vyos fw

1. firewall {
2. all-ping enable
3. broadcast-ping disable
4. config-trap disable
5. group {
6. address-group ag-bcast_iot {
7. address 192.168.11.255
8. address 192.168.11.253
9. }
10. address-group ag-bcast_lan {
11. address 192.168.13.255
12. address 192.168.13.253
13. }
14. address-group ag-bcast_limit {
15. address 255.255.255.255
16. }
17. address-group ag-blueiris {
18. address 192.168.67.110
19. }
20. address-group ag-cert_issuer {
21. address 192.168.67.231
22. }
23. address-group ag-cert_web {
24. address 192.168.67.231
25. }
26. address-group ag-ct_sync {
27. address 224.0.0.50
28. }
29. address-group ag-dc {
30. address 192.168.67.241
31. address 192.168.67.242
32. }
33. address-group ag-dockerhosts {
34. address 192.168.7.195
35. address 192.168.67.196
36. address 192.168.7.196
37. address 192.168.67.195
38. }
39. address-group ag-docker_pub {
40. address 192.168.17.207
41. }
42. address-group ag-fileserver {
43. address 192.168.67.200
44. address 192.168.67.205
45. }
46. address-group ag-hypervisors {
47. address 192.168.7.10
48. address 192.168.7.11
49. address 192.168.7.12
50. address 192.168.7.15
51. address 192.168.7.16
52. }
53. address-group ag-igmp {
54. address 224.0.0.22
55. }
56. address-group ag-kms {
57. address 192.168.67.240
58. }
59. address-group ag-mdns {
60. address 224.0.0.251
61. address 192.168.11.252
62. address 192.168.11.254
63. address 192.168.13.254
64. address 192.168.13.252
65. address 192.168.13.253
66. address 192.168.11.253
67. address 192.168.131.253
68. address 192.168.131.252
69. address 192.168.131.254
70. }
71. address-group ag-media_player {
72. address 192.168.11.66
73. address 192.168.11.99
74. }
75. address-group ag-portainer {
76. address 192.168.7.196
77. }
78. address-group ag-printer {
79. address 192.168.13.210
80. }
81. address-group ag-testDNS_fw {
82. address 192.168.7.140
83. }
84. address-group ag-testNTP {
85. address 192.168.7.140
86. address 192.168.7.141
87. }
88. address-group ag-testWEB {
89. address 192.168.7.142
90. address 192.168.7.143
91. address 192.168.7.141
92. address 192.168.7.146
93. }
94. address-group ag-traccar_mysql {
95. address 192.168.67.195
96. }
97. address-group ag-traccar_srv {
98. address 192.168.17.207
99. }
100. address-group ag-tv_server {
101. address 192.168.11.196
102. }
103. address-group ag-unifi {
104. address 192.168.7.196
105. }
106. address-group ag-ups_mgmt {
107. address 192.168.7.100
108. }
109. address-group ag-vcenter {
110. address 192.168.7.15
111. }
112. address-group ag-vpn_bck {
113. address 192.168.17.100
114. }
115. address-group ag-vpn_pri {
116. address 192.168.17.100
117. }
118. address-group ag-vpn_servers {
119. address 192.168.17.100
120. }
121. address-group ag-vrrp {
122. address 224.0.0.18
123. }
124. address-group ag-vsphere {
125. address 192.168.7.15
126. }
127. address-group ag-wsus {
128. address 192.168.67.235
129. }
130. address-group ag-dhcp-isp {
131. address 172.17.0.1
132. address 172.23.0.1
133. }
134. address-group ag-dhcp-server {
135. address 192.168.67.241
136. address 192.168.67.242
137. }
138. address-group ag-dns-dc_main {
139. address 192.168.67.241
140. address 192.168.67.242
141. }
142. address-group ag-down-fileserver {
143. address 192.168.79.202
144. }
145. address-group ag-fw-iot {
146. address 192.168.11.253
147. }
148. address-group ag-fw-lan {
149. address 192.168.13.253
150. }
151. address-group ag-vrrp-cam {
152. address 192.168.53.252
153. address 192.168.53.254
154. }
155. address-group ag-vrrp-dmz {
156. address 192.168.67.252
157. address 192.168.67.254
158. }
159. address-group ag-vrrp-download {
160. address 192.168.79.252
161. address 192.168.79.254
162. }
163. address-group ag-vrrp-guest {
164. address 192.168.131.252
165. address 192.168.131.254
166. }
167. address-group ag-vrrp-iot {
168. address 192.168.11.252
169. address 192.168.11.254
170. }
171. address-group ag-vrrp-lan {
172. address 192.168.13.252
173. address 192.168.13.254
174. }
175. address-group ag-vrrp-mgmt {
176. address 192.168.7.252
177. address 192.168.7.254
178. }
179. address-group ag-vrrp-public {
180. address 192.168.17.252
181. address 192.168.17.254
182. }
183. address-group dns-piholes {
184. address 192.168.67.243
185. address 192.168.67.244
186. }
187. address-group dnsforwarders {
188. address 192.168.67.241
189. address 192.168.67.242
190. address 192.168.67.243
191. address 192.168.67.244
192. }
193. address-group mgmtfromlan {
194. address 192.168.13.15
195. address 192.168.13.85
196. address 192.168.13.43
197. address 192.168.13.95
198. address 192.168.13.44
199. address 192.168.13.86
200. }
201. address-group ntpservers {
202. address 192.168.67.241
203. address 192.168.67.242
204. }
205. address-group wifiaps {
206. address 192.168.7.210
207. address 192.168.7.247
208. address 192.168.7.248
209. }
210. network-group ng-guest {
211. network 192.168.131.0/24
212. }
213. network-group ng-lan {
214. network 192.168.13.0/24
215. }
216. network-group vpnusers {
217. network 10.168.17.0/24
218. network 10.168.19.0/24
219. }
220. port-group pg-agps {
221. port 7275
222. }
223. port-group pg-blueiris {
224. port 443
225. port 442
226. }
227. port-group pg-cam_onvif {
228. port 80
229. port 8999
230. }
231. port-group pg-cam_rtsp {
232. port 554
233. }
234. port-group pg-cert_issuer {
235. port 135
236. port 49152-65535
237. }
238. port-group pg-crashplan {
239. port 4287
240. }
241. port-group pg-ct_sync {
242. port 3780
243. }
244. port-group pg-dhcp {
245. port 67
246. port 68
247. }
248. port-group pg-dns {
249. port 53
250. }
251. port-group pg-dnsblock_admin {
252. port 3000
253. }
254. port-group pg-dns_tls {
255. port 853
256. }
257. port-group pg-domain {
258. port 389
259. port 88
260. port 445
261. port 636
262. port 3269
263. port 3268
264. port 135
265. port 49152-65535
266. }
267. port-group pg-ftp {
268. port 21
269. }
270. port-group pg-google_cast {
271. port 8008
272. port 8009
273. port 8443
274. }
275. port-group pg-google_cast_pic {
276. port 2346
277. }
278. port-group pg-google_fcm {
279. port 5228
280. port 5229
281. port 5230
282. }
283. port-group pg-google_quic {
284. port 443
285. port 19302-19309
286. }
287. port-group pg-iperf {
288. port 5201
289. }
290. port-group pg-iptv {
291. port 8086
292. port 8080
293. port 8000
294. port 9090
295. }
296. port-group pg-person2work_genesys {
297. port 16384-32768
298. }
299. port-group pg-person2work_webrtc {
300. port 3478
301. port 19302
302. }
303. port-group pg-kms {
304. port 1688
305. }
306. port-group pg-liam_work {
307. port 9993
308. }
309. port-group pg-person1work_lotusnotes {
310. port 1352
311. }
312. port-group pg-mdns {
313. port 5353
314. }
315. port-group pg-mysql {
316. port 3306
317. }
318. port-group pg-netbios {
319. port 137
320. port 138
321. port 139
322. }
323. port-group pg-ntp {
324. port 123
325. }
326. port-group pg-ocsp {
327. port 80
328. }
329. port-group pg-pia_ping {
330. port 8888
331. }
332. port-group pg-pia_wguard {
333. port 1337
334. }
335. port-group pg-pihole {
336. port 80
337. port 443
338. }
339. port-group pg-portainer {
340. port 9000
341. }
342. port-group pg-portainer_agent {
343. port 9001
344. }
345. port-group pg-printer_web {
346. port 443
347. }
348. port-group pg-rdp {
349. port 3389
350. }
351. port-group pg-skype {
352. port 3478
353. port 3479
354. port 3480
355. port 3481
356. }
357. port-group pg-smb {
358. port 445
359. }
360. port-group pg-solar {
361. port 54321
362. port 54320
363. port 54319
364. port 49049
365. }
366. port-group pg-solar2 {
367. port 50052
368. }
369. port-group pg-speedtest {
370. port 5060
371. port 8080
372. }
373. port-group pg-spotify {
374. port 4070
375. }
376. port-group pg-ssh {
377. port 22
378. }
379. port-group pg-traccar_srv {
380. port 8082
381. }
382. port-group pg-tvh_htsp {
383. port 9982
384. }
385. port-group pg-tvh_web {
386. port 9981
387. }
388. port-group pg-tv_discover {
389. port 65001
390. }
391. port-group pg-unifi {
392. port 8443
393. }
394. port-group pg-unifi_adapt {
395. port 10001
396. }
397. port-group pg-ups_web {
398. port 4679
399. port 4680
400. }
401. port-group pg-vcenter {
402. port 5480
403. }
404. port-group pg-vpn_bck {
405. port 443
406. }
407. port-group pg-vpn_globalprotect {
408. port 4501
409. port 500
410. port 4500
411. }
412. port-group pg-vpn_pri {
413. port 443
414. }
415. port-group pg-web {
416. port 80
417. port 443
418. }
419. port-group pg-webex {
420. port 9000
421. port 5004
422. port 33434-33598
423. }
424. port-group pg-whatsapp {
425. port 3478
426. }
427. port-group pg-wsus {
428. port 8530
429. }
430. port-group pg-xmpp {
431. port 5222
432. }
433. }
434. ipv6-receive-redirects disable
435. ipv6-src-route disable
436. ip-src-route disable
437. log-martians enable
438. name cam-dmz {
439. default-action drop
440. enable-default-log
441. rule 1 {
442. action accept
443. state {
444. established enable
445. related enable
446. }
447. }
448. rule 2 {
449. action drop
450. log enable
451. state {
452. invalid enable
453. }
454. }
455. rule 400 {
456. action accept
457. destination {
458. group {
459. address-group ntpservers
460. port-group pg-ntp
461. }
462. }
463. log enable
464. protocol udp
465. }
466. }
467. name cam-download {
468. default-action drop
469. enable-default-log
470. rule 1 {
471. action accept
472. state {
473. established enable
474. related enable
475. }
476. }
477. rule 2 {
478. action drop
479. log enable
480. state {
481. invalid enable
482. }
483. }
484. }
485. name cam-firewall {
486. default-action drop
487. enable-default-log
488. rule 1 {
489. action accept
490. state {
491. established enable
492. related enable
493. }
494. }
495. rule 2 {
496. action drop
497. log enable
498. state {
499. invalid enable
500. }
501. }
502. rule 10 {
503. action accept
504. destination {
505. group {
506. address-group ag-vrrp-cam
507. }
508. }
509. protocol vrrp
510. source {
511. group {
512. address-group ag-vrrp-cam
513. }
514. }
515. }
516. }
517. name cam-guest {
518. default-action drop
519. enable-default-log
520. rule 1 {
521. action accept
522. state {
523. established enable
524. related enable
525. }
526. }
527. rule 2 {
528. action drop
529. log enable
530. state {
531. invalid enable
532. }
533. }
534. }
535. name cam-lan {
536. default-action drop
537. enable-default-log
538. rule 1 {
539. action accept
540. state {
541. established enable
542. related enable
543. }
544. }
545. rule 2 {
546. action drop
547. log enable
548. state {
549. invalid enable
550. }
551. }
552. }
553. name cam-mgmt {
554. default-action drop
555. enable-default-log
556. rule 1 {
557. action accept
558. state {
559. established enable
560. related enable
561. }
562. }
563. rule 2 {
564. action drop
565. log enable
566. state {
567. invalid enable
568. }
569. }
570. }
571. name cam-public {
572. default-action drop
573. enable-default-log
574. rule 1 {
575. action accept
576. state {
577. established enable
578. related enable
579. }
580. }
581. rule 2 {
582. action drop
583. log enable
584. state {
585. invalid enable
586. }
587. }
588. }
589. name cam-wan {
590. default-action drop
591. enable-default-log
592. rule 1 {
593. action accept
594. state {
595. established enable
596. related enable
597. }
598. }
599. rule 2 {
600. action drop
601. log enable
602. state {
603. invalid enable
604. }
605. }
606. }
607. name dmz-cam {
608. default-action drop
609. enable-default-log
610. rule 1 {
611. action accept
612. state {
613. established enable
614. related enable
615. }
616. }
617. rule 2 {
618. action drop
619. log enable
620. state {
621. invalid enable
622. }
623. }
624. rule 380 {
625. action accept
626. destination {
627. group {
628. port-group pg-cam_rtsp
629. }
630. }
631. log enable
632. protocol tcp
633. source {
634. group {
635. address-group ag-blueiris
636. }
637. }
638. }
639. rule 381 {
640. action accept
641. destination {
642. group {
643. port-group pg-cam_onvif
644. }
645. }
646. log enable
647. protocol tcp
648. source {
649. group {
650. address-group ag-blueiris
651. }
652. }
653. }
654. }
655. name dmz-download {
656. default-action drop
657. enable-default-log
658. rule 1 {
659. action accept
660. state {
661. established enable
662. related enable
663. }
664. }
665. rule 2 {
666. action drop
667. log enable
668. state {
669. invalid enable
670. }
671. }
672. rule 100 {
673. action accept
674. log enable
675. protocol icmp
676. }
677. rule 300 {
678. action accept
679. destination {
680. group {
681. address-group ag-down-fileserver
682. port-group pg-smb
683. }
684. }
685. log enable
686. protocol tcp
687. source {
688. group {
689. address-group ag-fileserver
690. }
691. }
692. }
693. }
694. name dmz-firewall {
695. default-action drop
696. enable-default-log
697. rule 1 {
698. action accept
699. state {
700. established enable
701. related enable
702. }
703. }
704. rule 2 {
705. action drop
706. log enable
707. state {
708. invalid enable
709. }
710. }
711. rule 10 {
712. action accept
713. destination {
714. group {
715. address-group ag-vrrp-dmz
716. }
717. }
718. protocol vrrp
719. source {
720. group {
721. address-group ag-vrrp-dmz
722. }
723. }
724. }
725. rule 600 {
726. action accept
727. destination {
728. group {
729. port-group pg-dhcp
730. }
731. }
732. log enable
733. protocol udp
734. source {
735. group {
736. address-group ag-dhcp-server
737. }
738. }
739. }
740. rule 610 {
741. action drop
742. description "Drop Netbios traffic from logs"
743. destination {
744. group {
745. port-group pg-netbios
746. }
747. }
748. log disable
749. protocol udp
750. }
751. }
752. name dmz-guest {
753. default-action drop
754. enable-default-log
755. rule 1 {
756. action accept
757. state {
758. established enable
759. related enable
760. }
761. }
762. rule 2 {
763. action drop
764. log enable
765. state {
766. invalid enable
767. }
768. }
769. }
770. name dmz-iot {
771. default-action drop
772. enable-default-log
773. rule 1 {
774. action accept
775. state {
776. established enable
777. related enable
778. }
779. }
780. rule 2 {
781. action drop
782. log enable
783. state {
784. invalid enable
785. }
786. }
787. }
788. name dmz-lan {
789. default-action drop
790. enable-default-log
791. rule 1 {
792. action accept
793. state {
794. established enable
795. related enable
796. }
797. }
798. rule 2 {
799. action drop
800. log enable
801. state {
802. invalid enable
803. }
804. }
805. }
806. name dmz-mgmt {
807. default-action drop
808. enable-default-log
809. rule 1 {
810. action accept
811. state {
812. established enable
813. related enable
814. }
815. }
816. rule 2 {
817. action drop
818. log enable
819. state {
820. invalid enable
821. }
822. }
823. rule 100 {
824. action accept
825. log enable
826. protocol icmp
827. }
828. }
829. name dmz-public {
830. default-action drop
831. enable-default-log
832. rule 1 {
833. action accept
834. state {
835. established enable
836. related enable
837. }
838. }
839. rule 2 {
840. action drop
841. log enable
842. state {
843. invalid enable
844. }
845. }
846. }
847. name dmz-wan {
848. default-action drop
849. enable-default-log
850. rule 1 {
851. action accept
852. state {
853. established enable
854. related enable
855. }
856. }
857. rule 2 {
858. action drop
859. log enable
860. state {
861. invalid enable
862. }
863. }
864. rule 100 {
865. action accept
866. log enable
867. protocol icmp
868. }
869. rule 200 {
870. action accept
871. destination {
872. group {
873. port-group pg-web
874. }
875. }
876. log enable
877. protocol tcp
878. }
879. rule 205 {
880. action accept
881. destination {
882. group {
883. port-group pg-speedtest
884. }
885. }
886. log enable
887. protocol tcp
888. }
889. rule 400 {
890. action accept
891. destination {
892. group {
893. port-group pg-ntp
894. }
895. }
896. log enable
897. protocol udp
898. source {
899. group {
900. address-group ntpservers
901. }
902. }
903. }
904. rule 500 {
905. action accept
906. destination {
907. group {
908. port-group pg-dns
909. }
910. }
911. log enable
912. protocol tcp_udp
913. source {
914. group {
915. address-group dnsforwarders
916. }
917. }
918. }
919. rule 700 {
920. action accept
921. destination {
922. group {
923. port-group pg-ftp
924. }
925. }
926. log enable
927. protocol tcp
928. }
929. }
930. name download-cam {
931. default-action drop
932. enable-default-log
933. rule 1 {
934. action accept
935. state {
936. established enable
937. related enable
938. }
939. }
940. rule 2 {
941. action drop
942. log enable
943. state {
944. invalid enable
945. }
946. }
947. }
948. name download-dmz {
949. default-action drop
950. enable-default-log
951. rule 1 {
952. action accept
953. state {
954. established enable
955. related enable
956. }
957. }
958. rule 2 {
959. action drop
960. log enable
961. state {
962. invalid enable
963. }
964. }
965. rule 100 {
966. action accept
967. log enable
968. protocol icmp
969. }
970. rule 300 {
971. action accept
972. destination {
973. group {
974. address-group ag-fileserver
975. port-group pg-smb
976. }
977. }
978. log enable
979. protocol tcp
980. }
981. rule 400 {
982. action accept
983. destination {
984. group {
985. address-group ntpservers
986. port-group pg-ntp
987. }
988. }
989. log enable
990. protocol udp
991. }
992. rule 500 {
993. action accept
994. destination {
995. group {
996. address-group dnsforwarders
997. port-group pg-dns
998. }
999. }
1000. log enable
1001. protocol tcp_udp
1002. }
1003. rule 501 {
1004. action accept
1005. description "Allow pihole web interface"
1006. destination {
1007. group {
1008. address-group dns-piholes
1009. port-group pg-pihole
1010. }
1011. }
1012. log enable
1013. protocol tcp
1014. }
1015. rule 560 {
1016. action accept
1017. destination {
1018. group {
1019. address-group ag-wsus
1020. port-group pg-wsus
1021. }
1022. }
1023. log enable
1024. protocol tcp
1025. }
1026. }
1027. name download-firewall {
1028. default-action drop
1029. enable-default-log
1030. rule 1 {
1031. action accept
1032. state {
1033. established enable
1034. related enable
1035. }
1036. }
1037. rule 2 {
1038. action drop
1039. log enable
1040. state {
1041. invalid enable
1042. }
1043. }
1044. rule 10 {
1045. action accept
1046. destination {
1047. group {
1048. address-group ag-vrrp-download
1049. }
1050. }
1051. protocol vrrp
1052. source {
1053. group {
1054. address-group ag-vrrp-download
1055. }
1056. }
1057. }
1058. rule 610 {
1059. action drop
1060. description "Drop Netbios traffic from logs"
1061. destination {
1062. group {
1063. port-group pg-netbios
1064. }
1065. }
1066. log disable
1067. protocol udp
1068. }
1069. }
1070. name download-guest {
1071. default-action drop
1072. enable-default-log
1073. rule 1 {
1074. action accept
1075. state {
1076. established enable
1077. related enable
1078. }
1079. }
1080. rule 2 {
1081. action drop
1082. log enable
1083. state {
1084. invalid enable
1085. }
1086. }
1087. }
1088. name download-lan {
1089. default-action drop
1090. enable-default-log
1091. rule 1 {
1092. action accept
1093. state {
1094. established enable
1095. related enable
1096. }
1097. }
1098. rule 2 {
1099. action drop
1100. log enable
1101. state {
1102. invalid enable
1103. }
1104. }
1105. }
1106. name download-mgmt {
1107. default-action drop
1108. enable-default-log
1109. rule 1 {
1110. action accept
1111. state {
1112. established enable
1113. related enable
1114. }
1115. }
1116. rule 2 {
1117. action drop
1118. log enable
1119. state {
1120. invalid enable
1121. }
1122. }
1123. }
1124. name download-public {
1125. default-action drop
1126. enable-default-log
1127. rule 1 {
1128. action accept
1129. state {
1130. established enable
1131. related enable
1132. }
1133. }
1134. rule 2 {
1135. action drop
1136. log enable
1137. state {
1138. invalid enable
1139. }
1140. }
1141. }
1142. name download-wan {
1143. default-action drop
1144. enable-default-log
1145. rule 1 {
1146. action accept
1147. state {
1148. established enable
1149. related enable
1150. }
1151. }
1152. rule 2 {
1153. action drop
1154. log enable
1155. state {
1156. invalid enable
1157. }
1158. }
1159. rule 100 {
1160. action accept
1161. log enable
1162. protocol icmp
1163. }
1164. rule 200 {
1165. action accept
1166. destination {
1167. group {
1168. port-group pg-web
1169. }
1170. }
1171. log enable
1172. protocol tcp
1173. }
1174. rule 201 {
1175. action accept
1176. destination {
1177. group {
1178. port-group pg-pia_wguard
1179. }
1180. }
1181. log enable
1182. protocol tcp_udp
1183. }
1184. rule 202 {
1185. action accept
1186. destination {
1187. group {
1188. port-group pg-pia_wguard
1189. }
1190. }
1191. log enable
1192. protocol icmp
1193. }
1194. rule 700 {
1195. action accept
1196. destination {
1197. group {
1198. port-group pg-ftp
1199. }
1200. }
1201. log enable
1202. protocol tcp
1203. }
1204. rule 705 {
1205. action accept
1206. destination {
1207. group {
1208. port-group pg-pia_ping
1209. }
1210. }
1211. log enable
1212. protocol udp
1213. }
1214. }
1215. name firewall-cam {
1216. default-action drop
1217. enable-default-log
1218. rule 1 {
1219. action accept
1220. state {
1221. established enable
1222. related enable
1223. }
1224. }
1225. rule 2 {
1226. action drop
1227. log enable
1228. state {
1229. invalid enable
1230. }
1231. }
1232. rule 10 {
1233. action accept
1234. destination {
1235. group {
1236. address-group ag-vrrp
1237. }
1238. }
1239. protocol vrrp
1240. source {
1241. group {
1242. address-group ag-vrrp-cam
1243. }
1244. }
1245. }
1246. rule 100 {
1247. action accept
1248. log enable
1249. protocol icmp
1250. }
1251. }
1252. name firewall-dmz {
1253. default-action drop
1254. enable-default-log
1255. rule 1 {
1256. action accept
1257. state {
1258. established enable
1259. related enable
1260. }
1261. }
1262. rule 2 {
1263. action drop
1264. log enable
1265. state {
1266. invalid enable
1267. }
1268. }
1269. rule 10 {
1270. action accept
1271. destination {
1272. group {
1273. address-group ag-vrrp
1274. }
1275. }
1276. protocol vrrp
1277. source {
1278. group {
1279. address-group ag-vrrp-dmz
1280. }
1281. }
1282. }
1283. rule 100 {
1284. action accept
1285. log enable
1286. protocol icmp
1287. }
1288. rule 400 {
1289. action accept
1290. destination {
1291. group {
1292. address-group ntpservers
1293. port-group pg-ntp
1294. }
1295. }
1296. log enable
1297. protocol udp
1298. }
1299. rule 500 {
1300. action accept
1301. destination {
1302. group {
1303. address-group ag-dns-dc_main
1304. port-group pg-dns
1305. }
1306. }
1307. log enable
1308. protocol tcp_udp
1309. }
1310. rule 600 {
1311. action accept
1312. destination {
1313. group {
1314. address-group ag-dhcp-server
1315. port-group pg-dhcp
1316. }
1317. }
1318. log enable
1319. protocol udp
1320. }
1321. }
1322. name firewall-download {
1323. default-action drop
1324. enable-default-log
1325. rule 1 {
1326. action accept
1327. state {
1328. established enable
1329. related enable
1330. }
1331. }
1332. rule 2 {
1333. action drop
1334. log enable
1335. state {
1336. invalid enable
1337. }
1338. }
1339. rule 10 {
1340. action accept
1341. destination {
1342. group {
1343. address-group ag-vrrp
1344. }
1345. }
1346. protocol vrrp
1347. source {
1348. group {
1349. address-group ag-vrrp-download
1350. }
1351. }
1352. }
1353. rule 100 {
1354. action accept
1355. log enable
1356. protocol icmp
1357. }
1358. }
1359. name firewall-guest {
1360. default-action drop
1361. enable-default-log
1362. rule 1 {
1363. action accept
1364. state {
1365. established enable
1366. related enable
1367. }
1368. }
1369. rule 2 {
1370. action drop
1371. log enable
1372. state {
1373. invalid enable
1374. }
1375. }
1376. rule 10 {
1377. action accept
1378. destination {
1379. group {
1380. address-group ag-vrrp
1381. }
1382. }
1383. protocol vrrp
1384. source {
1385. group {
1386. address-group ag-vrrp-guest
1387. }
1388. }
1389. }
1390. rule 100 {
1391. action accept
1392. log enable
1393. protocol icmp
1394. }
1395. rule 602 {
1396. action accept
1397. destination {
1398. group {
1399. address-group ag-mdns
1400. port-group pg-mdns
1401. }
1402. }
1403. protocol udp
1404. }
1405. }
1406. name firewall-iot {
1407. default-action drop
1408. enable-default-log
1409. rule 1 {
1410. action accept
1411. state {
1412. established enable
1413. related enable
1414. }
1415. }
1416. rule 2 {
1417. action drop
1418. log enable
1419. state {
1420. invalid enable
1421. }
1422. }
1423. rule 10 {
1424. action accept
1425. destination {
1426. group {
1427. address-group ag-vrrp
1428. }
1429. }
1430. protocol vrrp
1431. source {
1432. group {
1433. address-group ag-vrrp-iot
1434. }
1435. }
1436. }
1437. rule 100 {
1438. action accept
1439. log enable
1440. protocol icmp
1441. }
1442. rule 602 {
1443. action accept
1444. destination {
1445. group {
1446. address-group ag-mdns
1447. port-group pg-mdns
1448. }
1449. }
1450. protocol udp
1451. }
1452. }
1453. name firewall-lan {
1454. default-action drop
1455. enable-default-log
1456. rule 1 {
1457. action accept
1458. state {
1459. established enable
1460. related enable
1461. }
1462. }
1463. rule 2 {
1464. action drop
1465. log enable
1466. state {
1467. invalid enable
1468. }
1469. }
1470. rule 10 {
1471. action accept
1472. destination {
1473. group {
1474. address-group ag-vrrp
1475. }
1476. }
1477. protocol vrrp
1478. source {
1479. group {
1480. address-group ag-vrrp-lan
1481. }
1482. }
1483. }
1484. rule 100 {
1485. action accept
1486. log enable
1487. protocol icmp
1488. }
1489. rule 602 {
1490. action accept
1491. destination {
1492. group {
1493. address-group ag-mdns
1494. port-group pg-mdns
1495. }
1496. }
1497. protocol udp
1498. }
1499. }
1500. name firewall-mgmt {
1501. default-action drop
1502. enable-default-log
1503. rule 1 {
1504. action accept
1505. state {
1506. established enable
1507. related enable
1508. }
1509. }
1510. rule 2 {
1511. action drop
1512. log enable
1513. state {
1514. invalid enable
1515. }
1516. }
1517. rule 10 {
1518. action accept
1519. destination {
1520. group {
1521. address-group ag-vrrp
1522. }
1523. }
1524. protocol vrrp
1525. source {
1526. group {
1527. address-group ag-vrrp-mgmt
1528. }
1529. }
1530. }
1531. rule 100 {
1532. action accept
1533. log enable
1534. protocol icmp
1535. }
1536. rule 650 {
1537. action accept
1538. description "Accept Conntrack Sync"
1539. destination {
1540. group {
1541. address-group ag-ct_sync
1542. port-group pg-ct_sync
1543. }
1544. }
1545. protocol udp
1546. source {
1547. group {
1548. address-group ag-vrrp-mgmt
1549. }
1550. }
1551. }
1552. rule 651 {
1553. action accept
1554. description "Allow IGMP for Conntrack Sync"
1555. destination {
1556. group {
1557. address-group ag-igmp
1558. }
1559. }
1560. protocol igmp
1561. source {
1562. group {
1563. address-group ag-vrrp-mgmt
1564. }
1565. }
1566. }
1567. }
1568. name firewall-public {
1569. default-action drop
1570. enable-default-log
1571. rule 1 {
1572. action accept
1573. state {
1574. established enable
1575. related enable
1576. }
1577. }
1578. rule 2 {
1579. action drop
1580. log enable
1581. state {
1582. invalid enable
1583. }
1584. }
1585. rule 10 {
1586. action accept
1587. destination {
1588. group {
1589. address-group ag-vrrp
1590. }
1591. }
1592. protocol vrrp
1593. source {
1594. group {
1595. address-group ag-vrrp-public
1596. }
1597. }
1598. }
1599. rule 100 {
1600. action accept
1601. log enable
1602. protocol icmp
1603. }
1604. }
1605. name firewall-wan {
1606. default-action drop
1607. enable-default-log
1608. rule 1 {
1609. action accept
1610. state {
1611. established enable
1612. related enable
1613. }
1614. }
1615. rule 2 {
1616. action drop
1617. log enable
1618. state {
1619. invalid enable
1620. }
1621. }
1622. rule 100 {
1623. action accept
1624. log enable
1625. protocol icmp
1626. }
1627. rule 200 {
1628. action accept
1629. description "Allow updating dynamic DNS"
1630. destination {
1631. group {
1632. port-group pg-web
1633. }
1634. }
1635. log enable
1636. protocol tcp
1637. }
1638. rule 600 {
1639. action accept
1640. destination {
1641. group {
1642. port-group pg-dhcp
1643. }
1644. }
1645. log enable
1646. protocol udp
1647. }
1648. }
1649. name guest-cam {
1650. default-action drop
1651. enable-default-log
1652. rule 1 {
1653. action accept
1654. state {
1655. established enable
1656. related enable
1657. }
1658. }
1659. rule 2 {
1660. action drop
1661. log enable
1662. state {
1663. invalid enable
1664. }
1665. }
1666. }
1667. name guest-dmz {
1668. default-action drop
1669. enable-default-log
1670. rule 1 {
1671. action accept
1672. state {
1673. established enable
1674. related enable
1675. }
1676. }
1677. rule 2 {
1678. action drop
1679. log enable
1680. state {
1681. invalid enable
1682. }
1683. }
1684. rule 400 {
1685. action accept
1686. destination {
1687. group {
1688. address-group ntpservers
1689. port-group pg-ntp
1690. }
1691. }
1692. log enable
1693. protocol udp
1694. }
1695. rule 500 {
1696. action accept
1697. destination {
1698. group {
1699. address-group dnsforwarders
1700. port-group pg-dns
1701. }
1702. }
1703. log enable
1704. protocol tcp_udp
1705. }
1706. rule 501 {
1707. action accept
1708. description "Allow HTTP for Pi-hole"
1709. destination {
1710. group {
1711. address-group dns-piholes
1712. port-group pg-pihole
1713. }
1714. }
1715. log enable
1716. protocol tcp
1717. }
1718. rule 600 {
1719. action accept
1720. destination {
1721. group {
1722. address-group ag-dhcp-server
1723. port-group pg-dhcp
1724. }
1725. }
1726. log enable
1727. protocol udp
1728. }
1729. }
1730. name guest-download {
1731. default-action drop
1732. enable-default-log
1733. rule 1 {
1734. action accept
1735. state {
1736. established enable
1737. related enable
1738. }
1739. }
1740. rule 2 {
1741. action drop
1742. log enable
1743. state {
1744. invalid enable
1745. }
1746. }
1747. }
1748. name guest-firewall {
1749. default-action drop
1750. enable-default-log
1751. rule 1 {
1752. action accept
1753. state {
1754. established enable
1755. related enable
1756. }
1757. }
1758. rule 2 {
1759. action drop
1760. log enable
1761. state {
1762. invalid enable
1763. }
1764. }
1765. rule 10 {
1766. action accept
1767. destination {
1768. group {
1769. address-group ag-vrrp-guest
1770. }
1771. }
1772. protocol vrrp
1773. source {
1774. group {
1775. address-group ag-vrrp-guest
1776. }
1777. }
1778. }
1779. rule 600 {
1780. action accept
1781. destination {
1782. group {
1783. port-group pg-dhcp
1784. }
1785. }
1786. log enable
1787. protocol udp
1788. }
1789. rule 602 {
1790. action accept
1791. destination {
1792. group {
1793. address-group ag-mdns
1794. port-group pg-mdns
1795. }
1796. }
1797. protocol udp
1798. }
1799. rule 605 {
1800. action accept
1801. description "Allow media/TV discovery (Direct)"
1802. destination {
1803. group {
1804. address-group ag-bcast_lan
1805. port-group pg-tv_discover
1806. }
1807. }
1808. log enable
1809. protocol udp
1810. }
1811. rule 606 {
1812. action accept
1813. description "Allow media/TV discovery (Limited)"
1814. destination {
1815. group {
1816. address-group ag-bcast_limit
1817. port-group pg-tv_discover
1818. }
1819. }
1820. log enable
1821. protocol udp
1822. }
1823. rule 610 {
1824. action drop
1825. description "Drop Netbios traffic from logs"
1826. destination {
1827. group {
1828. port-group pg-netbios
1829. }
1830. }
1831. log disable
1832. protocol udp
1833. }
1834. }
1835. name guest-iot {
1836. default-action drop
1837. enable-default-log
1838. rule 1 {
1839. action accept
1840. state {
1841. established enable
1842. related enable
1843. }
1844. }
1845. rule 2 {
1846. action drop
1847. log enable
1848. state {
1849. invalid enable
1850. }
1851. }
1852. rule 207 {
1853. action accept
1854. destination {
1855. group {
1856. port-group pg-google_cast
1857. }
1858. }
1859. log enable
1860. protocol tcp
1861. }
1862. rule 208 {
1863. action accept
1864. log enable
1865. protocol udp
1866. source {
1867. group {
1868. port-group pg-google_cast_pic
1869. }
1870. }
1871. }
1872. }
1873. name guest-lan {
1874. default-action drop
1875. enable-default-log
1876. rule 1 {
1877. action accept
1878. state {
1879. established enable
1880. related enable
1881. }
1882. }
1883. rule 2 {
1884. action drop
1885. log enable
1886. state {
1887. invalid enable
1888. }
1889. }
1890. }
1891. name guest-mgmt {
1892. default-action drop
1893. enable-default-log
1894. rule 1 {
1895. action accept
1896. state {
1897. established enable
1898. related enable
1899. }
1900. }
1901. rule 2 {
1902. action drop
1903. log enable
1904. state {
1905. invalid enable
1906. }
1907. }
1908. }
1909. name guest-public {
1910. default-action drop
1911. enable-default-log
1912. rule 1 {
1913. action accept
1914. state {
1915. established enable
1916. related enable
1917. }
1918. }
1919. rule 2 {
1920. action drop
1921. log enable
1922. state {
1923. invalid enable
1924. }
1925. }
1926. }
1927. name guest-wan {
1928. default-action drop
1929. enable-default-log
1930. rule 1 {
1931. action accept
1932. state {
1933. established enable
1934. related enable
1935. }
1936. }
1937. rule 2 {
1938. action drop
1939. log enable
1940. state {
1941. invalid enable
1942. }
1943. }
1944. rule 100 {
1945. action accept
1946. log enable
1947. protocol icmp
1948. }
1949. rule 200 {
1950. action accept
1951. destination {
1952. group {
1953. port-group pg-web
1954. }
1955. }
1956. log enable
1957. protocol tcp
1958. }
1959. rule 203 {
1960. action accept
1961. destination {
1962. group {
1963. port-group pg-google_quic
1964. }
1965. }
1966. log enable
1967. protocol udp
1968. }
1969. rule 204 {
1970. action accept
1971. destination {
1972. group {
1973. port-group pg-google_fcm
1974. }
1975. }
1976. log enable
1977. protocol tcp_udp
1978. }
1979. rule 205 {
1980. action accept
1981. destination {
1982. group {
1983. port-group pg-speedtest
1984. }
1985. }
1986. log enable
1987. protocol tcp
1988. }
1989. rule 208 {
1990. action accept
1991. destination {
1992. group {
1993. port-group pg-agps
1994. }
1995. }
1996. log enable
1997. protocol tcp
1998. }
1999. rule 209 {
2000. action accept
2001. destination {
2002. group {
2003. port-group pg-xmpp
2004. }
2005. }
2006. log enable
2007. protocol tcp
2008. }
2009. rule 215 {
2010. action accept
2011. destination {
2012. group {
2013. port-group pg-spotify
2014. }
2015. }
2016. log enable
2017. protocol tcp
2018. }
2019. rule 400 {
2020. action accept
2021. destination {
2022. group {
2023. port-group pg-ntp
2024. }
2025. }
2026. log enable
2027. protocol udp
2028. }
2029. rule 500 {
2030. action accept
2031. destination {
2032. group {
2033. port-group pg-dns
2034. }
2035. }
2036. log enable
2037. protocol tcp_udp
2038. }
2039. rule 630 {
2040. action accept
2041. destination {
2042. group {
2043. port-group pg-whatsapp
2044. }
2045. }
2046. log enable
2047. protocol udp
2048. }
2049. rule 631 {
2050. action accept
2051. destination {
2052. group {
2053. port-group pg-skype
2054. }
2055. }
2056. log enable
2057. protocol udp
2058. }
2059. rule 632 {
2060. action accept
2061. destination {
2062. group {
2063. port-group pg-webex
2064. }
2065. }
2066. log enable
2067. protocol tcp_udp
2068. }
2069. rule 635 {
2070. action accept
2071. destination {
2072. group {
2073. port-group pg-liam_work
2074. }
2075. }
2076. log enable
2077. protocol udp
2078. }
2079. rule 700 {
2080. action accept
2081. destination {
2082. group {
2083. port-group pg-ftp
2084. }
2085. }
2086. log enable
2087. protocol tcp
2088. }
2089. }
2090. name iot-dmz {
2091. default-action drop
2092. enable-default-log
2093. rule 1 {
2094. action accept
2095. state {
2096. established enable
2097. related enable
2098. }
2099. }
2100. rule 2 {
2101. action drop
2102. log enable
2103. state {
2104. invalid enable
2105. }
2106. }
2107. rule 100 {
2108. action accept
2109. destination {
2110. group {
2111. address-group dns-piholes
2112. }
2113. }
2114. log enable
2115. protocol icmp
2116. }
2117. rule 300 {
2118. action accept
2119. destination {
2120. group {
2121. address-group ag-fileserver
2122. port-group pg-smb
2123. }
2124. }
2125. log enable
2126. protocol tcp
2127. source {
2128. group {
2129. address-group ag-media_player
2130. }
2131. }
2132. }
2133. rule 400 {
2134. action accept
2135. destination {
2136. group {
2137. address-group ntpservers
2138. port-group pg-ntp
2139. }
2140. }
2141. log enable
2142. protocol udp
2143. }
2144. rule 500 {
2145. action accept
2146. destination {
2147. group {
2148. address-group dns-piholes
2149. port-group pg-dns
2150. }
2151. }
2152. log enable
2153. protocol tcp_udp
2154. }
2155. rule 501 {
2156. action accept
2157. description "Allow HTTP for Pi-hole"
2158. destination {
2159. group {
2160. address-group dns-piholes
2161. port-group pg-pihole
2162. }
2163. }
2164. log enable
2165. protocol tcp
2166. }
2167. rule 502 {
2168. action drop
2169. description "Disable DNS over TLS"
2170. destination {
2171. group {
2172. address-group dns-piholes
2173. port-group pg-dns_tls
2174. }
2175. }
2176. log enable
2177. protocol tcp
2178. }
2179. rule 600 {
2180. action accept
2181. destination {
2182. group {
2183. address-group ag-dhcp-server
2184. port-group pg-dhcp
2185. }
2186. }
2187. log enable
2188. protocol udp
2189. }
2190. }
2191. name iot-firewall {
2192. default-action drop
2193. enable-default-log
2194. rule 1 {
2195. action accept
2196. state {
2197. established enable
2198. related enable
2199. }
2200. }
2201. rule 2 {
2202. action drop
2203. log enable
2204. state {
2205. invalid enable
2206. }
2207. }
2208. rule 10 {
2209. action accept
2210. destination {
2211. group {
2212. address-group ag-vrrp-iot
2213. }
2214. }
2215. protocol vrrp
2216. source {
2217. group {
2218. address-group ag-vrrp-iot
2219. }
2220. }
2221. }
2222. rule 100 {
2223. action accept
2224. destination {
2225. group {
2226. address-group ag-fw-iot
2227. }
2228. }
2229. log enable
2230. protocol icmp
2231. }
2232. rule 371 {
2233. action accept
2234. description "Fronius solar 2"
2235. destination {
2236. address 192.168.11.255
2237. group {
2238. port-group pg-solar2
2239. }
2240. }
2241. log enable
2242. protocol udp
2243. }
2244. rule 600 {
2245. action accept
2246. destination {
2247. group {
2248. port-group pg-dhcp
2249. }
2250. }
2251. log enable
2252. protocol udp
2253. }
2254. rule 601 {
2255. action accept
2256. description "Allow direct bcast mDNS"
2257. destination {
2258. group {
2259. address-group ag-bcast_iot
2260. port-group pg-mdns
2261. }
2262. }
2263. log enable
2264. protocol udp
2265. }
2266. rule 602 {
2267. action accept
2268. destination {
2269. group {
2270. address-group ag-mdns
2271. port-group pg-mdns
2272. }
2273. }
2274. protocol udp
2275. }
2276. rule 605 {
2277. action accept
2278. description "Allow media/TV discovery (Direct)"
2279. destination {
2280. group {
2281. address-group ag-bcast_iot
2282. port-group pg-tv_discover
2283. }
2284. }
2285. log enable
2286. protocol udp
2287. }
2288. rule 606 {
2289. action accept
2290. description "Allow media/TV discovery (Limited)"
2291. destination {
2292. group {
2293. address-group ag-bcast_limit
2294. port-group pg-tv_discover
2295. }
2296. }
2297. log enable
2298. protocol udp
2299. }
2300. rule 610 {
2301. action drop
2302. description "Drop Netbios traffic from logs"
2303. destination {
2304. group {
2305. port-group pg-netbios
2306. }
2307. }
2308. log disable
2309. protocol udp
2310. }
2311. }
2312. name iot-guest {
2313. default-action drop
2314. enable-default-log
2315. rule 1 {
2316. action accept
2317. state {
2318. established enable
2319. related enable
2320. }
2321. }
2322. rule 2 {
2323. action drop
2324. log enable
2325. state {
2326. invalid enable
2327. }
2328. }
2329. rule 207 {
2330. action accept
2331. description "Allow Google Cast Returns"
2332. destination {
2333. group {
2334. network-group ng-guest
2335. }
2336. }
2337. log enable
2338. protocol tcp
2339. source {
2340. group {
2341. address-group ag-media_player
2342. port-group pg-google_cast
2343. }
2344. }
2345. }
2346. }
2347. name iot-lan {
2348. default-action drop
2349. enable-default-log
2350. rule 1 {
2351. action accept
2352. state {
2353. established enable
2354. related enable
2355. }
2356. }
2357. rule 2 {
2358. action drop
2359. log enable
2360. state {
2361. invalid enable
2362. }
2363. }
2364. rule 207 {
2365. action accept
2366. description "Allow Google Cast Returns"
2367. destination {
2368. group {
2369. network-group ng-lan
2370. }
2371. }
2372. log enable
2373. protocol tcp
2374. source {
2375. group {
2376. address-group ag-media_player
2377. port-group pg-google_cast
2378. }
2379. }
2380. }
2381. }
2382. name iot-wan {
2383. default-action drop
2384. enable-default-log
2385. rule 1 {
2386. action accept
2387. state {
2388. established enable
2389. related enable
2390. }
2391. }
2392. rule 2 {
2393. action drop
2394. log enable
2395. state {
2396. invalid enable
2397. }
2398. }
2399. rule 100 {
2400. action accept
2401. log enable
2402. protocol icmp
2403. }
2404. rule 200 {
2405. action accept
2406. destination {
2407. group {
2408. port-group pg-web
2409. }
2410. }
2411. log enable
2412. protocol tcp
2413. }
2414. rule 203 {
2415. action accept
2416. destination {
2417. group {
2418. port-group pg-google_quic
2419. }
2420. }
2421. log enable
2422. protocol udp
2423. }
2424. rule 204 {
2425. action accept
2426. destination {
2427. group {
2428. port-group pg-google_fcm
2429. }
2430. }
2431. log enable
2432. protocol tcp_udp
2433. }
2434. rule 209 {
2435. action accept
2436. destination {
2437. group {
2438. port-group pg-xmpp
2439. }
2440. }
2441. log enable
2442. protocol tcp
2443. }
2444. rule 370 {
2445. action accept
2446. description "Fronius solar"
2447. destination {
2448. group {
2449. port-group pg-solar
2450. }
2451. }
2452. log enable
2453. protocol udp
2454. }
2455. rule 400 {
2456. action accept
2457. destination {
2458. group {
2459. port-group pg-ntp
2460. }
2461. }
2462. log enable
2463. protocol udp
2464. }
2465. }
2466. name lan-cam {
2467. default-action drop
2468. enable-default-log
2469. rule 1 {
2470. action accept
2471. state {
2472. established enable
2473. related enable
2474. }
2475. }
2476. rule 2 {
2477. action drop
2478. log enable
2479. state {
2480. invalid enable
2481. }
2482. }
2483. rule 380 {
2484. action accept
2485. destination {
2486. group {
2487. port-group pg-cam_rtsp
2488. }
2489. }
2490. log enable
2491. protocol tcp
2492. source {
2493. group {
2494. address-group mgmtfromlan
2495. }
2496. }
2497. }
2498. rule 381 {
2499. action accept
2500. destination {
2501. group {
2502. port-group pg-cam_onvif
2503. }
2504. }
2505. log enable
2506. protocol tcp
2507. source {
2508. group {
2509. address-group mgmtfromlan
2510. }
2511. }
2512. }
2513. rule 900 {
2514. action accept
2515. destination {
2516. group {
2517. port-group pg-ssh
2518. }
2519. }
2520. log enable
2521. protocol tcp
2522. source {
2523. group {
2524. address-group mgmtfromlan
2525. }
2526. }
2527. }
2528. }
2529. name lan-dmz {
2530. default-action drop
2531. enable-default-log
2532. rule 1 {
2533. action accept
2534. state {
2535. established enable
2536. related enable
2537. }
2538. }
2539. rule 2 {
2540. action drop
2541. log enable
2542. state {
2543. invalid enable
2544. }
2545. }
2546. rule 100 {
2547. action accept
2548. log enable
2549. protocol icmp
2550. }
2551. rule 200 {
2552. action accept
2553. destination {
2554. group {
2555. port-group pg-web
2556. }
2557. }
2558. log enable
2559. protocol tcp
2560. source {
2561. group {
2562. address-group mgmtfromlan
2563. }
2564. }
2565. }
2566. rule 300 {
2567. action accept
2568. destination {
2569. group {
2570. address-group ag-fileserver
2571. port-group pg-smb
2572. }
2573. }
2574. log enable
2575. protocol tcp
2576. }
2577. rule 385 {
2578. action accept
2579. destination {
2580. group {
2581. address-group ag-blueiris
2582. port-group pg-blueiris
2583. }
2584. }
2585. log enable
2586. protocol tcp
2587. }
2588. rule 400 {
2589. action accept
2590. destination {
2591. group {
2592. address-group ntpservers
2593. port-group pg-ntp
2594. }
2595. }
2596. log enable
2597. protocol udp
2598. }
2599. rule 450 {
2600. action accept
2601. destination {
2602. group {
2603. address-group ag-dc
2604. port-group pg-domain
2605. }
2606. }
2607. log enable
2608. protocol tcp_udp
2609. }
2610. rule 500 {
2611. action accept
2612. destination {
2613. group {
2614. address-group dnsforwarders
2615. port-group pg-dns
2616. }
2617. }
2618. log enable
2619. protocol tcp_udp
2620. }
2621. rule 501 {
2622. action accept
2623. description "Allow HTTP for Pi-hole"
2624. destination {
2625. group {
2626. address-group dns-piholes
2627. port-group pg-pihole
2628. }
2629. }
2630. log enable
2631. protocol tcp
2632. }
2633. rule 505 {
2634. action accept
2635. description "Allow admin interface for DNS blocking services"
2636. destination {
2637. group {
2638. address-group dns-piholes
2639. port-group pg-dnsblock_admin
2640. }
2641. }
2642. log enable
2643. protocol tcp
2644. source {
2645. group {
2646. address-group mgmtfromlan
2647. }
2648. }
2649. }
2650. rule 560 {
2651. action accept
2652. destination {
2653. group {
2654. address-group ag-wsus
2655. port-group pg-wsus
2656. }
2657. }
2658. log enable
2659. protocol tcp
2660. }
2661. rule 600 {
2662. action accept
2663. destination {
2664. group {
2665. address-group ag-dhcp-server
2666. port-group pg-dhcp
2667. }
2668. }
2669. log enable
2670. protocol udp
2671. }
2672. rule 800 {
2673. action accept
2674. destination {
2675. group {
2676. port-group pg-rdp
2677. }
2678. }
2679. log enable
2680. protocol tcp_udp
2681. source {
2682. group {
2683. address-group mgmtfromlan
2684. }
2685. }
2686. }
2687. rule 900 {
2688. action accept
2689. destination {
2690. group {
2691. port-group pg-ssh
2692. }
2693. }
2694. log enable
2695. protocol tcp
2696. source {
2697. group {
2698. address-group mgmtfromlan
2699. }
2700. }
2701. }
2702. rule 950 {
2703. action accept
2704. destination {
2705. group {
2706. address-group ag-cert_web
2707. port-group pg-ocsp
2708. }
2709. }
2710. log enable
2711. protocol tcp
2712. }
2713. rule 951 {
2714. action accept
2715. destination {
2716. group {
2717. address-group ag-cert_issuer
2718. port-group pg-cert_issuer
2719. }
2720. }
2721. log enable
2722. protocol tcp
2723. }
2724. rule 960 {
2725. action accept
2726. destination {
2727. group {
2728. address-group ag-kms
2729. port-group pg-kms
2730. }
2731. }
2732. log enable
2733. protocol tcp
2734. }
2735. }
2736. name lan-download {
2737. default-action drop
2738. enable-default-log
2739. rule 1 {
2740. action accept
2741. state {
2742. established enable
2743. related enable
2744. }
2745. }
2746. rule 2 {
2747. action drop
2748. log enable
2749. state {
2750. invalid enable
2751. }
2752. }
2753. rule 100 {
2754. action accept
2755. log enable
2756. protocol icmp
2757. source {
2758. group {
2759. address-group mgmtfromlan
2760. }
2761. }
2762. }
2763. rule 300 {
2764. action accept
2765. destination {
2766. group {
2767. port-group pg-smb
2768. }
2769. }
2770. log enable
2771. protocol tcp
2772. source {
2773. group {
2774. address-group mgmtfromlan
2775. }
2776. }
2777. }
2778. rule 800 {
2779. action accept
2780. destination {
2781. group {
2782. port-group pg-rdp
2783. }
2784. }
2785. log enable
2786. protocol tcp_udp
2787. source {
2788. group {
2789. address-group mgmtfromlan
2790. }
2791. }
2792. }
2793. }
2794. name lan-firewall {
2795. default-action drop
2796. enable-default-log
2797. rule 1 {
2798. action accept
2799. state {
2800. established enable
2801. related enable
2802. }
2803. }
2804. rule 2 {
2805. action drop
2806. log enable
2807. state {
2808. invalid enable
2809. }
2810. }
2811. rule 10 {
2812. action accept
2813. destination {
2814. group {
2815. address-group ag-vrrp-lan
2816. }
2817. }
2818. protocol vrrp
2819. source {
2820. group {
2821. address-group ag-vrrp-lan
2822. }
2823. }
2824. }
2825. rule 100 {
2826. action accept
2827. destination {
2828. group {
2829. address-group ag-fw-lan
2830. }
2831. }
2832. log enable
2833. protocol icmp
2834. }
2835. rule 101 {
2836. action accept
2837. destination {
2838. group {
2839. address-group ag-vrrp-lan
2840. }
2841. }
2842. log enable
2843. protocol icmp
2844. }
2845. rule 455 {
2846. action accept
2847. destination {
2848. group {
2849. port-group pg-iperf
2850. }
2851. }
2852. log enable
2853. protocol tcp_udp
2854. }
2855. rule 600 {
2856. action accept
2857. destination {
2858. group {
2859. port-group pg-dhcp
2860. }
2861. }
2862. log enable
2863. protocol udp
2864. }
2865. rule 602 {
2866. action accept
2867. destination {
2868. group {
2869. address-group ag-mdns
2870. port-group pg-mdns
2871. }
2872. }
2873. protocol udp
2874. }
2875. rule 605 {
2876. action accept
2877. description "Allow media/TV discovery (Direct)"
2878. destination {
2879. group {
2880. address-group ag-bcast_lan
2881. port-group pg-tv_discover
2882. }
2883. }
2884. log enable
2885. protocol udp
2886. }
2887. rule 606 {
2888. action accept
2889. description "Allow media/TV discovery (Limited)"
2890. destination {
2891. group {
2892. address-group ag-bcast_limit
2893. port-group pg-tv_discover
2894. }
2895. }
2896. log enable
2897. protocol udp
2898. }
2899. rule 610 {
2900. action drop
2901. description "Drop Netbios traffic from logs"
2902. destination {
2903. group {
2904. port-group pg-netbios
2905. }
2906. }
2907. log disable
2908. protocol udp
2909. }
2910. rule 900 {
2911. action accept
2912. destination {
2913. group {
2914. port-group pg-ssh
2915. }
2916. }
2917. log enable
2918. protocol tcp
2919. source {
2920. group {
2921. address-group mgmtfromlan
2922. }
2923. }
2924. }
2925. }
2926. name lan-guest {
2927. default-action drop
2928. enable-default-log
2929. rule 1 {
2930. action accept
2931. state {
2932. established enable
2933. related enable
2934. }
2935. }
2936. rule 2 {
2937. action drop
2938. log enable
2939. state {
2940. invalid enable
2941. }
2942. }
2943. }
2944. name lan-iot {
2945. default-action drop
2946. enable-default-log
2947. rule 1 {
2948. action accept
2949. state {
2950. established enable
2951. related enable
2952. }
2953. }
2954. rule 2 {
2955. action drop
2956. log enable
2957. state {
2958. invalid enable
2959. }
2960. }
2961. rule 100 {
2962. action accept
2963. log enable
2964. protocol icmp
2965. }
2966. rule 207 {
2967. action accept
2968. destination {
2969. group {
2970. port-group pg-google_cast
2971. }
2972. }
2973. log enable
2974. protocol tcp
2975. }
2976. rule 208 {
2977. action accept
2978. log enable
2979. protocol udp
2980. source {
2981. group {
2982. port-group pg-google_cast_pic
2983. }
2984. }
2985. }
2986. rule 300 {
2987. action accept
2988. destination {
2989. group {
2990. address-group ag-media_player
2991. port-group pg-smb
2992. }
2993. }
2994. log enable
2995. protocol tcp
2996. source {
2997. group {
2998. address-group mgmtfromlan
2999. }
3000. }
3001. }
3002. rule 555 {
3003. action accept
3004. destination {
3005. group {
3006. address-group ag-tv_server
3007. port-group pg-tvh_web
3008. }
3009. }
3010. log enable
3011. protocol tcp
3012. }
3013. rule 556 {
3014. action accept
3015. destination {
3016. group {
3017. address-group ag-tv_server
3018. port-group pg-tvh_htsp
3019. }
3020. }
3021. log enable
3022. protocol tcp
3023. }
3024. }
3025. name lan-mgmt {
3026. default-action drop
3027. enable-default-log
3028. rule 1 {
3029. action accept
3030. state {
3031. established enable
3032. related enable
3033. }
3034. }
3035. rule 2 {
3036. action drop
3037. log enable
3038. state {
3039. invalid enable
3040. }
3041. }
3042. rule 100 {
3043. action accept
3044. log enable
3045. protocol icmp
3046. source {
3047. group {
3048. address-group mgmtfromlan
3049. }
3050. }
3051. }
3052. rule 200 {
3053. action accept
3054. destination {
3055. group {
3056. port-group pg-web
3057. }
3058. }
3059. log enable
3060. protocol tcp
3061. source {
3062. group {
3063. address-group mgmtfromlan
3064. }
3065. }
3066. }
3067. rule 230 {
3068. action accept
3069. destination {
3070. group {
3071. address-group ag-unifi
3072. port-group pg-unifi
3073. }
3074. }
3075. log enable
3076. protocol tcp
3077. source {
3078. group {
3079. address-group mgmtfromlan
3080. }
3081. }
3082. }
3083. rule 450 {
3084. action accept
3085. destination {
3086. group {
3087. address-group ag-dc
3088. port-group pg-domain
3089. }
3090. }
3091. log enable
3092. protocol tcp_udp
3093. }
3094. rule 455 {
3095. action accept
3096. destination {
3097. group {
3098. port-group pg-iperf
3099. }
3100. }
3101. log enable
3102. protocol tcp_udp
3103. }
3104. rule 456 {
3105. action accept
3106. destination {
3107. group {
3108. address-group ag-vcenter
3109. port-group pg-vcenter
3110. }
3111. }
3112. log enable
3113. protocol tcp
3114. source {
3115. group {
3116. address-group mgmtfromlan
3117. }
3118. }
3119. }
3120. rule 633 {
3121. action accept
3122. destination {
3123. group {
3124. address-group ag-portainer
3125. port-group pg-portainer
3126. }
3127. }
3128. log enable
3129. protocol tcp
3130. source {
3131. group {
3132. address-group mgmtfromlan
3133. }
3134. }
3135. }
3136. rule 800 {
3137. action accept
3138. destination {
3139. group {
3140. port-group pg-rdp
3141. }
3142. }
3143. log enable
3144. protocol tcp_udp
3145. source {
3146. group {
3147. address-group mgmtfromlan
3148. }
3149. }
3150. }
3151. rule 900 {
3152. action accept
3153. destination {
3154. group {
3155. port-group pg-ssh
3156. }
3157. }
3158. log enable
3159. protocol tcp
3160. source {
3161. group {
3162. address-group mgmtfromlan
3163. }
3164. }
3165. }
3166. }
3167. name lan-public {
3168. default-action drop
3169. enable-default-log
3170. rule 1 {
3171. action accept
3172. state {
3173. established enable
3174. related enable
3175. }
3176. }
3177. rule 2 {
3178. action drop
3179. log enable
3180. state {
3181. invalid enable
3182. }
3183. }
3184. rule 100 {
3185. action accept
3186. log enable
3187. protocol icmp
3188. source {
3189. group {
3190. address-group mgmtfromlan
3191. }
3192. }
3193. }
3194. rule 223 {
3195. action accept
3196. destination {
3197. group {
3198. address-group ag-traccar_srv
3199. port-group pg-traccar_srv
3200. }
3201. }
3202. log enable
3203. protocol tcp
3204. source {
3205. group {
3206. address-group mgmtfromlan
3207. }
3208. }
3209. }
3210. rule 900 {
3211. action accept
3212. destination {
3213. group {
3214. port-group pg-ssh
3215. }
3216. }
3217. log enable
3218. protocol tcp
3219. source {
3220. group {
3221. address-group mgmtfromlan
3222. }
3223. }
3224. }
3225. }
3226. name lan-wan {
3227. default-action drop
3228. enable-default-log
3229. rule 1 {
3230. action accept
3231. state {
3232. established enable
3233. related enable
3234. }
3235. }
3236. rule 2 {
3237. action drop
3238. log enable
3239. state {
3240. invalid enable
3241. }
3242. }
3243. rule 100 {
3244. action accept
3245. log enable
3246. protocol icmp
3247. }
3248. rule 200 {
3249. action accept
3250. destination {
3251. group {
3252. port-group pg-web
3253. }
3254. }
3255. log enable
3256. protocol tcp
3257. }
3258. rule 203 {
3259. action accept
3260. destination {
3261. group {
3262. port-group pg-google_quic
3263. }
3264. }
3265. log enable
3266. protocol udp
3267. }
3268. rule 204 {
3269. action accept
3270. destination {
3271. group {
3272. port-group pg-google_fcm
3273. }
3274. }
3275. log enable
3276. protocol tcp_udp
3277. }
3278. rule 205 {
3279. action accept
3280. destination {
3281. group {
3282. port-group pg-speedtest
3283. }
3284. }
3285. log enable
3286. protocol tcp
3287. }
3288. rule 208 {
3289. action accept
3290. destination {
3291. group {
3292. port-group pg-agps
3293. }
3294. }
3295. log enable
3296. protocol tcp
3297. }
3298. rule 209 {
3299. action accept
3300. destination {
3301. group {
3302. port-group pg-xmpp
3303. }
3304. }
3305. log enable
3306. protocol tcp
3307. }
3308. rule 215 {
3309. action accept
3310. destination {
3311. group {
3312. port-group pg-spotify
3313. }
3314. }
3315. log enable
3316. protocol tcp
3317. }
3318. rule 360 {
3319. action accept
3320. destination {
3321. group {
3322. port-group pg-iptv
3323. }
3324. }
3325. log enable
3326. protocol tcp
3327. }
3328. rule 400 {
3329. action accept
3330. destination {
3331. group {
3332. port-group pg-ntp
3333. }
3334. }
3335. log enable
3336. protocol udp
3337. }
3338. rule 500 {
3339. action accept
3340. destination {
3341. group {
3342. port-group pg-dns
3343. }
3344. }
3345. log enable
3346. protocol tcp_udp
3347. }
3348. rule 620 {
3349. action accept
3350. destination {
3351. group {
3352. port-group pg-crashplan
3353. }
3354. }
3355. log enable
3356. protocol tcp
3357. source {
3358. group {
3359. address-group mgmtfromlan
3360. }
3361. }
3362. }
3363. rule 630 {
3364. action accept
3365. destination {
3366. group {
3367. port-group pg-whatsapp
3368. }
3369. }
3370. log enable
3371. protocol udp
3372. }
3373. rule 631 {
3374. action accept
3375. destination {
3376. group {
3377. port-group pg-skype
3378. }
3379. }
3380. log enable
3381. protocol udp
3382. }
3383. rule 632 {
3384. action accept
3385. destination {
3386. group {
3387. port-group pg-webex
3388. }
3389. }
3390. log enable
3391. protocol tcp_udp
3392. }
3393. rule 634 {
3394. action accept
3395. destination {
3396. group {
3397. port-group pg-vpn_globalprotect
3398. }
3399. }
3400. log enable
3401. protocol udp
3402. }
3403. rule 635 {
3404. action accept
3405. destination {
3406. group {
3407. port-group pg-person2work_genesys
3408. }
3409. }
3410. log enable
3411. protocol udp
3412. }
3413. rule 636 {
3414. action accept
3415. destination {
3416. group {
3417. port-group pg-person2work_webrtc
3418. }
3419. }
3420. log enable
3421. protocol tcp_udp
3422. }
3423. rule 637 {
3424. action accept
3425. destination {
3426. group {
3427. port-group pg-person1work_lotusnotes
3428. }
3429. }
3430. log enable
3431. protocol tcp
3432. }
3433. rule 700 {
3434. action accept
3435. destination {
3436. group {
3437. port-group pg-ftp
3438. }
3439. }
3440. log enable
3441. protocol tcp
3442. }
3443. }
3444. name mgmt-cam {
3445. default-action drop
3446. enable-default-log
3447. rule 1 {
3448. action accept
3449. state {
3450. established enable
3451. related enable
3452. }
3453. }
3454. rule 2 {
3455. action drop
3456. log enable
3457. state {
3458. invalid enable
3459. }
3460. }
3461. }
3462. name mgmt-dmz {
3463. default-action drop
3464. enable-default-log
3465. rule 1 {
3466. action accept
3467. state {
3468. established enable
3469. related enable
3470. }
3471. }
3472. rule 2 {
3473. action drop
3474. log enable
3475. state {
3476. invalid enable
3477. }
3478. }
3479. rule 100 {
3480. action accept
3481. log enable
3482. protocol icmp
3483. }
3484. rule 300 {
3485. action accept
3486. destination {
3487. group {
3488. address-group ag-fileserver
3489. port-group pg-smb
3490. }
3491. }
3492. log enable
3493. protocol tcp
3494. source {
3495. group {
3496. address-group ag-hypervisors
3497. }
3498. }
3499. }
3500. rule 400 {
3501. action accept
3502. destination {
3503. group {
3504. address-group ntpservers
3505. port-group pg-ntp
3506. }
3507. }
3508. log enable
3509. protocol udp
3510. }
3511. rule 450 {
3512. action accept
3513. destination {
3514. group {
3515. address-group ag-dc
3516. port-group pg-domain
3517. }
3518. }
3519. log enable
3520. protocol tcp_udp
3521. }
3522. rule 500 {
3523. action accept
3524. destination {
3525. group {
3526. address-group dnsforwarders
3527. port-group pg-dns
3528. }
3529. }
3530. log enable
3531. protocol tcp_udp
3532. }
3533. rule 950 {
3534. action accept
3535. destination {
3536. group {
3537. address-group ag-cert_web
3538. port-group pg-ocsp
3539. }
3540. }
3541. log enable
3542. protocol tcp
3543. }
3544. rule 951 {
3545. action accept
3546. destination {
3547. group {
3548. address-group ag-cert_issuer
3549. port-group pg-cert_issuer
3550. }
3551. }
3552. log enable
3553. protocol tcp
3554. }
3555. rule 952 {
3556. action accept
3557. description "FOR SETTING UP MELLANOX SWITCHES - DELETE"
3558. destination {
3559. group {
3560. address-group ag-cert_web
3561. port-group pg-web
3562. }
3563. }
3564. log enable
3565. protocol tcp
3566. }
3567. }
3568. name mgmt-download {
3569. default-action drop
3570. enable-default-log
3571. rule 1 {
3572. action accept
3573. state {
3574. established enable
3575. related enable
3576. }
3577. }
3578. rule 2 {
3579. action drop
3580. log enable
3581. state {
3582. invalid enable
3583. }
3584. }
3585. }
3586. name mgmt-firewall {
3587. default-action drop
3588. enable-default-log
3589. rule 1 {
3590. action accept
3591. state {
3592. established enable
3593. related enable
3594. }
3595. }
3596. rule 2 {
3597. action drop
3598. log enable
3599. state {
3600. invalid enable
3601. }
3602. }
3603. rule 10 {
3604. action accept
3605. destination {
3606. group {
3607. address-group ag-vrrp-mgmt
3608. }
3609. }
3610. protocol vrrp
3611. source {
3612. group {
3613. address-group ag-vrrp-mgmt
3614. }
3615. }
3616. }
3617. rule 100 {
3618. action accept
3619. log enable
3620. protocol icmp
3621. }
3622. rule 231 {
3623. action accept
3624. description "Allow UniFi Controller Adaption"
3625. destination {
3626. group {
3627. address-group ag-bcast_limit
3628. port-group pg-unifi_adapt
3629. }
3630. }
3631. log enable
3632. protocol udp
3633. }
3634. rule 580 {
3635. action accept
3636. description "Allow UPS discover"
3637. destination {
3638. group {
3639. address-group ag-bcast_limit
3640. port-group pg-ups_web
3641. }
3642. }
3643. log enable
3644. protocol udp
3645. source {
3646. group {
3647. address-group ag-ups_mgmt
3648. }
3649. }
3650. }
3651. rule 600 {
3652. action accept
3653. description "Allow DHCP relay from WiFi AP"
3654. destination {
3655. group {
3656. address-group ag-bcast_limit
3657. port-group pg-dhcp
3658. }
3659. }
3660. log enable
3661. protocol udp
3662. }
3663. rule 610 {
3664. action drop
3665. description "Drop Netbios traffic from logs"
3666. destination {
3667. group {
3668. port-group pg-netbios
3669. }
3670. }
3671. log disable
3672. protocol udp
3673. }
3674. rule 650 {
3675. action accept
3676. description "Accept Conntrack Sync"
3677. destination {
3678. group {
3679. address-group ag-ct_sync
3680. port-group pg-ct_sync
3681. }
3682. }
3683. protocol udp
3684. source {
3685. group {
3686. address-group ag-vrrp-mgmt
3687. }
3688. }
3689. }
3690. rule 900 {
3691. action accept
3692. destination {
3693. group {
3694. port-group pg-ssh
3695. }
3696. }
3697. log enable
3698. protocol tcp
3699. }
3700. }
3701. name mgmt-guest {
3702. default-action drop
3703. enable-default-log
3704. rule 1 {
3705. action accept
3706. state {
3707. established enable
3708. related enable
3709. }
3710. }
3711. rule 2 {
3712. action drop
3713. log enable
3714. state {
3715. invalid enable
3716. }
3717. }
3718. }
3719. name mgmt-lan {
3720. default-action drop
3721. enable-default-log
3722. rule 1 {
3723. action accept
3724. state {
3725. established enable
3726. related enable
3727. }
3728. }
3729. rule 2 {
3730. action drop
3731. log enable
3732. state {
3733. invalid enable
3734. }
3735. }
3736. rule 100 {
3737. action accept
3738. log enable
3739. protocol icmp
3740. }
3741. }
3742. name mgmt-public {
3743. default-action drop
3744. enable-default-log
3745. rule 1 {
3746. action accept
3747. state {
3748. established enable
3749. related enable
3750. }
3751. }
3752. rule 2 {
3753. action drop
3754. log enable
3755. state {
3756. invalid enable
3757. }
3758. }
3759. rule 100 {
3760. action accept
3761. log enable
3762. protocol icmp
3763. }
3764. rule 224 {
3765. action accept
3766. destination {
3767. group {
3768. address-group ag-docker_pub
3769. port-group pg-portainer_agent
3770. }
3771. }
3772. log enable
3773. protocol tcp
3774. source {
3775. group {
3776. address-group ag-dockerhosts
3777. }
3778. }
3779. }
3780. }
3781. name mgmt-wan {
3782. default-action drop
3783. enable-default-log
3784. rule 1 {
3785. action accept
3786. state {
3787. established enable
3788. related enable
3789. }
3790. }
3791. rule 2 {
3792. action drop
3793. log enable
3794. state {
3795. invalid enable
3796. }
3797. }
3798. rule 100 {
3799. action accept
3800. log enable
3801. protocol icmp
3802. }
3803. rule 198 {
3804. action accept
3805. destination {
3806. group {
3807. port-group pg-web
3808. }
3809. }
3810. log enable
3811. protocol tcp
3812. source {
3813. group {
3814. address-group ag-hypervisors
3815. }
3816. }
3817. }
3818. rule 199 {
3819. action accept
3820. destination {
3821. group {
3822. port-group pg-web
3823. }
3824. }
3825. log enable
3826. protocol tcp
3827. source {
3828. group {
3829. address-group ag-dockerhosts
3830. }
3831. }
3832. }
3833. rule 200 {
3834. action accept
3835. destination {
3836. group {
3837. port-group pg-web
3838. }
3839. }
3840. log enable
3841. protocol tcp
3842. source {
3843. group {
3844. address-group wifiaps
3845. }
3846. }
3847. }
3848. rule 787 {
3849. action accept
3850. description "TEST Allow HTTP/HTTPS"
3851. destination {
3852. group {
3853. port-group pg-web
3854. }
3855. }
3856. log enable
3857. protocol tcp
3858. source {
3859. group {
3860. address-group ag-testWEB
3861. }
3862. }
3863. }
3864. rule 788 {
3865. action accept
3866. description "TEST Allow NTP"
3867. destination {
3868. group {
3869. port-group pg-ntp
3870. }
3871. }
3872. log enable
3873. protocol udp
3874. source {
3875. group {
3876. address-group ag-testNTP
3877. }
3878. }
3879. }
3880. rule 789 {
3881. action accept
3882. description "TEST Allow DNS"
3883. destination {
3884. group {
3885. port-group pg-dns
3886. }
3887. }
3888. log enable
3889. protocol tcp_udp
3890. source {
3891. group {
3892. address-group ag-testDNS_fw
3893. }
3894. }
3895. }
3896. }
3897. name public-cam {
3898. default-action drop
3899. enable-default-log
3900. rule 1 {
3901. action accept
3902. state {
3903. established enable
3904. related enable
3905. }
3906. }
3907. rule 2 {
3908. action drop
3909. log enable
3910. state {
3911. invalid enable
3912. }
3913. }
3914. }
3915. name public-dmz {
3916. default-action drop
3917. enable-default-log
3918. rule 1 {
3919. action accept
3920. state {
3921. established enable
3922. related enable
3923. }
3924. }
3925. rule 2 {
3926. action drop
3927. log enable
3928. state {
3929. invalid enable
3930. }
3931. }
3932. rule 100 {
3933. action accept
3934. log enable
3935. protocol icmp
3936. source {
3937. group {
3938. network-group vpnusers
3939. }
3940. }
3941. }
3942. rule 200 {
3943. action accept
3944. destination {
3945. group {
3946. port-group pg-web
3947. }
3948. }
3949. log enable
3950. protocol tcp
3951. source {
3952. group {
3953. network-group vpnusers
3954. }
3955. }
3956. }
3957. rule 222 {
3958. action accept
3959. destination {
3960. group {
3961. address-group ag-traccar_mysql
3962. port-group pg-mysql
3963. }
3964. }
3965. log enable
3966. protocol tcp
3967. source {
3968. group {
3969. address-group ag-traccar_srv
3970. }
3971. }
3972. }
3973. rule 300 {
3974. action accept
3975. destination {
3976. group {
3977. address-group ag-fileserver
3978. port-group pg-smb
3979. }
3980. }
3981. log enable
3982. protocol tcp
3983. source {
3984. group {
3985. network-group vpnusers
3986. }
3987. }
3988. }
3989. rule 385 {
3990. action accept
3991. destination {
3992. group {
3993. address-group ag-blueiris
3994. port-group pg-blueiris
3995. }
3996. }
3997. log enable
3998. protocol tcp
3999. source {
4000. group {
4001. network-group vpnusers
4002. }
4003. }
4004. }
4005. rule 400 {
4006. action accept
4007. destination {
4008. group {
4009. address-group ntpservers
4010. port-group pg-ntp
4011. }
4012. }
4013. log enable
4014. protocol udp
4015. }
4016. rule 500 {
4017. action accept
4018. destination {
4019. group {
4020. address-group dnsforwarders
4021. port-group pg-dns
4022. }
4023. }
4024. log enable
4025. protocol tcp_udp
4026. }
4027. rule 501 {
4028. action accept
4029. description "Allow HTTP for pihole interface"
4030. destination {
4031. group {
4032. address-group dns-piholes
4033. port-group pg-pihole
4034. }
4035. }
4036. log enable
4037. protocol tcp
4038. }
4039. rule 505 {
4040. action accept
4041. description "Allow admin interface for DNS blocking services"
4042. destination {
4043. group {
4044. address-group dns-piholes
4045. port-group pg-dnsblock_admin
4046. }
4047. }
4048. log enable
4049. protocol tcp
4050. source {
4051. group {
4052. network-group vpnusers
4053. }
4054. }
4055. }
4056. rule 800 {
4057. action accept
4058. destination {
4059. group {
4060. port-group pg-rdp
4061. }
4062. }
4063. log enable
4064. protocol tcp_udp
4065. source {
4066. group {
4067. network-group vpnusers
4068. }
4069. }
4070. }
4071. rule 950 {
4072. action accept
4073. destination {
4074. group {
4075. address-group ag-cert_web
4076. port-group pg-ocsp
4077. }
4078. }
4079. log enable
4080. protocol tcp
4081. source {
4082. group {
4083. network-group vpnusers
4084. }
4085. }
4086. }
4087. }
4088. name public-download {
4089. default-action drop
4090. enable-default-log
4091. rule 1 {
4092. action accept
4093. state {
4094. established enable
4095. related enable
4096. }
4097. }
4098. rule 2 {
4099. action drop
4100. log enable
4101. state {
4102. invalid enable
4103. }
4104. }
4105. rule 100 {
4106. action accept
4107. log enable
4108. protocol icmp
4109. source {
4110. group {
4111. network-group vpnusers
4112. }
4113. }
4114. }
4115. rule 800 {
4116. action accept
4117. destination {
4118. group {
4119. port-group pg-rdp
4120. }
4121. }
4122. log enable
4123. protocol tcp_udp
4124. source {
4125. group {
4126. network-group vpnusers
4127. }
4128. }
4129. }
4130. rule 900 {
4131. action accept
4132. destination {
4133. group {
4134. port-group pg-ssh
4135. }
4136. }
4137. log enable
4138. protocol tcp
4139. source {
4140. group {
4141. network-group vpnusers
4142. }
4143. }
4144. }
4145. }
4146. name public-firewall {
4147. default-action drop
4148. enable-default-log
4149. rule 1 {
4150. action accept
4151. state {
4152. established enable
4153. related enable
4154. }
4155. }
4156. rule 2 {
4157. action drop
4158. log enable
4159. state {
4160. invalid enable
4161. }
4162. }
4163. rule 10 {
4164. action accept
4165. destination {
4166. group {
4167. address-group ag-vrrp-public
4168. }
4169. }
4170. protocol vrrp
4171. source {
4172. group {
4173. address-group ag-vrrp-public
4174. }
4175. }
4176. }
4177. rule 900 {
4178. action accept
4179. destination {
4180. group {
4181. port-group pg-ssh
4182. }
4183. }
4184. log enable
4185. protocol tcp
4186. source {
4187. group {
4188. network-group vpnusers
4189. }
4190. }
4191. }
4192. }
4193. name public-guest {
4194. default-action drop
4195. enable-default-log
4196. rule 1 {
4197. action accept
4198. state {
4199. established enable
4200. related enable
4201. }
4202. }
4203. rule 2 {
4204. action drop
4205. log enable
4206. state {
4207. invalid enable
4208. }
4209. }
4210. }
4211. name public-iot {
4212. default-action drop
4213. rule 555 {
4214. action accept
4215. destination {
4216. group {
4217. address-group ag-tv_server
4218. port-group pg-tvh_web
4219. }
4220. }
4221. log enable
4222. protocol tcp
4223. source {
4224. group {
4225. network-group vpnusers
4226. }
4227. }
4228. }
4229. }
4230. name public-lan {
4231. default-action drop
4232. enable-default-log
4233. rule 1 {
4234. action accept
4235. state {
4236. established enable
4237. related enable
4238. }
4239. }
4240. rule 2 {
4241. action drop
4242. log enable
4243. state {
4244. invalid enable
4245. }
4246. }
4247. rule 777 {
4248. action accept
4249. destination {
4250. group {
4251. address-group ag-printer
4252. port-group pg-printer_web
4253. }
4254. }
4255. log enable
4256. protocol tcp
4257. source {
4258. group {
4259. network-group vpnusers
4260. }
4261. }
4262. }
4263. rule 800 {
4264. action accept
4265. destination {
4266. group {
4267. address-group mgmtfromlan
4268. port-group pg-rdp
4269. }
4270. }
4271. log enable
4272. protocol tcp_udp
4273. source {
4274. group {
4275. network-group vpnusers
4276. }
4277. }
4278. }
4279. }
4280. name public-mgmt {
4281. default-action drop
4282. enable-default-log
4283. rule 1 {
4284. action accept
4285. state {
4286. established enable
4287. related enable
4288. }
4289. }
4290. rule 2 {
4291. action drop
4292. log enable
4293. state {
4294. invalid enable
4295. }
4296. }
4297. rule 100 {
4298. action accept
4299. log enable
4300. protocol icmp
4301. source {
4302. group {
4303. network-group vpnusers
4304. }
4305. }
4306. }
4307. rule 200 {
4308. action accept
4309. destination {
4310. group {
4311. port-group pg-web
4312. }
4313. }
4314. log enable
4315. protocol tcp
4316. source {
4317. group {
4318. network-group vpnusers
4319. }
4320. }
4321. }
4322. rule 230 {
4323. action accept
4324. destination {
4325. group {
4326. address-group ag-unifi
4327. port-group pg-unifi
4328. }
4329. }
4330. log enable
4331. protocol tcp
4332. source {
4333. group {
4334. network-group vpnusers
4335. }
4336. }
4337. }
4338. rule 400 {
4339. action accept
4340. destination {
4341. group {
4342. address-group ntpservers
4343. port-group pg-ntp
4344. }
4345. }
4346. log enable
4347. protocol udp
4348. }
4349. rule 456 {
4350. action accept
4351. destination {
4352. group {
4353. address-group ag-vcenter
4354. port-group pg-vcenter
4355. }
4356. }
4357. log enable
4358. protocol tcp
4359. source {
4360. group {
4361. network-group vpnusers
4362. }
4363. }
4364. }
4365. rule 633 {
4366. action accept
4367. destination {
4368. group {
4369. address-group ag-portainer
4370. port-group pg-portainer
4371. }
4372. }
4373. log enable
4374. protocol tcp
4375. source {
4376. group {
4377. network-group vpnusers
4378. }
4379. }
4380. }
4381. rule 800 {
4382. action accept
4383. destination {
4384. group {
4385. port-group pg-rdp
4386. }
4387. }
4388. log enable
4389. protocol tcp_udp
4390. source {
4391. group {
4392. network-group vpnusers
4393. }
4394. }
4395. }
4396. rule 900 {
4397. action accept
4398. destination {
4399. group {
4400. port-group pg-ssh
4401. }
4402. }
4403. log enable
4404. protocol tcp
4405. source {
4406. group {
4407. network-group vpnusers
4408. }
4409. }
4410. }
4411. }
4412. name public-wan {
4413. default-action drop
4414. enable-default-log
4415. rule 1 {
4416. action accept
4417. state {
4418. established enable
4419. related enable
4420. }
4421. }
4422. rule 2 {
4423. action drop
4424. log enable
4425. state {
4426. invalid enable
4427. }
4428. }
4429. rule 100 {
4430. action accept
4431. log enable
4432. protocol icmp
4433. }
4434. rule 200 {
4435. action accept
4436. destination {
4437. group {
4438. port-group pg-web
4439. }
4440. }
4441. log enable
4442. protocol tcp
4443. source {
4444. group {
4445. address-group ag-vpn_servers
4446. }
4447. }
4448. }
4449. rule 221 {
4450. action accept
4451. destination {
4452. group {
4453. port-group pg-web
4454. }
4455. }
4456. log enable
4457. protocol tcp
4458. source {
4459. group {
4460. address-group ag-docker_pub
4461. }
4462. }
4463. }
4464. rule 700 {
4465. action accept
4466. destination {
4467. group {
4468. port-group pg-ftp
4469. }
4470. }
4471. log enable
4472. protocol tcp
4473. source {
4474. group {
4475. address-group ag-vpn_servers
4476. }
4477. }
4478. }
4479. }
4480. name wan-cam {
4481. default-action drop
4482. enable-default-log
4483. rule 1 {
4484. action accept
4485. state {
4486. established enable
4487. related enable
4488. }
4489. }
4490. rule 2 {
4491. action drop
4492. log enable
4493. state {
4494. invalid enable
4495. }
4496. }
4497. }
4498. name wan-dmz {
4499. default-action drop
4500. enable-default-log
4501. rule 1 {
4502. action accept
4503. state {
4504. established enable
4505. related enable
4506. }
4507. }
4508. rule 2 {
4509. action drop
4510. log enable
4511. state {
4512. invalid enable
4513. }
4514. }
4515. }
4516. name wan-download {
4517. default-action drop
4518. enable-default-log
4519. rule 1 {
4520. action accept
4521. state {
4522. established enable
4523. related enable
4524. }
4525. }
4526. rule 2 {
4527. action drop
4528. log enable
4529. state {
4530. invalid enable
4531. }
4532. }
4533. }
4534. name wan-firewall {
4535. default-action drop
4536. enable-default-log
4537. rule 1 {
4538. action accept
4539. state {
4540. established enable
4541. related enable
4542. }
4543. }
4544. rule 2 {
4545. action drop
4546. log enable
4547. state {
4548. invalid enable
4549. }
4550. }
4551. rule 600 {
4552. action drop
4553. description "Disable ISP DHCP and dont log it"
4554. destination {
4555. group {
4556. address-group ag-bcast_limit
4557. port-group pg-dhcp
4558. }
4559. }
4560. log disable
4561. protocol udp
4562. source {
4563. group {
4564. port-group pg-dhcp
4565. }
4566. }
4567. }
4568. }
4569. name wan-guest {
4570. default-action drop
4571. enable-default-log
4572. rule 1 {
4573. action accept
4574. state {
4575. established enable
4576. related enable
4577. }
4578. }
4579. rule 2 {
4580. action drop
4581. log enable
4582. state {
4583. invalid enable
4584. }
4585. }
4586. }
4587. name wan-iot {
4588. default-action drop
4589. enable-default-log
4590. rule 1 {
4591. action accept
4592. state {
4593. established enable
4594. related enable
4595. }
4596. }
4597. rule 2 {
4598. action drop
4599. log enable
4600. state {
4601. invalid enable
4602. }
4603. }
4604. }
4605. name wan-lan {
4606. default-action drop
4607. enable-default-log
4608. rule 1 {
4609. action accept
4610. state {
4611. established enable
4612. related enable
4613. }
4614. }
4615. rule 2 {
4616. action drop
4617. log enable
4618. state {
4619. invalid enable
4620. }
4621. }
4622. }
4623. name wan-mgmt {
4624. default-action drop
4625. enable-default-log
4626. rule 1 {
4627. action accept
4628. state {
4629. established enable
4630. related enable
4631. }
4632. }
4633. rule 2 {
4634. action drop
4635. log enable
4636. state {
4637. invalid enable
4638. }
4639. }
4640. }
4641. name wan-public {
4642. default-action drop
4643. enable-default-log
4644. rule 1 {
4645. action accept
4646. state {
4647. established enable
4648. related enable
4649. }
4650. }
4651. rule 2 {
4652. action drop
4653. log enable
4654. state {
4655. invalid enable
4656. }
4657. }
4658. rule 220 {
4659. action accept
4660. destination {
4661. group {
4662. address-group ag-vpn_pri
4663. port-group pg-vpn_pri
4664. }
4665. }
4666. log enable
4667. protocol tcp
4668. }
4669. rule 221 {
4670. action accept
4671. destination {
4672. group {
4673. address-group ag-vpn_bck
4674. port-group pg-vpn_bck
4675. }
4676. }
4677. log enable
4678. protocol udp
4679. }
4680. }
4681. receive-redirects disable
4682. send-redirects enable
4683. source-validation disable
4684. syn-cookies enable
4685. twa-hazards-protection disable
4686. }