Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- firewall {
- all-ping enable
- broadcast-ping disable
- group {
- ipv6-network-group Nets6-BlackList {
- description "Blacklisted IPv6 Sources"
- }
- network-group Nets4-BlackList {
- description "Blacklisted IPv4 Sources"
- }
- }
- ipv6-name WANv6_IN {
- default-action drop
- description "WAN inbound traffic forwarded to LAN"
- enable-default-log
- rule 10 {
- action drop
- protocol all
- source {
- group {
- ipv6-network-group Nets6-BlackList
- }
- }
- }
- rule 20 {
- action accept
- description "Allow established/related sessions"
- log disable
- state {
- established enable
- related enable
- }
- }
- rule 30 {
- action drop
- description "Drop invalid state"
- state {
- invalid enable
- }
- }
- rule 40 {
- action accept
- description "Allow IPv6 icmp"
- log disable
- protocol ipv6-icmp
- }
- }
- ipv6-name WANv6_LOCAL {
- default-action drop
- description "WAN inbound traffic to the router"
- enable-default-log
- rule 10 {
- action drop
- protocol all
- source {
- group {
- ipv6-network-group Nets6-BlackList
- }
- }
- }
- rule 20 {
- action accept
- description "Allow established/related sessions"
- log disable
- state {
- established enable
- related enable
- }
- }
- rule 30 {
- action drop
- description "Drop invalid state"
- state {
- invalid enable
- }
- }
- rule 40 {
- action accept
- description "Allow IPv6 icmp"
- log disable
- protocol ipv6-icmp
- }
- rule 50 {
- action accept
- description "allow dhcpv6"
- destination {
- port 546
- }
- log disable
- protocol udp
- source {
- port 547
- }
- }
- }
- ipv6-receive-redirects disable
- ipv6-src-route disable
- ip-src-route disable
- log-martians enable
- name WAN_IN {
- default-action drop
- description "WAN to Internal"
- enable-default-log
- rule 10 {
- action drop
- log disable
- protocol all
- source {
- group {
- network-group Nets4-BlackList
- }
- }
- }
- rule 20 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 30 {
- action drop
- description "Drop invalid state"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- name WAN_LOCAL {
- default-action drop
- description "WAN to router"
- enable-default-log
- rule 10 {
- action drop
- log disable
- protocol all
- source {
- group {
- network-group Nets4-BlackList
- }
- }
- }
- rule 20 {
- action accept
- description "Allow established/related"
- log disable
- protocol all
- state {
- established enable
- invalid disable
- new disable
- related enable
- }
- }
- rule 30 {
- action drop
- description "Drop invalid state"
- log disable
- protocol all
- state {
- established disable
- invalid enable
- new disable
- related disable
- }
- }
- }
- receive-redirects disable
- send-redirects enable
- source-validation loose
- syn-cookies enable
- }
- interfaces {
- ethernet eth0 {
- description "eth0 - FTTH"
- duplex auto
- mtu 1512
- speed auto
- vif 4 {
- address dhcp
- description "eth0.4 - IPTV"
- dhcp-options {
- client-option "send vendor-class-identifier "IPTV_RG";"
- client-option "request subnet-mask, routers, rfc3442-classless-static-routes;"
- default-route no-update
- default-route-distance 210
- name-server update
- }
- }
- vif 6 {
- description "eth0.6 - Internet"
- mtu 1508
- pppoe 0 {
- default-route auto
- dhcpv6-pd {
- no-dns
- pd 0 {
- interface eth1 {
- prefix-id :1
- service slaac
- }
- interface eth2 {
- prefix-id :2
- service slaac
- }
- prefix-length /48
- }
- rapid-commit disable
- }
- firewall {
- in {
- ipv6-name WANv6_IN
- name WAN_IN
- }
- local {
- ipv6-name WANv6_LOCAL
- name WAN_LOCAL
- }
- }
- idle-timeout 180
- ipv6 {
- address {
- autoconf
- }
- dup-addr-detect-transmits 1
- enable {
- }
- }
- mtu 1500
- name-server auto
- password kpn
- user-id kpn
- }
- }
- }
- ethernet eth1 {
- address 192.168.1.1/24
- description "eth1 - LAN"
- duplex auto
- ipv6 {
- dup-addr-detect-transmits 1
- router-advert {
- cur-hop-limit 64
- link-mtu 0
- managed-flag false
- max-interval 600
- name-server xxxx:xxxx:xxxx:2::3
- other-config-flag false
- prefix ::/64 {
- autonomous-flag true
- on-link-flag true
- valid-lifetime 2592000
- }
- radvd-options "RDNSS xxxx:xxxx:xxxx:2::3 {};"
- reachable-time 0
- retrans-timer 0
- send-advert true
- }
- }
- speed auto
- }
- ethernet eth2 {
- address 192.168.2.1/24
- description "eth2 - LAN"
- duplex auto
- ipv6 {
- dup-addr-detect-transmits 1
- router-advert {
- cur-hop-limit 64
- link-mtu 0
- managed-flag false
- max-interval 600
- name-server xxxx:xxxx:xxxx:2::3
- other-config-flag false
- prefix ::/64 {
- autonomous-flag true
- on-link-flag true
- valid-lifetime 2592000
- }
- radvd-options "RDNSS xxxx:xxxx:xxxx:2::3 {};"
- reachable-time 0
- retrans-timer 0
- send-advert true
- }
- }
- speed auto
- }
- loopback lo {
- }
- }
- port-forward {
- auto-firewall enable
- hairpin-nat enable
- lan-interface eth1
- rule 1 {
- description webserver
- forward-to {
- address 192.168.1.40
- port 80
- }
- original-port 80
- protocol tcp
- }
- wan-interface pppoe0
- }
- protocols {
- igmp-proxy {
- interface eth0.4 {
- alt-subnet 0.0.0.0/0
- role upstream
- threshold 1
- }
- interface eth1 {
- role downstream
- threshold 1
- }
- interface eth2 {
- role downstream
- threshold 1
- }
- }
- static {
- interface-route6 ::/0 {
- next-hop-interface pppoe0 {
- }
- }
- route 213.75.112.0/21 {
- next-hop 10.170.128.1 {
- }
- }
- }
- }
- service {
- dhcp-server {
- disabled false
- global-parameters "option vendor-class-identifier code 60 = string;"
- global-parameters "option broadcast-address code 28 = ip-address;"
- hostfile-update disable
- shared-network-name LAN {
- authoritative disable
- subnet 192.168.1.0/24 {
- default-router 192.168.1.1
- dns-server 192.168.2.3
- domain-name local
- lease 86400
- start 192.168.1.100 {
- stop 192.168.1.254
- }
- }
- }
- shared-network-name LAN2 {
- authoritative disable
- subnet 192.168.2.0/24 {
- default-router 192.168.2.1
- dns-server 192.168.2.3
- domain-name local
- lease 86400
- start 192.168.2.25 {
- stop 192.168.2.254
- }
- }
- }
- static-arp disable
- use-dnsmasq enable
- }
- dns {
- forwarding {
- cache-size 150
- listen-on eth1
- listen-on eth2
- name-server 1.1.1.1
- name-server 1.0.0.1
- options listen-address=192.168.1.1
- options listen-address=192.168.2.1
- }
- }
- gui {
- http-port 80
- https-port 443
- older-ciphers enable
- }
- nat {
- rule 5000 {
- description IPTV
- destination {
- address 213.75.112.0/21
- }
- log disable
- outbound-interface eth0.4
- protocol all
- source {
- }
- type masquerade
- }
- rule 5001 {
- description IPTV
- destination {
- address 10.16.0.0/16
- }
- log disable
- outbound-interface eth0.4
- protocol all
- type masquerade
- }
- rule 5002 {
- description "KPN Internet LAN"
- log disable
- outbound-interface pppoe0
- protocol all
- source {
- address 192.168.1.0/24
- }
- type masquerade
- }
- rule 5003 {
- description "KPN Internet LAN2"
- log disable
- outbound-interface pppoe0
- protocol all
- source {
- address 192.168.2.0/24
- }
- type masquerade
- }
- }
- ssh {
- port 22
- protocol-version v2
- }
- unms {
- connection wss://192.168.1.21:443
- }
- }
- system {
- domain-name local
- host-name ubnt
- login {
- user xxxxxxxxx {
- authentication {
- encrypted-password xxxxxxxxxxxxxxxxxxxxx
- plaintext-password ""
- }
- full-name ""
- level admin
- }
- }
- name-server 1.1.1.1
- name-server 1.0.0.1
- name-server 2606:4700:4700::1111
- name-server 2606:4700:4700::1001
- ntp {
- server 0.ubnt.pool.ntp.org {
- }
- server 1.ubnt.pool.ntp.org {
- }
- server 2.ubnt.pool.ntp.org {
- }
- server 3.ubnt.pool.ntp.org {
- }
- }
- offload {
- hwnat disable
- ipsec enable
- ipv4 {
- forwarding enable
- gre enable
- pppoe enable
- vlan enable
- }
- ipv6 {
- forwarding enable
- pppoe enable
- vlan disable
- }
- }
- package {
- repository wheezy {
- components "main contrib non-free"
- distribution wheezy
- password ""
- url http://mirror.leaseweb.com/debian
- username ""
- }
- repository wheezy-security {
- components main
- distribution wheezy/updates
- password ""
- url http://security.debian.org
- username ""
- }
- }
- syslog {
- global {
- facility all {
- level notice
- }
- facility protocols {
- level debug
- }
- }
- }
- task-scheduler {
- task Update-Blacklists {
- executable {
- path /config/scripts/updBlackList.sh
- }
- interval 12h
- }
- }
- time-zone Europe/Amsterdam
- traffic-analysis {
- dpi disable
- export disable
- }
- }
Add Comment
Please, Sign In to add comment