firewall { | |
all-ping enable | |
broadcast-ping disable | |
config-trap disable | |
group { | |
address-group BareOS_Servers { | |
address xxx.xxx.141.13 | |
address xxx.xxx.141.2 | |
} | |
address-group Chollo { | |
address xxx.xxx.130.178 | |
address xxx.xxx.130.179 | |
address xxx.xxx.130.180 | |
address xxx.xxx.130.185 | |
address xxx.xxx.130.177 | |
address xxx.xxx.130.181 | |
} | |
address-group Chusma { | |
address xxx.xxx.130.172-xxx.xxx.130.175 | |
} | |
address-group children { | |
address xxx.xxx.130.172-xxx.xxx.130.180 | |
} | |
address-group deb-ubu-mirrors { | |
address xxx.xxx.53.171 | |
address xxx.xxx.132.32 | |
address xxx.xxx.242.89 | |
address xxx.xxx.132.250 | |
address xxx.xxx.149.233 | |
address xxx.xxx.112.204 | |
description "Debian/Ubuntu Mirrors" | |
} | |
address-group dmz_dns_ntp { | |
address xxx.xxx.129.2 | |
address xxx.xxx.129.6 | |
address xxx.xxx.129.1 | |
address xxx.xxx.129.5 | |
} | |
address-group dmz_infra_servers { | |
address xxx.xxx.129.2 | |
address xxx.xxx.129.5 | |
} | |
address-group fileservers { | |
address xxx.xxx.141.8 | |
address xxx.xxx.141.1 | |
} | |
address-group google_dns { | |
address xxx.xxx.8.8 | |
address xxx.xxx.4.4 | |
} | |
address-group int_dns_servers { | |
address xxx.xxx.141.3 | |
address xxx.xxx.141.15 | |
address xxx.xxx.141.20 | |
address xxx.xxx.141.1 | |
address xxx.xxx.141.8 | |
} | |
address-group int_ntp_servers { | |
address xxx.xxx.141.23-xxx.xxx.141.27 | |
address xxx.xxx.141.5-xxx.xxx.141.6 | |
address xxx.xxx.141.13 | |
description "Internal NTP Servers" | |
} | |
address-group kids_allowed_sites { | |
address xxx.xxx.73.6 | |
address xxx.xxx.250.108 | |
address xxx.xxx.129.2 | |
address xxx.xxx.73.26 | |
address xxx.xxx.210.28-xxx.xxx.210.30 | |
address xxx.xxx.121.147 | |
address xxx.xxx.87.51 | |
address xxx.xxx.194.31 | |
address xxx.xxx.157.111 | |
address xxx.xxx.11.203 | |
address xxx.xxx.201.147 | |
address xxx.xxx.116.200 | |
address xxx.xxx.223.41 | |
address xxx.xxx.168.12 | |
address xxx.xxx.43.217 | |
address xxx.xxx.157.112 | |
address xxx.xxx.40.64-xxx.xxx.40.90 | |
description "Permitted Sites for Kids" | |
} | |
address-group kids_banned_sites { | |
address xxx.xxx.162.5 | |
address xxx.xxx.35.232 | |
address xxx.xxx.139.0-xxx.xxx.139.255 | |
description "Sites that are banned for Kids" | |
} | |
address-group moxa_allowed_hosts { | |
address xxx.xxx.141.0-xxx.xxx.141.254 | |
address xxx.xxx.4.5 | |
address xxx.xxx.128.242-xxx.xxx.128.254 | |
description "Hosts allowed access to MOXA Serial Device Servers" | |
} | |
address-group moxa_nports { | |
address xxx.xxx.143.244 | |
address xxx.xxx.143.248 | |
description "MOXA Nport Serial Device Addresses" | |
} | |
address-group package_servers { | |
address xxx.xxx.10.36 | |
address xxx.xxx.103.38 | |
address xxx.xxx.103.41 | |
address xxx.xxx.13.129 | |
description "Package servers for Vyatta/Debian" | |
} | |
address-group radius_servers { | |
address xxx.xxx.141.20 | |
address xxx.xxx.141.62 | |
address xxx.xxx.141.8 | |
address xxx.xxx.141.1 | |
description "Internal RADIUS Servers" | |
} | |
address-group trusted_external_hosts { | |
address xxx.xxx.4.5 | |
address xxx.xxx.128.242-xxx.xxx.128.254 | |
address xxx.xxx.44.193-xxx.xxx.44.206 | |
address xxx.xxx.157.133 | |
address xxx.xxx.238.193-xxx.xxx.238.195 | |
address xxx.xxx.238.225 | |
address xxx.xxx.162.10 | |
address xxx.xxx.4.247 | |
address xxx.xxx.188.7 | |
description "Trusted External Hosts" | |
} | |
address-group ubiquiti { | |
address xxx.xxx.157.3 | |
address xxx.xxx.83.111 | |
address xxx.xxx.247.231 | |
address xxx.xxx.148.35 | |
address xxx.xxx.177.66 | |
address xxx.xxx.121.9 | |
description "Ubiquiti Networks Web" | |
} | |
network-group Martians { | |
description "Bogons from RFCs 1918 and 5735" | |
network xxx.xxx.0.0/8 | |
network xxx.xxx.0.0/12 | |
network xxx.xxx.0.0/16 | |
network xxx.xxx.0.0/8 | |
network xxx.xxx.0.0/16 | |
network xxx.xxx.2.0/24 | |
network xxx.xxx.0.0/15 | |
network xxx.xxx.0.0/4 | |
network xxx.xxx.0.0/24 | |
network xxx.xxx.99.0/24 | |
network xxx.xxx.100.0/24 | |
network xxx.xxx.113.0/24 | |
} | |
network-group Nets4-BlackList { | |
description "Blacklisted IPv4 Sources" | |
} | |
network-group amazonaws { | |
network xxx.xxx.192.0/19 | |
network xxx.xxx.0.0/15 | |
network xxx.xxx.141.53/32 | |
} | |
network-group blocked_nets_in { | |
description "Blocked Networks inbound" | |
network xxx.xxx.212.0/22 | |
network xxx.xxx.40.0/21 | |
network xxx.xxx.222.0/23 | |
network xxx.xxx.64.0/20 | |
network xxx.xxx.160.0/24 | |
network xxx.xxx.0.0/15 | |
} | |
network-group facebook { | |
description "Facebook AS32934 Networks" | |
network xxx.xxx.96.0/22 | |
network xxx.xxx.0.0/16 | |
network xxx.xxx.64.0/18 | |
network xxx.xxx.192.0/22 | |
network xxx.xxx.216.0/22 | |
network xxx.xxx.20.0/22 | |
network xxx.xxx.64.0/18 | |
network xxx.xxx.40.0/22 | |
network xxx.xxx.144.0/20 | |
network xxx.xxx.224.0/19 | |
network xxx.xxx.176.0/20 | |
network xxx.xxx.76.0/22 | |
} | |
network-group gaming { | |
description "Game Hosting IPs" | |
} | |
network-group geoblock { | |
description "GeoBlocked Networks" | |
} | |
network-group icdc-networks { | |
description "ICDC Internal Networks for IPSec" | |
} | |
network-group kids-machines { | |
description "Subnet range for Kids Machines" | |
network xxx.xxx.130.176/28 | |
} | |
network-group snort.org { | |
description "Snort.org C network" | |
network xxx.xxx.102.0/24 | |
network xxx.xxx.192.0/19 | |
network xxx.xxx.248.120/31 | |
} | |
network-group trusted_networks { | |
description "Networks considered Trustworthy" | |
network xxx.xxx.128.240/28 | |
network xxx.xxx.141.0/24 | |
network xxx.xxx.188.0/24 | |
network xxx.xxx.78.0/24 | |
} | |
network-group wikipedia { | |
description "Wikipedia Servers" | |
network xxx.xxx.174.0/24 | |
network xxx.xxx.152.0/22 | |
} | |
port-group CAPWAPP { | |
description "Lightweight Access Point Traffic" | |
port 12222-12223 | |
port 5246-5247 | |
} | |
port-group RTP_Media { | |
description "RTP Media Ports" | |
} | |
port-group XMPP { | |
port 5222 | |
port 5269 | |
port 5280 | |
port 443 | |
port 993 | |
port 5443 | |
port 80 | |
} | |
port-group cisco_ts_lines { | |
description "NM-32 Ports on Cisco Terminal Server" | |
port 2033-2064 | |
port 23 | |
} | |
port-group dmz_tcp_inbound { | |
description "Incoming TCP ports to DMZ" | |
port 25 | |
port 465 | |
port 80 | |
port 993 | |
port 587 | |
} | |
port-group dmz_tcp_outbound { | |
description "Outgoing TCP ports from DMZ" | |
port 25 | |
port 2703 | |
port 465 | |
port 80 | |
port 443 | |
} | |
port-group dmz_udp_outbound { | |
description "Outgoing UDP ports from DMZ" | |
port 123 | |
port 53 | |
port 6277 | |
} | |
port-group fileservice_ports { | |
port 548 | |
port 445 | |
} | |
port-group internet_to_fts { | |
description "Allowed ports from Internet to xxx.xxx.44.192/28" | |
port 22 | |
port 25 | |
port 80 | |
port 443 | |
port 465 | |
port 993 | |
port 2022 | |
port 8440-8450 | |
port 12000 | |
port 17283 | |
port 9080-9082 | |
port 5060-5061 | |
port 4444 | |
} | |
port-group mail { | |
description "Ports used for Mail" | |
port 25 | |
port 465 | |
port 587 | |
port 993 | |
} | |
port-group management { | |
description "Ports used for Management" | |
port 2022 | |
port 22 | |
port 443 | |
port 8443-8445 | |
} | |
port-group moxa_in { | |
description "MOXA Nport Inbound Ports for Serial Communication" | |
port 966-969 | |
port 950-953 | |
} | |
port-group moxa_out { | |
description "MOXA Nport Outbound Ports for Serial Communication" | |
port 950-953 | |
port 966-969 | |
} | |
port-group radius_ports { | |
port 1812-1813 | |
} | |
port-group steam { | |
port 27000-27040 | |
port 4379-4380 | |
port 3478 | |
} | |
port-group telephony_signalling { | |
description "SIP and IAX Ports" | |
port 4569 | |
port 5060-5080 | |
} | |
port-group web_redirection_ports { | |
description "Ports for HTTP redirection" | |
port 9080-9085 | |
} | |
} | |
ipv6-receive-redirects disable | |
ipv6-src-route disable | |
ip-src-route disable | |
log-martians enable | |
name DMZ_In { | |
default-action drop | |
description "Permit Bareos to Internal Server" | |
enable-default-log | |
rule 10 { | |
action accept | |
description "Allow Return packets from Originated connections" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 20 { | |
action accept | |
description "Allow TCP outbound from DNS/Mail Exchanger in DMZ" | |
destination { | |
group { | |
port-group dmz_tcp_outbound | |
} | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.1-xxx.xxx.129.2 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 30 { | |
action accept | |
description "Allow UDP outbound from DMZ Hosts" | |
destination { | |
group { | |
} | |
port 53,123,6277 | |
} | |
protocol udp | |
source { | |
group { | |
address-group dmz_dns_ntp | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 40 { | |
action accept | |
description "Permit DNS Zone Transfer from DMZ DNS" | |
destination { | |
port 53 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.1-xxx.xxx.129.2 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 50 { | |
action accept | |
description "Permit SIP Signalling from PBX" | |
destination { | |
} | |
disable | |
protocol udp | |
source { | |
address xxx.xxx.129.3 | |
port 5060 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 60 { | |
action accept | |
description "Permit IAX Signalling from PBX" | |
destination { | |
port 4569 | |
} | |
disable | |
protocol tcp | |
source { | |
address xxx.xxx.129.3 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 70 { | |
action accept | |
description "Permit syslog from DMZ Network" | |
destination { | |
port 514 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.129.0/27 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 80 { | |
action accept | |
description "Permit Traffic from WWWDMZ" | |
destination { | |
port 80 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.4-xxx.xxx.129.6 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 82 { | |
action accept | |
description "Permit Traffic from dmzservices" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
protocol tcp_udp | |
source { | |
address xxx.xxx.129.6 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 90 { | |
action accept | |
description "Allow TCP Outbound from PBXinaFlash" | |
destination { | |
port 80 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.5 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 92 { | |
action accept | |
description "Permit SIP/IAX/RTP/UDPTL udp from PBXinaFlash" | |
protocol udp | |
source { | |
address xxx.xxx.129.5 | |
port 4000-4999,4569,5060-5080,10000-20000 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 94 { | |
action accept | |
description "Permit IAX Signalling from PBX" | |
destination { | |
port 4569 | |
} | |
disable | |
protocol udp | |
source { | |
address xxx.xxx.129.5 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 96 { | |
action accept | |
description "TCP Outbound from PBXinaFlash" | |
protocol tcp | |
source { | |
address xxx.xxx.129.5 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 98 { | |
action accept | |
description "UDP Outbound from PBXinaFlash" | |
destination { | |
port 53,123,3478 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.129.5 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 100 { | |
action accept | |
description "Permit BareOS to Internal Server" | |
destination { | |
group { | |
address-group BareOS_Servers | |
} | |
port 9101,9103 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.0/27 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 110 { | |
action accept | |
description "Permit PBX to send CID to MediaCenter" | |
destination { | |
address xxx.xxx.141.156 | |
port 8080 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.5/32 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 120 { | |
action accept | |
description "Permit PBX to send CID to dreambox" | |
destination { | |
address xxx.xxx.141.14 | |
port 80 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.5/32 | |
} | |
state { | |
new enable | |
} | |
} | |
} | |
name DMZ_Out { | |
default-action drop | |
description "Traffic Inbound to DMZ" | |
enable-default-log | |
rule 10 { | |
action accept | |
description "Permit return packets from originated connections" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 15 { | |
action accept | |
description "Permit management ports from Trusted" | |
destination { | |
address xxx.xxx.129.0/27 | |
port 22,80,443,8083 | |
} | |
protocol tcp | |
source { | |
group { | |
network-group trusted_networks | |
} | |
} | |
} | |
rule 20 { | |
action accept | |
description "Permit Inbound TCP to DNS/Mail Exchanger in DMZ" | |
destination { | |
address xxx.xxx.129.1-xxx.xxx.129.2 | |
port 22,25,53,465,587,993 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 24 { | |
action accept | |
description "Permit Inbound TCP to PBXinaFlash in DMZ" | |
destination { | |
address xxx.xxx.129.5 | |
port 22,80,443,5060-5065 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 30 { | |
action accept | |
description "Permit Inbound UDP to DNS/Mail Exchanger in DMZ" | |
destination { | |
group { | |
address-group dmz_dns_ntp | |
} | |
port 53,123 | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 40 { | |
action accept | |
description "Permit DNS UDP replies" | |
destination { | |
address xxx.xxx.129.2 | |
} | |
protocol udp | |
source { | |
port 53 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 50 { | |
action accept | |
description "Permit Inbound SIP Signalling to PBX" | |
destination { | |
address xxx.xxx.129.3 | |
port 5060-5080,10000-20000 | |
} | |
disable | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 52 { | |
action accept | |
description "Permit Inbound SIP/IAX/RTP/UDPTL to PBXinaFlash" | |
destination { | |
address xxx.xxx.129.5 | |
port 4000-4999,4569,5060-5080,10000-20000 | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 60 { | |
action accept | |
description "Permit Inbound IAX Signalling to PBX" | |
destination { | |
address xxx.xxx.129.3 | |
port 80,443,4569 | |
} | |
disable | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 70 { | |
action accept | |
description "Permit Traffic to DMZServices" | |
destination { | |
address xxx.xxx.129.6 | |
port 53,80,443,993,5222,5269,5280,5443,8083,8888,9050 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 80 { | |
action accept | |
description "Permit Traffic to WWWDMZ" | |
destination { | |
address xxx.xxx.129.4 | |
port 22,80 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 88 { | |
action accept | |
description "Permit SNMP from Internal for Monitoring" | |
destination { | |
address xxx.xxx.129.0/27 | |
port 161 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
} | |
rule 90 { | |
action accept | |
description "Permit ICMP from internal for monitoring" | |
destination { | |
address xxx.xxx.129.0/27 | |
} | |
icmp { | |
code 0 | |
type 8 | |
} | |
protocol icmp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
} | |
rule 100 { | |
action accept | |
description "Permit bareos-dir to connect to bareos-fd in DMZ" | |
destination { | |
address xxx.xxx.129.0/27 | |
port 9102 | |
} | |
protocol tcp | |
source { | |
group { | |
address-group BareOS_Servers | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
} | |
name Internet2Local { | |
default-action drop | |
enable-default-log | |
rule 10 { | |
action drop | |
description "Drop DHCP Traffic" | |
destination { | |
port 68 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.0.1 | |
port 67 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 20 { | |
action accept | |
description "Allow Incoming Path MTU Discovery (destination-unreachable/fragmentation-needed)" | |
icmp { | |
code 4 | |
type 3 | |
} | |
protocol icmp | |
state { | |
new enable | |
} | |
} | |
rule 22 { | |
action accept | |
description "Allow Incoming Source Quench" | |
icmp { | |
type-name source-quench | |
} | |
protocol icmp | |
state { | |
new enable | |
} | |
} | |
rule 24 { | |
action accept | |
description "Allow Inbound Echo-Request" | |
icmp { | |
type-name echo-request | |
} | |
protocol icmp | |
state { | |
new enable | |
} | |
} | |
rule 26 { | |
action accept | |
description "Allow Inbound Echo-Request" | |
protocol icmp | |
} | |
rule 86 { | |
action accept | |
description "Permit IPSec ESP" | |
protocol esp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 88 { | |
action accept | |
description "Allow VPN Termination" | |
destination { | |
port 500,1194,4500,51820,51821 | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 90 { | |
action accept | |
description "Permit IPSec Encapsulated Packets" | |
ipsec { | |
match-ipsec | |
} | |
} | |
rule 100 { | |
action accept | |
description "Allow Vyatta to do DNS lookups" | |
protocol udp | |
source { | |
port 53 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 120 { | |
action accept | |
description "Allow Vyatta to NTP on Internet" | |
protocol udp | |
source { | |
port 123 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 150 { | |
action accept | |
description "Allow Trusted External Hosts Management Access" | |
destination { | |
port 2022,8443 | |
} | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
} | |
rule 160 { | |
action accept | |
description "Permit Download of Snort.org rulesets" | |
protocol tcp | |
source { | |
group { | |
network-group snort.org | |
} | |
port 80,443 | |
} | |
} | |
rule 165 { | |
action accept | |
description "Permit http and https downloads" | |
protocol tcp | |
source { | |
port 43,80,443 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 170 { | |
action accept | |
disable | |
protocol tcp | |
source { | |
group { | |
address-group package_servers | |
} | |
port 80,443 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 180 { | |
action accept | |
description "Allow dynamic DNS replies from dynupdate.no-ip.com" | |
protocol tcp | |
source { | |
address xxx.xxx.224.120 | |
port 443 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 185 { | |
action accept | |
description "Allow dynamic DNS replies from updates.dnsomatic.com" | |
protocol tcp | |
source { | |
address xxx.xxx.92.215 | |
port 443 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 190 { | |
action accept | |
description "Permit Inbound OSCam" | |
destination { | |
port 17283 | |
} | |
disable | |
protocol tcp | |
source { | |
address xxx.xxx.0.0/0 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 500 { | |
action accept | |
icmp { | |
type 8 | |
} | |
protocol icmp | |
source { | |
address xxx.xxx.2.0/26 | |
} | |
} | |
} | |
name Internet_In { | |
default-action drop | |
description "Traffic Permitted Inbound from Internet" | |
enable-default-log | |
rule 1 { | |
action accept | |
description "Allow Return packets from Originated connections" | |
disable | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 3 { | |
action drop | |
description "Block Networks based on Geo-Location" | |
protocol all | |
source { | |
group { | |
network-group geoblock | |
} | |
} | |
state { | |
established disable | |
new enable | |
related disable | |
} | |
} | |
rule 4 { | |
action drop | |
description "Block Networks on Blacklist" | |
protocol all | |
source { | |
group { | |
network-group Nets4-BlackList | |
} | |
} | |
state { | |
established disable | |
new enable | |
related disable | |
} | |
} | |
rule 5 { | |
action drop | |
description "Block Banned Networks" | |
protocol all | |
source { | |
group { | |
network-group blocked_nets_in | |
} | |
} | |
state { | |
established disable | |
new enable | |
related disable | |
} | |
} | |
rule 7 { | |
action drop | |
description "Drop SMTP to PBX" | |
destination { | |
address xxx.xxx.129.5 | |
port 25 | |
} | |
protocol tcp | |
} | |
rule 9 { | |
action drop | |
description "Drop Unwanted Packets" | |
destination { | |
port 23,135-139,445,1433,1434,3306 | |
} | |
protocol tcp_udp | |
} | |
rule 10 { | |
action accept | |
description "Allow Return packets from Originated connections" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 12 { | |
action accept | |
description "Allow ICMP Destination Unreachable" | |
icmp { | |
code 4 | |
type 3 | |
} | |
protocol icmp | |
state { | |
new enable | |
} | |
} | |
rule 14 { | |
action accept | |
description "Allow ICMP Source Quench" | |
icmp { | |
type-name source-quench | |
} | |
protocol icmp | |
state { | |
new enable | |
} | |
} | |
rule 16 { | |
action accept | |
description "Allow ICMP Echo-Request" | |
icmp { | |
type-name echo-request | |
} | |
protocol icmp | |
state { | |
new enable | |
} | |
} | |
rule 20 { | |
action accept | |
description "Allow ESP (IPsec) to FTS Public Internet" | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
protocol esp | |
} | |
rule 22 { | |
action accept | |
description "Allow isakmp+openvpn to FTS Public Internet" | |
destination { | |
address xxx.xxx.44.192/28 | |
port 500,1194 | |
} | |
protocol udp | |
} | |
rule 26 { | |
action accept | |
description "Permit IPSec encapsulated packets from Apartment Spain" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.79.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 28 { | |
action accept | |
description "Permit IPSec encapsulated packets from ADDM" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.32.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 30 { | |
action accept | |
description "Permit IPSec encapsulated packets from ICDC" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.45.0/22 | |
group { | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 32 { | |
action accept | |
description "Permit IPSec encapsulated packets from DiCandilo Berwyn" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.1.0/24 | |
group { | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 34 { | |
action accept | |
description "Permit IPSec encapsulated packets from Securosys" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.171.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 36 { | |
action accept | |
description "Permit IPSec encapsulated packets from test networks xxx.xxx.176.0/20" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.176.0/20 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 37 { | |
action accept | |
description "Permit IPSec encap packets from ACP AG Internal" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.2.0/23 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 38 { | |
action accept | |
description "Permit IPSec encap packets from ACP AG DMZ" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.7.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 40 { | |
action accept | |
description "Allow DNS UDP traffic to FTS Public Internet" | |
destination { | |
address xxx.xxx.44.192/28 | |
port 53 | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 42 { | |
action accept | |
description "Allow DNS TCP traffic to FTS Public Internet" | |
destination { | |
address xxx.xxx.44.192/28 | |
port 53 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 44 { | |
action accept | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
protocol udp | |
source { | |
port 53 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 46 { | |
action accept | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
protocol tcp | |
source { | |
port 53 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 48 { | |
action accept | |
description "Allow DNS UDP to DMZ" | |
destination { | |
address xxx.xxx.129.2 | |
port 53 | |
} | |
protocol udp | |
state { | |
new enable | |
related enable | |
} | |
} | |
rule 49 { | |
action accept | |
description "Allow DNS TCP (Zone XFER) to DMZ" | |
destination { | |
address xxx.xxx.129.2 | |
port 53 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 50 { | |
action accept | |
description "Allow NTP Traffic to FTS Public Internet" | |
destination { | |
address xxx.xxx.44.192/28 | |
port 123 | |
} | |
protocol udp | |
state { | |
new enable | |
related enable | |
} | |
} | |
rule 52 { | |
action accept | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
protocol udp | |
source { | |
port 123 | |
} | |
state { | |
new enable | |
related enable | |
} | |
} | |
rule 54 { | |
action accept | |
description "Permit Inbound NTP to DMZ" | |
destination { | |
address xxx.xxx.129.1-xxx.xxx.129.2 | |
port 123 | |
} | |
protocol udp | |
state { | |
new enable | |
} | |
} | |
rule 56 { | |
action accept | |
description "Permit Inbound NTP to internal NTP server" | |
destination { | |
group { | |
address-group int_ntp_servers | |
} | |
port 123 | |
} | |
protocol udp | |
state { | |
new enable | |
} | |
} | |
rule 60 { | |
action accept | |
description "TCP Traffic Inbound Permitted to xxx.xxx.44.192/28" | |
destination { | |
address xxx.xxx.44.192/28 | |
group { | |
port-group internet_to_fts | |
} | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 62 { | |
action accept | |
description "Allow access to Minecraft server" | |
destination { | |
address xxx.xxx.141.158 | |
port 25565 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 70 { | |
action accept | |
description "Allow SIP/IAX2/RTP Incoming" | |
destination { | |
address xxx.xxx.44.192/28 | |
port 4569,5060-5080,10000-20000 | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 72 { | |
action accept | |
description "Permit Inbound SIP/IAX/RTP/UDPTL to PBX in DMZ UDP" | |
destination { | |
address xxx.xxx.129.5 | |
port 4000-4999,4569,5060-5080,10000-20000 | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 74 { | |
action accept | |
description "Permit Inbound TCP SIP/SIP-TLS to PBX in DMZ" | |
destination { | |
address xxx.xxx.129.5 | |
port 5060-5065 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 76 { | |
action accept | |
description "Permit RTP Audio Inbound" | |
destination { | |
group { | |
port-group RTP_Media | |
} | |
} | |
protocol udp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 80 { | |
action accept | |
description "Permit Inbound Mail Traffic to Mail Server DMZ" | |
destination { | |
address xxx.xxx.129.1-xxx.xxx.129.2 | |
group { | |
port-group mail | |
} | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 82 { | |
action accept | |
description "Permit ssh to Mail Exchange" | |
destination { | |
address xxx.xxx.129.2 | |
port 22 | |
} | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 84 { | |
action accept | |
description "Permit Trusted External hosts Askozia Management (HTTPS)" | |
destination { | |
address xxx.xxx.129.3 | |
port 80,443 | |
} | |
disable | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 85 { | |
action accept | |
description "Permit Trusted External hosts PBXinaFlash Management" | |
destination { | |
address xxx.xxx.129.5 | |
port 22,80,443,9001 | |
} | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 86 { | |
action accept | |
description "Permit Inbound WWW to DMZ WWW" | |
destination { | |
address xxx.xxx.129.4 | |
port 80 | |
} | |
disable | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 90 { | |
action accept | |
description "Permit XMPP/Jabber to DMZServices" | |
destination { | |
address xxx.xxx.129.6 | |
group { | |
port-group XMPP | |
} | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 92 { | |
action accept | |
description "Permit access to TOR Proxy from Trusted External Hosts" | |
destination { | |
address xxx.xxx.129.6 | |
port 9050 | |
} | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 100 { | |
action accept | |
description "Allow ICMP Echo Requests from ETH (Smokeping)" | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
icmp { | |
type 8 | |
} | |
protocol icmp | |
source { | |
address xxx.xxx.2.0/26 | |
} | |
} | |
rule 110 { | |
action accept | |
description "Allow ICMP Echo Replies" | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
icmp { | |
type 0 | |
} | |
protocol icmp | |
} | |
rule 150 { | |
action accept | |
description "Permit Inbound Web Redirection (Zenoss)" | |
destination { | |
address xxx.xxx.141.30 | |
port 8080 | |
} | |
disable | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 154 { | |
action accept | |
description "Permit Inbound Web Redirection (New Server)" | |
destination { | |
address xxx.xxx.141.3 | |
port 80 | |
} | |
disable | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 158 { | |
action accept | |
description "Permit Inbound Web Redirection" | |
destination { | |
address xxx.xxx.141.114 | |
port 80 | |
} | |
disable | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 165 { | |
action accept | |
description "Permit Inbound MOXA Nport Redirection" | |
destination { | |
group { | |
address-group moxa_nports | |
} | |
port 950-969 | |
} | |
protocol tcp | |
source { | |
group { | |
address-group trusted_external_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 900 { | |
action accept | |
description "Permit Inbound NewCS Cardsharing" | |
destination { | |
address xxx.xxx.141.3 | |
port 12000 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 910 { | |
action accept | |
description "Permit IMAP/S Test to vmail" | |
destination { | |
address xxx.xxx.141.17 | |
port 993 | |
} | |
protocol tcp | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
} | |
name Internet_Out { | |
default-action drop | |
description "Traffic Permitted Outbound to Internet" | |
enable-default-log | |
rule 4 { | |
action drop | |
description "Deny Kids Banned Sites" | |
destination { | |
group { | |
address-group kids_banned_sites | |
} | |
} | |
} | |
rule 6 { | |
action drop | |
description "Deny Outbound Minecraft" | |
destination { | |
port 25565 | |
} | |
log enable | |
protocol tcp | |
} | |
rule 10 { | |
action drop | |
description "Drop Facebook" | |
destination { | |
group { | |
network-group facebook | |
} | |
} | |
disable | |
log enable | |
} | |
rule 15 { | |
action drop | |
description "Drop Gaming" | |
destination { | |
group { | |
network-group gaming | |
} | |
} | |
log enable | |
time { | |
starttime xxxx:xxxx:00 | |
stoptime xxxx:xxxx:00 | |
weekdays Mon,Tue,Wed,Thu,Fri | |
} | |
} | |
rule 99 { | |
action accept | |
description "Allow outgoing connections originated through firewall" | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 100 { | |
action accept | |
description "Permit traffic to ADDM" | |
destination { | |
address xxx.xxx.32.0/24 | |
} | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 110 { | |
action accept | |
description "Permit traffic to ICDC" | |
destination { | |
address xxx.xxx.47.0/22 | |
group { | |
} | |
} | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 120 { | |
action accept | |
description "Permit traffic to Securosys" | |
destination { | |
address xxx.xxx.171.0/24 | |
} | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 9000 { | |
action accept | |
log enable | |
source { | |
address xxx.xxx.44.192/28 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
} | |
name Management_In { | |
default-action drop | |
enable-default-log | |
rule 20 { | |
action drop | |
description "Drop UPnP" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
port 1900 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 30 { | |
action accept | |
description "Allow return packets from UniFi Controller to OpenHAB" | |
destination { | |
address xxx.xxx.142.5 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.129 | |
port 8443 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 40 { | |
action accept | |
description "Allow RTP/RTSP Streams from Cameras" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 50 { | |
action accept | |
description "Allow NTP queries from Management hosts" | |
destination { | |
group { | |
address-group int_ntp_servers | |
} | |
port 123 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 60 { | |
action accept | |
description "Allow DNS queries from Management hosts" | |
destination { | |
group { | |
address-group int_dns_servers | |
} | |
port 53 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 70 { | |
action accept | |
description "Allow Management hosts to send email alerts via DNS SMTP" | |
destination { | |
address xxx.xxx.129.2 | |
port 25 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 80 { | |
action accept | |
description "Allow SNMP query return packets" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
port 161 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 82 { | |
action accept | |
description "Allow Management Hosts to send SNMP Traps/Syslog/SFlow packets" | |
destination { | |
address xxx.xxx.141.0/24 | |
port 162,514,6343 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 84 { | |
action accept | |
description "Allow icmp replies to internal" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
protocol icmp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 86 { | |
action accept | |
description "Allow return packets from management ports on Management Network" | |
destination { | |
group { | |
network-group trusted_networks | |
} | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.0/24 | |
port 22,23,80,443,7578,8080,8443,9292 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 88 { | |
action accept | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.251 | |
group { | |
port-group cisco_ts_lines | |
} | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 90 { | |
action accept | |
destination { | |
group { | |
address-group radius_servers | |
port-group radius_ports | |
} | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 100 { | |
action accept | |
destination { | |
address xxx.xxx.47.0/24 | |
} | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 110 { | |
action accept | |
destination { | |
address xxx.xxx.32.0/24 | |
} | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 120 { | |
action accept | |
description "Allow IPMI KVMoverIP" | |
destination { | |
group { | |
network-group trusted_networks | |
} | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.0/24 | |
port 5900-5901,5120 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 122 { | |
action accept | |
description "Allow IPMI Serial over IP" | |
destination { | |
group { | |
network-group trusted_networks | |
} | |
} | |
protocol udp | |
source { | |
address xxx.xxx.143.0/24 | |
port 623 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 160 { | |
action accept | |
destination { | |
group { | |
address-group moxa_allowed_hosts | |
} | |
} | |
protocol tcp | |
source { | |
group { | |
address-group moxa_nports | |
port-group moxa_in | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 170 { | |
action accept | |
description "Allow Management access to LDAP,KRB5,SMB" | |
destination { | |
group { | |
network-group trusted_networks | |
} | |
port 88,464,445 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 200 { | |
action accept | |
description "Allow Management Access to Debian/Ubuntu Mirrors" | |
destination { | |
group { | |
address-group deb-ubu-mirrors | |
} | |
port 80,443 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 210 { | |
action accept | |
description "Allow Unifi Server access to UBNT Mirrors" | |
destination { | |
group { | |
address-group ubiquiti | |
} | |
port 80,443 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.143.129 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
} | |
name Management_Out { | |
default-action drop | |
enable-default-log | |
rule 10 { | |
action accept | |
description "Allow Established and Related Connections" | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
protocol all | |
source { | |
address xxx.xxx.0.0/0 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 60 { | |
action accept | |
description "Permit Access from OpenHAB to UniFi Controller" | |
destination { | |
address xxx.xxx.143.129 | |
port 8443 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.142.5 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 70 { | |
action accept | |
description "Permit return SMTP packets" | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.129.2 | |
port 25 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 80 { | |
action accept | |
description "Permit SNMP access to subnet" | |
destination { | |
address xxx.xxx.143.0/24 | |
port 161,554,5556,5557 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 82 { | |
action accept | |
description "Allow ICMP from Internal" | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
protocol icmp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 84 { | |
action accept | |
description "Permit access to management ports on management network" | |
destination { | |
address xxx.xxx.143.0/24 | |
port 22,23,80,443,8080,8443,9292,554,5556,5557 | |
} | |
protocol tcp | |
source { | |
group { | |
network-group trusted_networks | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 85 { | |
action accept | |
destination { | |
address xxx.xxx.143.251 | |
group { | |
port-group cisco_ts_lines | |
} | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 90 { | |
action accept | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
log enable | |
protocol udp | |
source { | |
group { | |
address-group radius_servers | |
} | |
port 1812 | |
} | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 95 { | |
action accept | |
description "Permit OpenVPN clients access to Management Network" | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
source { | |
group { | |
network-group trusted_networks | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 100 { | |
action accept | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.47.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 110 { | |
action accept | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
ipsec { | |
match-ipsec | |
} | |
source { | |
address xxx.xxx.32.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 120 { | |
action accept | |
description "Permit NTP return packets" | |
destination { | |
address xxx.xxx.143.0/24 | |
} | |
protocol udp | |
source { | |
port 123 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 160 { | |
action accept | |
description "Allow Trusted External Hosts access to MOXA Serial Ports" | |
destination { | |
group { | |
address-group moxa_nports | |
port-group moxa_out | |
} | |
} | |
protocol tcp | |
source { | |
group { | |
address-group moxa_allowed_hosts | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
} | |
name PublicAccess_In { | |
default-action drop | |
description "Traffic from PublicAccess Outbound" | |
enable-default-log | |
rule 35 { | |
action drop | |
description "Disable UPnP Discovery" | |
destination { | |
port 1900 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 36 { | |
action drop | |
description "Drop Google DNS Queries" | |
destination { | |
group { | |
address-group google_dns | |
} | |
port 53 | |
} | |
protocol tcp_udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 42 { | |
action accept | |
description "Allow access to proxy in DMZ" | |
destination { | |
address xxx.xxx.129.6 | |
port 80,443,9050 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 44 { | |
action accept | |
description "Allow Access to Fileservers" | |
destination { | |
group { | |
address-group fileservers | |
port-group fileservice_ports | |
} | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 48 { | |
action accept | |
description "Allow access to Jellyfin Server" | |
destination { | |
address xxx.xxx.141.2 | |
port 8096 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 50 { | |
action drop | |
description "Time-based Permit for Chollo Gamer PC" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
log disable | |
source { | |
address xxx.xxx.130.179 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
time { | |
starttime xxxx:xxxx:00 | |
stoptime xxxx:xxxx:00 | |
weekdays Sun,Mon,Tue,Wed,Thu,Fri,Sat | |
} | |
} | |
rule 54 { | |
action drop | |
description "Block Steam Gaming" | |
destination { | |
address xxx.xxx.0.0/0 | |
group { | |
port-group steam | |
} | |
} | |
disable | |
log enable | |
protocol all | |
source { | |
group { | |
address-group Chollo | |
} | |
} | |
state { | |
new enable | |
} | |
} | |
rule 65 { | |
action accept | |
description "Open access for xxx.xxx.130.224/27" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
protocol all | |
source { | |
address xxx.xxx.130.224/27 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 70 { | |
action accept | |
description "Allow return packets from Web Servers on Public_Access net" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
port 23,80 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 80 { | |
action accept | |
description "Allow management (UDP) traffic out" | |
destination { | |
address xxx.xxx.141.0/24 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.130.0/24 | |
port 161,514 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 90 { | |
action accept | |
description "Allow APs to speak LWAPP/CAPWAP to Cisco WLC Controller" | |
destination { | |
address xxx.xxx.141.244 | |
group { | |
port-group CAPWAPP | |
} | |
} | |
disable | |
protocol udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
new enable | |
} | |
} | |
rule 100 { | |
action drop | |
description "Deny Children after 11pm Schoolnights" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
disable | |
log enable | |
source { | |
group { | |
address-group children | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
time { | |
starttime xxxx:xxxx:00 | |
stoptime xxxx:xxxx:00 | |
weekdays !Fri,Sat | |
} | |
} | |
rule 102 { | |
action drop | |
description "Deny Children LateNight" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
disable | |
log enable | |
source { | |
group { | |
address-group children | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
time { | |
starttime xxxx:xxxx:00 | |
stoptime xxxx:xxxx:00 | |
} | |
} | |
rule 115 { | |
action accept | |
description "Allow Outbound UDP (DNS/NTP/DHCP/IAX)" | |
destination { | |
address xxx.xxx.0.0/0 | |
port 53,67,68,123,4569 | |
} | |
protocol udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 200 { | |
action accept | |
description "Allow access to Google Play Services" | |
destination { | |
address xxx.xxx.0.0/0 | |
port 5228 | |
} | |
disable | |
protocol tcp_udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 1006 { | |
action accept | |
description "Allow Chusma" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
protocol all | |
source { | |
group { | |
address-group Chusma | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 1008 { | |
action accept | |
description "Allow Chollo" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
protocol all | |
source { | |
group { | |
address-group Chollo | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
rule 1030 { | |
action accept | |
description "Weekday Time-based Permit for Chollo" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
disable | |
log disable | |
source { | |
group { | |
address-group Chollo | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
time { | |
starttime xxxx:xxxx:00 | |
stoptime xxxx:xxxx:00 | |
weekdays Mon,Tue,Wed,Thu,Fri | |
} | |
} | |
rule 1035 { | |
action accept | |
description "Weekend Time-based Permit for Chollo" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
disable | |
log disable | |
source { | |
group { | |
address-group Chollo | |
} | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
time { | |
starttime xxxx:xxxx:00 | |
stoptime xxxx:xxxx:00 | |
weekdays Sat,Sun | |
} | |
} | |
rule 1040 { | |
action accept | |
description "Allowed outbound for Chollo" | |
destination { | |
address xxx.xxx.0.0/0 | |
port 80,443,587,993,5222 | |
} | |
log disable | |
protocol tcp | |
source { | |
group { | |
address-group Chollo | |
} | |
} | |
state { | |
established enable | |
new enable | |
} | |
} | |
rule 9000 { | |
action accept | |
description "Allow Random DHCP Clients" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
protocol all | |
source { | |
address xxx.xxx.130.192-xxx.xxx.130.221 | |
} | |
state { | |
established enable | |
new enable | |
related enable | |
} | |
} | |
} | |
name PublicAccess_Out { | |
default-action drop | |
description "Traffic Inbound to PublicAccess" | |
enable-default-log | |
rule 100 { | |
action accept | |
description "Permit return packets from originated connections" | |
state { | |
established enable | |
related enable | |
} | |
} | |
rule 500 { | |
action accept | |
destination { | |
address xxx.xxx.130.0/24 | |
} | |
protocol all | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
} | |
} | |
receive-redirects disable | |
send-redirects enable | |
source-validation disable | |
state-policy { | |
invalid { | |
action drop | |
} | |
} | |
syn-cookies enable | |
twa-hazards-protection disable | |
} | |
interfaces { | |
ethernet eth0 { | |
address xxx.xxx.129.30/27 | |
description DMZ | |
duplex auto | |
firewall { | |
in { | |
name DMZ_In | |
} | |
out { | |
name DMZ_Out | |
} | |
} | |
hw-id XX:XX:XX:XX:XX:30 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
} | |
ethernet eth1 { | |
address xxx.xxx.130.254/24 | |
description "Public Access" | |
duplex auto | |
firewall { | |
in { | |
name PublicAccess_In | |
} | |
out { | |
name PublicAccess_Out | |
} | |
} | |
hw-id XX:XX:XX:XX:XX:31 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
traffic-policy { | |
out ShapePublicOutbound | |
} | |
} | |
ethernet eth2 { | |
address xxx.xxx.141.254/24 | |
description Internal | |
duplex auto | |
hw-id XX:XX:XX:XX:XX:32 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
} | |
ethernet eth3 { | |
address xxx.xxx.143.254/24 | |
description Management | |
duplex auto | |
firewall { | |
in { | |
name Management_In | |
} | |
out { | |
name Management_Out | |
} | |
} | |
hw-id XX:XX:XX:XX:XX:33 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
} | |
ethernet eth4 { | |
address xxx.xxx.44.193/28 | |
address xxx.xxx.44.200/28 | |
address xxx.xxx.44.201/28 | |
address xxx.xxx.44.197/28 | |
description "FTS Public Internet Subnet" | |
duplex auto | |
hw-id XX:XX:XX:XX:XX:34 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
} | |
ethernet eth5 { | |
address xxx.xxx.62.21/27 | |
description InternetUplink | |
duplex auto | |
firewall { | |
in { | |
name Internet_In | |
} | |
local { | |
name Internet2Local | |
} | |
out { | |
name Internet_Out | |
} | |
} | |
hw-id XX:XX:XX:XX:XX:35 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
} | |
ethernet eth6 { | |
address xxx.xxx.142.254/24 | |
description IoT | |
duplex auto | |
hw-id XX:XX:XX:XX:XX:36 | |
mtu 9000 | |
smp-affinity auto | |
speed auto | |
} | |
loopback lo { | |
} | |
openvpn vtun0 { | |
description "OpenVPN Endpoint" | |
encryption aes256 | |
hash sha512 | |
local-host xxxxx.tld | |
local-port 1194 | |
mode server | |
openvpn-option "--comp-lzo --push dhcp-option DOMAIN feigin.com --push dhcp-option DNS xxx.xxx.141.20 --push route xxx.xxx.140.0 xxx.xxx.252.0 --push route xxx.xxx.130.0 xxx.xxx.255.0 --push route xxx.xxx.129.0 xxx.xxx.255.224" | |
protocol udp | |
server { | |
subnet xxx.xxx.128.240/28 | |
} | |
tls { | |
ca-cert-file xxxxxx | |
cert-file xxxxxx | |
dh-file xxxxxx | |
key-file xxxxxx | |
} | |
} | |
wireguard wg01 { | |
address xxx.xxx.188.1/24 | |
description "Wireguard Endpoint" | |
peer GalaxyS7 { | |
allowed-ips xxx.xxx.188.3/32 | |
persistent-keepalive 15 | |
pubkey **************** | |
} | |
peer Hospitalet { | |
allowed-ips xxx.xxx.78.0/24 | |
allowed-ips xxx.xxx.188.2/32 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
peer OpenWRT-Test { | |
allowed-ips xxx.xxx.188.9/32 | |
allowed-ips xxx.xxx.83.0/24 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
peer OpenWRT-zbt826 { | |
allowed-ips xxx.xxx.188.6/32 | |
allowed-ips xxx.xxx.84.0/24 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
peer PocoF3 { | |
allowed-ips xxx.xxx.188.4/32 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
peer XiaoMiNote5 { | |
allowed-ips xxx.xxx.188.5/32 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
peer ayahuasca { | |
allowed-ips xxx.xxx.188.7/32 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
peer x230 { | |
allowed-ips xxx.xxx.188.10/32 | |
persistent-keepalive 15 | |
preshared-key **************** | |
pubkey **************** | |
} | |
port 51820 | |
} | |
wireguard wg02 { | |
address xxx.xxx.0.2/24 | |
description "ACP site-to-site" | |
peer xxxxx.tld { | |
allowed-ips xxx.xxx.0.0/24 | |
allowed-ips xxx.xxx.2.0/23 | |
allowed-ips xxx.xxx.7.0/24 | |
preshared-key **************** | |
pubkey **************** | |
} | |
port 51821 | |
} | |
} | |
nat { | |
destination { | |
rule 20 { | |
description "Redirect Inbound SMTP" | |
destination { | |
address xxx.xxx.44.193 | |
port 25 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.2 | |
port 25 | |
} | |
} | |
rule 22 { | |
description "Redirect Inbound SMTP/S" | |
destination { | |
address xxx.xxx.44.193 | |
port 465 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.2 | |
port 465 | |
} | |
} | |
rule 23 { | |
description "Redirect Inbound SMTP Submission" | |
destination { | |
address xxx.xxx.44.193 | |
port 587 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.2 | |
port 587 | |
} | |
} | |
rule 24 { | |
description "Redirect Inbound IMAPS" | |
destination { | |
address xxx.xxx.44.193 | |
port 993 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.141.17 | |
port 993 | |
} | |
} | |
rule 26 { | |
description "Redirect inbound SSH" | |
destination { | |
address xxx.xxx.44.193 | |
port 22 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.2 | |
port 22 | |
} | |
} | |
rule 30 { | |
description "Redirect Inbound HTTPS to xxx.xxx.62.21" | |
destination { | |
address xxx.xxx.62.21 | |
port 443 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 443 | |
} | |
} | |
rule 32 { | |
description "Redirect Inbound HTTPS for xxx.xxx.44.193" | |
destination { | |
address xxx.xxx.44.193 | |
port 443 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 443 | |
} | |
} | |
rule 34 { | |
description "Redirect Inbound HTTP for xxx.xxx.62.21" | |
destination { | |
address xxx.xxx.62.21 | |
port 80 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 80 | |
} | |
} | |
rule 36 { | |
description "Redirect Inbound HTTP for xxx.xxx.44.193" | |
destination { | |
address xxx.xxx.44.193 | |
port 80 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 80 | |
} | |
} | |
rule 40 { | |
description "Redirect Inbound DNS UDP" | |
destination { | |
address xxx.xxx.44.193 | |
port 53 | |
} | |
inbound-interface eth5 | |
protocol udp | |
translation { | |
address xxx.xxx.129.2 | |
port 53 | |
} | |
} | |
rule 42 { | |
description "Redirect Inbound DNS TCP" | |
destination { | |
address xxx.xxx.44.193 | |
port 53 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.2 | |
port 53 | |
} | |
} | |
rule 44 { | |
description "Redirect Inbound NTP" | |
destination { | |
address xxx.xxx.62.21 | |
port 123 | |
} | |
inbound-interface eth5 | |
protocol udp | |
translation { | |
address xxx.xxx.141.13 | |
port 123 | |
} | |
} | |
rule 50 { | |
description "Inbound Web Redirect 9080" | |
destination { | |
address xxx.xxx.44.193 | |
port 9080 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.141.3 | |
port 80 | |
} | |
} | |
rule 52 { | |
description "Inbound Web Redirect 9081->8080(Zenoss)" | |
destination { | |
address xxx.xxx.44.193 | |
port 9081 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.141.30 | |
port 8080 | |
} | |
} | |
rule 54 { | |
description "Inbound Web Redirect 9082 -> Test MythTV Backend" | |
destination { | |
address xxx.xxx.44.193 | |
port 9082 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.141.114 | |
port 80 | |
} | |
} | |
rule 56 { | |
description "Inbound Web Redirect 9083 -> OSCam" | |
destination { | |
address xxx.xxx.44.193 | |
port 9083 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.141.3 | |
port 8443 | |
} | |
} | |
rule 60 { | |
description "Redirect Inbound DNS for old server (Temporary)" | |
destination { | |
address xxx.xxx.44.194 | |
port 53 | |
} | |
inbound-interface eth5 | |
protocol udp | |
translation { | |
address xxx.xxx.129.2 | |
port 53 | |
} | |
} | |
rule 76 { | |
description "1:1 Inbound NAT PBXinaFlash" | |
destination { | |
address xxx.xxx.44.201 | |
} | |
inbound-interface eth5 | |
translation { | |
address xxx.xxx.129.5 | |
} | |
} | |
rule 78 { | |
description "1:1 Inbound NAT PBXinaFlash for FTS Subnet" | |
destination { | |
address xxx.xxx.44.201 | |
} | |
inbound-interface eth4 | |
translation { | |
address xxx.xxx.129.5 | |
} | |
} | |
rule 84 { | |
description "Reflection Rule Inside->Outside:SMTP" | |
destination { | |
address xxx.xxx.44.193 | |
port 25 | |
} | |
inbound-interface eth2 | |
protocol tcp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address xxx.xxx.129.2 | |
port 25 | |
} | |
} | |
rule 85 { | |
description "Reflection Rule Inside->Outside:Submission" | |
destination { | |
address xxx.xxx.44.193 | |
port 587 | |
} | |
inbound-interface eth2 | |
protocol tcp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address xxx.xxx.129.2 | |
port 587 | |
} | |
} | |
rule 86 { | |
description "Reflection Rule Inside->Outside:SMTP/S" | |
destination { | |
address xxx.xxx.44.193 | |
port 465 | |
} | |
inbound-interface eth2 | |
protocol tcp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address xxx.xxx.129.2 | |
port 465 | |
} | |
} | |
rule 88 { | |
description "Reflection Rule Public->Outside:SMTP" | |
destination { | |
address xxx.xxx.44.193 | |
port 25 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.129.2 | |
port 25 | |
} | |
} | |
rule 89 { | |
description "Reflection Rule Public->Outside:Submission" | |
destination { | |
address xxx.xxx.44.193 | |
port 587 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.129.2 | |
port 587 | |
} | |
} | |
rule 90 { | |
description "Reflection Rule Internal->Outside:IMAPS" | |
destination { | |
address xxx.xxx.44.193 | |
port 993 | |
} | |
inbound-interface eth2 | |
protocol tcp | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address xxx.xxx.129.2 | |
port 993 | |
} | |
} | |
rule 92 { | |
description "Reflection Rule Public->Outside:IMAPS" | |
destination { | |
address xxx.xxx.44.193 | |
port 993 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.141.17 | |
port 993 | |
} | |
} | |
rule 94 { | |
description "Reflection Rule Public->Outside:IAX" | |
destination { | |
address xxx.xxx.44.201 | |
port 4569 | |
} | |
inbound-interface eth1 | |
protocol udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.129.5 | |
port 4569 | |
} | |
} | |
rule 96 { | |
description "Reflection Rule Public->Inside:https for cloud" | |
destination { | |
address xxx.xxx.62.21 | |
port 443 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.141.53 | |
port 443 | |
} | |
} | |
rule 102 { | |
description "Reflection Rule Public->Outside:SIP" | |
destination { | |
address xxx.xxx.44.201 | |
port 5060 | |
} | |
inbound-interface eth1 | |
protocol tcp_udp | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.129.5 | |
port 5060 | |
} | |
} | |
rule 110 { | |
description "Inbound Redirect for XMPP port 5222" | |
destination { | |
address xxx.xxx.62.21 | |
port 5222 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5222 | |
} | |
} | |
rule 112 { | |
description "Inbound Redirect for XMPP port 5269" | |
destination { | |
address xxx.xxx.62.21 | |
port 5269 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5269 | |
} | |
} | |
rule 114 { | |
description "Inbound Redirect for XMPP port 5280" | |
destination { | |
address xxx.xxx.62.21 | |
port 5280 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5280 | |
} | |
} | |
rule 116 { | |
description "Inbound Redirect for XMPP http_upload port 5443" | |
destination { | |
address xxx.xxx.62.21 | |
port 5443 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5443 | |
} | |
} | |
rule 120 { | |
description "Reflection Rule Public->Outside:XMPP-5222" | |
destination { | |
address xxx.xxx.62.21 | |
port 5222 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5222 | |
} | |
} | |
rule 122 { | |
description "Reflection Rule Public->Outside:XMPP-5269" | |
destination { | |
address xxx.xxx.62.21 | |
port 5269 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5269 | |
} | |
} | |
rule 124 { | |
description "Reflection Rule Public->Outside:XMPP-5280" | |
destination { | |
address xxx.xxx.62.21 | |
port 5280 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5280 | |
} | |
} | |
rule 126 { | |
description "Reflection Rule Public->Outside:XMPP-5443" | |
destination { | |
address xxx.xxx.62.21 | |
port 5443 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 5443 | |
} | |
} | |
rule 128 { | |
description "Reflection Rule Public->Outside:HTTPS" | |
destination { | |
address xxx.xxx.62.21 | |
port 443 | |
} | |
inbound-interface eth1 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 443 | |
} | |
} | |
rule 140 { | |
description "Test Redirect HAPROXY IMAPS" | |
destination { | |
address xxx.xxx.62.21 | |
port 993 | |
} | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.129.6 | |
port 993 | |
} | |
} | |
rule 156 { | |
description "Inbound Redirect for Minecraft" | |
destination { | |
address xxx.xxx.44.193 | |
port 25565 | |
} | |
disable | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.141.158 | |
port 25565 | |
} | |
} | |
rule 160 { | |
description "Inbound Redirect for MOXA Serial Server" | |
destination { | |
address xxx.xxx.44.193 | |
port 950-969 | |
} | |
disable | |
inbound-interface eth5 | |
protocol tcp | |
translation { | |
address xxx.xxx.143.244 | |
port 950-969 | |
} | |
} | |
} | |
source { | |
rule 30 { | |
description "Source NAT for Outbound SMTP" | |
destination { | |
} | |
outbound-interface eth0 | |
protocol tcp | |
source { | |
address xxx.xxx.129.2 | |
port 25 | |
} | |
translation { | |
address xxx.xxx.44.193 | |
} | |
} | |
rule 992 { | |
description "1:1 Outbound for PBXinaFlash" | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.129.5 | |
} | |
translation { | |
address xxx.xxx.44.201 | |
} | |
} | |
rule 4991 { | |
description "Exclude Test Networks from NAT" | |
destination { | |
address xxx.xxx.93.0/24 | |
} | |
exclude | |
outbound-interface eth4 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4992 { | |
description "Exclude Apartment Spain Internal Network from NAT" | |
destination { | |
address xxx.xxx.79.0/24 | |
} | |
disable | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4993 { | |
description "Exclude ACP Internal Network from NAT" | |
destination { | |
address xxx.xxx.2.0/23 | |
} | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4994 { | |
description "Exclude ACP DMZ Network from NAT" | |
destination { | |
address xxx.xxx.7.0/24 | |
} | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4995 { | |
description "Exclude SecuroSys Network from NAT" | |
destination { | |
address xxx.xxx.171.0/24 | |
} | |
disable | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4996 { | |
description "Exclude Test Networks from NAT" | |
destination { | |
address xxx.xxx.176.0/20 | |
} | |
exclude | |
outbound-interface eth4 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4997 { | |
description "Exclude DiCandilo Berwyn Network from NAT" | |
destination { | |
address xxx.xxx.1.0/24 | |
} | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4998 { | |
description "Exclude ADDM Network from NAT" | |
destination { | |
address xxx.xxx.32.0/24 | |
} | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 4999 { | |
description "Exclude ICDC Network from NAT" | |
destination { | |
address xxx.xxx.47.0/22 | |
} | |
disable | |
exclude | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address masquerade | |
} | |
} | |
rule 9000 { | |
description "Masquerade Internal on FTS Internet Segment" | |
destination { | |
address xxx.xxx.44.192/28 | |
} | |
outbound-interface eth4 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address xxx.xxx.44.193 | |
} | |
} | |
rule 9005 { | |
description "Masquerade Internal" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.141.0/24 | |
} | |
translation { | |
address xxx.xxx.44.193 | |
} | |
} | |
rule 9010 { | |
description "Masquerade DMZ" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.129.0/27 | |
} | |
translation { | |
address xxx.xxx.44.193 | |
} | |
} | |
rule 9020 { | |
description "Masquerade Public" | |
destination { | |
address xxx.xxx.0.0/0 | |
} | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.130.0/24 | |
} | |
translation { | |
address xxx.xxx.44.197 | |
} | |
} | |
rule 9030 { | |
description "Masquerade IoT & Management" | |
outbound-interface eth5 | |
source { | |
address xxx.xxx.142.0/23 | |
} | |
translation { | |
address xxx.xxx.44.193 | |
} | |
} | |
} | |
} | |
protocols { | |
igmp-proxy { | |
interface eth2 { | |
role downstream | |
threshold 1 | |
} | |
interface eth5 { | |
role upstream | |
threshold 1 | |
} | |
} | |
static { | |
interface-route xxx.xxx.188.0/24 { | |
next-hop-interface wg01 { | |
} | |
} | |
interface-route xxx.xxx.2.0/23 { | |
next-hop-interface wg02 { | |
} | |
} | |
interface-route xxx.xxx.7.0/24 { | |
next-hop-interface wg02 { | |
} | |
} | |
interface-route xxx.xxx.78.0/24 { | |
next-hop-interface wg01 { | |
} | |
} | |
interface-route xxx.xxx.83.0/24 { | |
next-hop-interface wg01 { | |
} | |
} | |
interface-route xxx.xxx.84.0/24 { | |
next-hop-interface wg01 { | |
} | |
} | |
route xxx.xxx.0.0/0 { | |
next-hop xxx.xxx.62.1 { | |
} | |
} | |
route xxx.xxx.53.0/27 { | |
blackhole { | |
} | |
} | |
route xxx.xxx.1.47/32 { | |
next-hop xxx.xxx.128.242 { | |
} | |
} | |
route xxx.xxx.0.0/16 { | |
blackhole { | |
} | |
} | |
route xxx.xxx.0.0/15 { | |
blackhole { | |
} | |
} | |
route xxx.xxx.0.0/15 { | |
blackhole { | |
} | |
} | |
route xxx.xxx.128.0/28 { | |
next-hop xxx.xxx.141.251 { | |
} | |
} | |
route xxx.xxx.131.0/24 { | |
next-hop xxx.xxx.141.222 { | |
} | |
} | |
route xxx.xxx.0.0/17 { | |
blackhole { | |
} | |
} | |
} | |
} | |
service { | |
dhcp-relay { | |
interface eth1 | |
interface eth3 | |
interface eth4 | |
interface eth6 | |
interface eth2 | |
relay-options { | |
relay-agents-packets discard | |
} | |
server xxxxx.tld | |
} | |
mdns { | |
repeater { | |
interface eth2 | |
interface wg01 | |
} | |
} | |
snmp { | |
community public { | |
authorization ro | |
network xxx.xxx.141.0/24 | |
} | |
contact "Adam Feigin" | |
listen-address xxx.xxx.141.254 { | |
port 161 | |
} | |
location "xxxxxx 235" | |
trap-target xxx.xxx.141.30 { | |
} | |
} | |
ssh { | |
port 2022 | |
} | |
} | |
system { | |
config-management { | |
commit-archive { | |
location xxxxxx | |
} | |
commit-revisions 50 | |
} | |
conntrack { | |
expect-table-size 4096 | |
hash-size 4096 | |
modules { | |
sip { | |
disable | |
} | |
} | |
table-size 32768 | |
} | |
console { | |
device ttyS0 { | |
speed 9600 | |
} | |
} | |
domain-name xxxxxx | |
flow-accounting { | |
disable-imt | |
interface eth5 | |
interface eth4 | |
interface eth2 | |
interface eth1 | |
interface eth0 | |
netflow { | |
engine-id 2 | |
sampling-rate 64 | |
server xxxxx.tld { | |
port 9995 | |
} | |
timeout { | |
expiry-interval 60 | |
flow-generic 60 | |
icmp 300 | |
max-active-life 60 | |
tcp-fin 60 | |
tcp-generic 60 | |
tcp-rst 60 | |
udp 60 | |
} | |
version 5 | |
} | |
sflow { | |
agent-address xxx.xxx.141.254 | |
sampling-rate 64 | |
server xxxxx.tld { | |
port 6343 | |
} | |
} | |
syslog-facility daemon | |
} | |
host-name xxxxxx | |
ipv6 { | |
} | |
login { | |
radius-server xxx.xxx.141.20 { | |
port 1812 | |
secret xxxxxxxxxxxx | |
timeout 3 | |
} | |
radius-source-address xxx.xxx.143.254 | |
user xxxxxx { | |
authentication { | |
encrypted-password xxxxxx | |
plaintext-password xxxxxx | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
} | |
full-name xxxxxx | |
level admin | |
} | |
user xxxxxx { | |
authentication { | |
encrypted-password xxxxxx | |
plaintext-password xxxxxx | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
} | |
level admin | |
} | |
user xxxxxx { | |
authentication { | |
encrypted-password xxxxxx | |
plaintext-password xxxxxx | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
public-keys [email protected] { | |
key xxxxxx | |
type ssh-rsa | |
} | |
} | |
level admin | |
} | |
user xxxxxx { | |
authentication { | |
encrypted-password xxxxxx | |
plaintext-password xxxxxx | |
} | |
level admin | |
} | |
} | |
name-server xxx.xxx.141.3 | |
name-server xxx.xxx.40.2 | |
name-server xxx.xxx.40.34 | |
name-server xxx.xxx.141.20 | |
ntp { | |
allow-clients { | |
address xxx.xxx.143.0/24 | |
address xxx.xxx.142.0/24 | |
address xxx.xxx.141.0/24 | |
address xxx.xxx.130.0/24 | |
address xxx.xxx.129.0/24 | |
} | |
listen-address xxx.xxx.141.254 | |
listen-address xxx.xxx.130.254 | |
listen-address xxx.xxx.129.254 | |
listen-address xxx.xxx.142.254 | |
listen-address xxx.xxx.143.254 | |
server xxxxx.tld { | |
} | |
server xxxxx.tld { | |
} | |
server xxxxx.tld { | |
} | |
server xxxxx.tld { | |
} | |
server xxxxx.tld { | |
} | |
} | |
syslog { | |
file messages { | |
archive { | |
} | |
} | |
global { | |
archive { | |
size 8192 | |
} | |
facility all { | |
level notice | |
} | |
facility protocols { | |
level debug | |
} | |
} | |
} | |
task-scheduler { | |
task Update-Blacklists { | |
executable { | |
path /config/scripts/updBlackList.sh | |
} | |
interval 12h | |
} | |
} | |
time-zone Europe/Zurich | |
} | |
traffic-policy { | |
limiter LimitChildrenOutBound { | |
class 10 { | |
bandwidth 512 | |
burst 2048 | |
match Children { | |
ip { | |
source { | |
address xxx.xxx.130.175/27 | |
} | |
} | |
} | |
priority 20 | |
} | |
} | |
shaper ShapeInternalOutbound { | |
bandwidth 1gibps | |
class 10 { | |
bandwidth 128kibit | |
burst 15k | |
ceiling 16384kibit | |
match JohanaRestricted { | |
ip { | |
destination { | |
address xxx.xxx.141.188/30 | |
} | |
} | |
} | |
queue-type fair-queue | |
} | |
default { | |
bandwidth 1gibps | |
burst 15k | |
ceiling 100% | |
queue-type fair-queue | |
} | |
} | |
shaper ShapePublicOutbound { | |
bandwidth 20mibit | |
class 10 { | |
bandwidth 1kibit | |
burst 15k | |
ceiling 4096kibit | |
description "Chusmas Devices" | |
match Chusma { | |
ip { | |
destination { | |
address xxx.xxx.130.172/30 | |
} | |
} | |
} | |
queue-type fair-queue | |
} | |
class 20 { | |
bandwidth 1kibit | |
burst 15k | |
ceiling 16384kibit | |
description "Chollos Devices" | |
match Chollo { | |
ip { | |
destination { | |
address xxx.xxx.130.176/29 | |
} | |
} | |
} | |
queue-type fair-queue | |
} | |
class 30 { | |
bandwidth 1kibit | |
burst 15k | |
ceiling 64kibit | |
match mbpgen2-wlan { | |
ip { | |
destination { | |
address xxx.xxx.130.242/32 | |
} | |
} | |
} | |
queue-type fair-queue | |
} | |
class 40 { | |
bandwidth 1kibit | |
burst 15k | |
ceiling 8192kibit | |
description "Sony PS4 Traffic" | |
match sonyps4 { | |
ip { | |
destination { | |
address xxx.xxx.130.185/32 | |
} | |
} | |
} | |
queue-type fair-queue | |
} | |
class 120 { | |
bandwidth 100% | |
burst 15k | |
queue-type fair-queue | |
} | |
default { | |
bandwidth 10mibit | |
burst 15k | |
ceiling 100% | |
queue-type fair-queue | |
} | |
description "QoS Policy for Public" | |
} | |
shaper VoIP-DSCP { | |
bandwidth 5mbit | |
class 10 { | |
bandwidth 20% | |
burst 15k | |
ceiling 40% | |
match VoIP-RTP { | |
description "RTP Audio Packets (with dscp set to 46)" | |
ip { | |
dscp 46 | |
} | |
} | |
priority 7 | |
queue-type fair-queue | |
} | |
class 20 { | |
bandwidth 10% | |
burst 15k | |
ceiling 20% | |
description "SIP Signalling (with dscp set to 26)" | |
match VoIP-SIP { | |
ip { | |
dscp 26 | |
} | |
} | |
priority 4 | |
queue-type fair-queue | |
} | |
default { | |
bandwidth 70% | |
burst 15k | |
ceiling 100% | |
queue-type fair-queue | |
} | |
description "VoIP Traffic Shaping based on DSCP" | |
} | |
} | |
vpn { | |
ipsec { | |
esp-group ACP-ESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs dh-group18 | |
proposal 1 { | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
encryption aes128 | |
hash sha512 | |
} | |
} | |
esp-group CiscoESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs enable | |
proposal 1 { | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
esp-group DiCandilo-PA-ESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs enable | |
proposal 1 { | |
encryption 3des | |
hash sha1 | |
} | |
} | |
esp-group OPNSenseESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs dh-group18 | |
proposal 1 { | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
encryption aes128 | |
hash sha512 | |
} | |
} | |
esp-group OpenWRT-ESP { | |
compression enable | |
lifetime 3600 | |
mode tunnel | |
pfs dh-group14 | |
proposal 1 { | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
encryption aes256 | |
hash sha256 | |
} | |
proposal 3 { | |
encryption aes128 | |
hash sha512 | |
} | |
proposal 4 { | |
encryption aes128 | |
hash sha256 | |
} | |
} | |
esp-group PFSenseESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs dh-group18 | |
proposal 1 { | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
esp-group SecuroSysESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs dh-group18 | |
proposal 1 { | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
esp-group SophosUTM-ESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs dh-group16 | |
proposal 1 { | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
esp-group StonegateESP { | |
compression disable | |
lifetime 3600 | |
mode tunnel | |
pfs enable | |
proposal 1 { | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
ike-group CiscoIKE { | |
close-action none | |
dead-peer-detection { | |
action restart | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 28800 | |
proposal 1 { | |
dh-group 2 | |
encryption aes128 | |
hash sha1 | |
} | |
proposal 2 { | |
dh-group 2 | |
encryption aes256 | |
hash sha1 | |
} | |
} | |
ike-group DiCandilo-PA-IKE { | |
close-action none | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 28800 | |
proposal 1 { | |
dh-group 5 | |
encryption 3des | |
hash sha1 | |
} | |
} | |
ike-group OPNSenseIKEv2 { | |
close-action none | |
dead-peer-detection { | |
action hold | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev2 | |
lifetime 28800 | |
proposal 1 { | |
dh-group 18 | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
dh-group 24 | |
encryption aes128 | |
hash sha512 | |
} | |
} | |
ike-group OpenWRT-IKEv1 { | |
close-action none | |
dead-peer-detection { | |
action restart | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 3600 | |
proposal 1 { | |
dh-group 2 | |
encryption aes256 | |
hash sha1 | |
} | |
} | |
ike-group OpenWRT-IKEv2 { | |
close-action none | |
dead-peer-detection { | |
action restart | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev2 | |
lifetime 3600 | |
mobike enable | |
proposal 1 { | |
dh-group 14 | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
dh-group 14 | |
encryption aes256 | |
hash sha256 | |
} | |
proposal 3 { | |
dh-group 14 | |
encryption aes128 | |
hash sha512 | |
} | |
proposal 4 { | |
dh-group 14 | |
encryption aes128 | |
hash sha256 | |
} | |
} | |
ike-group PFSenseIKE { | |
close-action none | |
dead-peer-detection { | |
action restart | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 28800 | |
proposal 1 { | |
dh-group 18 | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
dh-group 2 | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
ike-group SecuroSysIKE { | |
close-action none | |
dead-peer-detection { | |
action restart | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 28800 | |
proposal 1 { | |
dh-group 18 | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
dh-group 2 | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
ike-group SophosUTM-IKE { | |
close-action none | |
dead-peer-detection { | |
action restart | |
interval 30 | |
timeout 120 | |
} | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 28800 | |
proposal 1 { | |
dh-group 16 | |
encryption aes256 | |
hash sha512 | |
} | |
proposal 2 { | |
dh-group 2 | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
ike-group StonegateIKE { | |
close-action none | |
ikev2-reauth no | |
key-exchange ikev1 | |
lifetime 3600 | |
proposal 1 { | |
dh-group 2 | |
encryption aes128 | |
hash sha1 | |
} | |
} | |
ipsec-interfaces { | |
interface eth5 | |
} | |
nat-networks { | |
allowed-network xxx.xxx.1.0/24 { | |
} | |
allowed-network xxx.xxx.2.0/23 { | |
} | |
allowed-network xxx.xxx.7.0/24 { | |
} | |
allowed-network xxx.xxx.32.0/24 { | |
} | |
allowed-network xxx.xxx.45.0/24 { | |
} | |
allowed-network xxx.xxx.46.0/24 { | |
} | |
allowed-network xxx.xxx.47.0/24 { | |
} | |
allowed-network xxx.xxx.79.0/24 { | |
} | |
allowed-network xxx.xxx.93.0/24 { | |
} | |
allowed-network xxx.xxx.113.0/24 { | |
} | |
allowed-network xxx.xxx.141.0/24 { | |
} | |
allowed-network xxx.xxx.143.0/24 { | |
} | |
allowed-network xxx.xxx.171.0/24 { | |
} | |
allowed-network xxx.xxx.176.0/20 { | |
} | |
} | |
nat-traversal enable | |
site-to-site { | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type initiate | |
description "Aviq Systems AG PFSense" | |
ike-group PFSenseIKE | |
ikev2-reauth inherit | |
local-address xxx.xxx.62.21 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group PFSenseESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.1.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type initiate | |
description "Adi Doerflinger Cisco" | |
ike-group CiscoIKE | |
ikev2-reauth inherit | |
local-address xxx.xxx.62.21 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group CiscoESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.32.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type respond | |
default-esp-group DiCandilo-PA-ESP | |
description "DiCandilo Berwyn" | |
ike-group DiCandilo-PA-IKE | |
ikev2-reauth inherit | |
local-address xxx.xxx.62.21 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks disable | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.1.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type initiate | |
description "ACP AG OPNSense" | |
ike-group OPNSenseIKEv2 | |
ikev2-reauth inherit | |
local-address xxx.xxx.62.21 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group OPNSenseESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.2.0/23 | |
} | |
} | |
tunnel 2 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group OPNSenseESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.7.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type respond | |
description "ICDC-CBCDG Stonegate" | |
ike-group StonegateIKE | |
ikev2-reauth inherit | |
local-address xxx.xxx.62.21 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group StonegateESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.47.0/24 | |
} | |
} | |
tunnel 2 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group StonegateESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.46.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type initiate | |
description "Sophos UTM Test Gateway" | |
ike-group SophosUTM-IKE | |
ikev2-reauth inherit | |
local-address xxx.xxx.44.193 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group SophosUTM-ESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.178.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
} | |
connection-type initiate | |
description "OPNSense Test" | |
ike-group OPNSenseIKEv2 | |
ikev2-reauth inherit | |
local-address xxx.xxx.44.193 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group OPNSenseESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.93.0/24 | |
} | |
} | |
} | |
peer xxxxx.tld { | |
authentication { | |
id @xxx.xxx.62.21 | |
mode pre-shared-secret | |
pre-shared-secret xxxxxx | |
remote-id @awfhospitalet.dyndns.org | |
} | |
connection-type respond | |
description "Apartment Spain VPN" | |
ike-group OpenWRT-IKEv2 | |
ikev2-reauth inherit | |
local-address xxx.xxx.62.21 | |
tunnel 1 { | |
allow-nat-networks disable | |
allow-public-networks enable | |
disable | |
esp-group OpenWRT-ESP | |
local { | |
prefix xxx.xxx.141.0/24 | |
} | |
remote { | |
prefix xxx.xxx.79.0/24 | |
} | |
} | |
} | |
} | |
} | |
} |