/* Packet filtering for the router: shared groups, the IPv6 and IPv4 rule sets, */
/* and kernel-level options. A rule set only takes effect where an interface */
/* binds it (interfaces -> ... -> firewall { in | local }). */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Host range of the eth1 LAN; no rule set in this file references it */
        /* (the LAN network-group below is used instead). */
        address-group LAN_adresgroep {
            address 192.168.2.1-192.168.2.254
            description ""
        }
        /* Individual scanner addresses, dropped by WAN_IN rule 23 and WAN_LOCAL */
        /* rule 21. A hand-kept list like this goes stale; since both WAN rule sets */
        /* already default-drop, its practical value is quieter default-drop logs. */
        address-group Shodan {
            address 208.180.20.97
            address 198.20.69.74
            address 198.20.69.98
            address 198.20.70.114
            address 198.20.99.130
            address 93.120.27.62
            address 66.240.236.119
            address 71.6.135.131
            address 66.240.192.138
            address 71.6.167.142
            address 82.221.105.6
            address 82.221.105.7
            address 71.6.165.200
            address 188.138.9.50
            address 85.25.103.50
            address 85.25.43.94
            address 71.6.146.185
            address 71.6.158.166
            address 198.20.87.98
            address 66.240.219.146
            address 209.126.110.38
            address 104.236.198.48
            address 184.105.247.196
            address 141.212.122.112
            address 125.237.220.106
            address 192.81.128.37
            address 74.82.47.2
            address 216.218.206.66
            address 37.187.114.171
            address 184.105.139.67
            address 54.81.158.232
            address 141.212.122.144
            address 141.212.122.128
            address 54.206.70.29
            description "Shodan and other scanners"
        }
        /* Private, CGNAT, loopback, link-local, test-net and multicast/reserved */
        /* ranges that are never legitimate WAN sources; matched by WAN_IN rule 21 */
        /* and WAN_LOCAL rule 22. */
        network-group BOGONS {
            description BOGONS
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        /* Scanner ranges dropped by CIDR (WAN_IN rule 22, WAN_LOCAL rule 23). */
        network-group Blocklist {
            description "Block scanners by CIDR"
            network 74.82.47.0/24
            network 184.105.139.0/24
            network 184.105.247.0/24
            network 216.218.206.0/24
            network 185.35.62.0/24
            network 185.35.63.0/24
        }
        /* Guest VLAN subnet (eth1.10); not referenced by any rule in this file. */
        network-group Gasten {
            description ""
            network 192.168.10.0/24
        }
        /* Wired LAN subnet (eth1); Gasten_IN rule 40 drops guest traffic to it. */
        network-group LAN {
            description ""
            network 192.168.2.0/24
        }
        /* Router management ports guests are blocked from (Gasten_LOCAL rule 40). */
        /* telnet and ftp are listed although no such service is configured under */
        /* service {}; harmless, but the list is broader than what actually listens. */
        port-group Router_poorten {
            description "Router Poorten"
            port ssh
            port https
            port telnet
            port http
            port ftp
        }
    }
    /* IPv6 from the WAN forwarded to internal hosts (bound on pppoe0 "in"). Only */
    /* replies to existing flows get through; everything else is dropped and logged. */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv6 from the WAN addressed to the router itself (bound on pppoe0 "local"). */
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        /* Accepts every ICMPv6 type, not only the neighbour-discovery/PMTUD ones, */
        /* and no rate limit is configured on it. */
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        /* DHCPv6 server -> client traffic (udp 547 -> 546); needed for the */
        /* dhcpv6-pd prefix delegation configured on pppoe0. */
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    /* Kernel hardening: no IPv4/IPv6 source routing, IPv6 redirects ignored, */
    /* and packets with impossible (martian) addresses are logged. */
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Guest VLAN (eth1.10) -> anywhere. Default accept, so guests reach the */
    /* Internet (see nat rule 5003). Rules 20, 30 and 40 all target the same */
    /* 192.168.2.0/24 (rule 20 writes it as host/mask, presumably treated as the */
    /* /24; rule 40 via the LAN group), so two of the three are redundant. */
    /* Unlike the WAN sets, drops here are not logged. */
    name Gasten_IN {
        default-action accept
        description Gasten_IN
        rule 10 {
            action accept
            description "Accept Established/Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "DROP to LAN"
            destination {
                address 192.168.2.254/24
            }
            log disable
            protocol all
        }
        rule 30 {
            action drop
            description "DROP to LAN"
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
        rule 40 {
            action drop
            description "DROP access to LAN"
            destination {
                group {
                    network-group LAN
                }
            }
            log disable
            protocol all
        }
    }
    /* Guest VLAN -> the router itself. Default drop; only DNS and DHCP over UDP */
    /* are accepted. TCP/53 is not, so guests cannot retry truncated DNS answers */
    /* over TCP. Rule 40 is already covered by the default action; the numbering */
    /* skips 30 (an earlier rule, presumably removed). */
    name Gasten_LOCAL {
        default-action drop
        description Gasten_LOCAL
        rule 10 {
            action accept
            description "ACCEPT access to DNS"
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 20 {
            action accept
            description "ACCEPT access to DHCP"
            destination {
                port 67
            }
            log disable
            protocol udp
        }
        rule 40 {
            action drop
            description "DROP access to router"
            destination {
                group {
                    port-group Router_poorten
                }
            }
            log disable
            protocol all
        }
    }
    /* Wired LAN -> the router itself. Default drop; only two hosts may reach the */
    /* router address (rule 20 by IP + MAC, rule 30 by MAC alone). The mac-address */
    /* leaves are empty in this copy, presumably scrubbed before pasting -- confirm */
    /* the live config carries values. A MAC-only match is a weak identity on a */
    /* shared segment. Other LAN hosts do not depend on router DNS: the DHCP scope */
    /* hands out 84.200.69.80 / 84.200.70.40 directly. */
    name LAN_LOCAL {
        default-action drop
        description LAN_LOCAL
        rule 20 {
            action accept
            description "PC to router"
            destination {
                address 192.168.2.254
            }
            log disable
            protocol all
            source {
                address 192.168.2.50
                mac-address
            }
        }
        rule 30 {
            action accept
            description "iPhone to router"
            destination {
                address 192.168.2.254
            }
            log disable
            protocol all
            source {
                mac-address
            }
        }
    }
    /* Internet (pppoe0) -> internal hosts. Default drop + log; no rule accepts new */
    /* inbound connections and no port-forward rules exist, so nothing is exposed. */
    /* Rule 10 has log enable on the established/related accept, so every packet */
    /* of every established flow will be logged; the WAN_LOCAL counterpart uses */
    /* log disable, which is presumably what was meant here too. */
    name WAN_IN {
        default-action drop
        description "WAN to Internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log enable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 21 {
            action drop
            description "DROP Bogons"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 22 {
            action drop
            description "DROP CIDRs scanners"
            log enable
            protocol all
            source {
                group {
                    network-group Blocklist
                }
            }
        }
        rule 23 {
            action drop
            description "DROP Shodan scanners"
            log enable
            protocol all
            source {
                group {
                    address-group Shodan
                }
            }
        }
    }
    /* Internet (pppoe0) -> the router itself. Default drop + log; no rule accepts */
    /* new connections, so ssh (22) and the GUI (80/443) stay LAN-only. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 21 {
            action drop
            description "Drop Shodan scanners"
            log enable
            protocol all
            source {
                group {
                    address-group Shodan
                }
            }
        }
        rule 22 {
            action drop
            description "DROP Bogons"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 23 {
            action drop
            description "DROP CIDRs scanners"
            log enable
            protocol all
            source {
                group {
                    network-group Blocklist
                }
            }
        }
    }
    options {
    }
    /* receive-redirects disable is the hardened setting. send-redirects enable */
    /* lets the router emit ICMP redirects, and source-validation disable turns */
    /* off reverse-path filtering (strict or loose would drop spoofed-source */
    /* packets in the kernel, complementing the BOGONS rules). syn-cookies */
    /* protects the router's own sockets against SYN floods. */
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
/* Physical and logical interfaces. Topology as configured: eth0 is the fibre */
/* uplink carrying VLAN 4 (IPTV, DHCP), VLAN 6 (Internet via PPPoE) and VLAN 7 */
/* (telephony, bridged); eth1 is the wired LAN with guest VLAN 10; eth2.7 is */
/* bridged with eth0.7 so the telephony VLAN reaches the ExperiaBox at layer 2. */
interfaces {
    /* Layer-2 bridge joining eth0.7 and eth2.7; the router has no address on it. */
    bridge br0 {
        aging 300
        bridged-conntrack disable
        description "br0 - Telefonie"
        hello-time 2
        max-age 20
        priority 32768
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        description "eth0 - FTTH"
        duplex auto
        /* 1512 on the parent, 1508 on VLAN 6 and 1500 on the PPPoE session: the */
        /* extra bytes absorb the VLAN/PPPoE headers so hosts keep a full 1500 MTU. */
        mtu 1512
        speed auto
        /* IPTV: addressed by DHCP but must not take over the default route */
        /* (no-update, distance 210). name-server update lets this network's DNS */
        /* servers into the system resolver -- confirm that is wanted. */
        vif 4 {
            address dhcp
            description "eth0.4 - IPTV"
            dhcp-options {
                client-option "send vendor-class-identifier "IPTV_RG";"
                client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
                default-route no-update
                default-route-distance 210
                name-server update
            }
        }
        /* Internet: PPPoE over VLAN 6 creates pppoe0, which carries the WAN */
        /* firewall bindings and the IPv6 prefix delegation. */
        vif 6 {
            description "eth0.6 - Internet"
            mtu 1508
            pppoe 0 {
                default-route auto
                /* Requests a /48 and hands prefix-id :1 to eth1 for SLAAC; */
                /* no-dns keeps the provider's DNS servers out of the resolver. */
                dhcpv6-pd {
                    no-dns
                    pd 0 {
                        interface eth1 {
                            prefix-id :1
                            service slaac
                        }
                        prefix-length /48
                    }
                    rapid-commit disable
                }
                /* All WAN filtering hangs off this single binding. */
                firewall {
                    in {
                        ipv6-name WANv6_IN
                        name WAN_IN
                    }
                    local {
                        ipv6-name WANv6_LOCAL
                        name WAN_LOCAL
                    }
                }
                /* NOTE(review): presumably ends the PPPoE session after 180 s */
                /* without traffic -- confirm this is intended on an always-on line. */
                idle-timeout 180
                ipv6 {
                    address {
                        autoconf
                    }
                    dup-addr-detect-transmits 1
                    enable {
                    }
                }
                mtu 1500
                name-server auto
                /* PPPoE credentials are stored in clear text in this file; the */
                /* values here look generic rather than account-specific. */
                password ppp
                user-id mac@internet
            }
        }
        /* Telephony VLAN, passed through to eth2.7 via br0. */
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth0.7 - Telefonie"
            mtu 1500
        }
    }
    /* Wired LAN. No "in" rule set is bound, so LAN -> guest VLAN and LAN -> WAN */
    /* is unfiltered; only traffic to the router itself (LAN_LOCAL) is restricted. */
    ethernet eth1 {
        address 192.168.2.254/24
        description "eth1 - LAN"
        duplex auto
        firewall {
            in {
            }
            local {
                name LAN_LOCAL
            }
        }
        /* SLAAC only (managed-flag and other-config-flag false); prefix ::/64 */
        /* presumably stands for the prefix delegated on pppoe0. Resolvers are */
        /* advertised twice, via name-server and again as a raw RDNSS option. No */
        /* IPv6 rule set is bound on eth1, but WANv6_IN on pppoe0 already drops */
        /* unsolicited inbound IPv6 toward these hosts. */
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                link-mtu 0
                managed-flag false
                max-interval 600
                name-server 2001:1608:10:25::1c04:b12f
                name-server 2001:1608:10:25::9249:d69b
                other-config-flag false
                prefix ::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS 2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
        /* Guest VLAN 10: own subnet, with Gasten_IN / Gasten_LOCAL applied. */
        /* No IPv6 is configured here, so guests are IPv4-only. */
        vif 10 {
            address 192.168.10.254/24
            description "eth1.10 - Gasten"
            firewall {
                in {
                    name Gasten_IN
                }
                local {
                    name Gasten_LOCAL
                }
            }
            mtu 1500
        }
    }
    /* Port toward the provider's ExperiaBox; only VLAN 7 (VoIP) is used, bridged */
    /* to eth0.7. The untagged port itself has no address and no rule set. */
    ethernet eth2 {
        description "eth2 - ExperiaBox"
        duplex auto
        speed auto
        vif 7 {
            bridge-group {
                bridge br0
            }
            description "eth2.7 - ExperiaBox VOIP"
            mtu 1500
        }
    }
    loopback lo {
    }
}
/* Port-forward defaults only: there are no "rule" entries, so nothing is */
/* forwarded in from pppoe0. auto-firewall would open WAN_IN automatically for */
/* any rule added later, so re-check that set whenever one is added. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface pppoe0
}
/* Multicast proxy for IPTV plus static routes. */
protocols {
    /* NOTE(review): the interface names do not match the interfaces section and */
    /* the roles look swapped: eth1.4 is not defined (eth1 only has vif 10), while */
    /* eth0.4 is the IPTV VLAN. The expected layout is eth0.4 as upstream and */
    /* eth1 (the LAN) as downstream. Also 10.16.12.0/16 is not on a /16 boundary; */
    /* presumably 10.16.0.0/16, matching nat rule 5001. Confirm before relying on it. */
    igmp-proxy {
        interface eth0 {
            role downstream
            threshold 1
        }
        interface eth1.4 {
            alt-subnet 10.16.12.0/16
            alt-subnet 213.75.0.0/16
            role upstream
            threshold 1
        }
    }
    static {
        /* IPv6 default route via the PPPoE session. */
        interface-route6 ::/0 {
            next-hop-interface pppoe0 {
            }
        }
        /* IPTV platform range steered to the IPTV VLAN gateway (presumably the */
        /* router handed out by DHCP on eth0.4) instead of the Internet default */
        /* route, which the IPTV lease is configured not to set. */
        route 213.75.112.0/21 {
            next-hop 10.200.180.1 {
            }
        }
    }
}
/* Router-hosted services: DHCP, DNS forwarding, web GUI, NAT and SSH. */
service {
    dhcp-server {
        disabled false
        global-parameters "option vendor-class-identifier code 60 = string;"
        global-parameters "option broadcast-address code 28 = ip-address;"
        hostfile-update disable
        /* Guest scope: clients are pointed at external resolvers, not the router. */
        shared-network-name Gasten {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.254
                dns-server 84.200.69.80
                dns-server 84.200.70.40
                lease 86400
                start 192.168.10.50 {
                    stop 192.168.10.200
                }
            }
        }
        /* LAN scope: same external resolvers, so most LAN hosts never need the */
        /* forwarder that LAN_LOCAL restricts to two hosts. */
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.254
                dns-server 84.200.69.80
                dns-server 84.200.70.40
                lease 86400
                start 192.168.2.50 {
                    stop 192.168.2.200
                }
                /* Reservations. The mac-address leaves are empty in this copy */
                /* (presumably scrubbed). Two mappings share the name "UniFi", which */
                /* should not coexist as distinct nodes -- one was likely renamed */
                /* when pasting. The PC reservation is the host LAN_LOCAL rule 20 */
                /* admits, so the two must stay in step. */
                static-mapping PC {
                    ip-address 192.168.2.50
                    mac-address
                }
                static-mapping UniFi {
                    ip-address 192.168.2.250
                    mac-address
                }
                static-mapping UniFi {
                    ip-address 192.168.2.251
                    mac-address
                }
            }
        }
        use-dnsmasq disable
    }
    /* Forwarder listening on the LAN and guest VLAN, upstream to the same */
    /* resolvers the DHCP scopes hand out. LAN_LOCAL admits only two hosts to it; */
    /* Gasten_LOCAL admits guests over UDP/53. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth1.10
            name-server 84.200.69.80
            name-server 84.200.70.40
            options listen-address=192.168.2.254
        }
    }
    /* Web UI: plain HTTP on 80 next to HTTPS, and older-ciphers enable weakens the */
    /* TLS configuration. Reachable only from the LAN_LOCAL whitelisted hosts */
    /* (WAN_LOCAL and Gasten_LOCAL drop it). Disable older-ciphers unless an old */
    /* client genuinely needs them. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* 5000/5001: masquerade any source toward the IPTV ranges out eth0.4 */
        /* (empty source block = no source restriction). */
        rule 5000 {
            description IPTV
            destination {
                address 213.75.112.0/21
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        rule 5001 {
            description IPTV
            destination {
                address 10.16.0.0/16
            }
            log disable
            outbound-interface eth0.4
            protocol all
            source {
            }
            type masquerade
        }
        /* 5002/5003: masquerade LAN and guest subnets out pppoe0. log enable here */
        /* presumably logs once per new outbound connection (the nat table only */
        /* sees a flow's first packet). */
        rule 5002 {
            description "KPN Internet"
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5003 {
            description "Gasten Internet"
            log enable
            outbound-interface pppoe0
            protocol all
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
    }
    /* SSH v2 on 22, LAN-only via WAN_LOCAL. Password logins are not disabled */
    /* here (no disable-password-authentication); key-only would be stronger. */
    ssh {
        port 22
        protocol-version v2
    }
}
/* Host identity, accounts, resolvers, NTP, offload and logging. */
system {
    /* Default hostname and the default "ubnt" admin account name; the password */
    /* leaves are empty in this copy (presumably scrubbed). Renaming the default */
    /* account removes a well-known username from any password-guessing attempt. */
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password
                plaintext-password ""
            }
            full-name Hendrik
            level admin
        }
    }
    /* Resolvers used by the router itself (same upstream as the forwarder). */
    name-server 2001:1608:10:25::1c04:b12f
    name-server 2001:1608:10:25::9249:d69b
    name-server 84.200.69.80
    name-server 84.200.70.40
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Hardware NAT off; forwarding offload on for IPv4 (incl. PPPoE and VLAN) */
    /* and IPv6 (incl. PPPoE). */
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe enable
        }
    }
    /* protocols at debug is verbose; everything else at notice. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Amsterdam
    /* Deep packet inspection enabled with export on -- confirm where the DPI */
    /* statistics are exported before leaving this on. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* No VPN configured. */
vpn {
}
  721. /* Warning: Do not remove the following line. */
  722. /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
  723. /* Release version: v1.9.7+hotfix.3.5013619.170830.0242 */