
set zone-policy zone DMZ interface eth2
set firewall name DMZ-from-PRIVATE-v4 default-action accept
set firewall name DMZ-from-PRIVATE-v4 rule 1010 action accept
set firewall name DMZ-from-PRIVATE-v4 rule 1010 state established enable
set firewall name DMZ-from-PRIVATE-v4 rule 1010 state related enable
set firewall name DMZ-from-PRIVATE-v4 rule 1020 action drop
set firewall name DMZ-from-PRIVATE-v4 rule 1020 state invalid enable
set firewall ipv6-name DMZ-from-PRIVATE-v6 default-action accept
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1010 action accept
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1010 state established enable
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1010 state related enable
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1020 action drop
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1020 state invalid enable
set zone-policy zone DMZ from PRIVATE firewall name DMZ-from-PRIVATE-v4
set zone-policy zone DMZ from PRIVATE firewall ipv6-name DMZ-from-PRIVATE-v6
set firewall name DMZ-from-PUBLIC-v4 default-action reject
set firewall name DMZ-from-PUBLIC-v4 rule 1010 action accept
set firewall name DMZ-from-PUBLIC-v4 rule 1010 state established enable
set firewall name DMZ-from-PUBLIC-v4 rule 1010 state related enable
set firewall name DMZ-from-PUBLIC-v4 rule 1020 action drop
set firewall name DMZ-from-PUBLIC-v4 rule 1020 state invalid enable
set firewall ipv6-name DMZ-from-PUBLIC-v6 default-action reject
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1010 action accept
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1010 state established enable
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1010 state related enable
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1020 action drop
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1020 state invalid enable
set zone-policy zone DMZ from PUBLIC firewall name DMZ-from-PUBLIC-v4
set zone-policy zone DMZ from PUBLIC firewall ipv6-name DMZ-from-PUBLIC-v6
set firewall name DMZ-from-LOCAL-v4 default-action reject
set firewall name DMZ-from-LOCAL-v4 rule 1010 action accept
set firewall name DMZ-from-LOCAL-v4 rule 1010 state established enable
set firewall name DMZ-from-LOCAL-v4 rule 1010 state related enable
set firewall name DMZ-from-LOCAL-v4 rule 1020 action drop
set firewall name DMZ-from-LOCAL-v4 rule 1020 state invalid enable
set firewall ipv6-name DMZ-from-LOCAL-v6 default-action reject
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1010 action accept
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1010 state established enable
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1010 state related enable
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1020 action drop
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1020 state invalid enable
set zone-policy zone DMZ from LOCAL firewall name DMZ-from-LOCAL-v4
set zone-policy zone DMZ from LOCAL firewall ipv6-name DMZ-from-LOCAL-v6
# Zone LOCAL
set zone-policy zone LOCAL description 'Local Zone'
set zone-policy zone LOCAL local-zone
set firewall name LOCAL-from-PRIVATE-v4 default-action accept
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 action accept
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 state established enable
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 state related enable
set firewall name LOCAL-from-PRIVATE-v4 rule 1020 action drop
set firewall name LOCAL-from-PRIVATE-v4 rule 1020 state invalid enable
set firewall ipv6-name LOCAL-from-PRIVATE-v6 default-action accept
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1010 action accept
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1010 state established enable
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1010 state related enable
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1020 action drop
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1020 state invalid enable
set zone-policy zone LOCAL from PRIVATE firewall name LOCAL-from-PRIVATE-v4
set zone-policy zone LOCAL from PRIVATE firewall ipv6-name LOCAL-from-PRIVATE-v6
set firewall name LOCAL-from-PUBLIC-v4 default-action reject
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 action accept
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 state established enable
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 state related enable
set firewall name LOCAL-from-PUBLIC-v4 rule 1020 action drop
set firewall name LOCAL-from-PUBLIC-v4 rule 1020 state invalid enable
set firewall ipv6-name LOCAL-from-PUBLIC-v6 default-action reject
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1010 action accept
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1010 state established enable
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1010 state related enable
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1020 action drop
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1020 state invalid enable
set zone-policy zone LOCAL from PUBLIC firewall name LOCAL-from-PUBLIC-v4
set zone-policy zone LOCAL from PUBLIC firewall ipv6-name LOCAL-from-PUBLIC-v6
set firewall name LOCAL-from-DMZ-v4 default-action reject
set firewall name LOCAL-from-DMZ-v4 rule 1010 action accept
set firewall name LOCAL-from-DMZ-v4 rule 1010 state established enable
set firewall name LOCAL-from-DMZ-v4 rule 1010 state related enable
set firewall name LOCAL-from-DMZ-v4 rule 1020 action drop
set firewall name LOCAL-from-DMZ-v4 rule 1020 state invalid enable
set firewall ipv6-name LOCAL-from-DMZ-v6 default-action reject
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1010 action accept
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1010 state established enable
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1010 state related enable
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1020 action drop
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1020 state invalid enable
set zone-policy zone LOCAL from DMZ firewall name LOCAL-from-DMZ-v4
set zone-policy zone LOCAL from DMZ firewall ipv6-name LOCAL-from-DMZ-v6
Chaz6 commented Jul 3, 2022

One thing to note: if you remove the default-action accept from LOCAL-from-PRIVATE-v6, you must make sure to add an accept rule for ICMPv6 neighbor-solicitation messages, otherwise IPv6 will no longer work.
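Taking the comment above together with the generator's policy matrix, here is an added Ruby example; it is not part of the gist, and none of its function names (matrix_problems, public_accepts, chain_lines) come from the original. It generalises the neighbor-solicitation point: whenever an IPv6 rule set has a non-accept default, it appends accept rules for the four Neighbor Discovery types (neighbor and router solicitation/advertisement), which conntrack cannot classify as established/related. It also checks the matrix before emitting anything: every ordered pair of distinct zones must carry exactly one valid action, no key may name an unknown zone, and any direction that accepts from PUBLIC by default is reported. The ICMPv6 type names and the "protocol icmpv6" form are assumed to match the VyOS 1.2/1.3 syntax the gist targets; verify them on your release before committing.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original gist. Builds each direction's rule
# set as data so the zone matrix can be checked before anything is emitted,
# and adds the ICMPv6 types IPv6 needs to any rule set whose default is not accept.

ZONES = %w[PRIVATE PUBLIC DMZ LOCAL].freeze

# Same policy matrix as the gist, keyed "<to>-from-<from>".
DEFAULT_ACTIONS = {
  'PRIVATE-from-PUBLIC' => 'reject', 'PRIVATE-from-DMZ' => 'accept', 'PRIVATE-from-LOCAL' => 'reject',
  'PUBLIC-from-PRIVATE' => 'accept', 'PUBLIC-from-DMZ' => 'accept', 'PUBLIC-from-LOCAL' => 'accept',
  'DMZ-from-PRIVATE' => 'accept', 'DMZ-from-PUBLIC' => 'reject', 'DMZ-from-LOCAL' => 'reject',
  'LOCAL-from-PRIVATE' => 'accept', 'LOCAL-from-PUBLIC' => 'reject', 'LOCAL-from-DMZ' => 'reject'
}.freeze

# Neighbor Discovery types without which a link's IPv6 stops working.
# Type names are an assumption based on the VyOS 1.2/1.3 "icmpv6 type <name>"
# syntax the gist targets; check them against your release.
ESSENTIAL_ICMPV6 = %w[neighbor-solicitation neighbor-advertisement
                      router-solicitation router-advertisement].freeze

VALID_ACTIONS = %w[accept drop reject].freeze

# Returns a list of problems with the matrix (empty means it is complete):
# every ordered pair of distinct zones needs exactly one valid action, and
# no key may name a zone that does not exist.
def matrix_problems(zones, actions)
  problems = []
  zones.product(zones).reject { |to, from| to == from }.each do |to, from|
    key = "#{to}-from-#{from}"
    action = actions[key]
    if action.nil?
      problems << "missing default action for #{key}"
    elsif !VALID_ACTIONS.include?(action)
      problems << "invalid action #{action.inspect} for #{key}"
    end
  end
  actions.each_key do |key|
    to, from = key.split('-from-', 2)
    problems << "unknown zone in #{key}" unless zones.include?(to) && zones.include?(from)
  end
  problems
end

# Directions that originate in PUBLIC and are accepted by default: each is
# an Internet-facing exposure that deserves a deliberate decision.
def public_accepts(actions)
  actions.select { |key, action| key.end_with?('-from-PUBLIC') && action == 'accept' }.keys
end

# One direction's "set firewall ..." lines, in the shape the gist emits.
# For IPv6 with a non-accept default, rules 1030+ accept the essential
# ICMPv6 types so the rule set does not break neighbour discovery.
def chain_lines(name, protocol, default_action)
  prefix = protocol == 'ipv6' ? "set firewall ipv6-name #{name}" : "set firewall name #{name}"
  lines = [
    "#{prefix} default-action #{default_action}",
    "#{prefix} rule 1010 action accept",
    "#{prefix} rule 1010 state established enable",
    "#{prefix} rule 1010 state related enable",
    "#{prefix} rule 1020 action drop",
    "#{prefix} rule 1020 state invalid enable"
  ]
  if protocol == 'ipv6' && default_action != 'accept'
    ESSENTIAL_ICMPV6.each_with_index do |type, i|
      rule = 1030 + 10 * i
      lines << "#{prefix} rule #{rule} action accept"
      lines << "#{prefix} rule #{rule} protocol icmpv6"
      lines << "#{prefix} rule #{rule} icmpv6 type #{type}"
    end
  end
  lines
end

if __FILE__ == $PROGRAM_NAME
  problems = matrix_problems(ZONES, DEFAULT_ACTIONS)
  abort(problems.join("\n")) unless problems.empty?
  public_accepts(DEFAULT_ACTIONS).each { |key| warn "note: #{key} accepts from the Internet by default" }
  ZONES.each do |zone|
    (ZONES - [zone]).each do |from|
      key = "#{zone}-from-#{from}"
      puts chain_lines("#{key}-v4", 'ipv4', DEFAULT_ACTIONS[key])
      puts chain_lines("#{key}-v6", 'ipv6', DEFAULT_ACTIONS[key])
    end
  end
end
```

Run with no arguments to print the rule sets. A missing, misspelled or unknown matrix entry stops the run before any set command is printed, so a half-applied configuration cannot result; the zone-policy binding lines from the gist are unchanged and still need to be emitted alongside these.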
