  /* three interface groups: WAN eth0, LAN eth1, IOT eth2 (see group below) */
  firewall {
      global-options {
          /* stateful defaults applied to every chain: established and related accepted, invalid dropped */
          state-policy {
              established {
                  action "accept"
              }
              invalid {
                  action "drop"
              }
              related {
                  action "accept"
              }
          }
      }
      group {
          interface-group IOT {
              interface "eth2"
          }
          interface-group LAN {
              interface "eth1"
          }
          interface-group WAN {
              interface "eth0"
          }
          /* both inside subnets (LAN on eth1 and IOT on eth2) */
          network-group NET-INSIDE-v4 {
              network "192.168.10.0/24"
              network "192.168.11.0/24"
          }
      }
      ipv4 {
          forward {
              /* no explicit default-action, so the VyOS built-in default applies to anything not matched below - presumably accept, confirm */
              filter {
                  /* new connections from WAN into the inside subnets are handed to OUTSIDE-IN, which drops them all */
                  rule 100 {
                      action "jump"
                      destination {
                          group {
                              network-group "NET-INSIDE-v4"
                          }
                      }
                      inbound-interface {
                          group "WAN"
                      }
                      jump-target "OUTSIDE-IN"
                  }
                  /* NOTE(review): only LAN -> IOT is rejected; IOT -> LAN matches no rule, so IOT devices can still open connections into the LAN - confirm this direction is intended */
                  rule 500 {
                      action "reject"
                      inbound-interface {
                          group "LAN"
                      }
                      outbound-interface {
                          group "IOT"
                      }
                  }
              }
          }
          input {
              filter {
                  /* traffic addressed to the router itself is dropped unless a rule below accepts it */
                  default-action "drop"
                  /* TCP/22 from any interface is passed to VyOS_MANAGEMENT, which decides per interface group */
                  rule 20 {
                      action "jump"
                      destination {
                          port "22"
                      }
                      jump-target "VyOS_MANAGEMENT"
                      protocol "tcp"
                  }
                  /* echo-request is accepted from every interface, WAN included */
                  rule 30 {
                      action "accept"
                      icmp {
                          type-name "echo-request"
                      }
                      protocol "icmp"
                      state "new"
                  }
                  /* DNS queries to the router are accepted only from the inside subnets */
                  rule 40 {
                      action "accept"
                      destination {
                          port "53"
                      }
                      protocol "tcp_udp"
                      source {
                          group {
                              network-group "NET-INSIDE-v4"
                          }
                      }
                  }
                  /* matched on source address only, with no inbound-interface restriction; relies on the kernel discarding 127/8 packets that arrive on non-loopback interfaces */
                  rule 50 {
                      action "accept"
                      source {
                          address "127.0.0.0/8"
                      }
                  }
              }
          }
          name OUTSIDE-IN {
              /* nothing from WAN toward the inside subnets is accepted here */
              default-action "drop"
          }
          name VyOS_MANAGEMENT {
              /* anything not decided here returns to the input filter and meets its default drop - this is where SSH from IOT ends up */
              default-action "return"
              rule 15 {
                  action "accept"
                  inbound-interface {
                      group "LAN"
                  }
              }
              /* rate limit for WAN SSH: a source seen 4 times within a minute is dropped (recent match) */
              rule 20 {
                  action "drop"
                  inbound-interface {
                      group "WAN"
                  }
                  recent {
                      count "4"
                      time "minute"
                  }
                  state "new"
              }
              /* NOTE(review): SSH is reachable from the WAN group, protected only by the rate limit in rule 20; if WAN exposure is intended, consider key-only logins via service ssh disable-password-authentication */
              rule 21 {
                  action "accept"
                  inbound-interface {
                      group "WAN"
                  }
                  state "new"
              }
          }
      }
  }
  interfaces {
      /* the WAN side is itself an RFC1918 subnet (default route via 192.168.1.1 under protocols static), so this router presumably sits behind another NAT device */
      ethernet eth0 {
          address "192.168.1.2/24"
          hw-id "52:54:00:9f:c6:cd"
      }
      ethernet eth1 {
          address "192.168.10.1/24"
          description "lan"
          hw-id "52:54:00:e9:60:fd"
      }
      ethernet eth2 {
          address "192.168.11.1/24"
          description "IOT"
          hw-id "52:54:00:8b:e9:1d"
      }
      loopback lo {
      }
  }
  nat {
      /* both inside subnets are masqueraded behind eth0 */
      source {
          rule 100 {
              outbound-interface {
                  name "eth0"
              }
              source {
                  address "192.168.10.0/24"
              }
              translation {
                  address "masquerade"
              }
          }
          rule 101 {
              outbound-interface {
                  name "eth0"
              }
              source {
                  address "192.168.11.0/24"
              }
              translation {
                  address "masquerade"
              }
          }
      }
  }
  protocols {
      static {
          route 0.0.0.0/0 {
              next-hop 192.168.1.1 {
              }
          }
      }
  }
  service {
      dhcp-server {
          /* IOT clients get a 24h lease and use the router as gateway and resolver */
          shared-network-name IOT {
              subnet 192.168.11.0/24 {
                  lease "86400"
                  option {
                      default-router "192.168.11.1"
                      name-server "192.168.11.1"
                  }
                  range 0 {
                      start "192.168.11.20"
                      stop "192.168.11.200"
                  }
                  subnet-id "11"
              }
          }
          /* LAN clients: no explicit lease, router as gateway and resolver */
          shared-network-name LAN {
              subnet 192.168.10.0/24 {
                  option {
                      default-router "192.168.10.1"
                      name-server "192.168.10.1"
                  }
                  range 0 {
                      start "192.168.10.20"
                      stop "192.168.10.200"
                  }
                  subnet-id "1"
              }
          }
      }
      dns {
          /* recursion is offered only to the inside subnets and only on the inside addresses; cache-size is 0 */
          forwarding {
              allow-from "192.168.10.0/24"
              allow-from "192.168.11.0/24"
              cache-size "0"
              listen-address "192.168.10.1"
              listen-address "192.168.11.1"
              name-server 1.0.0.1 {
              }
              name-server 1.1.1.1 {
              }
              name-server 8.8.4.4 {
              }
              name-server 8.8.8.8 {
              }
          }
      }
      ntp {
          /* NOTE(review): the input filter (default-action drop) has no rule for UDP/123, so these allowed clients cannot actually reach the NTP service - confirm whether that is intended */
          allow-client {
              address "127.0.0.0/8"
              address "169.254.0.0/16"
              address "10.0.0.0/8"
              address "172.16.0.0/12"
              address "192.168.0.0/16"
              address "::1/128"
              address "fe80::/10"
              address "fc00::/7"
          }
          server time1.vyos.net {
          }
          server time2.vyos.net {
          }
          server time3.vyos.net {
          }
      }
      /* no listen-address is set, so sshd presumably binds every interface; reachability is governed by input rule 20 and VyOS_MANAGEMENT */
      ssh {
          port "22"
      }
  }
  system {
      config-management {
          commit-revisions "100"
      }
      conntrack {
          /* conntrack helpers (ALGs): each one enlarges the attack surface of the stateful firewall - keep only the protocols actually in use */
          modules {
              ftp
              h323
              nfs
              pptp
              sip
              sqlnet
              tftp
          }
      }
      console {
          device ttyS0 {
              speed "115200"
          }
      }
      host-name "vyos"
      login {
          user vyos {
              /* NOTE(review): encrypted-password carries no hash value here; if it was not simply redacted for this paste, the vyos account has no usable password - confirm before use */
              authentication {
                  encrypted-password
                  plaintext-password ""
              }
          }
      }
      name-server "192.168.10.1"
      syslog {
          global {
              facility all {
                  level "info"
              }
              facility local7 {
                  level "debug"
              }
          }
      }
  }


  // Warning: Do not remove the following line.
  // vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@5:dns-dynamic@4:dns-forwarding@4:firewall@15:flow-accounting@1:https@6:ids@1:interfaces@32:ipoe-server@3:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@7:nat66@3:ntp@3:openconnect@2:openvpn@1:ospf@2:pim@1:policy@8:pppoe-server@9:pptp@5:qos@2:quagga@11:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@27:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
  // Release version: 1.5-rolling-202404280021
