
vyos_firewall_sredirects_enable.txt


vyos_firewall_sredirects_enable.txt

/* Global kernel/firewall options; the only named ruleset is FW_ALLOW_ALL, which accepts everything */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* accept-all ruleset; every allowed zone pairing in zone-policy references it, so zone filtering is effectively permit-all */
name FW_ALLOW_ALL {
default-action accept
}
receive-redirects disable
/* NOTE(review): this is the setting the paste name refers to; a router normally leaves ICMP redirect sending off so it does not announce next-hop details to directly attached hosts - confirm it is intentional */
send-redirects enable
/* reverse-path source validation is off, so packets with a source address not routable back via the ingress interface are not dropped by this check */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
/* Single VRRP group on eth1; the peer address is the same host that appears as the BGP neighbor under protocols */
high-availability {
vrrp {
group sentrium-internal-01 {
advertise-interval 1
health-check {
failure-count 1
interval 4
}
hello-source-address xxx.xxx.100.1
interface eth1
peer-address xxx.xxx.100.2
/* priority 200 with no authentication block present in this group - NOTE(review): confirm whether VRRP authentication is expected on this segment */
priority 200
virtual-address xxx.xxx.100.254/24
vrid 26
}
}
}
/* eth0 takes its address from DHCP, eth1 carries the VRRP/BGP segment, eth2 has no address configured here; MAC addresses are redacted */
interfaces {
ethernet eth0 {
address dhcp
duplex auto
hw-id XX:XX:XX:4b:33:e5
smp-affinity auto
speed auto
}
ethernet eth1 {
address xxx.xxx.100.1/24
duplex auto
hw-id XX:XX:XX:01:da:89
smp-affinity auto
speed auto
}
/* no address on eth2; it is still used as the inbound interface for destination NAT and as a next-hop interface for the IPv6 interface-route */
ethernet eth2 {
duplex auto
hw-id XX:XX:XX:2d:07:cb
smp-affinity auto
speed auto
}
loopback lo {
}
}
/* Destination NAT for traffic entering on eth2, source NAT (masquerade and 1:1 netmap) for traffic leaving eth1 or any eth+ interface */
nat {
destination {
rule 10 {
inbound-interface eth2
source {
address xxx.xxx.55.0/24
}
translation {
address xxx.xxx.1.1
}
}
}
source {
rule 10 {
outbound-interface eth1
source {
address xxx.xxx.60.0/24
}
translation {
address masquerade
}
}
/* prefix-to-prefix translation: the /24 source is mapped onto a /24 translation range rather than masqueraded */
rule 100 {
outbound-interface eth1
source {
address xxx.xxx.56.0/24
}
translation {
address xxx.xxx.21.0/24
}
}
/* eth+ is a wildcard for every ethernet interface, so rules 200 and 201 masquerade on eth0 and eth2 as well as eth1 */
rule 200 {
outbound-interface eth+
source {
address xxx.xxx.100.0/24
}
translation {
address masquerade
}
}
rule 201 {
outbound-interface eth+
source {
address xxx.xxx.201.0/24
}
translation {
address masquerade
}
}
}
}
/* Route policy used by BGP default-originate: the prefix-list permits only the /0 prefix and the route-map matches on it */
policy {
prefix-list DEFAULT-ROUTE {
rule 10 {
action permit
prefix xxx.xxx.0.0/0
}
}
route-map ALLOW-DEFAULT {
rule 10 {
action permit
match {
ip {
address {
prefix-list DEFAULT-ROUTE
}
}
}
}
}
}
/* BGP with one passive neighbor (the VRRP peer) and kernel/static redistribution; static IPv4/IPv6 routes including a routing table 10 entry */
protocols {
bgp XXXXXX {
address-family {
ipv4-unicast {
redistribute {
kernel {
}
static {
}
}
}
}
/* NOTE(review): no neighbor password is set in this block, so the session is not protected by TCP MD5 - confirm whether that is acceptable for this peer */
neighbor xxx.xxx.100.2 {
address-family {
ipv4-unicast {
/* only the default route is originated, filtered through ALLOW-DEFAULT */
default-originate {
route-map ALLOW-DEFAULT
}
nexthop-self
soft-reconfiguration {
inbound
}
}
}
passive
remote-as XXXXXX
}
}
static {
interface-route6 xxxx:xxxx:0:70::/60 {
next-hop-interface eth2 {
}
}
route xxx.xxx.4.4/32 {
next-hop xxx.xxx.2.2 {
}
}
route xxx.xxx.8.8/32 {
next-hop xxx.xxx.20.1 {
}
}
table 10 {
route xxx.xxx.15.0/24 {
next-hop xxx.xxx.20.1 {
}
}
}
}
}
/* HTTPS service bound to a single address with HTTP-to-HTTPS redirect; SSH enabled with no options set, so its listen addresses and port are whatever the platform defaults to */
service {
https {
http-redirect enable
listen-address xxx.xxx.56.101
}
ssh {
}
}
/* System settings: config revision history, serial console, admin-level login, DNS, NTP, syslog and time zone */
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 9600
}
}
host-name xxxxxx
login {
user xxxxxx {
authentication {
encrypted-password xxxxxx
/* NOTE(review): plaintext-password is normally consumed at commit and replaced by encrypted-password; a saved config that still carries both is worth checking (values here are redacted) */
plaintext-password xxxxxx
}
level admin
}
}
name-server xxx.xxx.8.8
ntp {
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
syslog {
global {
facility all {
level notice
}
/* routing-protocol messages logged at debug, above the notice level used for everything else */
facility protocols {
level debug
}
}
}
time-zone Europe/Kiev
}
/* QoS policy definitions (drop-tail, fair-queue, network-emulator, priority-queue, random-detect, rate-control, round-robin, shaper); none of them is attached to an interface in this config */
traffic-policy {
drop-tail dt01 {
queue-limit 10000
}
fair-queue fair-queue1 {
hash-interval 30
queue-limit 20
}
network-emulator nem1 {
bandwidth 10mbit
burst 15k
network-delay 10ms
packet-reordering 20
queue-limit 1033
}
priority-queue prio1 {
default {
queue-type random-detect
}
}
random-detect rad1 {
bandwidth 10mbit
precedence 0 {
average-packet 750
mark-probability 50
maximum-threshold 3000
minimum-threshold 1000
queue-limit 50000
}
}
rate-control ratecon1 {
bandwidth 10mbit
burst 0.1mb
latency 50ms
}
round-robin rr1 {
default {
quantum 1514
queue-type fq-codel
}
}
/* HTB-style shaper with two source-address classes and a default class; class bandwidths are given as bare numbers while the parent uses 100mbps */
shaper shaper1 {
bandwidth 100mbps
class 2 {
bandwidth 20000
burst 15k
match class2match {
ip {
source {
address xxx.xxx.0.0/24
}
}
}
queue-type fair-queue
}
class 3 {
bandwidth 30000
burst 15k
match class3match {
ip {
source {
address xxx.xxx.0.0/24
}
}
}
priority 6
queue-type fair-queue
}
default {
bandwidth 15000
burst 15k
queue-type fair-queue
}
}
}
/* Site-to-site IPsec on eth1: one IKEv1 peer with a pre-shared secret and two tunnels sharing the same local prefix */
vpn {
ipsec {
/* ESP: AES-256 with SHA-1 integrity, PFS on, 30-minute lifetime */
esp-group office-srv-esp {
compression disable
lifetime 1800
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
/* NOTE(review): IKEv1 with DH group 2 (1024-bit MODP) and SHA-1 is below current guidance; prefer IKEv2, a 2048-bit or larger group and SHA-2 when the remote side supports them */
ike-group office-srv-ike {
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth1
}
site-to-site {
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
ike-group office-srv-ike
ikev2-reauth inherit
local-address xxx.xxx.100.1
/* both tunnels use the same local prefix and esp-group and differ only in the remote prefix */
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group office-srv-esp
local {
prefix xxx.xxx.20.0/24
}
remote {
prefix xxx.xxx.201.0/24
}
}
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group office-srv-esp
local {
prefix xxx.xxx.20.0/24
}
remote {
prefix xxx.xxx.202.0/24
}
}
}
}
}
}
/* Zone policy: every permitted zone pairing uses FW_ALLOW_ALL, so the only real filtering is which pairings are absent (default-action drop applies to those) */
zone-policy {
/* eth0 accepts from eth1 and local; nothing from eth2 */
zone zone-eth0 {
default-action drop
from zone-eth1 {
firewall {
name FW_ALLOW_ALL
}
}
from zone-local {
firewall {
name FW_ALLOW_ALL
}
}
interface eth0
}
/* eth1 accepts from eth0 and local; nothing from eth2 */
zone zone-eth1 {
default-action drop
from zone-eth0 {
firewall {
name FW_ALLOW_ALL
}
}
from zone-local {
firewall {
name FW_ALLOW_ALL
}
}
interface eth1
}
/* no from entries: traffic into eth2 from any other zone, including the router itself, hits default-action drop */
zone zone-eth2 {
default-action drop
interface eth2
}
/* the router's own stack accepts from all three interface zones */
zone zone-local {
default-action drop
from zone-eth0 {
firewall {
name FW_ALLOW_ALL
}
}
from zone-eth1 {
firewall {
name FW_ALLOW_ALL
}
}
from zone-eth2 {
firewall {
name FW_ALLOW_ALL
}
}
local-zone
}
}
