  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. network-group LocalNetworks {
  6. description ""
  7. network 10.0.0.0/8
  8. network 172.16.0.0/12
  9. network 192.168.0.0/16
  10. }
  11. port-group UnwantedPorts {
  12. description ""
  13. port smtp
  14. port 67-68
  15. port 135-139
  16. port 213
  17. port 389
  18. port 445
  19. port 464
  20. }
  21. }
  22. ipv6-receive-redirects disable
  23. ipv6-src-route disable
  24. ip-src-route disable
  25. log-martians enable
  26. name WAN_IN {
  27. default-action drop
  28. description "WAN to Internal"
  29. enable-default-log
  30. rule 1 {
  31. action accept
  32. description "Allow established/related"
  33. log enable
  34. protocol all
  35. state {
  36. established enable
  37. invalid disable
  38. new disable
  39. related enable
  40. }
  41. }
  42. rule 3 {
  43. action drop
  44. description "Drop invalid state"
  45. log enable
  46. protocol all
  47. state {
  48. established disable
  49. invalid enable
  50. new disable
  51. related disable
  52. }
  53. }
  54. }
  55. name WAN_LOCAL {
  56. default-action drop
  57. description "WAN to router"
  58. enable-default-log
  59. rule 1 {
  60. action accept
  61. description "Allow established/related"
  62. log disable
  63. protocol all
  64. state {
  65. established enable
  66. invalid disable
  67. new disable
  68. related enable
  69. }
  70. }
  71. rule 2 {
  72. action accept
  73. description OpenVPN
  74. destination {
  75. port 1194
  76. }
  77. log disable
  78. protocol udp
  79. }
  80. rule 3 {
  81. action drop
  82. description "Drop invalid state"
  83. log disable
  84. protocol all
  85. state {
  86. established disable
  87. invalid enable
  88. new disable
  89. related disable
  90. }
  91. }
  92. }
  93. name WAN_OUT {
  94. default-action accept
  95. enable-default-log
  96. rule 1 {
  97. action accept
  98. description "Allow SMTP to KPN"
  99. destination {
  100. address x
  101. port 25
  102. }
  103. log disable
  104. protocol tcp
  105. source {
  106. address 192.168.1.0/26
  107. }
  108. }
  109. rule 2 {
  110. action drop
  111. description "Block unwanted outgoing traffic"
  112. destination {
  113. group {
  114. port-group UnwantedPorts
  115. }
  116. }
  117. log enable
  118. protocol tcp_udp
  119. }
  120. rule 3 {
  121. action drop
  122. description "Block private IP-spaces from entering WAN"
  123. destination {
  124. group {
  125. network-group LocalNetworks
  126. }
  127. }
  128. log enable
  129. protocol all
  130. }
  131. }
  132. options {
  133. }
  134. receive-redirects disable
  135. send-redirects enable
  136. source-validation disable
  137. syn-cookies enable
  138. }
interfaces {
    /* Physical WAN port toward the provider's NTU. 1512 here, 1508 on the */
    /* Internet VLAN and 1500 on the PPPoE session: presumably baby-jumbo */
    /* framing so the PPPoE link carries a full 1500-byte payload - confirm. */
    ethernet eth0 {
        description "eth0 - NTU"
        duplex auto
        mtu 1512
        speed auto
        /* IPTV VLAN, addressed by DHCP. The lease never installs a default */
        /* route (no-update; distance 254 only as a last resort), so the */
        /* PPPoE session stays the Internet path. "name-server update" does */
        /* accept whatever DNS servers this provider-side DHCP hands out into */
        /* the router's own resolver configuration. */
        vif 4 {
            address dhcp
            description "VLAN 0.4 - IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 254
                name-server update
            }
        }
        /* Internet VLAN. The empty firewall node here is harmless: the rule */
        /* sets are bound to the PPPoE session below, which is where the WAN */
        /* packets actually pass. */
        vif 6 {
            description "VLAN 0.6 - Internet"
            firewall {
            }
            mtu 1508
            pppoe 0 {
                default-route auto
                /* in = forwarded WAN->LAN, local = WAN->router, out = ->WAN. */
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                    out {
                        name WAN_OUT
                    }
                }
                idle-timeout 180
                mtu 1500
                name-server auto
                /* PPPoE credentials redacted in this paste. */
                password x
                user-id x
            }
        }
    }
    /* LAN, a /26 (192.168.1.1-62 usable). No rule set is bound here, so LAN */
    /* hosts reach the router's SSH, GUI and DNS unfiltered. */
    ethernet eth1 {
        address 192.168.1.1/26
        description "eth1 - LAN & IPTV"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* OpenVPN road-warrior server. No firewall rule set is bound to vtun0 */
    /* anywhere in this file, so a connected client reaches the LAN and the */
    /* router's SSH (22) and HTTPS GUI (443) without any filtering. */
    openvpn vtun0 {
        /* Data-channel cipher (AES-128, presumably CBC on this release). */
        encryption aes128
        mode server
        openvpn-option --tls-server
        /* Listener matches firewall WAN_LOCAL rule 2 (udp/1194 from anywhere). */
        openvpn-option "--proto udp"
        openvpn-option "--port 1194"
        openvpn-option "--tun-mtu 1500"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        /* Several simultaneous sessions may share one name (needed because */
        /* the CN is the login name below); it also means a leaked password */
        /* can be used alongside its owner without kicking anyone off. */
        openvpn-option --duplicate-cn
        /* Authentication is a system username/password through PAM "login", */
        /* with no client certificate required. The only account in this file */
        /* (system login user x) is level admin, so the VPN password is the */
        /* router's admin password. Preferable: drop --client-cert-not-required, */
        /* issue per-client certificates from the CA configured in tls below, */
        /* and keep the PAM password as the second factor. */
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
        openvpn-option "--client-cert-not-required --username-as-common-name"
        /* No --tls-auth/ta.key: any Internet host can start a TLS handshake */
        /* against udp/1194; a static tls-auth key makes the server discard */
        /* unsigned packets before TLS. No --auth either, so the data-channel */
        /* HMAC is OpenVPN's default SHA1. verb 1 reports little beyond fatal */
        /* errors; 3 is the usual level if authentication failures should be */
        /* visible in syslog - confirm what this release logs at 1. */
        openvpn-option "--verb 1"
        /* Clients may talk to each other through the server, unfiltered. */
        openvpn-option --client-to-client
        /* Clients route the LAN /26 and, via redirect-gateway, everything */
        /* else through the tunnel; Internet egress is NAT rule 5003. The */
        /* pushed DNS address is the forwarder under service dns. */
        openvpn-option "--push route 192.168.1.0 255.255.255.192"
        openvpn-option "--push dhcp-option DNS 192.168.1.1"
        /* Internal fragmentation and MSS clamping are both switched off, so */
        /* a 1500-byte tun MTU over UDP through PPPoE relies on path-MTU */
        /* discovery working end to end - presumably deliberate, verify. */
        openvpn-option "--fragment 0"
        openvpn-option "--mssfix 0"
        openvpn-option "--push redirect-gateway def1"
        /* Client pool; the same /26 appears in NAT rule 5003. */
        server {
            subnet 192.168.2.0/26
            topology subnet
        }
        /* Server identity and CA (2048-bit DH is fine). This CA is what would */
        /* sign client certificates if they are re-enabled. */
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/gateway.MyDomain.com.crt
            dh-file /config/auth/openvpn/keys/dh2048.pem
            key-file /config/auth/openvpn/keys/gateway.MyDomain.com.key
        }
    }
}
/* Port-forward helper with no rule entries, so nothing is forwarded in from */
/* the WAN; auto-firewall would only start opening WAN_IN once rules exist. */
/* hairpin-nat lets LAN hosts reach such forwards via the public address. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface pppoe0
}
protocols {
    /* IGMP proxy for IPTV: group joins go upstream on the IPTV VLAN and the */
    /* multicast streams flow downstream onto the LAN. alt-subnet 0.0.0.0/0 */
    /* accepts multicast from any source address on eth0.4, the widest */
    /* possible setting; narrow it to the provider's source range if known. */
    igmp-proxy {
        interface eth0.4 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth1 {
            role downstream
            threshold 1
        }
    }
    /* One static route, destination and next-hop redacted in this paste */
    /* (presumably the IPTV platform via the VLAN 4 gateway - unverified). */
    static {
        route x {
            next-hop x {
            }
        }
    }
}
service {
    /* DHCP for the LAN /26. Clients are handed the OpenDNS FamilyShield */
    /* resolvers (208.67.222.123 / 208.67.220.123) directly, so LAN hosts */
    /* bypass the router's own forwarder below, whose upstreams differ; only */
    /* VPN clients are pushed 192.168.1.1. Intended split, or an oversight? */
    dhcp-server {
        disabled false
        /* Declares the formats of options 60 and 28 for dhcpd. */
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/26 {
                default-router 192.168.1.1
                dns-server 208.67.222.123
                dns-server 208.67.220.123
                lease 86400
                start 192.168.1.2 {
                    stop 192.168.1.62
                }
            }
        }
    }
    /* dnsmasq forwarder, upstreams OpenDNS and Google. listen-on names eth1 */
    /* only; the explicit listen-address is presumably what lets VPN clients */
    /* (pushed DNS 192.168.1.1 on vtun0) reach it - confirm. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 8.8.8.8
            options listen-address=192.168.1.1
        }
    }
    /* Web UI on 443. Not reachable from the WAN (WAN_LOCAL default drop), */
    /* but reachable from the LAN and, unfiltered, from VPN clients. */
    gui {
        https-port 443
    }
    nat {
        /* 5000/5001: traffic to two (redacted) IPTV addresses leaves eth0.4 */
        /* with the VLAN's DHCP address; the empty source node means any. */
        rule 5000 {
            description IPTV
            destination {
                address x
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        rule 5001 {
            description IPTV
            destination {
                address x
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        /* 5002/5003: LAN and VPN pool masquerade behind the PPPoE address. */
        /* log enable on a masquerade rule records every new translation, */
        /* i.e. every outbound connection - a lot of syslog for little gain. */
        rule 5002 {
            description Internet
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.1.0/26
            }
            type masquerade
        }
        rule 5003 {
            description "Internet via VPN"
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.2.0/26
            }
            type masquerade
        }
    }
    /* SSHv2 on 22 with password login left enabled. Not exposed on the WAN, */
    /* but VPN clients reach it with the very password the VPN (PAM login) */
    /* just accepted, so a guessed VPN password is also an admin shell. */
    /* Consider disable-password-authentication with authorized keys for */
    /* user x, or a local rule set on vtun0. */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    domain-name x
    host-name x
    /* Single local account, level admin (full control of the device). */
    /* Besides SSH/GUI login this is the credential the OpenVPN PAM plugin */
    /* (interfaces openvpn vtun0) checks, so its password guards the VPN too. */
    login {
        user x {
            authentication {
                encrypted-password x
            }
            full-name Admin
            level admin
        }
    }
    /* Vendor NTP pool; plain unauthenticated NTP, as is usual. */
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Hardware offload for routed, PPPoE and VLAN IPv4 traffic. */
    offload {
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
    }
    /* Logs stay on the box: no syslog host is configured, so the firewall */
    /* default-log and NAT log lines are lost with the device on a reboot or */
    /* compromise. Consider adding a remote syslog host. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    /* UTC timestamps keep log correlation simple. */
    time-zone UTC
    /* DPI classification of traffic, with export enabled. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
  377.  
  378. /* Warning: Do not remove the following line. */
  379. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  380. /* Release version: v1.7.0.4783374.150622.1534 */