/* Kernel ICMP echo handling for the router itself; the zone rule sets below still apply to the packets */
all-ping enable
/* Directed-broadcast echo is ignored: the classic amplification (Smurf) vector */
broadcast-ping disable
/* Permissive IPv6 set: accepts everything except invalid-state packets. Meant for a trusted zone; where it is bound is not shown in this excerpt */
ipv6-name allow-all-6 {
default-action accept
/* Fast path for replies to flows conntrack already knows */
rule 1 {
action accept
state {
established enable
related enable
}
}
/* Packets conntrack cannot place in any flow are dropped and logged */
rule 2 {
action drop
log enable
state {
invalid enable
}
}
/* Redundant under default-action accept; kept parallel with the drop-default sets below */
rule 100 {
action accept
protocol ipv6-icmp
}
}
/* Reply-only IPv6 set: only traffic belonging to an existing flow plus ICMPv6 gets through; everything else hits the logged default drop */
ipv6-name allow-est-drop-inv-6 {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
/* All ICMPv6 types are accepted; NDP (neighbour/router discovery) and PMTUD depend on this, so do not remove it without per-type rules */
rule 100 {
action accept
protocol ipv6-icmp
}
}
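/* IPv6 traffic from the LAN zone to the router itself: default drop (logged), with explicit holes for the services the router offers */
ipv6-name lan-local-6 {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
/* ICMPv6 is mandatory on a LAN-facing interface: NDP, RA and PMTUD all run over it */
rule 100 {
action accept
protocol ipv6-icmp
}
/* 8443 is opened alongside 80/443 (presumably the management GUI; confirm). No source restriction: every LAN host can reach it */
rule 200 {
action accept
description "Allow HTTP/HTTPS"
destination {
port 80,443,8443
}
protocol tcp
}
rule 600 {
action accept
description "Allow DNS"
destination {
port 53
}
protocol tcp_udp
}
/* Review fix: this rule previously opened UDP 67,68, which are the DHCPv4 ports and never match DHCPv6 (UDP 546/547); DHCPv6 Solicit/Request from LAN clients therefore fell to the default drop. 547 is the server port the router listens on, 546 the client port */
rule 700 {
action accept
description "Allow DHCPv6"
destination {
port 546,547
}
protocol udp
}
/* SSH from any LAN host; consider a source restriction to a management subnet */
rule 800 {
action accept
description "Allow SSH"
destination {
port 22
}
protocol tcp
}
}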
/* IPv6 traffic from the Internet to the router itself: default drop (logged), one unsolicited TCP service plus ICMPv6 */
ipv6-name wan-local-6 {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
/* The only unsolicited TCP accepted from the Internet: OpenVPN on 443 from any source. Nothing here rate-limits connection attempts */
rule 50 {
action accept
description "Allow OpenVPN connections"
destination {
port 443
}
protocol tcp
}
/* All ICMPv6 types accepted from WAN; required for NDP with the upstream router, RA and PMTUD. No per-type filtering is applied */
rule 100 {
action accept
protocol ipv6-icmp
}
}
/* Ignore ICMPv6 redirects from neighbours (rogue-gateway / on-link MITM protection) */
ipv6-receive-redirects disable
/* Do not accept source-routed packets, which would let the sender dictate the forwarding path */
ipv6-src-route disable
ip-src-route disable
/* Log packets with impossible (martian/bogon) source addresses */
log-martians enable
/* Permissive IPv4 set: accepts everything except invalid-state packets (logged). For a trusted zone; its binding is not shown in this excerpt */
name allow-all {
default-action accept
rule 1 {
action accept
state {
established enable
related enable
}
}
/* Packets conntrack cannot place in any flow are dropped and logged */
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
/* Reply-only IPv4 set: only traffic belonging to an existing flow passes; ICMP errors for those flows arrive as 'related' */
name allow-est-drop-inv {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
}
/* IPv4 traffic from the LAN zone to the router itself: default drop (logged), with explicit holes for the services the router offers */
name lan-local {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
/* All ICMP types from LAN are accepted, not just echo */
rule 100 {
action accept
protocol icmp
}
/* 8443 is opened alongside 80/443 (presumably the management GUI; confirm). No source restriction: every LAN host can reach it */
rule 200 {
action accept
description "Allow HTTP/HTTPS"
destination {
port 80,443,8443
}
protocol tcp
}
rule 600 {
action accept
description "Allow DNS"
destination {
port 53
}
protocol tcp_udp
}
/* DHCPv4 server (67) and client (68) ports */
rule 700 {
action accept
description "Allow DHCP"
destination {
port 67,68
}
protocol udp
}
/* SSH from any LAN host; consider a source restriction to a management subnet */
rule 800 {
action accept
description "Allow SSH"
destination {
port 22
}
protocol tcp
}
}
/* IPv4 traffic from the Internet to the router itself: default drop (logged) with a single unsolicited service */
name wan-local {
default-action drop
enable-default-log
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
/* The only unsolicited TCP accepted from the Internet: OpenVPN on 443 from any source. Nothing here rate-limits connection attempts */
rule 50 {
action accept
description "Allow OpenVPN connections"
destination {
port 443
}
protocol tcp
}
/* No ICMP accept rule: unsolicited echo to the WAN address falls to the logged default drop regardless of the all-ping sysctl above (confirm that is intended); ICMP errors for existing flows pass via 'related' in rule 1 */
}
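/* Kernel-level IPv4 hardening for packets the router receives or originates */
receive-redirects disable
/* Review change (was 'enable'): ICMP redirects from the router tell hosts to use another gateway; with the router as the LAN's only gateway they carry no benefit and are a topology-leak / redirect-abuse surface */
send-redirects disable
/* Review change (was 'disable'): reverse-path filtering drops packets whose source address would not route back out the ingress interface (spoofing defence, RFC 3704). If multi-WAN or policy routing makes paths asymmetric, use 'loose' rather than reverting to 'disable' */
source-validation strict
/* Keep SYN cookies on so a SYN flood against the exposed OpenVPN port does not exhaust the backlog */
syn-cookies enable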