Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- firewall {
- all-ping enable
- broadcast-ping disable
- group {
- address-group dangerous_machines {
- address 192.168.1.224
- description "Dangerous Machines"
- }
- }
- ipv6-receive-redirects disable
- ipv6-src-route disable
- ip-src-route disable
- log-martians enable
- modify SOURCE_ROUTE {
- rule 10 {
- description "Dangerous Machines through vtun0"
- modify {
- table 1
- }
- source {
- group {
- address-group dangerous_machines
- }
- }
- }
- rule 20 {
- description "Everything else through eth0"
- modify {
- table 2
- }
- source {
- address 0.0.0.0/0
- }
- }
- }
- name WAN_IN {
- default-action drop
- description "WAN to internal"
- rule 10 {
- action accept
- description "Allow established/related"
- state {
- established enable
- related enable
- }
- }
- rule 20 {
- action drop
- description "Drop invalid state"
- state {
- invalid enable
- }
- }
- }
- name WAN_LOCAL {
- default-action drop
- description "WAN to router"
- rule 10 {
- action accept
- description "Allow established/related"
- state {
- established enable
- related enable
- }
- }
- rule 20 {
- action drop
- description "Drop invalid state"
- state {
- invalid enable
- }
- }
- }
- receive-redirects disable
- send-redirects enable
- source-validation disable
- syn-cookies enable
- }
- interfaces {
- ethernet eth0 {
- address dhcp
- description Internet
- duplex auto
- firewall {
- local {
- name WAN_LOCAL
- }
- }
- speed auto
- }
- ethernet eth1 {
- description Local
- duplex auto
- speed auto
- }
- ethernet eth2 {
- description Local
- duplex auto
- speed auto
- }
- ethernet eth3 {
- description Local
- duplex auto
- speed auto
- }
- ethernet eth4 {
- description Local
- duplex auto
- speed auto
- }
- loopback lo {
- }
- openvpn vtun0 {
- config-file /config/auth/integrity/integrity.ovpn
- }
- switch switch0 {
- address 192.168.1.1/24
- description Local
- firewall {
- in {
- modify SOURCE_ROUTE
- }
- }
- mtu 1500
- switch-port {
- interface eth1
- interface eth2
- interface eth3
- interface eth4
- }
- }
- }
- port-forward {
- auto-firewall enable
- hairpin-nat enable
- lan-interface eth1
- lan-interface eth2
- lan-interface eth3
- lan-interface eth4
- lan-interface switch0
- wan-interface eth0
- }
- protocols {
- static {
- table 1 {
- interface-route 0.0.0.0/0 {
- next-hop-interface vtun0 {
- }
- }
- }
- table 2 {
- interface-route 0.0.0.0/0 {
- next-hop-interface eth0 {
- }
- }
- }
- }
- }
- service {
- dhcp-server {
- disabled false
- hostfile-update enable
- shared-network-name LAN {
- authoritative disable
- subnet 192.168.1.0/24 {
- default-router 192.168.1.1
- dns-server 192.168.1.1
- domain-name local
- lease 86400
- start 192.168.1.38 {
- stop 192.168.1.243
- }
- static-mapping dangerous1 {
- ip-address 192.168.1.224
- mac-address [redacted]
- }
- }
- }
- }
- dns {
- forwarding {
- cache-size 150
- listen-on switch0
- name-server 8.8.8.8
- name-server 8.8.4.4
- }
- }
- gui {
- https-port 443
- }
- nat {
- rule 5001 {
- description "Masquerade for VTUN0"
- log disable
- outbound-interface vtun0
- protocol all
- source {
- group {
- address-group dangerous_machines
- }
- }
- type masquerade
- }
- rule 5002 {
- description "Exclude dangerous machines from open internet"
- destination {
- group {
- }
- }
- exclude
- log disable
- outbound-interface eth0
- protocol all
- source {
- group {
- address-group dangerous_machines
- }
- }
- type masquerade
- }
- rule 5010 {
- description "masquerade for WAN"
- log disable
- outbound-interface eth0
- type masquerade
- }
- }
- ssh {
- port 22
- protocol-version v2
- }
- }
- system {
- host-name ubnt
- login {
- [redacted]
- }
- name-server 127.0.0.1
- ntp {
- server 0.ubnt.pool.ntp.org {
- }
- server 1.ubnt.pool.ntp.org {
- }
- server 2.ubnt.pool.ntp.org {
- }
- server 3.ubnt.pool.ntp.org {
- }
- }
- syslog {
- global {
- facility all {
- level notice
- }
- facility protocols {
- level debug
- }
- }
- }
- time-zone UTC
- }
- vpn {
- ipsec {
- ipsec-interfaces {
- interface eth0
- }
- nat-networks {
- allowed-network 10.0.0.0/8 {
- }
- allowed-network 172.16.0.0/12 {
- }
- allowed-network 192.168.0.0/16 {
- }
- }
- nat-traversal enable
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement