Authored By
panachoi
May 27 2022, 4:51 AM
2022-05-27 04:51:26 (UTC+0)
Size
127 KB
private.cfg
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
address-group BareOS_Servers {
address xxx.xxx.141.13
address xxx.xxx.141.2
}
address-group Chollo {
address xxx.xxx.130.178
address xxx.xxx.130.179
address xxx.xxx.130.180
address xxx.xxx.130.185
address xxx.xxx.130.177
address xxx.xxx.130.181
}
address-group Chusma {
address xxx.xxx.130.172-xxx.xxx.130.175
}
address-group children {
address xxx.xxx.130.172-xxx.xxx.130.180
}
address-group deb-ubu-mirrors {
address xxx.xxx.53.171
address xxx.xxx.132.32
address xxx.xxx.242.89
address xxx.xxx.132.250
address xxx.xxx.149.233
address xxx.xxx.112.204
description "Debian/Ubuntu Mirrors"
}
address-group dmz_dns_ntp {
address xxx.xxx.129.2
address xxx.xxx.129.6
address xxx.xxx.129.1
address xxx.xxx.129.5
}
address-group dmz_infra_servers {
address xxx.xxx.129.2
address xxx.xxx.129.5
}
address-group fileservers {
address xxx.xxx.141.8
address xxx.xxx.141.1
}
address-group google_dns {
address xxx.xxx.8.8
address xxx.xxx.4.4
}
address-group int_dns_servers {
address xxx.xxx.141.3
address xxx.xxx.141.15
address xxx.xxx.141.20
address xxx.xxx.141.1
address xxx.xxx.141.8
}
address-group int_ntp_servers {
address xxx.xxx.141.23-xxx.xxx.141.27
address xxx.xxx.141.5-xxx.xxx.141.6
address xxx.xxx.141.13
description "Internal NTP Servers"
}
address-group kids_allowed_sites {
address xxx.xxx.73.6
address xxx.xxx.250.108
address xxx.xxx.129.2
address xxx.xxx.73.26
address xxx.xxx.210.28-xxx.xxx.210.30
address xxx.xxx.121.147
address xxx.xxx.87.51
address xxx.xxx.194.31
address xxx.xxx.157.111
address xxx.xxx.11.203
address xxx.xxx.201.147
address xxx.xxx.116.200
address xxx.xxx.223.41
address xxx.xxx.168.12
address xxx.xxx.43.217
address xxx.xxx.157.112
address xxx.xxx.40.64-xxx.xxx.40.90
description "Permitted Sites for Kids"
}
address-group kids_banned_sites {
address xxx.xxx.162.5
address xxx.xxx.35.232
address xxx.xxx.139.0-xxx.xxx.139.255
description "Sites that are banned for Kids"
}
address-group moxa_allowed_hosts {
address xxx.xxx.141.0-xxx.xxx.141.254
address xxx.xxx.4.5
address xxx.xxx.128.242-xxx.xxx.128.254
description "Hosts allowed access to MOXA Serial Device Servers"
}
address-group moxa_nports {
address xxx.xxx.143.244
address xxx.xxx.143.248
description "MOXA Nport Serial Device Addresses"
}
address-group package_servers {
address xxx.xxx.10.36
address xxx.xxx.103.38
address xxx.xxx.103.41
address xxx.xxx.13.129
description "Package servers for Vyatta/Debian"
}
address-group radius_servers {
address xxx.xxx.141.20
address xxx.xxx.141.62
address xxx.xxx.141.8
address xxx.xxx.141.1
description "Internal RADIUS Servers"
}
address-group trusted_external_hosts {
address xxx.xxx.4.5
address xxx.xxx.128.242-xxx.xxx.128.254
address xxx.xxx.44.193-xxx.xxx.44.206
address xxx.xxx.157.133
address xxx.xxx.238.193-xxx.xxx.238.195
address xxx.xxx.238.225
address xxx.xxx.162.10
address xxx.xxx.4.247
address xxx.xxx.188.7
description "Trusted External Hosts"
}
address-group ubiquiti {
address xxx.xxx.157.3
address xxx.xxx.83.111
address xxx.xxx.247.231
address xxx.xxx.148.35
address xxx.xxx.177.66
address xxx.xxx.121.9
description "Ubiquiti Networks Web"
}
network-group Martians {
description "Bogons from RFCs 1918 and 5735"
network xxx.xxx.0.0/8
network xxx.xxx.0.0/12
network xxx.xxx.0.0/16
network xxx.xxx.0.0/8
network xxx.xxx.0.0/16
network xxx.xxx.2.0/24
network xxx.xxx.0.0/15
network xxx.xxx.0.0/4
network xxx.xxx.0.0/24
network xxx.xxx.99.0/24
network xxx.xxx.100.0/24
network xxx.xxx.113.0/24
}
network-group Nets4-BlackList {
description "Blacklisted IPv4 Sources"
}
network-group amazonaws {
network xxx.xxx.192.0/19
network xxx.xxx.0.0/15
network xxx.xxx.141.53/32
}
network-group blocked_nets_in {
description "Blocked Networks inbound"
network xxx.xxx.212.0/22
network xxx.xxx.40.0/21
network xxx.xxx.222.0/23
network xxx.xxx.64.0/20
network xxx.xxx.160.0/24
network xxx.xxx.0.0/15
}
network-group facebook {
description "Facebook AS32934 Networks"
network xxx.xxx.96.0/22
network xxx.xxx.0.0/16
network xxx.xxx.64.0/18
network xxx.xxx.192.0/22
network xxx.xxx.216.0/22
network xxx.xxx.20.0/22
network xxx.xxx.64.0/18
network xxx.xxx.40.0/22
network xxx.xxx.144.0/20
network xxx.xxx.224.0/19
network xxx.xxx.176.0/20
network xxx.xxx.76.0/22
}
network-group gaming {
description "Game Hosting IPs"
}
network-group geoblock {
description "GeoBlocked Networks"
}
network-group icdc-networks {
description "ICDC Internal Networks for IPSec"
}
network-group kids-machines {
description "Subnet range for Kids Machines"
network xxx.xxx.130.176/28
}
network-group snort.org {
description "Snort.org C network"
network xxx.xxx.102.0/24
network xxx.xxx.192.0/19
network xxx.xxx.248.120/31
}
network-group trusted_networks {
description "Networks considered Trustworthy"
network xxx.xxx.128.240/28
network xxx.xxx.141.0/24
network xxx.xxx.188.0/24
network xxx.xxx.78.0/24
}
network-group wikipedia {
description "Wikipedia Servers"
network xxx.xxx.174.0/24
network xxx.xxx.152.0/22
}
port-group CAPWAPP {
description "Lightweight Access Point Traffic"
port 12222-12223
port 5246-5247
}
port-group RTP_Media {
description "RTP Media Ports"
}
port-group XMPP {
port 5222
port 5269
port 5280
port 443
port 993
port 5443
port 80
}
port-group cisco_ts_lines {
description "NM-32 Ports on Cisco Terminal Server"
port 2033-2064
port 23
}
port-group dmz_tcp_inbound {
description "Incoming TCP ports to DMZ"
port 25
port 465
port 80
port 993
port 587
}
port-group dmz_tcp_outbound {
description "Outgoing TCP ports from DMZ"
port 25
port 2703
port 465
port 80
port 443
}
port-group dmz_udp_outbound {
description "Outgoing UDP ports from DMZ"
port 123
port 53
port 6277
}
port-group fileservice_ports {
port 548
port 445
}
port-group internet_to_fts {
description "Allowed ports from Internet to xxx.xxx.44.192/28"
port 22
port 25
port 80
port 443
port 465
port 993
port 2022
port 8440-8450
port 12000
port 17283
port 9080-9082
port 5060-5061
port 4444
}
port-group mail {
description "Ports used for Mail"
port 25
port 465
port 587
port 993
}
port-group management {
description "Ports used for Management"
port 2022
port 22
port 443
port 8443-8445
}
port-group moxa_in {
description "MOXA Nport Inbound Ports for serial Communication"
port 966-969
port 950-953
}
port-group moxa_out {
description "MOXA Nport Outbound Ports for Serial Communication"
port 950-953
port 966-969
}
port-group radius_ports {
port 1812-1813
}
port-group steam {
port 27000-27040
port 4379-4380
port 3478
}
port-group telephony_signalling {
description "SIP and IAX Ports"
port 4569
port 5060-5080
}
port-group web_redirection_ports {
description "ports for HTTP redirection"
port 9080-9085
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name DMZ_In {
default-action drop
description "Permit Bareos to Internal Server"
enable-default-log
rule 10 {
action accept
description "Allow Return packets from Originated connections"
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow TCP outbound from DNS/Mail Exchanger in DMZ"
destination {
group {
port-group dmz_tcp_outbound
}
}
protocol tcp
source {
address xxx.xxx.129.1-xxx.xxx.129.2
}
state {
established enable
new enable
related enable
}
}
rule 30 {
action accept
description "Allow UDP outbound from DMZ Hosts"
destination {
group {
}
port 53,123,6277
}
protocol udp
source {
group {
address-group dmz_dns_ntp
}
}
state {
established enable
new enable
related enable
}
}
rule 40 {
action accept
description "Permit DNS Zone Transfer from DMZ DNS"
destination {
port 53
}
protocol tcp
source {
address xxx.xxx.129.1-xxx.xxx.129.2
}
state {
established enable
new enable
related enable
}
}
rule 50 {
action accept
description "Permit SIP Signalling from PBX"
destination {
}
disable
protocol udp
source {
address xxx.xxx.129.3
port 5060
}
state {
established enable
new enable
related enable
}
}
rule 60 {
action accept
description "Permit IAX Signalling from PBX"
destination {
port 4569
}
disable
protocol tcp
source {
address xxx.xxx.129.3
}
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Permit syslog from DMZ Network"
destination {
port 514
}
protocol udp
source {
address xxx.xxx.129.0/27
}
state {
new enable
}
}
rule 80 {
action accept
description "Permit Traffic from WWWDMZ"
destination {
port 80
}
protocol tcp
source {
address xxx.xxx.129.4-xxx.xxx.129.6
}
state {
established enable
new enable
related enable
}
}
rule 82 {
action accept
description "Permit Traffic from dmzservices"
destination {
address xxx.xxx.0.0/0
}
protocol tcp_udp
source {
address xxx.xxx.129.6
}
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
description "Allow TCP Outbound from PBXinaFlash"
destination {
port 80
}
protocol tcp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
rule 92 {
action accept
description "Permit SIP/IAX/RTP/UDPTL udp from PBXinaFlash"
protocol udp
source {
address xxx.xxx.129.5
port 4000-4999,4569,5060-5080,10000-20000
}
state {
established enable
new enable
related enable
}
}
rule 94 {
action accept
description "Permit IAX Signalling from PBX"
destination {
port 4569
}
disable
protocol udp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
rule 96 {
action accept
description "TCP Outbound from PBXinaFlash"
protocol tcp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
rule 98 {
action accept
description "UDP Outbound from PBXinaFlash"
destination {
port 53,123,3478
}
protocol udp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
rule 100 {
action accept
description "Permit BareOS to Internal Server"
destination {
group {
address-group BareOS_Servers
}
port 9101,9103
}
protocol tcp
source {
address xxx.xxx.129.0/27
}
state {
new enable
}
}
rule 110 {
action accept
description "Permit PBX to send CID to MediaCenter"
destination {
address xxx.xxx.141.156
port 8080
}
protocol tcp
source {
address xxx.xxx.129.5/32
}
state {
new enable
}
}
rule 120 {
action accept
description "Permit PBX to send CID to dreambox"
destination {
address xxx.xxx.141.14
port 80
}
protocol tcp
source {
address xxx.xxx.129.5/32
}
state {
new enable
}
}
}
name DMZ_Out {
default-action drop
description "Traffic Inbound to DMZ"
enable-default-log
rule 10 {
action accept
description "Permit return packets from originated connections"
state {
established enable
related enable
}
}
rule 15 {
action accept
description "Permit management ports from Trusted"
destination {
address xxx.xxx.129.0/27
port 22,80,443,8083
}
protocol tcp
source {
group {
network-group trusted_networks
}
}
}
rule 20 {
action accept
description "Permit Inbound TCP to DNS/Mail Exchanger in DMZ"
destination {
address xxx.xxx.129.1-xxx.xxx.129.2
port 22,25,53,465,587,993
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 24 {
action accept
description "Permit Inbound TCP to PBXinaFlash in DMZ"
destination {
address xxx.xxx.129.5
port 22,80,443,5060-5065
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 30 {
action accept
description "Permit Inbound UDP to DNS/Mail Exchanger in DMZ"
destination {
group {
address-group dmz_dns_ntp
}
port 53,123
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 40 {
action accept
description "permit DNS udp replies"
destination {
address xxx.xxx.129.2
}
protocol udp
source {
port 53
}
state {
established enable
related enable
}
}
rule 50 {
action accept
description "Permit Inbound SIP Signalling to PBX"
destination {
address xxx.xxx.129.3
port 5060-5080,10000-20000
}
disable
protocol udp
state {
established enable
new enable
related enable
}
}
rule 52 {
action accept
description "Permit Inbound SIP/IAX/RTP/UDPTL to PBXinaFlash"
destination {
address xxx.xxx.129.5
port 4000-4999,4569,5060-5080,10000-20000
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 60 {
action accept
description "Permit Inbound IAX Signalling to PBX"
destination {
address xxx.xxx.129.3
port 80,443,4569
}
disable
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Permit Traffic to DMZServices"
destination {
address xxx.xxx.129.6
port 53,80,443,993,5222,5269,5280,5443,8083,8888,9050
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Permit Traffic to WWWDMZ"
destination {
address xxx.xxx.129.4
port 22,80
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 88 {
action accept
description "Permit SNMP from Internal for Monitoring"
destination {
address xxx.xxx.129.0/27
port 161
}
protocol udp
source {
address xxx.xxx.141.0/24
}
}
rule 90 {
action accept
description "Permit ICMP from internal for monitoring"
destination {
address xxx.xxx.129.0/27
}
icmp {
code 0
type 8
}
protocol icmp
source {
address xxx.xxx.141.0/24
}
}
rule 100 {
action accept
description "Permit bareos-dir to connect to bareos-fd in DMZ"
destination {
address xxx.xxx.129.0/27
port 9102
}
protocol tcp
source {
group {
address-group BareOS_Servers
}
}
state {
established enable
new enable
related enable
}
}
}
name Internet2Local {
default-action drop
enable-default-log
rule 10 {
action drop
description "Drop DHCP Traffic"
destination {
port 68
}
protocol udp
source {
address xxx.xxx.0.1
port 67
}
state {
new enable
}
}
rule 20 {
action accept
description "Allow Incoming Path MTU Discovery (destination-unreachable/fragmentation-needed)"
icmp {
code 4
type 3
}
protocol icmp
state {
new enable
}
}
rule 22 {
action accept
description "Allow Incoming Source Quench"
icmp {
type-name source-quench
}
protocol icmp
state {
new enable
}
}
rule 24 {
action accept
description "Allow Inbound Echo-Request"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 26 {
action accept
description "Allow Inbound Echo-Request"
protocol icmp
}
rule 86 {
action accept
description "Permit IPSec ESP"
protocol esp
state {
established enable
new enable
related enable
}
}
rule 88 {
action accept
description "Allow VPN Termination"
destination {
port 500,1194,4500,51820,51821
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
description "Permit IPSec Encapsulated Packets"
ipsec {
match-ipsec
}
}
rule 100 {
action accept
description "Allow Vyatta to do DNS lookups"
protocol udp
source {
port 53
}
state {
established enable
related enable
}
}
rule 120 {
action accept
description "Allow Vyatta to NTP on Internet"
protocol udp
source {
port 123
}
state {
established enable
related enable
}
}
rule 150 {
action accept
description "Allow Trusted External Hosts Management Access"
destination {
port 2022,8443
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
}
rule 160 {
action accept
description "Permit Download of Snort.org rulesets"
protocol tcp
source {
group {
network-group snort.org
}
port 80,443
}
}
rule 165 {
action accept
description "Permit http and https downloads"
protocol tcp
source {
port 43,80,443
}
state {
established enable
related enable
}
}
rule 170 {
action accept
disable
protocol tcp
source {
group {
address-group package_servers
}
port 80,443
}
state {
established enable
related enable
}
}
rule 180 {
action accept
description "Allow dynamic DNS replies from dynupdate.no-ip.com"
protocol tcp
source {
address xxx.xxx.224.120
port 443
}
state {
established enable
related enable
}
}
rule 185 {
action accept
description "Allow dynamic DNS replies from updates.dnsomatic.com"
protocol tcp
source {
address xxx.xxx.92.215
port 443
}
state {
established enable
related enable
}
}
rule 190 {
action accept
description "Permit Inbound OSCam"
destination {
port 17283
}
disable
protocol tcp
source {
address xxx.xxx.0.0/0
}
state {
new enable
}
}
rule 500 {
action accept
icmp {
type 8
}
protocol icmp
source {
address xxx.xxx.2.0/26
}
}
}
name Internet_In {
default-action drop
description "Traffic Permitted Inbound from Internet"
enable-default-log
rule 1 {
action accept
description "Allow Return packets from Originated connections"
disable
state {
established enable
related enable
}
}
rule 3 {
action drop
description "Block Networks based on Geo-Location"
protocol all
source {
group {
network-group geoblock
}
}
state {
established disable
new enable
related disable
}
}
rule 4 {
action drop
description "Block Networks on Blacklist"
protocol all
source {
group {
network-group Nets4-BlackList
}
}
state {
established disable
new enable
related disable
}
}
rule 5 {
action drop
description "Block Banned Networks"
protocol all
source {
group {
network-group blocked_nets_in
}
}
state {
established disable
new enable
related disable
}
}
rule 7 {
action drop
description "Drop SMTP to PBX"
destination {
address xxx.xxx.129.5
port 25
}
protocol tcp
}
rule 9 {
action drop
description "Drop Unwanted Packets"
destination {
port 23,135-139,445,1433,1434,3306
}
protocol tcp_udp
}
rule 10 {
action accept
description "Allow Return packets from Originated connections"
state {
established enable
related enable
}
}
rule 12 {
action accept
description "Allow ICMP Destination Unreachable"
icmp {
code 4
type 3
}
protocol icmp
state {
new enable
}
}
rule 14 {
action accept
description "Allow ICMP Source Quench"
icmp {
type-name source-quench
}
protocol icmp
state {
new enable
}
}
rule 16 {
action accept
description "Allow ICMP Echo-Request"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 20 {
action accept
description "Allow ESP (IPsec) to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
}
protocol esp
}
rule 22 {
action accept
description "Allow isakmp+openvpn to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 500,1194
}
protocol udp
}
rule 26 {
action accept
description "Permit IPSec encapsulated packets from Apartment Spain"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.79.0/24
}
state {
established enable
new enable
related enable
}
}
rule 28 {
action accept
description "Permit IPSec encapsulated packets from ADDM"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.32.0/24
}
state {
established enable
new enable
related enable
}
}
rule 30 {
action accept
description "Permit IPSec encapsulated packets from ICDC"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.45.0/22
group {
}
}
state {
established enable
new enable
related enable
}
}
rule 32 {
action accept
description "Permit IPSec encapsulated packets from DiCandilo Berwyn"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.1.0/24
group {
}
}
state {
established enable
new enable
related enable
}
}
rule 34 {
action accept
description "Permit IPSec encapsulated packets from Securosys"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.171.0/24
}
state {
established enable
new enable
related enable
}
}
rule 36 {
action accept
description "Permit IPSec encapsulated packets from test networks xxx.xxx.176.0/20"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.176.0/20
}
state {
established enable
new enable
related enable
}
}
rule 37 {
action accept
description "Permit IPSec encap packets from ACP AG Internal"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.2.0/23
}
state {
established enable
new enable
related enable
}
}
rule 38 {
action accept
description "Permit IPSec encap packets from ACP AG DMZ"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.7.0/24
}
state {
established enable
new enable
related enable
}
}
rule 40 {
action accept
description "Allow DNS UDP traffic to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 53
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 42 {
action accept
description "Allow DNS TCP traffic to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 53
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 44 {
action accept
destination {
address xxx.xxx.44.192/28
}
protocol udp
source {
port 53
}
state {
established enable
new enable
related enable
}
}
rule 46 {
action accept
destination {
address xxx.xxx.44.192/28
}
protocol tcp
source {
port 53
}
state {
established enable
new enable
related enable
}
}
rule 48 {
action accept
description "Allow DNS UDP to DMZ"
destination {
address xxx.xxx.129.2
port 53
}
protocol udp
state {
new enable
related enable
}
}
rule 49 {
action accept
description "Allow DNS TCP (Zone XFER) to DMZ"
destination {
address xxx.xxx.129.2
port 53
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 50 {
action accept
description "Allow NTP Traffic to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 123
}
protocol udp
state {
new enable
related enable
}
}
rule 52 {
action accept
destination {
address xxx.xxx.44.192/28
}
protocol udp
source {
port 123
}
state {
new enable
related enable
}
}
rule 54 {
action accept
description "Permit Inbound NTP to DMZ"
destination {
address xxx.xxx.129.1-xxx.xxx.129.2
port 123
}
protocol udp
state {
new enable
}
}
rule 56 {
action accept
description "Permit Inbound NTP to internal NTP server"
destination {
group {
address-group int_ntp_servers
}
port 123
}
protocol udp
state {
new enable
}
}
rule 60 {
action accept
description "TCP Traffic Inbound Permitted to xxx.xxx.44.192/28"
destination {
address xxx.xxx.44.192/28
group {
port-group internet_to_fts
}
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 62 {
action accept
description "Allow access to Minecraft server"
destination {
address xxx.xxx.141.158
port 25565
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Allow SIP/IAX2/RTP Incoming"
destination {
address xxx.xxx.44.192/28
port 4569,5060-5080,10000-20000
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 72 {
action accept
description "Permit Inbound SIP/IAX/RTP/UDPTL to PBX in DMZ UDP"
destination {
address xxx.xxx.129.5
port 4000-4999,4569,5060-5080,10000-20000
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 74 {
action accept
description "Permit Inbound TCP SIP/SIP-TLS to PBX in DMZ"
destination {
address xxx.xxx.129.5
port 5060-5065
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 76 {
action accept
description "Permit RTP Audio Inbound"
destination {
group {
port-group RTP_Media
}
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Permit Inbound Mail Traffic to Mail Server DMZ"
destination {
address xxx.xxx.129.1-xxx.xxx.129.2
group {
port-group mail
}
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 82 {
action accept
description "Permit ssh to Mail Exchange"
destination {
address xxx.xxx.129.2
port 22
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 84 {
action accept
description "Permit Trusted External hosts Askozia Management(Https)"
destination {
address xxx.xxx.129.3
port 80,443
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 85 {
action accept
description "Permit Trusted External hosts PBXinaFlash Management"
destination {
address xxx.xxx.129.5
port 22,80,443,9001
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 86 {
action accept
description "Permit Inbound WWW to DMZ WWW"
destination {
address xxx.xxx.129.4
port 80
}
disable
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
description "Permit XMPP/Jabber to DMZServices"
destination {
address xxx.xxx.129.6
group {
port-group XMPP
}
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 92 {
action accept
description "Permit access to TOR Proxy from Trusted External Hosts"
destination {
address xxx.xxx.129.6
port 9050
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 100 {
action accept
description "Allow ICMP Echo Requests from ETH (Smokeping)"
destination {
address xxx.xxx.44.192/28
}
icmp {
type 8
}
protocol icmp
source {
address xxx.xxx.2.0/26
}
}
rule 110 {
action accept
description "Allow ICMP Echo Replies"
destination {
address xxx.xxx.44.192/28
}
icmp {
type 0
}
protocol icmp
}
rule 150 {
action accept
description "Permit Inbound Web Redirection (Zenoss)"
destination {
address xxx.xxx.141.30
port 8080
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 154 {
action accept
description "Permit Inbound Web Redirection (New Server)"
destination {
address xxx.xxx.141.3
port 80
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 158 {
action accept
description "Permit Inbound Web Redirection"
destination {
address xxx.xxx.141.114
port 80
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 165 {
action accept
description "Permit Inbound MOXA Nport Redirection"
destination {
group {
address-group moxa_nports
}
port 950-969
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
rule 900 {
action accept
description "Permit Inbound NewCS Cardsharing"
destination {
address xxx.xxx.141.3
port 12000
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 910 {
action accept
description "Permit IMAP/S Test to vmail"
destination {
address xxx.xxx.141.17
port 993
}
protocol tcp
state {
established enable
new enable
related enable
}
}
}
name Internet_Out {
default-action drop
description "Traffic Permitted Outbound to Internet"
enable-default-log
rule 4 {
action drop
description "Deny Kids Banned Sites"
destination {
group {
address-group kids_banned_sites
}
}
}
rule 6 {
action drop
description "Deny Outbound Minecraft"
destination {
port 25565
}
log enable
protocol tcp
}
rule 10 {
action drop
description "Drop Facebook"
destination {
group {
network-group facebook
}
}
disable
log enable
}
rule 15 {
action drop
description "Drop Gaming"
destination {
group {
network-group gaming
}
}
log enable
time {
starttime xxxx
:
xxxx:00
stoptime xxxx
:
xxxx:00
weekdays Mon,Tue,Wed,Thu,Fri
}
}
rule 99 {
action accept
description "Allow outgoing connections originated through firewall"
state {
established enable
new enable
related enable
}
}
rule 100 {
action accept
description "Permit traffic to ADDM"
destination {
address xxx.xxx.32.0/24
}
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 110 {
action accept
description "Permit traffic to ICDC"
destination {
address xxx.xxx.47.0/22
group {
}
}
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 120 {
action accept
description "Permit traffic to Securosys"
destination {
address xxx.xxx.171.0/24
}
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 9000 {
action accept
log enable
source {
address xxx.xxx.44.192/28
}
state {
established enable
new enable
related enable
}
}
}
name Management_In {
default-action drop
enable-default-log
rule 20 {
action drop
description "Drop UPnP"
destination {
address xxx.xxx.0.0/0
}
protocol udp
source {
address xxx.xxx.143.0/24
port 1900
}
state {
established enable
new enable
related enable
}
}
rule 30 {
action accept
description "Allow return packets from UniFi Controller to OpenHAB"
destination {
address xxx.xxx.142.5
}
protocol tcp
source {
address xxx.xxx.143.129
port 8443
}
state {
established enable
related enable
}
}
rule 40 {
action accept
description "Allow RTP/RTSP Streams from Cameras"
destination {
address xxx.xxx.141.0/24
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 50 {
action accept
description "Allow NTP queries from Management hosts"
destination {
group {
address-group int_ntp_servers
}
port 123
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 60 {
action accept
description "Allow DNS queries from Management hosts"
destination {
group {
address-group int_dns_servers
}
port 53
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Allow Management hosts to send email alerts via DNS SMTP"
destination {
address xxx.xxx.129.2
port 25
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Allow SNMP query return packets"
destination {
address xxx.xxx.141.0/24
}
protocol udp
source {
address xxx.xxx.143.0/24
port 161
}
state {
established enable
related enable
}
}
rule 82 {
action accept
description "Allow Management Hosts to send SNMP Traps/Syslog/SFlow packets"
destination {
address xxx.xxx.141.0/24
port 162,514,6343
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 84 {
action accept
description "Allow icmp replies to internal"
destination {
address xxx.xxx.141.0/24
}
protocol icmp
source {
address xxx.xxx.143.0/24
}
state {
established enable
related enable
}
}
rule 86 {
action accept
description "Allow return packets from management ports on Management Network"
destination {
group {
network-group trusted_networks
}
}
protocol tcp
source {
address xxx.xxx.143.0/24
port 22,23,80,443,7578,8080,8443,9292
}
state {
established enable
related enable
}
}
rule 88 {
action accept
destination {
address xxx.xxx.141.0/24
}
protocol tcp
source {
address xxx.xxx.143.251
group {
port-group cisco_ts_lines
}
}
state {
established enable
related enable
}
}
rule 90 {
action accept
destination {
group {
address-group radius_servers
port-group radius_ports
}
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 100 {
action accept
destination {
address xxx.xxx.47.0/24
}
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 110 {
action accept
destination {
address xxx.xxx.32.0/24
}
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 120 {
action accept
description "Allow IPMI KVMoverIP"
destination {
group {
network-group trusted_networks
}
}
protocol tcp
source {
address xxx.xxx.143.0/24
port 5900-5901,5120
}
state {
established enable
new enable
related enable
}
}
rule 122 {
action accept
description "Allow IPMI Serial over IP"
destination {
group {
network-group trusted_networks
}
}
protocol udp
source {
address xxx.xxx.143.0/24
port 623
}
state {
established enable
new enable
related enable
}
}
rule 160 {
action accept
destination {
group {
address-group moxa_allowed_hosts
}
}
protocol tcp
source {
group {
address-group moxa_nports
port-group moxa_in
}
}
state {
established enable
new enable
related enable
}
}
rule 170 {
action accept
description "Allow Management access to LDAP,KRB5,SMB"
destination {
group {
network-group trusted_networks
}
port 88,464,445
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 200 {
action accept
description "Allow Management Access to Debian/Ubuntu Mirrors"
destination {
group {
address-group deb-ubu-mirrors
}
port 80,443
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 210 {
action accept
description "Allow Unifi Server access to UBNT Mirrors"
destination {
group {
address-group ubiquiti
}
port 80,443
}
protocol tcp
source {
address xxx.xxx.143.129
}
state {
established enable
new enable
related enable
}
}
}
name Management_Out {
default-action drop
enable-default-log
rule 10 {
action accept
description "Allow Established and Related Connections"
destination {
address xxx.xxx.143.0/24
}
protocol all
source {
address xxx.xxx.0.0/0
}
state {
established enable
related enable
}
}
rule 60 {
action accept
description "Permit Access from OpenHAB to UniFi Controller"
destination {
address xxx.xxx.143.129
port 8443
}
protocol tcp
source {
address xxx.xxx.142.5
}
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Permit return SMTP packets"
destination {
address xxx.xxx.143.0/24
}
protocol tcp
source {
address xxx.xxx.129.2
port 25
}
state {
established enable
related enable
}
}
rule 80 {
action accept
description "Permit SNMP access to subnet"
destination {
address xxx.xxx.143.0/24
port 161,554,5556,5557
}
protocol udp
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 82 {
action accept
description "Allow ICMP from Internal"
destination {
address xxx.xxx.143.0/24
}
protocol icmp
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 84 {
action accept
description "Permit access to management ports on management network"
destination {
address xxx.xxx.143.0/24
port 22,23,80,443,8080,8443,9292,554,5556,5557
}
protocol tcp
source {
group {
network-group trusted_networks
}
}
state {
established enable
new enable
related enable
}
}
rule 85 {
action accept
destination {
address xxx.xxx.143.251
group {
port-group cisco_ts_lines
}
}
protocol tcp
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
destination {
address xxx.xxx.143.0/24
}
log enable
protocol udp
source {
group {
address-group radius_servers
}
port 1812
}
state {
established enable
related enable
}
}
rule 95 {
action accept
description "Permit OpenVPN clients access to Management Network"
destination {
address xxx.xxx.143.0/24
}
source {
group {
network-group trusted_networks
}
}
state {
established enable
new enable
related enable
}
}
rule 100 {
action accept
destination {
address xxx.xxx.143.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.47.0/24
}
state {
established enable
new enable
related enable
}
}
rule 110 {
action accept
destination {
address xxx.xxx.143.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.32.0/24
}
state {
established enable
new enable
related enable
}
}
rule 120 {
action accept
description "Permit NTP return packets"
destination {
address xxx.xxx.143.0/24
}
protocol udp
source {
port 123
}
state {
established enable
new enable
related enable
}
}
rule 160 {
action accept
description "Allow Trusted External Hosts access to MOXA Serial Ports"
destination {
group {
address-group moxa_nports
port-group moxa_out
}
}
protocol tcp
source {
group {
address-group moxa_allowed_hosts
}
}
state {
established enable
new enable
related enable
}
}
}
name PublicAccess_In {
default-action drop
description "Traffic from PublicAccess Outbound"
enable-default-log
rule 35 {
action drop
description "Disable UPnP Discovery"
destination {
port 1900
}
protocol udp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 36 {
action drop
description "Drop Google DNS Queries"
destination {
group {
address-group google_dns
}
port 53
}
protocol tcp_udp
source {
address xxx.xxx.130.0/24
}
state {
new enable
}
}
rule 42 {
action accept
description "Allow access to proxy in DMZ"
destination {
address xxx.xxx.129.6
port 80,443,9050
}
protocol tcp
source {
address xxx.xxx.130.0/24
}
state {
new enable
}
}
rule 44 {
action accept
description "Allow Access to Fileservers"
destination {
group {
address-group fileservers
port-group fileservice_ports
}
}
protocol tcp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 48 {
action accept
description "Allow access to Jellyfin Server"
destination {
address xxx.xxx.141.2
port 8096
}
protocol tcp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 50 {
action drop
description "Time-based Permit for Chollo Gamer PC"
destination {
address xxx.xxx.0.0/0
}
log disable
source {
address xxx.xxx.130.179
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Sun,Mon,Tue,Wed,Thu,Fri,Sat
}
}
rule 54 {
action drop
description "Block Steam Gaming"
destination {
address xxx.xxx.0.0/0
group {
port-group steam
}
}
disable
log enable
protocol all
source {
group {
address-group Chollo
}
}
state {
new enable
}
}
rule 65 {
action accept
description "Open access for xxx.xxx.130.224/27"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
address xxx.xxx.130.224/27
}
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Allow return packets from Web Servers on Public_Access net"
destination {
address xxx.xxx.141.0/24
}
protocol tcp
source {
address xxx.xxx.130.0/24
port 23,80
}
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Allow management (UDP) traffic out"
destination {
address xxx.xxx.141.0/24
}
protocol udp
source {
address xxx.xxx.130.0/24
port 161,514
}
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
description "Allow APs to speak LWAPP/CAPWAP to Cisco WLC Controller"
destination {
address xxx.xxx.141.244
group {
port-group CAPWAPP
}
}
disable
protocol udp
source {
address xxx.xxx.130.0/24
}
state {
new enable
}
}
rule 100 {
action drop
description "Deny Children after 11pm Schoolnights"
destination {
address xxx.xxx.0.0/0
}
disable
log enable
source {
group {
address-group children
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays !Fri,Sat
}
}
rule 102 {
action drop
description "Deny Children LateNight"
destination {
address xxx.xxx.0.0/0
}
disable
log enable
source {
group {
address-group children
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
}
}
rule 115 {
action accept
description "Allow Outbound UDP (DNS/NTP/DHCP/IAX)"
destination {
address xxx.xxx.0.0/0
port 53,67,68,123,4569
}
protocol udp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 200 {
action accept
description "Allow access to Google Play Services"
destination {
address xxx.xxx.0.0/0
port 5228
}
disable
protocol tcp_udp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 1006 {
action accept
description "Allow Chusma"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
group {
address-group Chusma
}
}
state {
established enable
new enable
related enable
}
}
rule 1008 {
action accept
description "Allow Chollo"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
related enable
}
}
rule 1030 {
action accept
description "Weekday Time-based Permit for Chollo"
destination {
address xxx.xxx.0.0/0
}
disable
log disable
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Mon,Tue,Wed,Thu,Fri
}
}
rule 1035 {
action accept
description "Weekend Time-based Permit for Chollo"
destination {
address xxx.xxx.0.0/0
}
disable
log disable
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Sat,Sun
}
}
rule 1040 {
action accept
description "Allowed outbound for Chollo"
destination {
address xxx.xxx.0.0/0
port 80,443,587,993,5222
}
log disable
protocol tcp
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
}
}
rule 9000 {
action accept
description "Allow Random DHCP Clients"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
address xxx.xxx.130.192-xxx.xxx.130.221
}
state {
established enable
new enable
related enable
}
}
}
name PublicAccess_Out {
default-action drop
description "Traffic Inbound to PublicAccess"
enable-default-log
rule 100 {
action accept
description "Permit return packets from originated connections"
state {
established enable
related enable
}
}
rule 500 {
action accept
destination {
address xxx.xxx.130.0/24
}
protocol all
source {
address xxx.xxx.141.0/24
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
state-policy {
invalid {
action drop
}
}
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address xxx.xxx.129.30/27
description DMZ
duplex auto
firewall {
in {
name DMZ_In
}
out {
name DMZ_Out
}
}
hw-id XX:XX:XX:XX:XX:30
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth1 {
address xxx.xxx.130.254/24
description "Public Access"
duplex auto
firewall {
in {
name PublicAccess_In
}
out {
name PublicAccess_Out
}
}
hw-id XX:XX:XX:XX:XX:31
mtu 9000
smp-affinity auto
speed auto
traffic-policy {
out ShapePublicOutbound
}
}
ethernet eth2 {
address xxx.xxx.141.254/24
description Internal
duplex auto
hw-id XX:XX:XX:XX:XX:32
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth3 {
address xxx.xxx.143.254/24
description Management
duplex auto
firewall {
in {
name Management_In
}
out {
name Management_Out
}
}
hw-id XX:XX:XX:XX:XX:33
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth4 {
address xxx.xxx.44.193/28
address xxx.xxx.44.200/28
address xxx.xxx.44.201/28
address xxx.xxx.44.197/28
description "FTS Public Internet Subnet"
duplex auto
hw-id XX:XX:XX:XX:XX:34
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth5 {
address xxx.xxx.62.21/27
description InternetUplink
duplex auto
firewall {
in {
name Internet_In
}
local {
name Internet2Local
}
out {
name Internet_Out
}
}
hw-id XX:XX:XX:XX:XX:35
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth6 {
address xxx.xxx.142.254/24
description IoT
duplex auto
hw-id XX:XX:XX:XX:XX:36
mtu 9000
smp-affinity auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
description "OpenVPN Endpoint"
encryption aes256
hash sha512
local-host xxxxx.tld
local-port 1194
mode server
openvpn-option "--comp-lzo --push dhcp-option DOMAIN feigin.com --push dhcp-option DNS xxx.xxx.141.20 --push route xxx.xxx.140.0 xxx.xxx.252.0 --push route xxx.xxx.130.0 xxx.xxx.255.0 --push route xxx.xxx.129.0 xxx.xxx.255.224"
protocol udp
server {
subnet xxx.xxx.128.240/28
}
tls {
ca-cert-file xxxxxx
cert-file xxxxxx
dh-file xxxxxx
key-file xxxxxx
}
}
wireguard wg01 {
address xxx.xxx.188.1/24
description "Wireguard Endpoint"
peer GalaxyS7 {
allowed-ips xxx.xxx.188.3/32
persistent-keepalive 15
pubkey ****************
}
peer Hospitalet {
allowed-ips xxx.xxx.78.0/24
allowed-ips xxx.xxx.188.2/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer OpenWRT-Test {
allowed-ips xxx.xxx.188.9/32
allowed-ips xxx.xxx.83.0/24
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer OpenWRT-zbt826 {
allowed-ips xxx.xxx.188.6/32
allowed-ips xxx.xxx.84.0/24
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer PocoF3 {
allowed-ips xxx.xxx.188.4/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer XiaoMiNote5 {
allowed-ips xxx.xxx.188.5/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer ayahuasca {
allowed-ips xxx.xxx.188.7/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer x230 {
allowed-ips xxx.xxx.188.10/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
port 51820
}
wireguard wg02 {
address xxx.xxx.0.2/24
description "ACP site-to-site"
peer xxxxx.tld {
allowed-ips xxx.xxx.0.0/24
allowed-ips xxx.xxx.2.0/23
allowed-ips xxx.xxx.7.0/24
preshared-key ****************
pubkey ****************
}
port 51821
}
}
nat {
destination {
rule 20 {
description "Redirect Inbound SMTP"
destination {
address xxx.xxx.44.193
port 25
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 25
}
}
rule 22 {
description "Redirect Inbound SMTP/S"
destination {
address xxx.xxx.44.193
port 465
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 465
}
}
rule 23 {
description "Redirect Inbound SMTP Submission"
destination {
address xxx.xxx.44.193
port 587
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 587
}
}
rule 24 {
description "Redirect Inbound IMAPS"
destination {
address xxx.xxx.44.193
port 993
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.17
port 993
}
}
rule 26 {
description "Redirect inbound SSH"
destination {
address xxx.xxx.44.193
port 22
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 22
}
}
rule 30 {
description "Redirect Inbound HTTPS to xxx.xxx.62.21"
destination {
address xxx.xxx.62.21
port 443
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 443
}
}
rule 32 {
description "Redirect Inbound HTTPS for xxx.xxx.44.193"
destination {
address xxx.xxx.44.193
port 443
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 443
}
}
rule 34 {
description "Redirect Inbound HTTP for xxx.xxx.62.21"
destination {
address xxx.xxx.62.21
port 80
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 80
}
}
rule 36 {
description "Redirect Inbound HTTP for xxx.xxx.44.193"
destination {
address xxx.xxx.44.193
port 80
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 80
}
}
rule 40 {
description "Redirect Inbound DNS UDP"
destination {
address xxx.xxx.44.193
port 53
}
inbound-interface eth5
protocol udp
translation {
address xxx.xxx.129.2
port 53
}
}
rule 42 {
description "Redirect Inbound DNS TCP"
destination {
address xxx.xxx.44.193
port 53
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 53
}
}
rule 44 {
description "Redirect Inbound NTP"
destination {
address xxx.xxx.62.21
port 123
}
inbound-interface eth5
protocol udp
translation {
address xxx.xxx.141.13
port 123
}
}
rule 50 {
description "Inbound Web Redirect 9080"
destination {
address xxx.xxx.44.193
port 9080
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.3
port 80
}
}
rule 52 {
description "Inbound Web Redirect 9081->8080(Zenoss)"
destination {
address xxx.xxx.44.193
port 9081
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.30
port 8080
}
}
rule 54 {
description "Inbound Web Redirect 9082 -> Test MythTV Backend"
destination {
address xxx.xxx.44.193
port 9082
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.114
port 80
}
}
rule 56 {
description "Inbound Web Redirect 9083 -> OSCam"
destination {
address xxx.xxx.44.193
port 9083
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.3
port 8443
}
}
rule 60 {
description "Redirect Inbound DNS for old server (Temporary)"
destination {
address xxx.xxx.44.194
port 53
}
inbound-interface eth5
protocol udp
translation {
address xxx.xxx.129.2
port 53
}
}
rule 76 {
description "1:1 Inbound NAT PBXinaFlash"
destination {
address xxx.xxx.44.201
}
inbound-interface eth5
translation {
address xxx.xxx.129.5
}
}
rule 78 {
description "1:1 Inbound NAT PBXinaFlash for FTS Subnet"
destination {
address xxx.xxx.44.201
}
inbound-interface eth4
translation {
address xxx.xxx.129.5
}
}
rule 84 {
description "Reflection Rule Inside->Outside: SMTP"
destination {
address xxx.xxx.44.193
port 25
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 25
}
}
rule 85 {
description "Reflection Rule Inside->Outside: Submission"
destination {
address xxx.xxx.44.193
port 587
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 587
}
}
rule 86 {
description "Reflection Rule Inside->Outside: SMTP/S"
destination {
address xxx.xxx.44.193
port 465
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 465
}
}
rule 88 {
description "Reflection Rule Public->Outside: SMTP"
destination {
address xxx.xxx.44.193
port 25
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.2
port 25
}
}
rule 89 {
description "Reflection Rule Public->Outside: Submission"
destination {
address xxx.xxx.44.193
port 587
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.2
port 587
}
}
rule 90 {
description "Reflection Rule Internal->Outside: IMAPS"
destination {
address xxx.xxx.44.193
port 993
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 993
}
}
rule 92 {
description "Reflection Rule Public->Outside: IMAPS"
destination {
address xxx.xxx.44.193
port 993
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.141.17
port 993
}
}
rule 94 {
description "Reflection Rule Public->Outside: IAX"
destination {
address xxx.xxx.44.201
port 4569
}
inbound-interface eth1
protocol udp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.5
port 4569
}
}
rule 96 {
description "Reflection Rule Public->Inside: https for cloud"
destination {
address xxx.xxx.62.21
port 443
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.141.53
port 443
}
}
rule 102 {
description "Reflection Rule Public->Outside: SIP"
destination {
address xxx.xxx.44.201
port 5060
}
inbound-interface eth1
protocol tcp_udp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.5
port 5060
}
}
rule 110 {
description "Inbound Redirect for XMPP port 5222"
destination {
address xxx.xxx.62.21
port 5222
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5222
}
}
rule 112 {
description "Inbound Redirect for XMPP port 5269"
destination {
address xxx.xxx.62.21
port 5269
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5269
}
}
rule 114 {
description "Inbound Redirect for XMPP port 5280"
destination {
address xxx.xxx.62.21
port 5280
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5280
}
}
rule 116 {
description "Inbound Redirect for XMPP http_upload port 5443"
destination {
address xxx.xxx.62.21
port 5443
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5443
}
}
rule 120 {
description "Reflection Rule Public->Outside: XMPP-5222"
destination {
address xxx.xxx.62.21
port 5222
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5222
}
}
rule 122 {
description "Reflection Rule Public->Outside: XMPP-5269"
destination {
address xxx.xxx.62.21
port 5269
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5269
}
}
rule 124 {
description "Reflection Rule Public->Outside: XMPP-5280"
destination {
address xxx.xxx.62.21
port 5280
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5280
}
}
rule 126 {
description "Reflection Rule Public->Outside: XMPP-5443"
destination {
address xxx.xxx.62.21
port 5443
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5443
}
}
rule 128 {
description "Reflection Rule Public->Outside: HTTPS"
destination {
address xxx.xxx.62.21
port 443
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 443
}
}
rule 140 {
description "Test Redirect HAPROXY IMAPS"
destination {
address xxx.xxx.62.21
port 993
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 993
}
}
rule 156 {
description "Inbound Redirect for Minecraft"
destination {
address xxx.xxx.44.193
port 25565
}
disable
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.158
port 25565
}
}
rule 160 {
description "Inbound Redirect for MOXA Serial Server"
destination {
address xxx.xxx.44.193
port 950-969
}
disable
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.143.244
port 950-969
}
}
}
source {
rule 30 {
description "Source NAT for Outbound SMTP"
destination {
}
outbound-interface eth0
protocol tcp
source {
address xxx.xxx.129.2
port 25
}
translation {
address xxx.xxx.44.193
}
}
rule 992 {
description "1:1 Outbound for PBXinaFlash"
outbound-interface eth5
source {
address xxx.xxx.129.5
}
translation {
address xxx.xxx.44.201
}
}
rule 4991 {
description "Exclude Test Networks from NAT"
destination {
address xxx.xxx.93.0/24
}
exclude
outbound-interface eth4
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4992 {
description "Exclude Apartment Spain Internal Network from NAT"
destination {
address xxx.xxx.79.0/24
}
disable
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4993 {
description "Exclude ACP Internal Network from NAT"
destination {
address xxx.xxx.2.0/23
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4994 {
description "Exclude ACP DMZ Network from NAT"
destination {
address xxx.xxx.7.0/24
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4995 {
description "Exclude SecuroSys Network from NAT"
destination {
address xxx.xxx.171.0/24
}
disable
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4996 {
description "Exclude Test Networks from NAT"
destination {
address xxx.xxx.176.0/20
}
exclude
outbound-interface eth4
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4997 {
description "Exclude DiCandilo Berwyn Network from NAT"
destination {
address xxx.xxx.1.0/24
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4998 {
description "Exclude ADDM Network From NAT"
destination {
address xxx.xxx.32.0/24
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4999 {
description "Exclude ICDC Network from NAT"
destination {
address xxx.xxx.47.0/22
}
disable
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 9000 {
description "Masquerade Internal on FTS Internet Segment"
destination {
address xxx.xxx.44.192/28
}
outbound-interface eth4
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.44.193
}
}
rule 9005 {
description "Masquerade Internal"
destination {
address xxx.xxx.0.0/0
}
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.44.193
}
}
rule 9010 {
description "Masquerade DMZ"
destination {
address xxx.xxx.0.0/0
}
outbound-interface eth5
source {
address xxx.xxx.129.0/27
}
translation {
address xxx.xxx.44.193
}
}
rule 9020 {
description "Masquerade Public"
destination {
address xxx.xxx.0.0/0
}
outbound-interface eth5
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.44.197
}
}
rule 9030 {
description "Masquerade IoT & Management"
outbound-interface eth5
source {
address xxx.xxx.142.0/23
}
translation {
address xxx.xxx.44.193
}
}
}
}
protocols {
igmp-proxy {
interface eth2 {
role downstream
threshold 1
}
interface eth5 {
role upstream
threshold 1
}
}
static {
interface-route xxx.xxx.188.0/24 {
next-hop-interface wg01 {
}
}
interface-route xxx.xxx.2.0/23 {
next-hop-interface wg02 {
}
}
interface-route xxx.xxx.7.0/24 {
next-hop-interface wg02 {
}
}
interface-route xxx.xxx.78.0/24 {
next-hop-interface wg01 {
}
}
interface-route xxx.xxx.83.0/24 {
next-hop-interface wg01 {
}
}
interface-route xxx.xxx.84.0/24 {
next-hop-interface wg01 {
}
}
route xxx.xxx.0.0/0 {
next-hop xxx.xxx.62.1 {
}
}
route xxx.xxx.53.0/27 {
blackhole {
}
}
route xxx.xxx.1.47/32 {
next-hop xxx.xxx.128.242 {
}
}
route xxx.xxx.0.0/16 {
blackhole {
}
}
route xxx.xxx.0.0/15 {
blackhole {
}
}
route xxx.xxx.0.0/15 {
blackhole {
}
}
route xxx.xxx.128.0/28 {
next-hop xxx.xxx.141.251 {
}
}
route xxx.xxx.131.0/24 {
next-hop xxx.xxx.141.222 {
}
}
route xxx.xxx.0.0/17 {
blackhole {
}
}
}
}
service {
dhcp-relay {
interface eth1
interface eth3
interface eth4
interface eth6
interface eth2
relay-options {
relay-agents-packets discard
}
server xxxxx.tld
}
mdns {
repeater {
interface eth2
interface wg01
}
}
snmp {
community public {
authorization ro
network xxx.xxx.141.0/24
}
contact "Adam Feigin"
listen-address xxx.xxx.141.254 {
port 161
}
location xxxxxx 235"
trap-target xxx.xxx.141.30 {
}
}
ssh {
port 2022
}
}
system {
config-management {
commit-archive {
location xxxxxx
}
commit-revisions 50
}
conntrack {
expect-table-size 4096
hash-size 4096
modules {
sip {
disable
}
}
table-size 32768
}
console {
device ttyS0 {
speed 9600
}
}
domain-name xxxxxx
flow-accounting {
disable-imt
interface eth5
interface eth4
interface eth2
interface eth1
interface eth0
netflow {
engine-id 2
sampling-rate 64
server xxxxx.tld {
port 9995
}
timeout {
expiry-interval 60
flow-generic 60
icmp 300
max-active-life 60
tcp-fin 60
tcp-generic 60
tcp-rst 60
udp 60
}
version 5
}
sflow {
agent-address xxx.xxx.141.254
sampling-rate 64
server xxxxx.tld {
port 6343
}
}
syslog-facility daemon
}
host-name xxxxxx
ipv6 {
}
login {
radius-server xxx.xxx.141.20 {
port 1812
secret xxxxxxxxxxxx
timeout 3
}
radius-source-address xxx.xxx.143.254
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
}
full-name xxxxxx
level admin
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
}
level admin
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-rsa
}
}
level admin
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
}
level admin
}
}
name-server xxx.xxx.141.3
name-server xxx.xxx.40.2
name-server xxx.xxx.40.34
name-server xxx.xxx.141.20
ntp {
allow-clients {
address xxx.xxx.143.0/24
address xxx.xxx.142.0/24
address xxx.xxx.141.0/24
address xxx.xxx.130.0/24
address xxx.xxx.129.0/24
}
listen-address xxx.xxx.141.254
listen-address xxx.xxx.130.254
listen-address xxx.xxx.129.254
listen-address xxx.xxx.142.254
listen-address xxx.xxx.143.254
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
syslog {
file messages {
archive {
}
}
global {
archive {
size 8192
}
facility all {
level notice
}
facility protocols {
level debug
}
}
}
task-scheduler {
task Update-Blacklists {
executable {
path /config/scripts/updBlackList.sh
}
interval 12h
}
}
time-zone Europe/Zurich
}
traffic-policy {
limiter LimitChildrenOutBound {
class 10 {
bandwidth 512
burst 2048
match Children {
ip {
source {
address xxx.xxx.130.175/27
}
}
}
priority 20
}
}
shaper ShapeInternalOutbound {
bandwidth 1gibps
class 10 {
bandwidth 128kibit
burst 15k
ceiling 16384kibit
match JohanaRestricted {
ip {
destination {
address xxx.xxx.141.188/30
}
}
}
queue-type fair-queue
}
default {
bandwidth 1gibps
burst 15k
ceiling 100%
queue-type fair-queue
}
}
shaper ShapePublicOutbound {
bandwidth 20mibit
class 10 {
bandwidth 1kibit
burst 15k
ceiling 4096kibit
description "Chusmas Devices"
match Chusma {
ip {
destination {
address xxx.xxx.130.172/30
}
}
}
queue-type fair-queue
}
class 20 {
bandwidth 1kibit
burst 15k
ceiling 16384kibit
description "Chollos Devices"
match Chollo {
ip {
destination {
address xxx.xxx.130.176/29
}
}
}
queue-type fair-queue
}
class 30 {
bandwidth 1kibit
burst 15k
ceiling 64kibit
match mbpgen2-wlan {
ip {
destination {
address xxx.xxx.130.242/32
}
}
}
queue-type fair-queue
}
class 40 {
bandwidth 1kibit
burst 15k
ceiling 8192kibit
description "Sony PS4 Traffic"
match sonyps4 {
ip {
destination {
address xxx.xxx.130.185/32
}
}
}
queue-type fair-queue
}
class 120 {
bandwidth 100%
burst 15k
queue-type fair-queue
}
default {
bandwidth 10mibit
burst 15k
ceiling 100%
queue-type fair-queue
}
description "QoS Policy for Public"
}
shaper VoIP-DSCP {
bandwidth 5mbit
class 10 {
bandwidth 20%
burst 15k
ceiling 40%
match VoIP-RTP {
description "RTP Audio Packets (with dscp set to 46)"
ip {
dscp 46
}
}
priority 7
queue-type fair-queue
}
class 20 {
bandwidth 10%
burst 15k
ceiling 20%
description "SIP Signalling (with dscp set to 26)"
match VoIP-SIP {
ip {
dscp 26
}
}
priority 4
queue-type fair-queue
}
default {
bandwidth 70%
burst 15k
ceiling 100%
queue-type fair-queue
}
description "VoIP Traffic Shaping based on DSCP"
}
}
vpn {
ipsec {
esp-group ACP-ESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha512
}
}
esp-group CiscoESP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
esp-group DiCandilo-PA-ESP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption 3des
hash sha1
}
}
esp-group OPNSenseESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha512
}
}
esp-group OpenWRT-ESP {
compression enable
lifetime 3600
mode tunnel
pfs dh-group14
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes256
hash sha256
}
proposal 3 {
encryption aes128
hash sha512
}
proposal 4 {
encryption aes128
hash sha256
}
}
esp-group PFSenseESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha1
}
}
esp-group SecuroSysESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha1
}
}
esp-group SophosUTM-ESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group16
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha1
}
}
esp-group StonegateESP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group CiscoIKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
proposal 2 {
dh-group 2
encryption aes256
hash sha1
}
}
ike-group DiCandilo-PA-IKE {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 5
encryption 3des
hash sha1
}
}
ike-group OPNSenseIKEv2 {
close-action none
dead-peer-detection {
action hold
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev2
lifetime 28800
proposal 1 {
dh-group 18
encryption aes256
hash sha512
}
proposal 2 {
dh-group 24
encryption aes128
hash sha512
}
}
ike-group OpenWRT-IKEv1 {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ike-group OpenWRT-IKEv2 {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev2
lifetime 3600
mobike enable
proposal 1 {
dh-group 14
encryption aes256
hash sha512
}
proposal 2 {
dh-group 14
encryption aes256
hash sha256
}
proposal 3 {
dh-group 14
encryption aes128
hash sha512
}
proposal 4 {
dh-group 14
encryption aes128
hash sha256
}
}
ike-group PFSenseIKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 18
encryption aes256
hash sha512
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
ike-group SecuroSysIKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 18
encryption aes256
hash sha512
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
ike-group SophosUTM-IKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 16
encryption aes256
hash sha512
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
ike-group StonegateIKE {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
/* IPsec is bound to eth5 only; the site-to-site peers below use two different local-address values — confirm both addresses sit on eth5 */
ipsec-interfaces {
interface eth5
}
/* Presumably the private networks permitted behind NAT-traversal peers. Note that every tunnel in the visible site-to-site section sets 'allow-nat-networks disable', so this list is not applied by any of those tunnels, and several entries have no matching remote prefix there (masked octets prevent a definitive match) — review against the active tunnels and prune what is stale. */
nat-networks {
allowed-network xxx.xxx.1.0/24 {
}
allowed-network xxx.xxx.2.0/23 {
}
allowed-network xxx.xxx.7.0/24 {
}
allowed-network xxx.xxx.32.0/24 {
}
allowed-network xxx.xxx.45.0/24 {
}
allowed-network xxx.xxx.46.0/24 {
}
allowed-network xxx.xxx.47.0/24 {
}
allowed-network xxx.xxx.79.0/24 {
}
allowed-network xxx.xxx.93.0/24 {
}
allowed-network xxx.xxx.113.0/24 {
}
/* this is the local prefix used by every tunnel below, not a remote network */
allowed-network xxx.xxx.141.0/24 {
}
allowed-network xxx.xxx.143.0/24 {
}
allowed-network xxx.xxx.171.0/24 {
}
allowed-network xxx.xxx.176.0/20 {
}
}
/* NAT-T (UDP encapsulation of ESP) enabled for peers behind NAT */
nat-traversal enable
/* Site-to-site peers. Every peer authenticates with a pre-shared secret (masked as xxxxxx) and every peer name is masked to xxxxx.tld, so the real configuration must carry distinct names. All tunnels except the DiCandilo one carry 'disable', so DiCandilo is the only active connection in this section. PSKs are shared symmetric credentials: rotate them when staff or peers change and prefer certificate-based authentication where the remote platform supports it. */
site-to-site {
/* Aviq Systems AG pfSense, initiator, tunnel disabled. Its remote prefix is the same masked xxx.xxx.1.0/24 as the DiCandilo peer with the same local prefix; if these are the same network, enabling this tunnel would create overlapping traffic selectors with the active DiCandilo tunnel. */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "Aviq Systems AG PFSense"
/* PFSenseIKE carries a DH group 2 / SHA1 fallback proposal */
ike-group PFSenseIKE
/* inherit takes the ike-group's ikev2-reauth setting (no); irrelevant for an IKEv1 group */
ikev2-reauth inherit
local-address xxx.xxx.62.21
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group PFSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.1.0/24
}
}
}
/* Adi Doerflinger Cisco, initiator, tunnel disabled; CiscoIKE / CiscoESP are defined outside this view */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "Adi Doerflinger Cisco"
ike-group CiscoIKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group CiscoESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.32.0/24
}
}
}
/* DiCandilo Berwyn, responder. This is the only peer in the section whose tunnel is NOT disabled, and it runs on DiCandilo-PA-IKE (3DES / SHA1 / DH group 5, no DPD) — the weakest IKE policy configured here. The tunnel has no esp-group of its own and therefore uses default-esp-group DiCandilo-PA-ESP. */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
/* waits for the remote to initiate; with no DPD in the ike-group, a silently dead peer is only noticed on rekey or traffic failure */
connection-type respond
default-esp-group DiCandilo-PA-ESP
description "DiCandilo Berwyn"
ike-group DiCandilo-PA-IKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
/* active tunnel; unlike the others, public networks are not allowed */
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.1.0/24
}
}
}
/* ACP AG OPNsense, initiator, IKEv2; two tunnels to two remote prefixes, both disabled */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "ACP AG OPNSense"
ike-group OPNSenseIKEv2
/* inherits ikev2-reauth no from OPNSenseIKEv2 */
ikev2-reauth inherit
local-address xxx.xxx.62.21
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group OPNSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.2.0/23
}
}
/* currently disabled */
tunnel 2 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group OPNSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.7.0/24
}
}
}
/* ICDC-CBCDG Stonegate, responder on the legacy StonegateIKE group (DH group 2 / SHA1, no DPD); both tunnels disabled */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type respond
description "ICDC-CBCDG Stonegate"
ike-group StonegateIKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group StonegateESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.47.0/24
}
}
/* currently disabled */
tunnel 2 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group StonegateESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.46.0/24
}
}
}
/* Sophos UTM test gateway, initiator, tunnel disabled; note the different local-address from the peers above */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "Sophos UTM Test Gateway"
/* SophosUTM-IKE carries a DH group 2 / SHA1 fallback proposal */
ike-group SophosUTM-IKE
ikev2-reauth inherit
/* second local address; ipsec-interfaces lists eth5 only — confirm this address is on eth5 */
local-address xxx.xxx.44.193
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group SophosUTM-ESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.178.0/24
}
}
}
/* OPNsense test peer, initiator, IKEv2, tunnel disabled; also uses the second local address */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "OPNSense Test"
ike-group OPNSenseIKEv2
ikev2-reauth inherit
local-address xxx.xxx.44.193
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group OPNSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.93.0/24
}
}
}
/* Apartment Spain VPN, responder, IKEv2 with MOBIKE; the only peer that sets explicit IKE identities. The remote-id is a dynamic-DNS FQDN, consistent with a peer on a changing address, so the PSK is the sole authenticator of that peer — keep it strong and rotate it. Tunnel disabled. */
peer xxxxx.tld {
authentication {
/* local IKE ID (masked), sent to the remote */
id @xxx.xxx.62.21
mode pre-shared-secret
pre-shared-secret xxxxxx
/* expected remote IKE ID; the peer must present exactly this identity */
remote-id @awfhospitalet.dyndns.org
}
connection-type respond
description "Apartment Spain VPN"
ike-group OpenWRT-IKEv2
/* inherits ikev2-reauth no from OpenWRT-IKEv2 */
ikev2-reauth inherit
local-address xxx.xxx.62.21
/* currently disabled */
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
disable
esp-group OpenWRT-ESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.79.0/24
}
}
}
}
}
}