ERPro
  1. firewall {
  2. all-ping enable
  3. broadcast-ping disable
  4. group {
  5. address-group A4_BoekhSrv {
  6. address **.**.97.114
  7. address 192.168.13.10
  8. }
  9. address-group A4_BoekhWin7 {
  10. address 192.168.13.19
  11. address **.**.97.114
  12. }
  13. address-group A4_ELTO17 {
  14. address 192.168.16.17
  15. }
  16. address-group A4_ELTO23 {
  17. address 192.168.16.23
  18. }
  19. address-group A4_Files {
  20. address 192.168.16.5
  21. address **.**.97.115
  22. }
  23. address-group A4_NAS110J {
  24. address 192.168.16.16
  25. }
  26. address-group A4_NAS409 {
  27. address 192.168.16.13
  28. }
  29. address-group A4_OVPN {
  30. address **.**.97.117
  31. address 192.168.16.9
  32. }
  33. address-group A4_OpenVPN {
  34. address **.**.97.118
  35. address 192.168.16.4
  36. }
  37. address-group A4_PSP {
  38. address **.**.97.116
  39. address 192.168.16.20
  40. }
  41. address-group A4_SBS {
  42. address 192.168.16.8
  43. }
  44. address-group A4_Webserver {
  45. address 192.168.2.2
  46. address **.**.97.113
  47. }
  48. address-group FTP_Allow {
  49. address 84.53.201.130
  50. address 212.103.203.242
  51. address 193.246.249.90
  52. address 80.63.86.162
  53. address 120.195.221.83
  54. address 218.206.113.151
  55. address 120.195.221.126
  56. address 221.130.59.135
  57. address 221.130.59.136
  58. address 221.130.59.137
  59. address 182.236.7.6
  60. address 180.131.111.244
  61. }
  62. ipv6-address-group A6_BoekhSrv {
  63. description "Boekhoud Server IPv6"
  64. ipv6-address **:**:**:13::10
  65. }
  66. ipv6-address-group A6_BoekhWin7 {
  67. description "Boekhoud Win7 IPv6"
  68. ipv6-address **:**:**:13::19
  69. }
  70. ipv6-address-group A6_ELTO17 {
  71. description "ELTO17 IPv6"
  72. ipv6-address **:**:**:1::17
  73. }
  74. ipv6-address-group A6_ELTO23 {
  75. description "ELTO23 IPv6"
  76. ipv6-address **:**:**:1::23
  77. }
  78. ipv6-address-group A6_Files {
  79. description "Files IPv6"
  80. ipv6-address **:**:**:1::5
  81. }
  82. ipv6-address-group A6_NAS110J {
  83. description "NAS110J IPv6"
  84. ipv6-address **:**:**:1::16
  85. }
  86. ipv6-address-group A6_NAS409 {
  87. description "NAS409 IPv6"
  88. ipv6-address **:**:**:1::13
  89. }
  90. ipv6-address-group A6_OVPN {
  91. description "OVPN IPv6"
  92. ipv6-address **:**:**:1::9
  93. }
  94. ipv6-address-group A6_OpenVPN {
  95. description "OpenVPN IPv6"
  96. ipv6-address **:**:**:1::4
  97. }
  98. ipv6-address-group A6_PSP {
  99. description "PSP IPv6"
  100. ipv6-address **:**:**:1::20
  101. }
  102. ipv6-address-group A6_SBS {
  103. description "SBS IPv6"
  104. ipv6-address **:**:**:1::8
  105. }
  106. ipv6-address-group A6_Webserver {
  107. description "Webserver IPv6"
  108. ipv6-address **:**:**:2::2
  109. }
  110. ipv6-network-group GASTv6 {
  111. }
  112. ipv6-network-group LAN2v6 {
  113. description "Visitors IPv6"
  114. ipv6-network **:**:**:2::0/64
  115. }
  116. ipv6-network-group LAN13v6 {
  117. description "Boekh IPv6"
  118. ipv6-network **:**:**:13::0/64
  119. }
  120. ipv6-network-group LAN16v6 {
  121. description "Main IPv6"
  122. ipv6-network **:**:**:1::0/64
  123. }
  124. ipv6-network-group MGNTv6 {
  125. description "Management IPv6"
  126. ipv6-network **:**:**:99::0/64
  127. }
  128. network-group BOGONS {
  129. description "Invalid WAN networks"
  130. network 100.64.0.0/10
  131. network 127.0.0.0/8
  132. network 169.254.0.0/16
  133. network 172.16.0.0/12
  134. network 192.0.0.0/24
  135. network 192.0.2.0/24
  136. network 192.168.0.0/16
  137. network 198.18.0.0/15
  138. network 198.51.100.0/24
  139. network 203.0.113.0/24
  140. network 224.0.0.0/3
  141. network 10.0.0.0/8
  142. }
  143. network-group GAST {
  144. network 192.168.5.0/24
  145. }
  146. network-group LAN2 {
  147. description Visitors
  148. network 192.168.2.0/24
  149. }
  150. network-group LAN13 {
  151. description Boekh
  152. network 192.168.13.0/24
  153. }
  154. network-group LAN16 {
  155. description Main
  156. network 192.168.16.0/24
  157. }
  158. network-group MGNT {
  159. description Management
  160. network 192.168.1.0/24
  161. }
  162. network-group PRIVATE_NETS {
  163. network 192.168.0.0/16
  164. network 172.16.0.0/12
  165. network 10.0.0.0/8
  166. }
  167. port-group P_BoekhSrv {
  168. port 80
  169. }
  170. port-group P_BoekhWin7 {
  171. port 3389
  172. }
  173. port-group P_ELTO17 {
  174. port 3389
  175. }
  176. port-group P_ELTO23 {
  177. port 3389
  178. }
  179. port-group P_Files {
  180. port 80
  181. port 443
  182. }
  183. port-group P_NAS110J {
  184. }
  185. port-group P_NAS409 {
  186. port 21
  187. port 55536-55567
  188. }
  189. port-group P_OpenVPN {
  190. port 443
  191. port 943
  192. port 1194
  193. }
  194. port-group P_PSP {
  195. port 80
  196. port 443
  197. }
  198. port-group P_SBS {
  199. port 25
  200. port 80
  201. port 443
  202. port 987
  203. port 287
  204. }
  205. port-group P_Webserver {
  206. port 80
  207. port 443
  208. }
  209. }
  210. ipv6-name GASTv6_IN {
  211. default-action drop
  212. rule 1 {
  213. action accept
  214. description "Allow established related"
  215. state {
  216. established enable
  217. new enable
  218. related enable
  219. }
  220. }
  221. rule 2 {
  222. action drop
  223. state {
  224. invalid enable
  225. }
  226. }
  227. rule 3 {
  228. action accept
  229. description Files
  230. destination {
  231. group {
  232. ipv6-address-group A6_Files
  233. port-group P_Files
  234. }
  235. }
  236. protocol tcp_udp
  237. }
  238. rule 4 {
  239. action drop
  240. description "Block LAN13"
  241. destination {
  242. group {
  243. ipv6-network-group LAN13v6
  244. }
  245. }
  246. protocol all
  247. }
  248. rule 5 {
  249. action drop
  250. description "Block LAN16"
  251. destination {
  252. group {
  253. ipv6-network-group LAN16v6
  254. }
  255. }
  256. protocol all
  257. }
  258. rule 6 {
  259. action drop
  260. description "Block MGNT"
  261. destination {
  262. group {
  263. ipv6-network-group MGNTv6
  264. }
  265. }
  266. protocol all
  267. }
  268. rule 7 {
  269. action accept
  270. description ipv6-icmp
  271. protocol ipv6-icmp
  272. }
  273. }
  274. ipv6-name GASTv6_LOCAL {
  275. default-action drop
  276. rule 1 {
  277. action accept
  278. description "Allow established related"
  279. state {
  280. established enable
  281. new enable
  282. related enable
  283. }
  284. }
  285. rule 2 {
  286. action drop
  287. state {
  288. invalid enable
  289. }
  290. }
  291. rule 3 {
  292. action accept
  293. description DNS_DHCP
  294. destination {
  295. port 53,67
  296. }
  297. protocol udp
  298. }
  299. rule 4 {
  300. action accept
  301. description ipv6-icmp
  302. protocol ipv6-icmp
  303. }
  304. }
  305. ipv6-name LAN2v6_IN {
  306. default-action drop
  307. rule 1 {
  308. action accept
  309. description "Allow established related"
  310. state {
  311. established enable
  312. new enable
  313. related enable
  314. }
  315. }
  316. rule 2 {
  317. action drop
  318. description "Drop invalid"
  319. state {
  320. invalid enable
  321. }
  322. }
  323. rule 3 {
  324. action drop
  325. description "Drop to GAST"
  326. destination {
  327. group {
  328. ipv6-network-group GASTv6
  329. }
  330. }
  331. protocol all
  332. }
  333. rule 4 {
  334. action drop
  335. description "Drop to LAN13"
  336. destination {
  337. group {
  338. ipv6-network-group LAN13v6
  339. }
  340. }
  341. protocol all
  342. }
  343. rule 5 {
  344. action drop
  345. description "Drop to LAN16"
  346. destination {
  347. group {
  348. ipv6-network-group LAN16v6
  349. }
  350. }
  351. protocol all
  352. }
  353. rule 6 {
  354. action drop
  355. description "Drop to LAN MGNT"
  356. destination {
  357. group {
  358. ipv6-network-group MGNTv6
  359. }
  360. }
  361. protocol all
  362. }
  363. rule 7 {
  364. action accept
  365. description ipv6-icmp
  366. protocol ipv6-icmp
  367. }
  368. }
  369. ipv6-name LAN2v6_LOCAL {
  370. default-action drop
  371. rule 1 {
  372. action accept
  373. description "Allow established related"
  374. state {
  375. established enable
  376. related enable
  377. }
  378. }
  379. rule 2 {
  380. action drop
  381. description "Drop invalid"
  382. state {
  383. invalid enable
  384. }
  385. }
  386. rule 3 {
  387. action accept
  388. description "DNS DHCP"
  389. destination {
  390. port 53,67
  391. }
  392. protocol udp
  393. }
  394. rule 4 {
  395. action accept
  396. description ipv6-icmp
  397. protocol ipv6-icmp
  398. }
  399. }
  400. ipv6-name LAN13v6_OUT {
  401. default-action drop
  402. rule 1 {
  403. action accept
  404. description "Allow established related"
  405. state {
  406. established enable
  407. related enable
  408. }
  409. }
  410. rule 2 {
  411. action reject
  412. state {
  413. invalid enable
  414. }
  415. }
  416. rule 3 {
  417. action accept
  418. destination {
  419. group {
  420. ipv6-address-group A6_BoekhSrv
  421. port-group P_BoekhSrv
  422. }
  423. }
  424. }
  425. rule 4 {
  426. action accept
  427. description ipv6-icmp
  428. protocol ipv6-icmp
  429. }
  430. rule 5 {
  431. action accept
  432. description BoekhWin7
  433. destination {
  434. group {
  435. ipv6-address-group A6_BoekhWin7
  436. port-group P_BoekhWin7
  437. }
  438. }
  439. protocol tcp
  440. }
  441. }
  442. ipv6-name LAN16v6_IN {
  443. default-action reject
  444. rule 1 {
  445. action accept
  446. description "Allow established related"
  447. state {
  448. established enable
  449. new enable
  450. related enable
  451. }
  452. }
  453. rule 2 {
  454. action reject
  455. state {
  456. invalid enable
  457. }
  458. }
  459. rule 30 {
  460. action accept
  461. protocol ipv6-icmp
  462. }
  463. rule 31 {
  464. action accept
  465. destination {
  466. group {
  467. ipv6-address-group A6_BoekhSrv
  468. port-group P_BoekhSrv
  469. }
  470. }
  471. protocol tcp
  472. }
  473. rule 32 {
  474. action accept
  475. destination {
  476. group {
  477. ipv6-address-group A6_Webserver
  478. }
  479. }
  480. protocol tcp_udp
  481. }
  482. rule 50 {
  483. action drop
  484. destination {
  485. group {
  486. ipv6-network-group LAN13v6
  487. }
  488. }
  489. }
  490. }
  491. ipv6-name LAN16v6_LOCAL {
  492. default-action reject
  493. rule 1 {
  494. action accept
  495. description "Allow established related"
  496. state {
  497. established enable
  498. new enable
  499. related enable
  500. }
  501. }
  502. rule 2 {
  503. action reject
  504. state {
  505. invalid enable
  506. }
  507. }
  508. rule 30 {
  509. action accept
  510. protocol ipv6-icmp
  511. }
  512. rule 40 {
  513. action accept
  514. destination {
  515. port 546
  516. }
  517. protocol udp
  518. source {
  519. port 547
  520. }
  521. }
  522. }
  523. ipv6-name MGNTv6_IN {
  524. default-action accept
  525. }
  526. ipv6-name MGNTv6_LOCAL {
  527. default-action accept
  528. }
  529. ipv6-name WANv6_IN {
  530. default-action drop
  531. rule 10 {
  532. action accept
  533. description "Allow established related"
  534. state {
  535. established enable
  536. related enable
  537. }
  538. }
  539. rule 20 {
  540. action drop
  541. description "Drop invalid state"
  542. state {
  543. invalid enable
  544. }
  545. }
  546. rule 30 {
  547. action accept
  548. description "ICMP v6"
  549. protocol ipv6-icmp
  550. }
  551. rule 40 {
  552. action accept
  553. description Webserver
  554. destination {
  555. group {
  556. ipv6-address-group A6_Webserver
  557. port-group P_Webserver
  558. }
  559. }
  560. protocol tcp_udp
  561. }
  562. rule 41 {
  563. action accept
  564. description Files
  565. destination {
  566. group {
  567. ipv6-address-group A6_Files
  568. port-group P_Files
  569. }
  570. }
  571. protocol tcp_udp
  572. }
  573. rule 42 {
  574. action accept
  575. description BoekhSrv
  576. destination {
  577. group {
  578. ipv6-address-group A6_BoekhSrv
  579. port-group P_BoekhSrv
  580. }
  581. }
  582. protocol tcp
  583. }
  584. rule 43 {
  585. action accept
  586. description PSP
  587. destination {
  588. group {
  589. ipv6-address-group A6_PSP
  590. port-group P_PSP
  591. }
  592. }
  593. protocol tcp_udp
  594. }
  595. rule 44 {
  596. action accept
  597. description SBS
  598. destination {
  599. group {
  600. ipv6-address-group A6_SBS
  601. port-group P_SBS
  602. }
  603. }
  604. }
  605. rule 45 {
  606. action accept
  607. description OVPN
  608. destination {
  609. group {
  610. ipv6-address-group A6_OVPN
  611. port-group P_OpenVPN
  612. }
  613. }
  614. protocol tcp_udp
  615. }
  616. rule 46 {
  617. action accept
  618. description OpenVPN
  619. destination {
  620. group {
  621. ipv6-address-group A6_OpenVPN
  622. port-group P_OpenVPN
  623. }
  624. }
  625. protocol tcp_udp
  626. }
  627. rule 47 {
  628. action accept
  629. description BoekhWin7
  630. destination {
  631. group {
  632. ipv6-address-group A6_BoekhWin7
  633. port-group P_BoekhWin7
  634. }
  635. }
  636. protocol all
  637. }
  638. rule 48 {
  639. action accept
  640. description NAS409
  641. destination {
  642. group {
  643. ipv6-address-group A6_NAS409
  644. port-group P_NAS409
  645. }
  646. }
  647. }
  648. rule 49 {
  649. action accept
  650. description ELTO17
  651. destination {
  652. group {
  653. ipv6-address-group A6_ELTO17
  654. port-group P_ELTO17
  655. }
  656. }
  657. protocol all
  658. }
  659. rule 50 {
  660. action accept
  661. description ELTO23
  662. destination {
  663. group {
  664. ipv6-address-group A6_ELTO23
  665. port-group P_ELTO23
  666. }
  667. }
  668. protocol all
  669. }
  670. }
  671. ipv6-name WANv6_LOCAL {
  672. default-action drop
  673. rule 10 {
  674. action accept
  675. description "Allow established related"
  676. state {
  677. established enable
  678. related enable
  679. }
  680. }
  681. rule 20 {
  682. action drop
  683. description "drop invalid state"
  684. state {
  685. invalid enable
  686. }
  687. }
  688. rule 30 {
  689. action accept
  690. description "allow ipv6 icmp"
  691. protocol ipv6-icmp
  692. }
  693. rule 40 {
  694. action accept
  695. description "allow dhcpv6"
  696. destination {
  697. port 546
  698. }
  699. protocol udp
  700. source {
  701. port 547
  702. }
  703. }
  704. }
  705. ipv6-receive-redirects disable
  706. ipv6-src-route disable
  707. ip-src-route disable
  708. log-martians enable
  709. modify balance {
  710. rule 10 {
  711. action modify
  712. description "do NOT load balance lan to lan"
  713. destination {
  714. group {
  715. network-group PRIVATE_NETS
  716. }
  717. }
  718. modify {
  719. table main
  720. }
  721. }
  722. rule 20 {
  723. action modify
  724. description "do NOT load balance destination public address"
  725. destination {
  726. group {
  727. address-group ADDRv4_pppoe0
  728. }
  729. }
  730. modify {
  731. table main
  732. }
  733. }
  734. rule 30 {
  735. action modify
  736. description "do NOT load balance destination public address"
  737. destination {
  738. group {
  739. address-group ADDRv4_eth2
  740. }
  741. }
  742. modify {
  743. table main
  744. }
  745. }
  746. rule 40 {
  747. action modify
  748. modify {
  749. lb-group G
  750. }
  751. }
  752. }
  753. name GAST_IN {
  754. default-action drop
  755. rule 1 {
  756. action accept
  757. description "Allow established related"
  758. log disable
  759. protocol all
  760. state {
  761. established enable
  762. invalid disable
  763. new enable
  764. related enable
  765. }
  766. }
  767. rule 2 {
  768. action drop
  769. log disable
  770. protocol all
  771. state {
  772. established disable
  773. invalid enable
  774. new disable
  775. related disable
  776. }
  777. }
  778. rule 3 {
  779. action accept
  780. description Files
  781. destination {
  782. group {
  783. address-group A4_Files
  784. port-group P_Files
  785. }
  786. }
  787. log disable
  788. protocol tcp_udp
  789. }
  790. rule 4 {
  791. action accept
  792. description Webserver
  793. destination {
  794. group {
  795. address-group A4_Webserver
  796. port-group P_Webserver
  797. }
  798. }
  799. log disable
  800. protocol tcp_udp
  801. }
  802. rule 6 {
  803. action drop
  804. description "Block LAN13"
  805. destination {
  806. group {
  807. network-group LAN13
  808. }
  809. }
  810. log disable
  811. protocol all
  812. }
  813. rule 7 {
  814. action drop
  815. description "Block LAN16"
  816. destination {
  817. group {
  818. network-group LAN16
  819. }
  820. }
  821. log disable
  822. protocol all
  823. }
  824. rule 8 {
  825. action drop
  826. description "Block MGNT"
  827. destination {
  828. group {
  829. network-group MGNT
  830. }
  831. }
  832. log disable
  833. protocol all
  834. }
  835. rule 9 {
  836. action accept
  837. description "Naar XS4All"
  838. destination {
  839. group {
  840. address-group ADDRv4_pppoe0
  841. }
  842. }
  843. log disable
  844. protocol all
  845. source {
  846. group {
  847. network-group LAN2
  848. }
  849. }
  850. }
  851. rule 10 {
  852. action accept
  853. description "Naar Ziggo"
  854. destination {
  855. group {
  856. address-group ADDRv4_eth2
  857. }
  858. }
  859. log disable
  860. protocol all
  861. source {
  862. group {
  863. network-group LAN2
  864. }
  865. }
  866. }
  867. }
  868. name GAST_LOCAL {
  869. default-action drop
  870. rule 1 {
  871. action accept
  872. description "Allow established related"
  873. log disable
  874. protocol all
  875. state {
  876. established enable
  877. invalid disable
  878. new disable
  879. related enable
  880. }
  881. }
  882. rule 2 {
  883. action drop
  884. log disable
  885. protocol all
  886. state {
  887. established disable
  888. invalid enable
  889. new disable
  890. related disable
  891. }
  892. }
  893. rule 3 {
  894. action accept
  895. description "Allow DNS"
  896. destination {
  897. port 53
  898. }
  899. log disable
  900. protocol udp
  901. }
  902. rule 4 {
  903. action accept
  904. description "Allow DHCP"
  905. destination {
  906. port 67
  907. }
  908. log disable
  909. protocol udp
  910. }
  911. }
  912. name LAN2_IN {
  913. default-action drop
  914. rule 1 {
  915. action accept
  916. description "Allow established related"
  917. state {
  918. established enable
  919. new enable
  920. related enable
  921. }
  922. }
  923. rule 2 {
  924. action drop
  925. description "Drop Invalid"
  926. log disable
  927. state {
  928. invalid enable
  929. }
  930. }
  931. rule 3 {
  932. action drop
  933. description "Block GAST"
  934. destination {
  935. group {
  936. network-group GAST
  937. }
  938. }
  939. protocol all
  940. }
  941. rule 4 {
  942. action drop
  943. description "Block LAN13"
  944. destination {
  945. group {
  946. network-group LAN13
  947. }
  948. }
  949. protocol all
  950. }
  951. rule 5 {
  952. action drop
  953. description "Block LAN16"
  954. destination {
  955. group {
  956. network-group LAN16
  957. }
  958. }
  959. protocol all
  960. }
  961. rule 6 {
  962. action drop
  963. description "Block MGNT"
  964. destination {
  965. group {
  966. network-group MGNT
  967. }
  968. }
  969. protocol all
  970. }
  971. rule 7 {
  972. action accept
  973. description "Allow to XS4All"
  974. destination {
  975. group {
  976. address-group ADDRv4_pppoe0
  977. }
  978. }
  979. log disable
  980. protocol all
  981. }
  982. rule 8 {
  983. action accept
  984. description "Allow to Ziggo"
  985. destination {
  986. group {
  987. address-group ADDRv4_eth2
  988. }
  989. }
  990. log disable
  991. protocol all
  992. }
  993. }
  994. name LAN2_LOCAL {
  995. default-action drop
  996. rule 1 {
  997. action accept
  998. description "Allow established related"
  999. state {
  1000. established enable
  1001. related enable
  1002. }
  1003. }
  1004. rule 2 {
  1005. action drop
  1006. description "Drop invalid"
  1007. state {
  1008. invalid enable
  1009. }
  1010. }
  1011. rule 3 {
  1012. action accept
  1013. description "DHCP DNS"
  1014. destination {
  1015. port 53,67
  1016. }
  1017. protocol udp
  1018. }
  1019. }
  1020. name LAN13_OUT {
  1021. default-action reject
  1022. rule 1 {
  1023. action accept
  1024. description "Allow established related"
  1025. log disable
  1026. protocol all
  1027. state {
  1028. established enable
  1029. invalid disable
  1030. new disable
  1031. related enable
  1032. }
  1033. }
  1034. rule 2 {
  1035. action reject
  1036. log disable
  1037. protocol all
  1038. state {
  1039. established disable
  1040. invalid enable
  1041. new disable
  1042. related disable
  1043. }
  1044. }
  1045. rule 3 {
  1046. action accept
  1047. description Weburen
  1048. destination {
  1049. group {
  1050. address-group A4_BoekhSrv
  1051. port-group P_BoekhSrv
  1052. }
  1053. }
  1054. log disable
  1055. protocol tcp
  1056. }
  1057. rule 4 {
  1058. action accept
  1059. description BoekhWin7
  1060. destination {
  1061. group {
  1062. address-group A4_BoekhWin7
  1063. port-group P_BoekhWin7
  1064. }
  1065. }
  1066. log disable
  1067. protocol tcp
  1068. }
  1069. }
  1070. name LAN16_IN {
  1071. default-action reject
  1072. rule 1 {
  1073. action accept
  1074. description "Allow established related"
  1075. log disable
  1076. protocol all
  1077. state {
  1078. established enable
  1079. invalid disable
  1080. new enable
  1081. related enable
  1082. }
  1083. }
  1084. rule 2 {
  1085. action reject
  1086. log disable
  1087. protocol all
  1088. state {
  1089. established disable
  1090. invalid enable
  1091. new disable
  1092. related disable
  1093. }
  1094. }
  1095. rule 3 {
  1096. action accept
  1097. description Webserver
  1098. destination {
  1099. group {
  1100. address-group A4_Webserver
  1101. port-group P_Webserver
  1102. }
  1103. }
  1104. log disable
  1105. protocol tcp_udp
  1106. }
  1107. rule 4 {
  1108. action accept
  1109. description Weburen
  1110. destination {
  1111. group {
  1112. address-group A4_BoekhSrv
  1113. port-group P_BoekhSrv
  1114. }
  1115. }
  1116. log disable
  1117. protocol tcp
  1118. }
  1119. rule 5 {
  1120. action accept
  1121. description BoekhWin7
  1122. destination {
  1123. group {
  1124. address-group A4_BoekhWin7
  1125. port-group P_BoekhWin7
  1126. }
  1127. }
  1128. log disable
  1129. protocol tcp
  1130. }
  1131. rule 6 {
  1132. action accept
  1133. description "Naar XS4All"
  1134. destination {
  1135. group {
  1136. address-group ADDRv4_pppoe0
  1137. }
  1138. }
  1139. log disable
  1140. protocol all
  1141. source {
  1142. group {
  1143. network-group LAN16
  1144. }
  1145. }
  1146. }
  1147. rule 7 {
  1148. action accept
  1149. description "Naar Ziggo"
  1150. destination {
  1151. group {
  1152. address-group ADDRv4_eth2
  1153. }
  1154. }
  1155. log disable
  1156. protocol all
  1157. source {
  1158. group {
  1159. network-group LAN16
  1160. }
  1161. }
  1162. }
  1163. }
  1164. name LAN16_LOCAL {
  1165. default-action reject
  1166. rule 1 {
  1167. action accept
  1168. description "Allow established related"
  1169. log disable
  1170. protocol all
  1171. state {
  1172. established enable
  1173. invalid disable
  1174. new enable
  1175. related enable
  1176. }
  1177. }
  1178. rule 2 {
  1179. action reject
  1180. log disable
  1181. protocol all
  1182. state {
  1183. established disable
  1184. invalid enable
  1185. new disable
  1186. related disable
  1187. }
  1188. }
  1189. rule 3 {
  1190. action accept
  1191. description DNS_DHCP
  1192. destination {
  1193. port 53,67
  1194. }
  1195. log disable
  1196. protocol udp
  1197. }
  1198. rule 4 {
  1199. action accept
  1200. description "443 en ssh"
  1201. destination {
  1202. port 22,443
  1203. }
  1204. log disable
  1205. protocol tcp_udp
  1206. source {
  1207. group {
  1208. network-group LAN16
  1209. }
  1210. }
  1211. }
  1212. }
  1213. name MGT_IN {
       /* Management LAN (eth0) is forwarded and terminated unfiltered; eth0 carries 192.168.1.1/24, 10.10.10.10/24 and the :99 IPv6 prefix. Acceptable only while eth0 is physically restricted to administrators. */
  1214. default-action accept
  1215. }
  1216. name MGT_LOCAL {
  1217. default-action accept
  1218. description "Management eth0"
  1219. }
  1220. name WAN_IN {
  1221. default-action drop
  1222. description "WAN to internal"
  1223. rule 1 {
  1224. action accept
  1225. description "Allow established/related"
  1226. state {
  1227. established enable
  1228. related enable
  1229. }
  1230. }
  1231. rule 2 {
  1232. action drop
  1233. description "Drop invalid state"
  1234. state {
  1235. invalid enable
  1236. }
  1237. }
  1238. rule 3 {
  1239. action drop
  1240. description "drop BOGON source"
  1241. protocol all
  1242. source {
  1243. group {
  1244. network-group BOGONS
  1245. }
  1246. }
  1247. }
  1248. rule 4 {
  1249. action accept
  1250. description Webserver
  1251. destination {
  1252. group {
  1253. address-group A4_Webserver
  1254. port-group P_Webserver
  1255. }
  1256. }
  1257. protocol tcp_udp
  1258. }
  1259. rule 5 {
  1260. action accept
  1261. description SBS
  1262. destination {
  1263. group {
  1264. address-group A4_SBS
  1265. port-group P_SBS
  1266. }
  1267. }
  1268. log disable
  1269. protocol tcp_udp
  1270. }
  1271. rule 6 {
  1272. action accept
  1273. description "File server"
  1274. destination {
  1275. group {
  1276. address-group A4_Files
  1277. port-group P_Files
  1278. }
  1279. }
  1280. log disable
  1281. protocol tcp_udp
  1282. }
  1283. rule 7 {
  1284. action accept
  1285. description BoekhSrv
  1286. destination {
  1287. group {
  1288. address-group A4_BoekhSrv
  1289. port-group P_BoekhSrv
  1290. }
  1291. }
  1292. log disable
  1293. protocol tcp
  1294. }
  1295. rule 8 {
  1296. action accept
  1297. description BoekhWin7
  1298. destination {
  1299. group {
  1300. address-group A4_BoekhWin7
  1301. port-group P_BoekhWin7
  1302. }
  1303. }
  1304. log disable
  1305. protocol all
  1306. }
  1307. rule 9 {
  1308. action accept
  1309. description PSP
  1310. destination {
  1311. group {
  1312. address-group A4_PSP
  1313. port-group P_PSP
  1314. }
  1315. }
  1316. log disable
  1317. protocol tcp_udp
  1318. }
  1319. rule 10 {
  1320. action accept
  1321. description OVPN
  1322. destination {
  1323. group {
  1324. address-group A4_OVPN
  1325. port-group P_OpenVPN
  1326. }
  1327. }
  1328. log disable
  1329. protocol tcp_udp
  1330. }
  1331. rule 11 {
  1332. action accept
  1333. description OpenVPN
  1334. destination {
  1335. group {
  1336. address-group A4_OpenVPN
  1337. port-group P_OpenVPN
  1338. }
  1339. }
  1340. log disable
  1341. protocol tcp_udp
  1342. }
  1343. rule 12 {
  1344. action accept
  1345. description NAS409
  1346. destination {
  1347. group {
  1348. address-group A4_NAS409
  1349. port-group P_NAS409
  1350. }
  1351. }
  1352. log disable
  1353. protocol tcp
  1354. source {
  1355. group {
  1356. address-group FTP_Allow
  1357. }
  1358. }
  1359. }
  1360. rule 14 {
  1361. action accept
  1362. description ELTO17
  1363. destination {
  1364. group {
  1365. address-group A4_ELTO17
  1366. port-group P_ELTO17
  1367. }
  1368. }
  1369. log disable
  1370. protocol tcp
  1371. }
  1372. }
  1373. name WAN_LOCAL {
  1374. default-action drop
  1375. description "WAN to router"
  1376. rule 1 {
  1377. action accept
  1378. description "Allow established/related"
  1379. state {
  1380. established enable
  1381. related enable
  1382. }
  1383. }
  1384. rule 2 {
  1385. action drop
  1386. description "Drop invalid state"
  1387. state {
  1388. invalid enable
  1389. }
  1390. }
  1391. rule 3 {
  1392. action accept
  1393. description "Allow L2TP"
  1394. destination {
  1395. port 500,1701,4500
  1396. }
  1397. log disable
  1398. protocol udp
  1399. }
  1400. rule 4 {
  1401. action accept
  1402. description "Allow ESP for VPN"
  1403. log disable
  1404. protocol esp
  1405. }
  1406. rule 5 {
  1407. action accept
  1408. description ICMP
  1409. limit {
  1410. burst 1
  1411. rate 50/minute
  1412. }
  1413. log disable
  1414. protocol icmp
  1415. }
  1416. rule 6 {
  1417. action drop
  1418. description "drop BOGON source"
  1419. protocol all
  1420. source {
  1421. group {
  1422. network-group BOGONS
  1423. }
  1424. }
  1425. }
  1426. rule 7 {
  1427. action drop
  1428. description "Drop 443 en 22"
  1429. destination {
  1430. port 443,22
  1431. }
  1432. log disable
  1433. protocol tcp_udp
  1434. }
  1435. }
  1436. options {
  1437. mss-clamp {
       /* NOTE(review): 1412 is below the usual 1452 for a PPPoE path; presumably chosen with the VPN paths in mind - confirm. */
  1438. mss 1412
  1439. }
  1440. }
  1441. receive-redirects disable
  1442. send-redirects enable
       /* Reverse-path filtering is off. With two WAN links and "modify balance" this avoids dropping asymmetric returns, but it also removes the kernel's own anti-spoofing check; the BOGON drops in WAN_IN/WAN_LOCAL and log-martians are what remains. */
  1443. source-validation disable
  1444. syn-cookies enable
  1445. }
  1445. }
  1446. interfaces {
  1447. ethernet eth0 {
  1448. address 192.168.1.1/24
  1449. address **:**:**:99::1/64
  1450. address 10.10.10.10/24
  1451. description Management
  1452. duplex auto
  1453. firewall {
  1454. in {
  1455. ipv6-name MGNTv6_IN
  1456. modify balance
  1457. name MGT_IN
  1458. }
  1459. local {
  1460. ipv6-name MGNTv6_LOCAL
  1461. name MGT_LOCAL
  1462. }
  1463. }
  1464. ipv6 {
  1465. dup-addr-detect-transmits 1
  1466. router-advert {
  1467. cur-hop-limit 64
  1468. link-mtu 0
  1469. managed-flag false
  1470. max-interval 600
  1471. name-server **:**:**:99::1
  1472. other-config-flag false
  1473. prefix **:**:**:99::/64 {
  1474. autonomous-flag true
  1475. on-link-flag true
  1476. valid-lifetime 2592000
  1477. }
  1478. radvd-options "RDNSS **:**:**:99::1{};"
  1479. reachable-time 0
  1480. retrans-timer 0
  1481. send-advert true
  1482. }
  1483. }
  1484. mtu 1500
  1485. speed auto
  1486. }
  1487. ethernet eth1 {
  1488. description "FTTH - XS4All"
  1489. duplex auto
  1490. mtu 1512
  1491. speed auto
  1492. vif 6 {
  1493. description VLAN6
  1494. mtu 1508
  1495. pppoe 0 {
  1496. default-route none
  1497. description "Internet - XS4All"
  1498. dhcpv6-pd {
  1499. no-dns
  1500. pd 0 {
  1501. interface eth0 {
  1502. host-address ::1
  1503. prefix-id :99
  1504. service slaac
  1505. }
  1506. interface eth4 {
  1507. host-address ::1
  1508. prefix-id :5
  1509. service slaac
  1510. }
  1511. interface eth5 {
  1512. host-address ::1
  1513. prefix-id :2
  1514. service slaac
  1515. }
  1516. interface eth6 {
  1517. host-address ::1
  1518. prefix-id :1
  1519. service slaac
  1520. }
  1521. interface eth7 {
  1522. host-address ::1
  1523. prefix-id :13
  1524. service slaac
  1525. }
  1526. prefix-length /48
  1527. }
  1528. prefix-only
  1529. rapid-commit enable
  1530. }
  1531. firewall {
  1532. in {
  1533. ipv6-name WANv6_IN
  1534. name WAN_IN
  1535. }
  1536. local {
  1537. ipv6-name WANv6_LOCAL
  1538. name WAN_LOCAL
  1539. }
  1540. }
  1541. idle-timeout 180
  1542. ipv6 {
  1543. address {
  1544. autoconf
  1545. secondary **:**:**::1/48
  1546. }
  1547. dup-addr-detect-transmits 1
  1548. enable {
  1549. }
  1550. }
  1551. mtu 1500
  1552. name-server none
  1553. password 123456
  1554. user-id ***@xs4all.nl
  1555. }
  1556. }
  1557. }
  1558. ethernet eth2 {
  1559. address dhcp
  1560. address dhcpv6
  1561. description "Internet - Ziggo"
  1562. dhcp-options {
  1563. default-route no-update
  1564. default-route-distance 210
  1565. name-server no-update
  1566. }
  1567. duplex auto
  1568. firewall {
  1569. in {
  1570. ipv6-name WANv6_IN
  1571. name WAN_IN
  1572. }
  1573. local {
  1574. ipv6-name WANv6_LOCAL
  1575. name WAN_LOCAL
  1576. }
  1577. }
  1578. speed auto
  1579. }
  /* NOTE(review): unused port left enabled with no address and no firewall attached; anything plugged in here is not covered by the per-interface rulesets - consider 'disable' until it is needed. */
  1580. ethernet eth3 {
  1581. duplex auto
  1582. speed auto
  1583. }
  /* Guest LAN: 192.168.5.0/24 plus the delegated /64 with subnet id 5 (prefix-id :5 from the pppoe0 PD). */
  1584. ethernet eth4 {
  1585. address 192.168.5.1/24
  1586. address **:**:**:5::1/64
  1587. description "LAN Gast"
  1588. duplex auto
  /* Guest traffic is filtered by GAST_IN / GAST_LOCAL (v4 and v6); 'modify balance' hands forwarded traffic to the WAN load-balance group. */
  1589. firewall {
  1590. in {
  1591. ipv6-name GASTv6_IN
  1592. modify balance
  1593. name GAST_IN
  1594. }
  1595. local {
  1596. ipv6-name GASTv6_LOCAL
  1597. name GAST_LOCAL
  1598. }
  1599. }
  1600. ipv6 {
  1601. dup-addr-detect-transmits 1
  /* Stateless IPv6 on this segment: SLAAC from the prefix below, managed/other-config flags false (no DHCPv6), DNS announced via RDNSS pointing at the router itself. */
  1602. router-advert {
  1603. cur-hop-limit 64
  1604. link-mtu 0
  1605. managed-flag false
  1606. max-interval 600
  1607. name-server **:**:**:5::1
  1608. other-config-flag false
  1609. prefix **:**:**:5::/64 {
  1610. autonomous-flag true
  1611. on-link-flag true
  1612. valid-lifetime 2592000
  1613. }
  1614. radvd-options "RDNSS **:**:**:5::1 {};"
  1615. reachable-time 0
  1616. retrans-timer 0
  1617. send-advert true
  1618. }
  1619. }
  1620. mtu 1500
  1621. speed auto
  1622. }
  /* LAN2: 192.168.2.0/24 plus the delegated /64 with subnet id 2. Hosts the public webserver (192.168.2.2, see the NAT rules and static-host-mapping). */
  1624. ethernet eth5 {
  1625. address 192.168.2.1/24
  1626. address **:**:**:2::1/64
  1627. description LAN2
  1628. duplex auto
  /* Filtered by LAN2_IN / LAN2_LOCAL (v4 and v6); 'modify balance' applies the WAN load-balance policy. */
  1629. firewall {
  1630. in {
  1631. ipv6-name LAN2v6_IN
  1632. modify balance
  1633. name LAN2_IN
  1634. }
  1635. local {
  1636. ipv6-name LAN2v6_LOCAL
  1637. name LAN2_LOCAL
  1638. }
  1639. }
  1640. ipv6 {
  1641. dup-addr-detect-transmits 1
  /* SLAAC-only segment; DNS via RDNSS points at the router itself. */
  1642. router-advert {
  1643. cur-hop-limit 64
  1644. link-mtu 0
  1645. managed-flag false
  1646. max-interval 600
  1647. name-server **:**:**:2::1
  1648. other-config-flag false
  1649. prefix **:**:**:2::/64 {
  1650. autonomous-flag true
  1651. on-link-flag true
  1652. valid-lifetime 2592000
  1653. }
  /* NOTE(review): this RDNSS string lacks the space before '{' that eth4 and eth7 use; radvd presumably still tokenises it, but keep the four interfaces consistent. */
  1653. radvd-options "RDNSS **:**:**:2::1{};"
  1654. reachable-time 0
  1655. retrans-timer 0
  1656. send-advert true
  1657. }
  1658. }
  1659. mtu 1500
  1660. speed auto
  1661. }
  /* LAN16: 192.168.16.0/24 plus the delegated /64 with subnet id 1. Most of the port-forward targets (files, PSP, OpenVPN, NAS, SBS, ELTO17) live here. */
  1662. ethernet eth6 {
  1663. address 192.168.16.1/24
  1664. address **:**:**:1::1/64
  1665. description LAN16
  1666. duplex auto
  /* Filtered by LAN16_IN / LAN16_LOCAL (v4 and v6); 'modify balance' applies the WAN load-balance policy. */
  1667. firewall {
  1668. in {
  1669. ipv6-name LAN16v6_IN
  1670. modify balance
  1671. name LAN16_IN
  1672. }
  1673. local {
  1674. ipv6-name LAN16v6_LOCAL
  1675. name LAN16_LOCAL
  1676. }
  1677. }
  1678. ipv6 {
  1679. dup-addr-detect-transmits 1
  /* SLAAC-only segment. DNS is announced as **:**:**:1::8 (the webmail/SBS host in static-host-mapping), not the router - consistent with 'dns forwarding' not listening on eth6. */
  1680. router-advert {
  1681. cur-hop-limit 64
  1682. link-mtu 0
  1683. managed-flag false
  1684. max-interval 600
  1685. name-server **:**:**:1::8
  1686. other-config-flag false
  1687. prefix **:**:**:1::/64 {
  1688. autonomous-flag true
  1689. on-link-flag true
  1690. valid-lifetime 2592000
  1691. }
  /* NOTE(review): no space before '{' here, unlike the eth4/eth7 RDNSS strings - harmonise. */
  1692. radvd-options "RDNSS **:**:**:1::8{};"
  1693. reachable-time 0
  1694. retrans-timer 0
  1695. send-advert true
  1696. }
  1697. }
  1698. mtu 1500
  1699. speed auto
  1700. }
  /* LAN13: 192.168.13.0/24 plus the delegated /64 with subnet id 13. Hosts the bookkeeping server/workstation (192.168.13.10, .19) targeted by NAT rules 3, 4 and 15. */
  1701. ethernet eth7 {
  1702. address 192.168.13.1/24
  1703. address **:**:**:13::1/64
  1704. description LAN13
  1705. duplex auto
  /* NOTE(review): unlike eth4-eth6 there is no 'name'/'ipv6-name' on 'in' and no 'local' ruleset at all - only traffic *into* LAN13 ('out', LAN13_OUT / LAN13v6_OUT) is filtered. Traffic from LAN13 hosts towards the router itself (including management listeners on other router addresses such as 192.168.1.1) and towards the other LANs is not filtered on this interface; confirm that is intended. */
  1706. firewall {
  1707. in {
  1708. modify balance
  1709. }
  1710. out {
  1711. ipv6-name LAN13v6_OUT
  1712. name LAN13_OUT
  1713. }
  1714. }
  1715. ipv6 {
  1716. dup-addr-detect-transmits 1
  /* SLAAC-only segment. DNS is announced as **:**:**:13::10 (the weburen/BoekhSrv host in static-host-mapping), not the router. */
  1717. router-advert {
  1718. cur-hop-limit 64
  1719. link-mtu 0
  1720. managed-flag false
  1721. max-interval 600
  1722. name-server **:**:**:13::10
  1723. other-config-flag false
  1724. prefix **:**:**:13::/64 {
  1725. autonomous-flag true
  1726. on-link-flag true
  1727. valid-lifetime 2592000
  1728. }
  1729. radvd-options "RDNSS **:**:**:13::10 {};"
  1730. reachable-time 0
  1731. retrans-timer 0
  1732. send-advert true
  1733. }
  1734. }
  1735. mtu 1500
  1736. speed auto
  1737. }
  /* Loopback; nothing configured on it in this excerpt. */
  1738. loopback lo {
  1739. }
  1740. }
  /* WAN failover group referenced by 'modify balance' on the LAN interfaces: pppoe0 (XS4All) is the active link, eth2 (Ziggo) is failover-only. */
  1741. load-balance {
  1742. group G {
  1743. interface eth2 {
  1744. failover-only
  1745. }
  1746. interface pppoe0 {
  1747. }
  /* Hook run on link-state transitions; presumably executed with router privileges, so /config/scripts/wlb-transition should be writable only by the admin account. */
  1748. transition-script /config/scripts/wlb-transition
  1749. }
  1750. }
  /* Static v4 and v6 defaults via pppoe0. With 'default-route none' on the PPPoE session and 'default-route no-update' on eth2's DHCP, these are the only default routes; failover to eth2 relies on load-balance group G. */
  1751. protocols {
  1752. static {
  1753. interface-route 0.0.0.0/0 {
  1754. next-hop-interface pppoe0 {
  1755. }
  1756. }
  1757. interface-route6 ::/0 {
  1758. next-hop-interface pppoe0 {
  1759. }
  1760. }
  1761. }
  1762. }
  /* Router-hosted services: DHCP, DNS (dynamic DNS + forwarding), web GUI, LLDP, NAT, SSH and UBNT discovery. */
  1763. service {
  /* DHCPv4 for the guest LAN, LAN2 and the management LAN only; LAN16 and LAN13 presumably get DHCP from servers on those segments (their RAs also point DNS at LAN hosts). */
  1764. dhcp-server {
  1765. disabled false
  1766. hostfile-update disable
  1767. shared-network-name GAST {
  1768. authoritative disable
  1769. subnet 192.168.5.0/24 {
  1770. default-router 192.168.5.1
  1771. dns-server 192.168.5.1
  1772. lease 86400
  1773. start 192.168.5.10 {
  1774. stop 192.168.5.150
  1775. }
  1776. }
  1777. }
  1778. shared-network-name LAN2 {
  1779. authoritative disable
  1780. subnet 192.168.2.0/24 {
  1781. default-router 192.168.2.1
  1782. dns-server 192.168.2.1
  1783. lease 86400
  1784. start 192.168.2.100 {
  1785. stop 192.168.2.200
  1786. }
  /* Fixed lease for the public webserver (target of NAT rules 2 and 14). */
  1787. static-mapping ubuntuserver {
  1788. ip-address 192.168.2.2
  1789. mac-address 00:0c:29:c8:c9:03
  1790. }
  1791. }
  1792. }
  /* Only the management scope is authoritative; GAST and LAN2 are not. */
  1793. shared-network-name MGNT {
  1794. authoritative enable
  1795. subnet 192.168.1.0/24 {
  1796. default-router 192.168.1.1
  1797. dns-server 192.168.1.1
  1798. lease 86400
  1799. start 192.168.1.38 {
  1800. stop 192.168.1.243
  1801. }
  1802. }
  1803. }
  1804. }
  1805. dns {
  /* Dynamic DNS updates for both WANs (credentials redacted). eth2 uses dyndns2, pppoe0 the older dyndns1 protocol - presumably deliberate, confirm both hostnames still update. */
  1806. dynamic {
  1807. interface eth2 {
  1808. service dyndns {
  1809. host-name ***.gotdns.com
  1810. host-name **.dnsalias.com
  1811. login *****
  1812. password ****
  1813. protocol dyndns2
  1814. }
  1815. web dyndns
  1816. }
  1817. interface pppoe0 {
  1818. service dyndns {
  1819. host-name ***.gotdns.com
  1820. login ****
  1821. password ****
  1822. protocol dyndns1
  1823. }
  1824. web dyndns
  1825. }
  1826. }
  /* The router's resolver only listens on mgmt, LAN2, guest and the L2TP interface; LAN16/LAN13 use DNS servers on their own segments. */
  1827. forwarding {
  1828. cache-size 150
  1829. listen-on eth0
  1830. listen-on eth5
  1831. listen-on l2tp0
  1832. listen-on eth4
  1833. }
  1834. }
  /* NOTE(review): the web UI is reachable from the management LAN, from LAN16 and from L2TP clients (10.10.10.10); consider limiting it to the management address only. */
  1835. gui {
  1836. https-port 443
  1837. listen-address 192.168.1.1
  1838. listen-address 10.10.10.10
  1839. listen-address 192.168.16.1
  1840. }
  /* NOTE(review): LLDP runs on 'interface all', so the civic location and management address below are also advertised out of the WAN ports (eth1/eth2) to the ISPs' access equipment. Restrict LLDP to the internal interfaces. */
  1841. lldp {
  1842. interface all {
  1843. location {
  1844. civic-based {
  1845. ca-type 0 {
  1846. ca-value dutch
  1847. }
  1848. ca-type 2 {
  1849. ca-value Netherlands
  1850. }
  1851. ca-type 3 {
  1852. ca-value *****
  1853. }
  1854. ca-type 6 {
  1855. ca-value "D****"
  1856. }
  1857. ca-type 19 {
  1858. ca-value 33
  1859. }
  1860. ca-type 23 {
  1861. ca-value "****."
  1862. }
  1863. ca-type 24 {
  1864. ca-value ****
  1865. }
  1866. country-code NL
  1867. }
  1868. }
  1869. }
  1870. interface eth2 {
  1871. }
  1872. interface eth5 {
  1873. }
  1874. interface eth6 {
  1875. }
  1876. interface eth7 {
  1877. }
  1878. management-address 192.168.1.1
  1879. }
  /* Destination NAT (port forwards): rules 2-11 arrive on pppoe0 (XS4All), 12-18 on eth2 (Ziggo); 5001/5002 are the outbound masquerades. Forwarded traffic still has to be permitted by the WAN_IN rulesets (outside this excerpt). */
  1880. nat {
  1881. rule 2 {
  1882. description "XS4All - Webserver"
  1883. destination {
  1884. group {
  1885. address-group A4_Webserver
  1886. port-group P_Webserver
  1887. }
  1888. }
  1889. inbound-interface pppoe0
  1890. inside-address {
  1891. address 192.168.2.2
  1892. }
  1893. log disable
  1894. protocol tcp_udp
  1895. type destination
  1896. }
  1897. rule 3 {
  1898. description "XS4All - BoekhSrv"
  1899. destination {
  1900. group {
  1901. address-group A4_BoekhSrv
  1902. port-group P_BoekhSrv
  1903. }
  1904. }
  1905. inbound-interface pppoe0
  1906. inside-address {
  1907. address 192.168.13.10
  1908. }
  1909. log disable
  1910. protocol tcp
  1911. type destination
  1912. }
  1913. rule 4 {
  1914. description "XS4All - BoekhWin7"
  1915. destination {
  1916. group {
  1917. address-group A4_BoekhWin7
  1918. port-group P_BoekhWin7
  1919. }
  1920. }
  1921. inbound-interface pppoe0
  1922. inside-address {
  1923. address 192.168.13.19
  1924. }
  1925. log disable
  1926. protocol tcp
  1927. type destination
  1928. }
  1929. rule 5 {
  1930. description "XS4All - Files"
  1931. destination {
  1932. group {
  1933. address-group A4_Files
  1934. port-group P_Files
  1935. }
  1936. }
  1937. inbound-interface pppoe0
  1938. inside-address {
  1939. address 192.168.16.5
  1940. }
  1941. log disable
  1942. protocol tcp_udp
  1943. type destination
  1944. }
  1945. rule 6 {
  1946. description "XS4All - PSP"
  1947. destination {
  1948. group {
  1949. address-group A4_PSP
  1950. port-group P_PSP
  1951. }
  1952. }
  1953. inbound-interface pppoe0
  1954. inside-address {
  1955. address 192.168.16.20
  1956. }
  1957. log disable
  1958. protocol tcp_udp
  1959. type destination
  1960. }
  1961. rule 7 {
  1962. description "XS4All - OVPN"
  1963. destination {
  1964. group {
  1965. address-group A4_OVPN
  1966. port-group P_OpenVPN
  1967. }
  1968. }
  1969. inbound-interface pppoe0
  1970. inside-address {
  1971. address 192.168.16.9
  1972. }
  1973. log disable
  1974. protocol tcp_udp
  1975. type destination
  1976. }
  1977. rule 8 {
  1978. description "XS4All - OpenVPN"
  1979. destination {
  1980. group {
  1981. address-group A4_OpenVPN
  1982. port-group P_OpenVPN
  1983. }
  1984. }
  1985. inbound-interface pppoe0
  1986. inside-address {
  1987. address 192.168.16.4
  1988. }
  1989. log disable
  1990. protocol tcp_udp
  1991. type destination
  1992. }
  /* FTP/NAS forward restricted to the FTP_Allow source group - the pattern rules 10 and 11 look like they meant to follow. */
  1993. rule 9 {
  1994. description "XS4All - NAS409"
  1995. destination {
  1996. group {
  1997. address-group ADDRv4_pppoe0
  1998. port-group P_NAS409
  1999. }
  2000. }
  2001. inbound-interface pppoe0
  2002. inside-address {
  2003. address 192.168.16.13
  2004. }
  2005. log disable
  2006. protocol tcp
  2007. source {
  2008. group {
  2009. address-group FTP_Allow
  2010. }
  2011. }
  2012. type destination
  2013. }
  /* NOTE(review): the empty 'source { group { } }' here and in rule 11 is a no-op - these rules accept from any source, unlike rule 9. Either populate the group or remove the stanza so the intent is explicit. */
  2014. rule 10 {
  2015. description "XS4All - SBS"
  2016. destination {
  2017. group {
  2018. address-group ADDRv4_pppoe0
  2019. port-group P_SBS
  2020. }
  2021. }
  2022. inbound-interface pppoe0
  2023. inside-address {
  2024. address 192.168.16.8
  2025. }
  2026. log disable
  2027. protocol tcp
  2028. source {
  2029. group {
  2030. }
  2031. }
  2032. type destination
  2033. }
  2034. rule 11 {
  2035. description "XS4All - ELTO17"
  2036. destination {
  2037. group {
  2038. address-group ADDRv4_pppoe0
  2039. port-group P_ELTO17
  2040. }
  2041. }
  2042. inbound-interface pppoe0
  2043. inside-address {
  2044. address 192.168.16.17
  2045. }
  2046. log disable
  2047. protocol tcp
  2048. source {
  2049. group {
  2050. }
  2051. }
  2052. type destination
  2053. }
  /* NOTE(review): Ziggo counterpart of rule 10, but with 'tcp_udp' where rule 10 uses 'tcp'; align the two unless the SBS really serves UDP on these ports. */
  2054. rule 12 {
  2055. description "Ziggo - SBS"
  2056. destination {
  2057. group {
  2058. port-group P_SBS
  2059. }
  2060. }
  2061. inbound-interface eth2
  2062. inside-address {
  2063. address 192.168.16.8
  2064. }
  2065. log disable
  2066. protocol tcp_udp
  2067. type destination
  2068. }
  /* NOTE(review): 442 -> 443 is a TLS service; 'tcp_udp' also forwards UDP/442 which the target should not need. 'tcp' (as rule 15 uses) narrows the exposure; same for rule 14. */
  2069. rule 13 {
  2070. description "Ziggo - Files"
  2071. destination {
  2072. group {
  2073. }
  2074. port 442
  2075. }
  2076. inbound-interface eth2
  2077. inside-address {
  2078. address 192.168.16.5
  2079. port 443
  2080. }
  2081. log disable
  2082. protocol tcp_udp
  2083. type destination
  2084. }
  2085. rule 14 {
  2086. description "Ziggo - Webserver"
  2087. destination {
  2088. group {
  2089. }
  2090. port 444
  2091. }
  2092. inbound-interface eth2
  2093. inside-address {
  2094. address 192.168.2.2
  2095. port 443
  2096. }
  2097. log disable
  2098. protocol tcp_udp
  2099. type destination
  2100. }
  /* Plain HTTP to the bookkeeping server on LAN13 (81 -> 80), tcp only. */
  2101. rule 15 {
  2102. description "Ziggo - Weburen"
  2103. destination {
  2104. group {
  2105. }
  2106. port 81
  2107. }
  2108. inbound-interface eth2
  2109. inside-address {
  2110. address 192.168.13.10
  2111. port 80
  2112. }
  2113. log disable
  2114. protocol tcp
  2115. type destination
  2116. }
  /* FTP control port plus its passive range, limited to the FTP_Allow source group like rule 9. */
  2117. rule 16 {
  2118. description "Ziggo - FTP"
  2119. destination {
  2120. group {
  2121. }
  2122. port 21,55536-55567
  2123. }
  2124. inbound-interface eth2
  2125. inside-address {
  2126. address 192.168.16.13
  2127. }
  2128. log disable
  2129. protocol tcp_udp
  2130. source {
  2131. group {
  2132. address-group FTP_Allow
  2133. }
  2134. }
  2135. type destination
  2136. }
  /* NOTE(review): 943 is typically the OpenVPN Access Server web portal; forwarding it alongside 1194 exposes that admin/client UI from the Ziggo WAN without a source restriction - confirm it is meant to be public. */
  2137. rule 17 {
  2138. description "Ziggo - OpenVPN"
  2139. destination {
  2140. group {
  2141. }
  2142. port 943,1194
  2143. }
  2144. inbound-interface eth2
  2145. inside-address {
  2146. address 192.168.16.4
  2147. }
  2148. log disable
  2149. protocol tcp_udp
  2150. type destination
  2151. }
  2152. rule 18 {
  2153. description "Ziggo - ELTO17"
  2154. destination {
  2155. group {
  2156. port-group P_ELTO17
  2157. }
  2158. }
  2159. inbound-interface eth2
  2160. inside-address {
  2161. address 192.168.16.17
  2162. }
  2163. log disable
  2164. protocol tcp
  2165. type destination
  2166. }
  /* Outbound source NAT on both WAN links. */
  2167. rule 5001 {
  2168. description "masquerade for WAN"
  2169. log disable
  2170. outbound-interface pppoe0
  2171. protocol all
  2172. type masquerade
  2173. }
  2174. rule 5002 {
  2175. description "masquerade for WAN 2"
  2176. outbound-interface eth2
  2177. type masquerade
  2178. }
  2179. }
  /* NOTE(review): SSH has the same exposure as the GUI (mgmt, LAN16, L2TP clients). Password logins are still allowed; once key-based access is in place, 'disable-password-authentication' removes the brute-force surface. */
  2180. ssh {
  2181. listen-address 192.168.16.1
  2182. listen-address 192.168.1.1
  2183. listen-address 10.10.10.10
  2184. port 22
  2185. protocol-version v2
  2186. }
  /* NOTE(review): UBNT discovery is enabled on all interfaces (empty stanza = defaults), which also answers on the WAN ports; disable it or restrict it to internal interfaces if this release supports that. */
  2187. ubnt-discover {
  2188. }
  2189. }
  /* System-level settings: conntrack sizing, accounts and banners, resolvers, NTP, hardware offload, extra Debian repositories, local host mappings, syslog, time zone and DPI. */
  2190. system {
  2191. conntrack {
  2192. expect-table-size 4096
  2193. hash-size 4096
  2194. table-size 32768
  2195. tcp {
  2196. half-open-connections 512
  /* NOTE(review): 'loose enable' lets conntrack adopt TCP flows whose handshake it never saw (mid-stream pickup). It eases WAN failover between pppoe0 and eth2, but it also weakens 'established' matching in the firewall rulesets; confirm the trade-off is intended. */
  2197. loose enable
  2198. max-retrans 3
  2199. }
  2200. }
  2201. domain-name ****.com
  2202. host-name ubnt
  2203. login {
  /* The topology summary is in the post-login banner only; the pre-login banner stays generic. */
  2204. banner {
  2205. post-login "Welkom op de EdgeRouter Pro van **** B.V.\n\neth0 = mngt = 192.168.1.1 + DHCP Server en 10.10.10.10 (L2TP)\neth1 = WAN XS4All - vif6 - pppoe0\neth2 = WAN Ziggo - DHCP\neth5 = LAN2 = 192.168.2.1 + DHCP Server\neth6 = LAN16 = 192.168.16.1\neth7 = LAN13 = 192.168.13.1\n\n"
  2206. pre-login "\nWelcome \nPlease login.\n\n"
  2207. }
  /* Single local account with admin level (password hash redacted). */
  2208. user **** {
  2209. authentication {
  2210. encrypted-password *********.SHa0
  2211. }
  2212. level admin
  2213. }
  2214. }
  /* Upstream resolvers used by the router and by 'dns forwarding' (OpenDNS and Google, v4 and v6). */
  2215. name-server 208.67.222.222
  2216. name-server 8.8.8.8
  2217. name-server 2620:0:ccc::2
  2218. name-server 2001:4860:4860::8888
  2219. ntp {
  2220. server 0.ubnt.pool.ntp.org {
  2221. }
  2222. server 1.ubnt.pool.ntp.org {
  2223. }
  2224. server 2.ubnt.pool.ntp.org {
  2225. }
  2226. server 3.ubnt.pool.ntp.org {
  2227. }
  2228. }
  2229. offload {
  2230. ipsec enable
  2231. ipv4 {
  2232. forwarding enable
  2233. gre enable
  2234. pppoe enable
  2235. vlan enable
  2236. }
  2237. ipv6 {
  2238. forwarding enable
  2239. pppoe enable
  2240. }
  2241. }
  /* NOTE(review): these enable third-party Debian (wheezy) repositories on the router. Packages installed from them sit outside the firmware update path and must be kept patched by hand; apt's signature verification still applies even though the URLs are plain http. */
  2242. package {
  2243. repository wheezy {
  2244. components "main contrib non-free"
  2245. distribution wheezy
  2246. password ""
  2247. url http://ftp.nl.debian.org/debian
  2248. username ""
  2249. }
  2250. repository wheezy-backport {
  2251. components main
  2252. distribution wheezy-backports
  2253. password ""
  2254. url http://ftp.nl.debian.org/debian
  2255. username ""
  2256. }
  2257. repository wheezy-security {
  2258. components main
  2259. distribution wheezy/updates
  2260. password ""
  2261. url http://security.debian.org
  2262. username ""
  2263. }
  2264. }
  /* Local names for the forwarded services, served to clients of 'dns forwarding'. */
  2265. static-host-mapping {
  2266. host-name files.***.com {
  2267. inet 192.168.16.5
  2268. inet **:**:**:1::5
  2269. }
  2270. host-name openvpn.***.com {
  2271. inet 192.168.16.4
  2272. }
  2273. host-name ovpn.***.com {
  2274. inet 192.168.16.9
  2275. }
  2276. host-name psp.***.com {
  2277. inet 192.168.16.20
  2278. inet **:**:**:1::20
  2279. }
  2280. host-name ubnt.***.com {
  2281. inet 192.168.1.1
  2282. inet 10.10.10.10
  2283. }
  2284. host-name webmail.***.com {
  2285. alias vacation.***.com
  2286. alias remote.***.com
  2287. inet 192.168.16.8
  2288. inet **:**:**:1::8
  2289. }
  2290. host-name weburen.***.com {
  2291. inet 192.168.13.10
  2292. inet **:**:**:13::10
  2293. }
  2294. host-name www.***.com {
  2295. alias ***.com
  2296. alias v3.***.com
  2297. alias next.***.com
  2298. inet 192.168.2.2
  2299. inet **:**:**:2::2
  2300. }
  2301. }
  2302. syslog {
  2303. global {
  2304. facility all {
  2305. level notice
  2306. }
  2307. facility protocols {
  2308. level debug
  2309. }
  2310. }
  /* NOTE(review): only 'err' and above is shipped off-box to 192.168.16.13. Firewall/NAT 'log enable' entries are normally written at a lower severity and would stay local; confirm the remote host receives what you expect. */
  2311. host 192.168.16.13 {
  2312. facility all {
  2313. level err
  2314. }
  2315. }
  2316. }
  2317. time-zone Europe/Amsterdam
  2318. traffic-analysis {
  2319. dpi enable
  2320. export enable
  2321. }
  2322. }
  /* Remote access: L2TP over IPsec with a shared secret and local accounts. */
  2323. vpn {
  2324. ipsec {
  2325. auto-firewall-nat-exclude enable
  /* NOTE(review): IKE is terminated on both WAN links and also on eth0, the management LAN; confirm eth0 really needs to accept IPsec. */
  2326. ipsec-interfaces {
  2327. interface eth0
  2328. interface pppoe0
  2329. interface eth2
  2330. }
  /* Clients behind NAT from any network are accepted (NAT-T). */
  2331. nat-networks {
  2332. allowed-network 0.0.0.0/0 {
  2333. }
  2334. }
  2335. nat-traversal enable
  2336. }
  2337. l2tp {
  2338. remote-access {
  /* Local username/password accounts (redacted); there is no external authentication. */
  2339. authentication {
  2340. local-users {
  2341. username *** {
  2342. password ***
  2343. }
  2344. username *** {
  2345. password ***
  2346. }
  2347. }
  2348. mode local
  2349. }
  /* VPN clients get 10.10.10.101-110 and use the router (10.10.10.10) as resolver, matching 'dns forwarding listen-on l2tp0'. */
  2350. client-ip-pool {
  2351. start 10.10.10.101
  2352. stop 10.10.10.110
  2353. }
  2354. dns-servers {
  2355. server-1 10.10.10.10
  2356. }
  /* NOTE(review): a single pre-shared secret shared by all users; anyone holding it can reach the password step. Rotate it when staff change, or move to x509 to drop the shared secret altogether. */
  2357. ipsec-settings {
  2358. authentication {
  2359. mode pre-shared-secret
  2360. pre-shared-secret ****
  2361. }
  2362. ike-lifetime 3600
  2363. }
  2364. mtu 1492
  /* 0.0.0.0 presumably accepts L2TP on any local address (needed with two WANs); together with ipsec-interfaces above that includes eth0. */
  2365. outside-address 0.0.0.0
  2366. }
  2367. }
  2368. }
  2369.  
  2370.  
  2371. /* Warning: Do not remove the following line. */
  2372. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  2373. /* Release version: v1.8.0.4853089.160219.1614 */