-rw-r--r-- | config/lhn2ix.txt | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/config/lhn2ix.txt b/config/lhn2ix.txt
index 93c4f83..b05d5d9 100644
--- a/config/lhn2ix.txt
+++ b/config/lhn2ix.txt
@@ -1,3 +1,98 @@
+set firewall all-ping enable
+set firewall broadcast-ping disable
+set firewall ipv6-name DN42v6_IN default-action drop
+set firewall ipv6-name DN42v6_IN description 'DN42 traffic through the router'
+set firewall ipv6-name DN42v6_IN enable-default-log
+set firewall ipv6-name DN42v6_IN rule 10 action accept
+set firewall ipv6-name DN42v6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name DN42v6_IN rule 10 state established enable
+set firewall ipv6-name DN42v6_IN rule 10 state related enable
+set firewall ipv6-name DN42v6_IN rule 20 action drop
+set firewall ipv6-name DN42v6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name DN42v6_IN rule 20 state invalid enable
+set firewall ipv6-name DN42v6_IN rule 30 action accept
+set firewall ipv6-name DN42v6_IN rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name DN42v6_IN rule 30 protocol ipv6-icmp
+set firewall ipv6-name DN42v6_IN rule 100 action accept
+set firewall ipv6-name DN42v6_IN rule 100 description 'Allow anything from tnet (tcp)'
+set firewall ipv6-name DN42v6_IN rule 100 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 100 source address 'fdb1:4242:3538:2000::/52'
+set firewall ipv6-name DN42v6_IN rule 101 action accept
+set firewall ipv6-name DN42v6_IN rule 101 description 'Allow anything from tnet (udp)'
+set firewall ipv6-name DN42v6_IN rule 101 protocol udp
+set firewall ipv6-name DN42v6_IN rule 101 source address 'fdb1:4242:3538:2000::/52'
+set firewall ipv6-name DN42v6_IN rule 200 action accept
+set firewall ipv6-name DN42v6_IN rule 200 description 'Allow SSH'
+set firewall ipv6-name DN42v6_IN rule 200 destination port 22
+set firewall ipv6-name DN42v6_IN rule 200 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 201 action accept
+set firewall ipv6-name DN42v6_IN rule 201 description 'Allow HTTP'
+set firewall ipv6-name DN42v6_IN rule 201 destination port 80
+set firewall ipv6-name DN42v6_IN rule 201 protocol tcp
+set firewall ipv6-name DN42v6_IN rule 202 action accept
+set firewall ipv6-name DN42v6_IN rule 202 description 'Allow HTTPS'
+set firewall ipv6-name DN42v6_IN rule 202 destination port https
+set firewall ipv6-name DN42v6_IN rule 202 protocol tcp
+set firewall ipv6-name DN42v6_LOCAL default-action drop
+set firewall ipv6-name DN42v6_LOCAL description 'DN42 inbound traffic to the router'
+set firewall ipv6-name DN42v6_LOCAL enable-default-log
+set firewall ipv6-name DN42v6_LOCAL rule 10 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name DN42v6_LOCAL rule 10 state established enable
+set firewall ipv6-name DN42v6_LOCAL rule 10 state related enable
+set firewall ipv6-name DN42v6_LOCAL rule 20 action drop
+set firewall ipv6-name DN42v6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name DN42v6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name DN42v6_LOCAL rule 30 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name DN42v6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name DN42v6_LOCAL rule 40 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 40 description 'Allow SSH'
+set firewall ipv6-name DN42v6_LOCAL rule 40 destination port 22
+set firewall ipv6-name DN42v6_LOCAL rule 40 protocol tcp
+set firewall ipv6-name DN42v6_LOCAL rule 50 action accept
+set firewall ipv6-name DN42v6_LOCAL rule 50 description 'Allow BGP'
+set firewall ipv6-name DN42v6_LOCAL rule 50 destination port 179
+set firewall ipv6-name DN42v6_LOCAL rule 50 protocol tcp
+set firewall ipv6-name WANv6_IN default-action drop
+set firewall ipv6-name WANv6_IN description 'WAN inbound traffic forwarded to LAN'
+set firewall ipv6-name WANv6_IN rule 10 action accept
+set firewall ipv6-name WANv6_IN rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_IN rule 10 state established enable
+set firewall ipv6-name WANv6_IN rule 10 state related enable
+set firewall ipv6-name WANv6_IN rule 20 action drop
+set firewall ipv6-name WANv6_IN rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_IN rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL default-action drop
+set firewall ipv6-name WANv6_LOCAL description 'WAN inbound traffic to the router'
+set firewall ipv6-name WANv6_LOCAL enable-default-log
+set firewall ipv6-name WANv6_LOCAL rule 10 action accept
+set firewall ipv6-name WANv6_LOCAL rule 10 description 'Allow established/related sessions'
+set firewall ipv6-name WANv6_LOCAL rule 10 state established enable
+set firewall ipv6-name WANv6_LOCAL rule 10 state related enable
+set firewall ipv6-name WANv6_LOCAL rule 20 action drop
+set firewall ipv6-name WANv6_LOCAL rule 20 description 'Drop invalid state'
+set firewall ipv6-name WANv6_LOCAL rule 20 state invalid enable
+set firewall ipv6-name WANv6_LOCAL rule 30 action accept
+set firewall ipv6-name WANv6_LOCAL rule 30 description 'Allow IPv6 icmp'
+set firewall ipv6-name WANv6_LOCAL rule 30 protocol ipv6-icmp
+set firewall ipv6-name WANv6_LOCAL rule 40 action accept
+set firewall ipv6-name WANv6_LOCAL rule 40 description 'Allow DHCPv6'
+set firewall ipv6-name WANv6_LOCAL rule 40 destination port 546
+set firewall ipv6-name WANv6_LOCAL rule 40 protocol udp
+set firewall ipv6-name WANv6_LOCAL rule 40 source port 547
+set firewall ipv6-name WANv6_LOCAL rule 50 action accept
+set firewall ipv6-name WANv6_LOCAL rule 50 description 'Allow SSH'
+set firewall ipv6-name WANv6_LOCAL rule 50 destination port 22
+set firewall ipv6-name WANv6_LOCAL rule 50 protocol tcp
+set firewall ipv6-receive-redirects disable
+set firewall ipv6-src-route disable
+set firewall ip-src-route disable
+set firewall log-martians enable
+set firewall receive-redirects disable
+set firewall send-redirects enable
+set firewall source-validation disable
+set firewall syn-cookies enable
 set interfaces ethernet eth0 address dhcp
 set interfaces ethernet eth0 description Internet
 set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 host-address '::1'
@@ -6,6 +101,8 @@ set interfaces ethernet eth0 dhcpv6-pd pd 0 interface switch0 service slaac
 set interfaces ethernet eth0 dhcpv6-pd pd 0 prefix-length 56
 set interfaces ethernet eth0 dhcpv6-pd rapid-commit enable
 set interfaces ethernet eth0 duplex auto
+set interfaces ethernet eth0 firewall in ipv6-name WANv6_IN
+set interfaces ethernet eth0 firewall local ipv6-name WANv6_LOCAL
 set interfaces ethernet eth0 ipv6 address
 set interfaces ethernet eth0 ipv6 dup-addr-detect-transmits 1
 set interfaces ethernet eth0 poe output off
@@ -57,6 +154,8 @@ set interfaces switch switch0 switch-port interface eth4
 set interfaces switch switch0 switch-port vlan-aware disable
 set interfaces wireguard wg1 address 'fdb1:4242:3538:2f02::b/64'
 set interfaces wireguard wg1 description tnet-knot
+set interfaces wireguard wg1 firewall in ipv6-name DN42v6_IN
+set interfaces wireguard wg1 firewall local ipv6-name DN42v6_LOCAL
 set interfaces wireguard wg1 mtu 1420
 set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= allowed-ips '::0/0'
 set interfaces wireguard wg1 peer Up8+DhBlMp+/fpaxyGDQBnH/4tZnHojcAKZWCr5sSAk= endpoint 'knot.inamo.no:51002'
|
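Review bot: WANv6_LOCAL rule 50 and DN42v6_LOCAL rule 40 accept TCP/22 to the router from any source address, so once the rulesets are bound SSH is exposed to the entire IPv6 Internet on eth0 and to every DN42 participant on wg1. For the DN42 side the rule can reuse the prefix rules 100/101 already trust, `set firewall ipv6-name DN42v6_LOCAL rule 40 source address 'fdb1:4242:3538:2000::/52'`; for the WAN side either pin a management prefix the same way or drop rule 50 and manage the router over wg1, and where the platform supports it add `recent count 3` / `recent time 60` to the rule to throttle brute force. `source-validation disable` switches reverse-path filtering off entirely, whereas `loose` normally keeps asymmetric BGP/DN42 paths working while still discarding sources for which no route exists at all. WANv6_IN is the only one of the four rulesets without `enable-default-log`, so drops of forwarded WAN traffic leave no trace while the other three log theirs; add it unless the log volume is the reason it was left out. DN42v6_IN rules 200–202 also carry no `destination address`, so they forward SSH/HTTP/HTTPS from any DN42 source to every host behind the router rather than to one intended server; confirm that is deliberate.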
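Review bot: The new `firewall in` / `firewall local` bindings on eth0 reference only `ipv6-name` rulesets, yet the context lines show eth0 also takes an IPv4 address via `address dhcp`, and nothing in this commit adds an IPv4 `name` counterpart. If no IPv4 ruleset is attached to eth0 elsewhere in the file, IPv4 on the WAN side, including the router's own services, stays unfiltered and undoes much of what WANv6_LOCAL achieves. Either confirm an IPv4 ruleset is already bound outside this hunk or add one here with the same established/related, invalid-drop and default-drop structure, e.g. `set interfaces ethernet eth0 firewall in name WAN_IN` and `set interfaces ethernet eth0 firewall local name WAN_LOCAL`.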
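Review bot: Binding DN42v6_IN to wg1 makes the `source address 'fdb1:4242:3538:2000::/52'` accept-all rules the effective trust boundary for forwarded DN42 traffic, but the peer on this interface has `allowed-ips '::0/0'`, so WireGuard accepts any source address from it and, with `source-validation disable` set in the same commit, nothing on this router rejects a packet that merely claims a tnet source. That is defensible if the remote end (tnet-knot) is operated by the same party and filters its own ingress, but it is an assumption the config does not record; a comment such as `# DN42v6_IN rules 100/101 trust the tnet /52 on the strength of the remote peer's filtering, not local RPF` at the binding would make it explicit. Alternatively add a drop rule in DN42v6_IN for sources that must never arrive over wg1, such as this router's own `fdb1:4242:3538:2f02::/64`, ahead of rules 100/101.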