authorTrygve Laugstøl <trygvis@inamo.no>2025-07-28 22:16:34 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2025-07-28 22:17:11 +0200
commit193e6366dce3566d5fe29efd53fb5e7460d8d011 (patch)
treedaede826626f9823d65ae3935b95157f99426c62
parent98564c4988cb0a0a0607f4ba456d212b5f0e1e45 (diff)
lhn2ix
-rw-r--r--config/lhn2ix.txt99
1 files changed, 99 insertions, 0 deletions
diff --git a/config/lhn2ix.txt b/config/lhn2ix.txt
index 93c4f83..b05d5d9 100644
--- a/config/lhn2ix.txt
+++ b/config/lhn2ix.txt
@@ -1,3 +1,98 @@
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall ipv6-name DN42v6_IN default-action drop
+set firewall ipv6-name DN42v6_IN description 'DN42 traffic through the router'
+set firewall ipv6-name DN42v6_IN enable-default-log
+set firewall ipv6-name DN42v6_IN rule 10 action accept
+set firewall ipv6-name DN42v6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name DN42v6_IN rule 10 state established enable
+set firewall ipv6-name DN42v6_IN rule 10 state related enable
+set firewall ipv6-name DN42v6_IN rule 20 action drop
+set firewall ipv6-name DN42v6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name DN42v6_IN rule 20 state invalid enable
+set firewall ipv6-name DN42v6_IN rule 30 action accept
+set firewall ipv6-name DN42v6_IN rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name DN42v6_IN rule 30 protocol ipv6-icmp
+set firewall ipv6-name DN42v6_IN rule 100 action accept
+set firewall ipv6-name DN42v6_IN rule 100 description 'Allow anything from tnet (tcp)'
+set firewall ipv6-name DN42v6_IN rule 100 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 100 source address 'fdb1:4242:3538:2000::/52'
+set firewall ipv6-name DN42v6_IN rule 101 action accept
+set firewall ipv6-name DN42v6_IN rule 101 description 'Allow anything from tnet (udp)'
+set firewall ipv6-name DN42v6_IN rule 101 protocol udp
+set firewall ipv6-name DN42v6_IN rule 101 source address 'fdb1:4242:3538:2000::/52'
+set firewall ipv6-name DN42v6_IN rule 200 action accept
+set firewall ipv6-name DN42v6_IN rule 200 description 'Allow SSH'
+set firewall ipv6-name DN42v6_IN rule 200 destination port 22
+set firewall ipv6-name DN42v6_IN rule 200 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 201 action accept
+set firewall ipv6-name DN42v6_IN rule 201 description 'Allow HTTP'
+set firewall ipv6-name DN42v6_IN rule 201 destination port 80
+set firewall ipv6-name DN42v6_IN rule 201 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 202 action accept
+set firewall ipv6-name DN42v6_IN rule 202 description 'Allow HTTPS'
+set firewall ipv6-name DN42v6_IN rule 202 destination port https
+set firewall ipv6-name DN42v6_IN rule 202 protocol tcp
+set firewall ipv6-name DN42v6_LOCAL default-action drop
+set firewall ipv6-name DN42v6_LOCAL description 'DN42 inbound traffic to the router'
+set firewall ipv6-name DN42v6_LOCAL enable-default-log
+set firewall ipv6-name DN42v6_LOCAL rule 10 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name DN42v6_LOCAL rule 10 state established enable
+set firewall ipv6-name DN42v6_LOCAL rule 10 state related enable
+set firewall ipv6-name DN42v6_LOCAL rule 20 action drop
+set firewall ipv6-name DN42v6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name DN42v6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name DN42v6_LOCAL rule 30 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name DN42v6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name DN42v6_LOCAL rule 40 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 40 description 'Allow SSH'
+set firewall ipv6-name DN42v6_LOCAL rule 40 destination port 22
+set firewall ipv6-name DN42v6_LOCAL rule 40 protocol tcp
+set firewall ipv6-name DN42v6_LOCAL rule 50 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 50 description 'Allow BGP'
+set firewall ipv6-name DN42v6_LOCAL rule 50 destination port 179
+set firewall ipv6-name DN42v6_LOCAL rule 50 protocol tcp
+set firewall ipv6-name WANv6_IN default-action drop
+set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
+set firewall ipv6-name WANv6_IN rule 10 action accept
+set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_IN rule 10 state established enable
+set firewall ipv6-name WANv6_IN rule 10 state related enable
+set firewall ipv6-name WANv6_IN rule 20 action drop
+set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_IN rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL default-action drop
+set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
+set firewall ipv6-name WANv6_LOCAL enable-default-log
+set firewall ipv6-name WANv6_LOCAL rule 10 action accept
+set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
+set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
+set firewall ipv6-name WANv6_LOCAL rule 20 action drop
+set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL rule 30 action accept
+set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name WANv6_LOCAL rule 40 action accept
+set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DHCPv6'
+set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
+set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
+set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
+set firewall ipv6-name WANv6_LOCAL rule 50 action accept
+set firewall ipv6-name WANv6_LOCAL rule 50 description 'Allow SSH'
+set firewall ipv6-name WANv6_LOCAL rule 50 destination port 22
+set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 host-address '::1'
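Review bot: WANv6_LOCAL rule 50 accepts TCP/22 to the router from any IPv6 source on the Internet-facing ruleset, with no source restriction or rate limit, which leaves the router's management plane reachable from the whole IPv6 Internet; adding `set firewall ipv6-name WANv6_LOCAL rule 50 source address '<MGMT-PREFIX>'` (placeholder for the prefix you administer from) would narrow that. Likewise DN42v6_IN rules 200-202 carry no `destination address`, so they forward 22/80/443 from any DN42 source to every host behind wg1; if only specific hosts serve those ports, pinning the destination would tighten the policy. Two consistency nits: WANv6_IN is the only ruleset without `enable-default-log`, so drops on the WAN forwarding path will not be logged, and rule 202 uses the service name `https` where every other rule uses a numeric port.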
@@ -6,6 +101,8 @@ set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 service slaac
set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
+set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
set interfaces ethernet eth0 ipv6 address
set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth0 poe output off
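Review bot: Only IPv6 rulesets are attached to eth0 here (`firewall in ipv6-name` and `firewall local ipv6-name`), while the interface also takes an IPv4 address via `address dhcp` in the context of the first hunk. No `set firewall name …` (IPv4) ruleset is defined in this commit, and the old file began at `set interfaces`, so IPv4 traffic to and through eth0 appears to remain unfiltered after this change unless it is handled elsewhere. Defining matching IPv4 rulesets and attaching them with `set interfaces ethernet eth0 firewall in name <WAN_IN>` and `set interfaces ethernet eth0 firewall local name <WAN_LOCAL>` (placeholder names) would give both address families the same posture.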
@@ -57,6 +154,8 @@ set interfaces switch switch0 switch-port interface eth4
set interfaces switch switch0 switch-port vlan-aware disable
set interfaces wireguard wg1 address 'fdb1:4242:3538:2f02::b/64'
set interfaces wireguard wg1 description tnet-knot
+set interfaces wireguard wg1 firewall in ipv6-name DN42v6_IN
+set interfaces wireguard wg1 firewall local ipv6-name DN42v6_LOCAL
set interfaces wireguard wg1 mtu 1420
set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= allowed-ips '::0/0'
set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= endpoint 'knot.inamo.no:51002'