smuda/gist:02f831386c68733412b526347119fe7c

## gistfile1.txt
// create a name for the LAN networks
configure
set firewall group network-group LAN_NETWORKS
set firewall group network-group LAN_NETWORKS description "LAN Networks"
set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
commit

// Create a rule to accept all already established connections (for example from LAN)
configure
set firewall name PROTECT_IOT default-action accept
set firewall name PROTECT_IOT rule 10 action accept
set firewall name PROTECT_IOT rule 10 description "Accept Established/Related"
set firewall name PROTECT_IOT rule 10 protocol all
set firewall name PROTECT_IOT rule 10 state established enable
set firewall name PROTECT_IOT rule 10 state related enable

// Now create a firewall rule to block all traffic from IOT network to the LAN networks.
set firewall name PROTECT_IOT rule 20 action drop
set firewall name PROTECT_IOT rule 20 description "Drop LAN_NETWORKS"
set firewall name PROTECT_IOT rule 20 destination group network-group LAN_NETWORKS
set firewall name PROTECT_IOT rule 20 protocol all
commit

// Create a firewall rule to allow access to router for DHCP and DNS
configure
set firewall name IOT_TO_FW
set firewall name IOT_TO_FW default-action drop
set firewall name IOT_TO_FW rule 10 action accept
set firewall name IOT_TO_FW rule 10 description "Accept DNS"
set firewall name IOT_TO_FW rule 10 destination port 53
set firewall name IOT_TO_FW rule 10 protocol udp

set firewall name IOT_TO_FW rule 20 action accept
set firewall name IOT_TO_FW rule 20 description "Accept DHCP"
set firewall name IOT_TO_FW rule 20 destination port 67
set firewall name IOT_TO_FW rule 20 protocol udp
commit

// Now connect the rulesets to interfaces
configure
set interfaces ethernet eth1 vif 42 firewall in name PROTECT_IOT
set interfaces ethernet eth1 vif 42 firewall local name IOT_TO_FW
commit
	// create a name for the LAN networks
	configure
	set firewall group network-group LAN_NETWORKS
	set firewall group network-group LAN_NETWORKS description "LAN Networks"
	set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
	commit

	// Create a rule to accept all already established connections (for example from LAN)
	configure
	set firewall name PROTECT_IOT default-action accept
	set firewall name PROTECT_IOT rule 10 action accept
	set firewall name PROTECT_IOT rule 10 description "Accept Established/Related"
	set firewall name PROTECT_IOT rule 10 protocol all
	set firewall name PROTECT_IOT rule 10 state established enable
	set firewall name PROTECT_IOT rule 10 state related enable

	// Now create a firewall rule to block all traffic from IOT network to the LAN networks.
	set firewall name PROTECT_IOT rule 20 action drop
	set firewall name PROTECT_IOT rule 20 description "Drop LAN_NETWORKS"
	set firewall name PROTECT_IOT rule 20 destination group network-group LAN_NETWORKS
	set firewall name PROTECT_IOT rule 20 protocol all
	commit

	// Create a firewall rule to allow access to router for DHCP and DNS
	configure
	set firewall name IOT_TO_FW
	set firewall name IOT_TO_FW default-action drop
	set firewall name IOT_TO_FW rule 10 action accept
	set firewall name IOT_TO_FW rule 10 description "Accept DNS"
	set firewall name IOT_TO_FW rule 10 destination port 53
	set firewall name IOT_TO_FW rule 10 protocol udp

	set firewall name IOT_TO_FW rule 20 action accept
	set firewall name IOT_TO_FW rule 20 description "Accept DHCP"
	set firewall name IOT_TO_FW rule 20 destination port 67
	set firewall name IOT_TO_FW rule 20 protocol udp
	commit

	// Now connect the rulesets to interfaces
	configure
	set interfaces ethernet eth1 vif 42 firewall in name PROTECT_IOT
	set interfaces ethernet eth1 vif 42 firewall local name IOT_TO_FW
	commit