private.cfg

firewall {
/* The router answers echo-requests on every interface; which peers may ping it is still decided by the per-interface local rulesets below (e.g. Internet2Local rules 24/26) */
all-ping enable
/* Do not answer echo-requests sent to a broadcast address (smurf-style amplification) */
broadcast-ping disable
/* No SNMP trap on configuration commits */
config-trap disable
/* Object groups referenced by the rulesets below. An empty group (Nets4-BlackList, gaming, geoblock, icdc-networks, RTP_Media) most likely matches nothing on this release, so every rule that references one is a no-op until it is populated - verify on commit */
group {
/* Backup director/storage hosts on the LAN: destination of DMZ_In rule 100, source of DMZ_Out rule 100 */
address-group BareOS_Servers {
address xxx.xxx.141.13
address xxx.xxx.141.2
}
/* Not referenced by any ruleset in this excerpt */
address-group Chollo {
address xxx.xxx.130.178
address xxx.xxx.130.179
address xxx.xxx.130.180
address xxx.xxx.130.185
address xxx.xxx.130.177
address xxx.xxx.130.181
}
/* Not referenced by any ruleset in this excerpt; range overlaps children */
address-group Chusma {
address xxx.xxx.130.172-xxx.xxx.130.175
}
/* Not referenced by any ruleset in this excerpt; range overlaps Chusma and Chollo */
address-group children {
address xxx.xxx.130.172-xxx.xxx.130.180
}
/* Destination of Management_In rule 200 (tcp 80/443 only) */
address-group deb-ubu-mirrors {
address xxx.xxx.53.171
address xxx.xxx.132.32
address xxx.xxx.242.89
address xxx.xxx.132.250
address xxx.xxx.149.233
address xxx.xxx.112.204
description "Debian/Ubuntu Mirrors"
}
/* DMZ hosts allowed outbound udp 53/123/6277 (DMZ_In rule 30) and inbound udp 53/123 (DMZ_Out rule 30) */
address-group dmz_dns_ntp {
address xxx.xxx.129.2
address xxx.xxx.129.6
address xxx.xxx.129.1
address xxx.xxx.129.5
}
/* Not referenced by any ruleset in this excerpt (subset of dmz_dns_ntp) */
address-group dmz_infra_servers {
address xxx.xxx.129.2
address xxx.xxx.129.5
}
/* Not referenced by any ruleset in this excerpt; both hosts also appear in int_dns_servers and radius_servers */
address-group fileservers {
address xxx.xxx.141.8
address xxx.xxx.141.1
}
/* Not referenced by any ruleset in this excerpt */
address-group google_dns {
address xxx.xxx.8.8
address xxx.xxx.4.4
}
/* Destination of Management_In rule 60 (udp/53) */
address-group int_dns_servers {
address xxx.xxx.141.3
address xxx.xxx.141.15
address xxx.xxx.141.20
address xxx.xxx.141.1
address xxx.xxx.141.8
}
/* LAN hosts exposed to the whole Internet on udp/123 by Internet_In rule 56 - make sure the daemons restrict queries (mode 6/7) so they cannot be used for amplification */
address-group int_ntp_servers {
address xxx.xxx.141.23-xxx.xxx.141.27
address xxx.xxx.141.5-xxx.xxx.141.6
address xxx.xxx.141.13
description "Internal NTP Servers"
}
/* Not referenced by any ruleset in this excerpt */
address-group kids_allowed_sites {
address xxx.xxx.73.6
address xxx.xxx.250.108
address xxx.xxx.129.2
address xxx.xxx.73.26
address xxx.xxx.210.28-xxx.xxx.210.30
address xxx.xxx.121.147
address xxx.xxx.87.51
address xxx.xxx.194.31
address xxx.xxx.157.111
address xxx.xxx.11.203
address xxx.xxx.201.147
address xxx.xxx.116.200
address xxx.xxx.223.41
address xxx.xxx.168.12
address xxx.xxx.43.217
address xxx.xxx.157.112
address xxx.xxx.40.64-xxx.xxx.40.90
description "Permitted Sites for Kids"
}
/* Dropped as destination by Internet_Out rule 4; address-based, so a site that moves to another IP/CDN node is no longer blocked */
address-group kids_banned_sites {
address xxx.xxx.162.5
address xxx.xxx.35.232
address xxx.xxx.139.0-xxx.xxx.139.255
description "Sites that are banned for Kids"
}
/* Spans the entire LAN /24, not just serial-console users; destination of Management_In rule 160 */
address-group moxa_allowed_hosts {
address xxx.xxx.141.0-xxx.xxx.141.254
address xxx.xxx.4.5
address xxx.xxx.128.242-xxx.xxx.128.254
description "Hosts allowed access to MOXA Serial Device Servers"
}
/* Serial device servers on the management VLAN: destination of Internet_In rule 165, source of Management_In rule 160 */
address-group moxa_nports {
address xxx.xxx.143.244
address xxx.xxx.143.248
description "MOXA Nport Serial Device Addresses"
}
/* Only referenced by the disabled Internet2Local rule 170 */
address-group package_servers {
address xxx.xxx.10.36
address xxx.xxx.103.38
address xxx.xxx.103.41
address xxx.xxx.13.129
description "Package servers for Vyatta/Debian"
}
/* Destination of Management_In rule 90 (udp 1812-1813) */
address-group radius_servers {
address xxx.xxx.141.20
address xxx.xxx.141.62
address xxx.xxx.141.8
address xxx.xxx.141.1
description "Internal RADIUS Servers"
}
/* Membership here grants router management (Internet2Local 150), DMZ ssh/web/Tor-proxy access (Internet_In 82/85/92) and raw serial access to the Nports (Internet_In 165) - keep this list short and review it periodically */
address-group trusted_external_hosts {
address xxx.xxx.4.5
address xxx.xxx.128.242-xxx.xxx.128.254
address xxx.xxx.44.193-xxx.xxx.44.206
address xxx.xxx.157.133
address xxx.xxx.238.193-xxx.xxx.238.195
address xxx.xxx.238.225
address xxx.xxx.162.10
address xxx.xxx.4.247
address xxx.xxx.188.7
description "Trusted External Hosts"
}
/* Destination of Management_In rule 210 (tcp 80/443 from the UniFi controller only) */
address-group ubiquiti {
address xxx.xxx.157.3
address xxx.xxx.83.111
address xxx.xxx.247.231
address xxx.xxx.148.35
address xxx.xxx.177.66
address xxx.xxx.121.9
description "Ubiquiti Networks Web"
}
/* Defined but not referenced by any rule in this excerpt; an Internet_In drop on source Martians is the usual use (log-martians below only covers the kernel rp_filter path and does not block) */
network-group Martians {
description "Bogons from RFCs 1918 and 5735"
network xxx.xxx.0.0/8
network xxx.xxx.0.0/12
network xxx.xxx.0.0/16
network xxx.xxx.0.0/8
network xxx.xxx.0.0/16
network xxx.xxx.2.0/24
network xxx.xxx.0.0/15
network xxx.xxx.0.0/4
network xxx.xxx.0.0/24
network xxx.xxx.99.0/24
network xxx.xxx.100.0/24
network xxx.xxx.113.0/24
}
/* Empty: Internet_In rule 4 currently blocks nothing */
network-group Nets4-BlackList {
description "Blacklisted IPv4 Sources"
}
/* Not referenced by any ruleset in this excerpt */
network-group amazonaws {
network xxx.xxx.192.0/19
network xxx.xxx.0.0/15
network xxx.xxx.141.53/32
}
/* Dropped as source (new connections only) by Internet_In rule 5 */
network-group blocked_nets_in {
description "Blocked Networks inbound"
network xxx.xxx.212.0/22
network xxx.xxx.40.0/21
network xxx.xxx.222.0/23
network xxx.xxx.64.0/20
network xxx.xxx.160.0/24
network xxx.xxx.0.0/15
}
/* Referenced only by the disabled Internet_Out rule 10; static AS prefix lists go stale */
network-group facebook {
description "Facebook AS32934 Networks"
network xxx.xxx.96.0/22
network xxx.xxx.0.0/16
network xxx.xxx.64.0/18
network xxx.xxx.192.0/22
network xxx.xxx.216.0/22
network xxx.xxx.20.0/22
network xxx.xxx.64.0/18
network xxx.xxx.40.0/22
network xxx.xxx.144.0/20
network xxx.xxx.224.0/19
network xxx.xxx.176.0/20
network xxx.xxx.76.0/22
}
/* Empty: Internet_Out rule 15 (Drop Gaming) currently blocks nothing */
network-group gaming {
description "Game Hosting IPs"
}
/* Empty: Internet_In rule 3 (geo-block) currently blocks nothing */
network-group geoblock {
description "GeoBlocked Networks"
}
/* Empty and not referenced in this excerpt; Internet_In rule 30 and Internet_Out rule 110 use literal prefixes instead */
network-group icdc-networks {
description "ICDC Internal Networks for IPSec"
}
/* Not referenced by any ruleset in this excerpt */
network-group kids-machines {
description "Subnet range for Kids Machines"
network xxx.xxx.130.176/28
}
/* Source of Internet2Local rule 160; see the note there about source-port matching */
network-group snort.org {
description "Snort.org C network"
network xxx.xxx.102.0/24
network xxx.xxx.192.0/19
network xxx.xxx.248.120/31
}
/* Source for DMZ management (DMZ_Out 15) and destination for Management_In 86/120/122/170. Three prefixes beyond the LAN /24 are included, one of which (xxx.xxx.128.240/28) also appears in trusted_external_hosts - so trusted does not mean internal here */
network-group trusted_networks {
description "Networks considered Trustworthy"
network xxx.xxx.128.240/28
network xxx.xxx.141.0/24
network xxx.xxx.188.0/24
network xxx.xxx.78.0/24
}
/* Not referenced by any ruleset in this excerpt */
network-group wikipedia {
description "Wikipedia Servers"
network xxx.xxx.174.0/24
network xxx.xxx.152.0/22
}
/* Not referenced by any ruleset in this excerpt */
port-group CAPWAPP {
description "Lightweight Access Point Traffic"
port 12222-12223
port 5246-5247
}
/* Empty: Internet_In rule 76 (Permit RTP Audio Inbound) currently matches nothing */
port-group RTP_Media {
description "RTP Media Ports"
}
/* Also lists 80, 443 and 993, so Internet_In rule 90 opens those on DMZServices as well as the XMPP ports */
port-group XMPP {
port 5222
port 5269
port 5280
port 443
port 993
port 5443
port 80
}
/* Includes telnet (23), i.e. clear-text console sessions; Management_In rule 88 only accepts these as reply traffic */
port-group cisco_ts_lines {
description "NM-32 Ports on Cisco Terminal Server"
port 2033-2064
port 23
}
/* Not referenced by any ruleset in this excerpt (DMZ_Out rule 20 lists its ports literally) */
port-group dmz_tcp_inbound {
description "Incoming TCP ports to DMZ"
port 25
port 465
port 80
port 993
port 587
}
/* Destination ports for DMZ_In rule 20 */
port-group dmz_tcp_outbound {
description "Outgoing TCP ports from DMZ"
port 25
port 2703
port 465
port 80
port 443
}
/* Not referenced in this excerpt; DMZ_In rule 30 lists the same ports literally */
port-group dmz_udp_outbound {
description "Outgoing UDP ports from DMZ"
port 123
port 53
port 6277
}
/* Not referenced by any ruleset in this excerpt */
port-group fileservice_ports {
port 548
port 445
}
/* Opened to the whole Internet for the FTS /28 by Internet_In rule 60. Note 22 (ssh) is in the list, and 4444, 12000 and 17283 are non-standard - confirm each port still has a listener behind it */
port-group internet_to_fts {
description "Allowed ports from Internet to xxx.xxx.44.192/28"
port 22
port 25
port 80
port 443
port 465
port 993
port 2022
port 8440-8450
port 12000
port 17283
port 9080-9082
port 5060-5061
port 4444
}
/* Destination ports for Internet_In rule 80 */
port-group mail {
description "Ports used for Mail"
port 25
port 465
port 587
port 993
}
/* Not referenced by any ruleset in this excerpt */
port-group management {
description "Ports used for Management"
port 2022
port 22
port 443
port 8443-8445
}
/* Used as SOURCE port-group in Management_In rule 160 */
port-group moxa_in {
description "MOXA Nport Inbound Ports for serial Communication"
port 966-969
port 950-953
}
/* Identical to moxa_in; not referenced in this excerpt */
port-group moxa_out {
description "MOXA Nport Outbound Ports for Serial Communication"
port 950-953
port 966-969
}
/* Destination ports for Management_In rule 90 */
port-group radius_ports {
port 1812-1813
}
/* Not referenced by any ruleset in this excerpt */
port-group steam {
port 27000-27040
port 4379-4380
port 3478
}
/* Not referenced in this excerpt; the SIP/IAX rules list their ports literally */
port-group telephony_signalling {
description "SIP and IAX Ports"
port 4569
port 5060-5080
}
/* Not referenced by any ruleset in this excerpt */
port-group web_redirection_ports {
description "ports for HTTP redirection"
port 9080-9085
}
}
/* Kernel hardening: ignore ICMPv6 redirects and drop source-routed packets on both families. The IPv4 counterparts (receive-redirects, send-redirects, syn-cookies) are not set in this excerpt and take the platform defaults - confirm they are what you want */
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
/* Log packets with impossible source addresses (rp_filter martians); this only logs, the Martians network-group above is what would block them and it is unused */
log-martians enable
/* Applied to traffic entering the router from the DMZ interface (DMZ -> LAN or Internet). The description below is stale: rule 100 is only one of many permits here */
name DMZ_In {
default-action drop
description "Permit Bareos to Internal Server"
enable-default-log
rule 10 {
action accept
description "Allow Return packets from Originated connections"
state {
established enable
related enable
}
}
/* Egress from the DNS/mail pair limited to port-group dmz_tcp_outbound (25, 2703, 465, 80, 443); any destination, LAN included */
rule 20 {
action accept
description "Allow TCP outbound from DNS/Mail Exchanger in DMZ"
destination {
group {
port-group dmz_tcp_outbound
}
}
protocol tcp
source {
address xxx.xxx.129.1-xxx.xxx.129.2
}
state {
established enable
new enable
related enable
}
}
/* The empty destination group node is a leftover; the literal port list (53, 123, 6277) is what matches, to any destination */
rule 30 {
action accept
description "Allow UDP outbound from DMZ Hosts"
destination {
group {
}
port 53,123,6277
}
protocol udp
source {
group {
address-group dmz_dns_ntp
}
}
state {
established enable
new enable
related enable
}
}
/* tcp/53 to ANY host, not only the zone-transfer peers; consider pinning the destination to the secondaries */
rule 40 {
action accept
description "Permit DNS Zone Transfer from DMZ DNS"
destination {
port 53
}
protocol tcp
source {
address xxx.xxx.129.1-xxx.xxx.129.2
}
state {
established enable
new enable
related enable
}
}
/* Disabled legacy rule for the former PBX at .3; note it matched on source port only */
rule 50 {
action accept
description "Permit SIP Signalling from PBX"
destination {
}
disable
protocol udp
source {
address xxx.xxx.129.3
port 5060
}
state {
established enable
new enable
related enable
}
}
/* Disabled legacy rule for the former PBX at .3 */
rule 60 {
action accept
description "Permit IAX Signalling from PBX"
destination {
port 4569
}
disable
protocol tcp
source {
address xxx.xxx.129.3
}
state {
established enable
new enable
related enable
}
}
/* udp/514 to ANY destination from the whole DMZ /27; consider pinning the destination to the syslog collector */
rule 70 {
action accept
description "Permit syslog from DMZ Network"
destination {
port 514
}
protocol udp
source {
address xxx.xxx.129.0/27
}
state {
new enable
}
}
/* Hosts .4-.6 to tcp/80 anywhere, including the LAN */
rule 80 {
action accept
description "Permit Traffic from WWWDMZ"
destination {
port 80
}
protocol tcp
source {
address xxx.xxx.129.4-xxx.xxx.129.6
}
state {
established enable
new enable
related enable
}
}
/* NOTE(review): unrestricted new TCP and UDP from xxx.xxx.129.6 to every destination and port, including xxx.xxx.141.0/24 - this host has no DMZ containment at all. Scope the destinations and ports it actually needs */
rule 82 {
action accept
description "Permit Traffic from dmzservices"
destination {
address xxx.xxx.0.0/0
}
protocol tcp_udp
source {
address xxx.xxx.129.6
}
state {
established enable
new enable
related enable
}
}
/* Redundant while rule 96 (all TCP from the PBX) exists */
rule 90 {
action accept
description "Allow TCP Outbound from PBXinaFlash"
destination {
port 80
}
protocol tcp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
/* NOTE(review): matches SOURCE ports only, state new, with no destination address or port. A compromised PBX can reach any UDP service anywhere (LAN included) simply by binding a source port in these ranges. Match destination ports and/or the trunk provider addresses instead */
rule 92 {
action accept
description "Permit SIP/IAX/RTP/UDPTL udp from PBXinaFlash"
protocol udp
source {
address xxx.xxx.129.5
port 4000-4999,4569,5060-5080,10000-20000
}
state {
established enable
new enable
related enable
}
}
/* Disabled */
rule 94 {
action accept
description "Permit IAX Signalling from PBX"
destination {
port 4569
}
disable
protocol udp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
/* NOTE(review): any-destination, any-port TCP from the PBX, LAN included; makes rules 90, 110 and 120 redundant and lets the PBX reach every internal TCP service. Restrict to the trunk/update destinations it actually needs */
rule 96 {
action accept
description "TCP Outbound from PBXinaFlash"
protocol tcp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
/* udp 53, 123 and 3478 from the PBX to any destination */
rule 98 {
action accept
description "UDP Outbound from PBXinaFlash"
destination {
port 53,123,3478
}
protocol udp
source {
address xxx.xxx.129.5
}
state {
established enable
new enable
related enable
}
}
/* Backup clients in the DMZ to the director/storage daemons (tcp 9101/9103) on BareOS_Servers */
rule 100 {
action accept
description "Permit BareOS to Internal Server"
destination {
group {
address-group BareOS_Servers
}
port 9101,9103
}
protocol tcp
source {
address xxx.xxx.129.0/27
}
state {
new enable
}
}
/* Caller-ID push to a LAN host on tcp/8080; already covered by rule 96 */
rule 110 {
action accept
description "Permit PBX to send CID to MediaCenter"
destination {
address xxx.xxx.141.156
port 8080
}
protocol tcp
source {
address xxx.xxx.129.5/32
}
state {
new enable
}
}
/* Caller-ID push to a LAN host on tcp/80; already covered by rule 96 */
rule 120 {
action accept
description "Permit PBX to send CID to dreambox"
destination {
address xxx.xxx.141.14
port 80
}
protocol tcp
source {
address xxx.xxx.129.5/32
}
state {
new enable
}
}
}
/* Applied to traffic leaving the router toward the DMZ interface (LAN, VPN or Internet -> DMZ). Rules here with no source match also admit Internet traffic that Internet_In has already accepted */
name DMZ_Out {
default-action drop
description "Traffic Inbound to DMZ"
enable-default-log
rule 10 {
action accept
description "Permit return packets from originated connections"
state {
established enable
related enable
}
}
/* Management ports (22, 80, 443, 8083) to every DMZ host, from trusted_networks only */
rule 15 {
action accept
description "Permit management ports from Trusted"
destination {
address xxx.xxx.129.0/27
port 22,80,443,8083
}
protocol tcp
source {
group {
network-group trusted_networks
}
}
}
/* No source match: ssh (22) on the mail hosts is reachable from every non-Internet source that reaches this chain; the Internet side is limited to trusted_external_hosts by Internet_In rule 82 */
rule 20 {
action accept
description "Permit Inbound TCP to DNS/Mail Exchanger in DMZ"
destination {
address xxx.xxx.129.1-xxx.xxx.129.2
port 22,25,53,465,587,993
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* No source match: ssh and web on the PBX from LAN/VPN; the Internet side is limited by Internet_In rule 85 */
rule 24 {
action accept
description "Permit Inbound TCP to PBXinaFlash in DMZ"
destination {
address xxx.xxx.129.5
port 22,80,443,5060-5065
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 30 {
action accept
description "Permit Inbound UDP to DNS/Mail Exchanger in DMZ"
destination {
group {
address-group dmz_dns_ntp
}
port 53,123
}
protocol udp
state {
established enable
new enable
related enable
}
}
/* Redundant: rule 10 already accepts established/related */
rule 40 {
action accept
description "permit DNS udp replies"
destination {
address xxx.xxx.129.2
}
protocol udp
source {
port 53
}
state {
established enable
related enable
}
}
/* Disabled legacy rule for the former PBX at .3 */
rule 50 {
action accept
description "Permit Inbound SIP Signalling to PBX"
destination {
address xxx.xxx.129.3
port 5060-5080,10000-20000
}
disable
protocol udp
state {
established enable
new enable
related enable
}
}
rule 52 {
action accept
description "Permit Inbound SIP/IAX/RTP/UDPTL to PBXinaFlash"
destination {
address xxx.xxx.129.5
port 4000-4999,4569,5060-5080,10000-20000
}
protocol udp
state {
established enable
new enable
related enable
}
}
/* Disabled legacy rule for the former PBX at .3 */
rule 60 {
action accept
description "Permit Inbound IAX Signalling to PBX"
destination {
address xxx.xxx.129.3
port 80,443,4569
}
disable
protocol tcp
state {
established enable
new enable
related enable
}
}
/* No source match: besides DNS/web/mail/XMPP this opens 8083, 8888 and 9050 (the Tor SOCKS port) to every LAN/VPN source; the Internet side of 9050 is limited by Internet_In rule 92 - verify LAN users should reach an open SOCKS proxy */
rule 70 {
action accept
description "Permit Traffic to DMZServices"
destination {
address xxx.xxx.129.6
port 53,80,443,993,5222,5269,5280,5443,8083,8888,9050
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Permit Traffic to WWWDMZ"
destination {
address xxx.xxx.129.4
port 22,80
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* SNMP polling from the LAN; if v1/v2c is in use the community string crosses this path in clear text */
rule 88 {
action accept
description "Permit SNMP from Internal for Monitoring"
destination {
address xxx.xxx.129.0/27
port 161
}
protocol udp
source {
address xxx.xxx.141.0/24
}
}
/* Echo-request only (type 8, code 0) from the LAN */
rule 90 {
action accept
description "Permit ICMP from internal for monitoring"
destination {
address xxx.xxx.129.0/27
}
icmp {
code 0
type 8
}
protocol icmp
source {
address xxx.xxx.141.0/24
}
}
/* Director to file daemons (tcp/9102) on any DMZ host */
rule 100 {
action accept
description "Permit bareos-dir to connnect to bareos-fd in DMZ"
destination {
address xxx.xxx.129.0/27
port 9102
}
protocol tcp
source {
group {
address-group BareOS_Servers
}
}
state {
established enable
new enable
related enable
}
}
}
/* Traffic addressed to the router itself from the Internet interface (local chain). There is no blanket established/related accept here; reply traffic is admitted per service by rules 100-185 and, for ICMP, by the catch-all rule 26 */
name Internet2Local {
default-action drop
enable-default-log
/* Drops DHCP offers from xxx.xxx.0.1 (server port 67 -> client port 68) without logging, so they do not fill the default-drop log */
rule 10 {
action drop
description "Drop DHCP Traffic"
destination {
port 68
}
protocol udp
source {
address xxx.xxx.0.1
port 67
}
state {
new enable
}
}
rule 20 {
action accept
description "Allow Incoming Path MTU Discovery (destination-unreachable/fragmentation-needed)"
icmp {
code 4
type 3
}
protocol icmp
state {
new enable
}
}
/* Source quench is deprecated (RFC 6633) and ignored by modern stacks; harmless to keep */
rule 22 {
action accept
description "Allow Incoming Source Quench"
icmp {
type-name source-quench
}
protocol icmp
state {
new enable
}
}
rule 24 {
action accept
description "Allow Inbound Echo-Request"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
/* NOTE(review): the description is copied from rule 24, but this rule has no icmp type and no state match, so it accepts EVERY ICMP type (redirect, timestamp, address-mask, ...) and makes rules 20-24 dead. Replace it with a state established/related accept plus the explicit types the router needs */
rule 26 {
action accept
description "Allow Inbound Echo-Request"
protocol icmp
}
rule 86 {
action accept
description "Permit IPSec ESP"
protocol esp
state {
established enable
new enable
related enable
}
}
/* IKE (500/4500), 1194 and 51820/51821 - standard OpenVPN and WireGuard assignments; confirm each has a listener, an open port on a local chain otherwise just advertises the service */
rule 88 {
action accept
description "Allow VPN Termination"
destination {
port 500,1194,4500,51820,51821
}
protocol udp
state {
established enable
new enable
related enable
}
}
/* Anything that arrived inside an IPsec SA is accepted to the router itself, no port restriction */
rule 90 {
action accept
description "Permit IPSec Encapsulated Packets"
ipsec {
match-ipsec
}
}
rule 100 {
action accept
description "Allow Vyatta to do DNS lookups"
protocol udp
source {
port 53
}
state {
established enable
related enable
}
}
rule 120 {
action accept
description "Allow Vyatta to NTP on Internet"
protocol udp
source {
port 123
}
state {
established enable
related enable
}
}
/* Router ssh/GUI (2022, 8443) from trusted_external_hosts only; there is no rate limit here, a recent/limit match would slow a brute force from a compromised trusted address */
rule 150 {
action accept
description "Allow Trusted External Hosts Management Access"
destination {
port 2022,8443
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
}
/* NOTE(review): matches on SOURCE port 80/443 with no state, so any host in the snort.org ranges can open a NEW connection to any local port by picking those source ports. Use established/related as rule 165 does - the downloads are router-initiated */
rule 160 {
action accept
description "Permit Download of Snort.org rulesets"
protocol tcp
source {
group {
network-group snort.org
}
port 80,443
}
}
/* established/related only, so the source-port list merely narrows; 43 is whois */
rule 165 {
action accept
description "Permit http and https downloads"
protocol tcp
source {
port 43,80,443
}
state {
established enable
related enable
}
}
/* Disabled; superseded by rule 165 */
rule 170 {
action accept
disable
protocol tcp
source {
group {
address-group package_servers
}
port 80,443
}
state {
established enable
related enable
}
}
/* Pinned to a single provider address; fails silently if the provider renumbers (and is already covered by rule 165) */
rule 180 {
action accept
description "Allow dynamic DNS replies from dynupdate.no-ip.com"
protocol tcp
source {
address xxx.xxx.224.120
port 443
}
state {
established enable
related enable
}
}
/* Same caveat as rule 180 */
rule 185 {
action accept
description "Allow dynamic DNS replies from updates.dnsomatic.com"
protocol tcp
source {
address xxx.xxx.92.215
port 443
}
state {
established enable
related enable
}
}
/* Disabled; would expose tcp/17283 on the router to the whole Internet */
rule 190 {
action accept
description "Permit Inbound OSCam"
destination {
port 17283
}
disable
protocol tcp
source {
address xxx.xxx.0.0/0
}
state {
new enable
}
}
/* No description: echo-request from xxx.xxx.2.0/26 (same source as the Smokeping rule in Internet_In); redundant with rule 24 */
rule 500 {
action accept
icmp {
type 8
}
protocol icmp
source {
address xxx.xxx.2.0/26
}
}
}
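/* Traffic entering from the Internet interface toward the LAN, DMZ and the FTS /28. Rules 7 and 9 drop before the established accept (10), so even existing flows on those ports are cut; rules 3-5 only drop new connections. Review fix: rules 44, 46 and 52 previously accepted NEW connections matched on source port 53/123 alone, which let any Internet host reach every UDP/TCP port on the FTS block by sending from those source ports; they are now reply-only (and therefore redundant with rule 10) */
name Internet_In {
default-action drop
description "Traffic Permitted Inbound from Internet"
enable-default-log
/* Disabled duplicate of rule 10 */
rule 1 {
action accept
description "Allow Return packets from Originated connections"
disable
state {
established enable
related enable
}
}
/* geoblock is empty in this excerpt, so this blocks nothing until populated */
rule 3 {
action drop
description "Block Networks based on Geo-Location"
protocol all
source {
group {
network-group geoblock
}
}
state {
established disable
new enable
related disable
}
}
/* Nets4-BlackList is empty in this excerpt, so this blocks nothing until populated */
rule 4 {
action drop
description "Block Networks on Blacklist"
protocol all
source {
group {
network-group Nets4-BlackList
}
}
state {
established disable
new enable
related disable
}
}
rule 5 {
action drop
description "Block Banned Networks"
protocol all
source {
group {
network-group blocked_nets_in
}
}
state {
established disable
new enable
related disable
}
}
rule 7 {
action drop
description "Drop SMTP to PBX"
destination {
address xxx.xxx.129.5
port 25
}
protocol tcp
}
/* Stateless drop of telnet, NetBIOS/SMB, MSSQL and MySQL ports before the established accept */
rule 9 {
action drop
description "Drop Unwanted Packets"
destination {
port 23,135-139,445,1433,1434,3306
}
protocol tcp_udp
}
rule 10 {
action accept
description "Allow Return packets from Originated connections"
state {
established enable
related enable
}
}
rule 12 {
action accept
description "Allow ICMP Destination Unreachable"
icmp {
code 4
type 3
}
protocol icmp
state {
new enable
}
}
/* Source quench is deprecated (RFC 6633); harmless to keep */
rule 14 {
action accept
description "Allow ICMP Source Quench"
icmp {
type-name source-quench
}
protocol icmp
state {
new enable
}
}
/* Echo-request from any Internet source to any destination behind this interface; rule 100 below is a subset of this */
rule 16 {
action accept
description "Allow ICMP Echo-Request"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 20 {
action accept
description "Allow ESP (IPsec) to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
}
protocol esp
}
rule 22 {
action accept
description "Allow isakmp+openvpn to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 500,1194
}
protocol udp
}
/* Rules 26-38: decrypted IPsec traffic from each remote site gets the whole xxx.xxx.141.0/24 with no port restriction, so containment rests entirely on the remote peer; filter per site if the remote LANs are not equally trusted */
rule 26 {
action accept
description "Permit IPSec encapsulated packets from Apartment Spain"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.79.0/24
}
state {
established enable
new enable
related enable
}
}
rule 28 {
action accept
description "Permit IPSec encapsulated packets from ADDM"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.32.0/24
}
state {
established enable
new enable
related enable
}
}
/* The empty source group node is a leftover; the literal prefix is what matches */
rule 30 {
action accept
description "Permit IPSec encapsulated packets from ICDC"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.45.0/22
group {
}
}
state {
established enable
new enable
related enable
}
}
/* The empty source group node is a leftover; the literal prefix is what matches */
rule 32 {
action accept
description "Permit IPSec encapsulated packets from DiCandilo Berwyn"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.1.0/24
group {
}
}
state {
established enable
new enable
related enable
}
}
rule 34 {
action accept
description "Permit IPSec encapsulated packets from Securosys"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.171.0/24
}
state {
established enable
new enable
related enable
}
}
rule 36 {
action accept
description "Permit IPSec encapsulated packets from test networks xxx.xxx.176.0/20"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.176.0/20
}
state {
established enable
new enable
related enable
}
}
rule 37 {
action accept
description "Permit IPSec encap packets from ACP AG Internal"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.2.0/23
}
state {
established enable
new enable
related enable
}
}
rule 38 {
action accept
description "Permit IPSec encap packets from ACP AG DMZ"
destination {
address xxx.xxx.141.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.7.0/24
}
state {
established enable
new enable
related enable
}
}
rule 40 {
action accept
description "Allow DNS UDP traffic to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 53
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 42 {
action accept
description "Allow DNS TCP traffic to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 53
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* FIX(review): was also state new - a source-port-53 bypass to every UDP port on the FTS block. Reply traffic is already accepted by rule 10, so this rule is now redundant and may be deleted */
rule 44 {
action accept
description "DNS UDP replies to FTS Public Internet (reply traffic only)"
destination {
address xxx.xxx.44.192/28
}
protocol udp
source {
port 53
}
state {
established enable
related enable
}
}
/* FIX(review): was also state new - a source-port-53 bypass to every TCP port on the FTS block. Reply traffic is already accepted by rule 10, so this rule is now redundant and may be deleted */
rule 46 {
action accept
description "DNS TCP replies to FTS Public Internet (reply traffic only)"
destination {
address xxx.xxx.44.192/28
}
protocol tcp
source {
port 53
}
state {
established enable
related enable
}
}
rule 48 {
action accept
description "Allow DNS UDP to DMZ"
destination {
address xxx.xxx.129.2
port 53
}
protocol udp
state {
new enable
related enable
}
}
rule 49 {
action accept
description "Allow DNS TCP (Zone XFER) to DMZ"
destination {
address xxx.xxx.129.2
port 53
}
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 50 {
action accept
description "Allow NTP Traffic to FTS Public Internet"
destination {
address xxx.xxx.44.192/28
port 123
}
protocol udp
state {
new enable
related enable
}
}
/* FIX(review): was state new - a source-port-123 bypass to every UDP port on the FTS block. Reply traffic is already accepted by rule 10, so this rule is now redundant and may be deleted */
rule 52 {
action accept
description "NTP replies to FTS Public Internet (reply traffic only)"
destination {
address xxx.xxx.44.192/28
}
protocol udp
source {
port 123
}
state {
established enable
related enable
}
}
rule 54 {
action accept
description "Permit Inbound NTP to DMZ"
destination {
address xxx.xxx.129.1-xxx.xxx.129.2
port 123
}
protocol udp
state {
new enable
}
}
/* NOTE(review): exposes LAN hosts (int_ntp_servers) on udp/123 to the whole Internet; make sure the daemons refuse mode 6/7 queries so they cannot be used for reflection/amplification, or restrict the source */
rule 56 {
action accept
description "Permit Inbound NTP to internal NTP server"
destination {
group {
address-group int_ntp_servers
}
port 123
}
protocol udp
state {
new enable
}
}
/* port-group internet_to_fts includes 22 (ssh) plus the non-standard 4444, 12000 and 17283 - all open to any Internet source for the FTS block */
rule 60 {
action accept
description "TCP Traffic Inbound Permitted to xxx.xxx.44.192/28"
destination {
address xxx.xxx.44.192/28
group {
port-group internet_to_fts
}
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* LAN host exposed on tcp/25565 to the whole Internet */
rule 62 {
action accept
description "Allow access to Minecraft server"
destination {
address xxx.xxx.141.158
port 25565
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* SIP/IAX signalling and the 10000-20000 RTP range open to any source; 5060 will be scanned constantly - make sure the endpoints rate-limit or ban failed registrations */
rule 70 {
action accept
description "Allow SIP/IAX2/RTP Incoming"
destination {
address xxx.xxx.44.192/28
port 4569,5060-5080,10000-20000
}
protocol udp
state {
established enable
new enable
related enable
}
}
/* Same exposure as rule 70, for the DMZ PBX */
rule 72 {
action accept
description "Permit Inbound SIP/IAX/RTP/UDPTL to PBX in DMZ UDP"
destination {
address xxx.xxx.129.5
port 4000-4999,4569,5060-5080,10000-20000
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 74 {
action accept
description "Permit Inbound TCP SIP/SIP-TLS to PBX in DMZ"
destination {
address xxx.xxx.129.5
port 5060-5065
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* port-group RTP_Media is empty in this excerpt, so this rule currently matches nothing; if it were populated it would open those ports to EVERY destination (no address match) */
rule 76 {
action accept
description "Permit RTP Audio Inbound"
destination {
group {
port-group RTP_Media
}
}
protocol udp
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Permit Inbound Mail Traffic to Mail Server DMZ"
destination {
address xxx.xxx.129.1-xxx.xxx.129.2
group {
port-group mail
}
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* ssh to the mail host, trusted_external_hosts only */
rule 82 {
action accept
description "Permit ssh to Mail Exchange"
destination {
address xxx.xxx.129.2
port 22
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* Disabled legacy rule for the former PBX at .3 */
rule 84 {
action accept
description "Permit Trusted External hosts Askozia Management(Https)"
destination {
address xxx.xxx.129.3
port 80,443
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* ssh, web and 9001 on the PBX, trusted_external_hosts only; 80 is clear-text management */
rule 85 {
action accept
description "Permit Trusted External hosts PBXinaFlash Management"
destination {
address xxx.xxx.129.5
port 22,80,443,9001
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* Disabled */
rule 86 {
action accept
description "Permit Inbound WWW to DMZ WWW"
destination {
address xxx.xxx.129.4
port 80
}
disable
protocol tcp
state {
established enable
new enable
related enable
}
}
/* port-group XMPP also contains 80, 443 and 993, so those are open on DMZServices to any source as well */
rule 90 {
action accept
description "Permit XMPP/Jabber to DMZServices"
destination {
address xxx.xxx.129.6
group {
port-group XMPP
}
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* SOCKS proxy on the DMZServices host, trusted_external_hosts only */
rule 92 {
action accept
description "Pemit access to TOR Proxy from Trusted External Hosts"
destination {
address xxx.xxx.129.6
port 9050
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* Subset of rule 16 */
rule 100 {
action accept
description "Allow ICMP Echo Requests from ETH (Smokeping)"
destination {
address xxx.xxx.44.192/28
}
icmp {
type 8
}
protocol icmp
source {
address xxx.xxx.2.0/26
}
}
/* NOTE(review): echo replies to pings sent from the FTS block are already accepted by rule 10 as established; this stateless type-0 accept also admits unsolicited echo-replies (ICMP tunnel traffic). Consider removing it */
rule 110 {
action accept
description "Allow ICMP Echo Replies"
destination {
address xxx.xxx.44.192/28
}
icmp {
type 0
}
protocol icmp
}
/* Disabled */
rule 150 {
action accept
description "Permit Inbound Web Redirection (Zenoss)"
destination {
address xxx.xxx.141.30
port 8080
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* Disabled */
rule 154 {
action accept
description "Permit Inbound Web Redirection (New Server)"
destination {
address xxx.xxx.141.3
port 80
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* Disabled */
rule 158 {
action accept
description "Permit Inbound Web Redirection"
destination {
address xxx.xxx.141.114
port 80
}
disable
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* Raw serial-over-TCP to the Nports on the management VLAN (950-969) from trusted_external_hosts; unless the Nports enforce their own access control, this trusts those source addresses completely */
rule 165 {
action accept
description "Permit Inbound MOXA Nport Redirection"
destination {
group {
address-group moxa_nports
}
port 950-969
}
protocol tcp
source {
group {
address-group trusted_external_hosts
}
}
state {
established enable
new enable
related enable
}
}
/* LAN host xxx.xxx.141.3 exposed on tcp/12000 to the whole Internet */
rule 900 {
action accept
description "Permit Inbound NewCS Cardsharing"
destination {
address xxx.xxx.141.3
port 12000
}
protocol tcp
state {
established enable
new enable
related enable
}
}
/* Description says Test: LAN mail host exposed on tcp/993 to the whole Internet - remove when the test is over */
rule 910 {
action accept
description "Permit IMAP/S Test to vmail"
destination {
address xxx.xxx.141.17
port 993
}
protocol tcp
state {
established enable
new enable
related enable
}
}
}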
/* Traffic leaving the router toward the Internet interface (LAN/DMZ -> Internet). Only rules 4-15 restrict anything: rule 99 accepts every new connection from any source, so rules 100-9000 and the default-action log are never reached */
name Internet_Out {
default-action drop
description "Traffic Permitted Outbound to Internet"
enable-default-log
/* Address-based block only; a banned site that moves to another IP or CDN node is no longer blocked. A DNS-level block on the internal resolvers is more robust */
rule 4 {
action drop
description "Deny Kids Banned Sites"
destination {
group {
address-group kids_banned_sites
}
}
}
/* Logged drop of outbound Minecraft (tcp/25565) from every source */
rule 6 {
action drop
description "Deny Oubound Minecraft"
destination {
port 25565
}
log enable
protocol tcp
}
/* Disabled */
rule 10 {
action drop
description "Drop Facebook"
destination {
group {
network-group facebook
}
}
disable
log enable
}
/* network-group gaming is empty in this excerpt, so this weekday time window currently blocks nothing */
rule 15 {
action drop
description "Drop Gaming"
destination {
group {
network-group gaming
}
}
log enable
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Mon,Tue,Wed,Thu,Fri
}
}
/* NOTE(review): accepts every NEW connection from any source (LAN and DMZ alike) to any destination, so outbound is effectively permit-all apart from rules 4-15 and rules 100-9000 below are dead config. If egress control is intended, drop new here and keep the specific permits */
rule 99 {
action accept
description "Allow outgoing connections originated through firewall"
state {
established enable
new enable
related enable
}
}
/* Unreachable: rule 99 already accepted */
rule 100 {
action accept
description "Permit traffic to ADDM"
destination {
address xxx.xxx.32.0/24
}
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
/* Unreachable: rule 99 already accepted; the empty destination group node is a leftover */
rule 110 {
action accept
description "Permit traffic to ICDC"
destination {
address xxx.xxx.47.0/22
group {
}
}
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
/* Unreachable: rule 99 already accepted */
rule 120 {
action accept
description "Permit traffic to Securosys"
destination {
address xxx.xxx.171.0/24
}
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
/* Unreachable: rule 99 already accepted, so the log enable here never fires */
rule 9000 {
action accept
log enable
source {
address xxx.xxx.44.192/28
}
state {
established enable
new enable
related enable
}
}
}
/* Traffic entering the router from the management VLAN (xxx.xxx.143.0/24 -> LAN, DMZ, Internet and remote sites) */
name Management_In {
default-action drop
enable-default-log
/* Drops SSDP chatter (source port 1900) from the management VLAN without logging so it does not fill the default-drop log */
rule 20 {
action drop
description "Drop UPnP"
destination {
address xxx.xxx.0.0/0
}
protocol udp
source {
address xxx.xxx.143.0/24
port 1900
}
state {
established enable
new enable
related enable
}
}
/* Reply traffic only (established/related), so the source-port match is just a narrowing */
rule 30 {
action accept
description "Allow return packets from UniFi Controller to OpenHAB"
destination {
address xxx.xxx.142.5
}
protocol tcp
source {
address xxx.xxx.143.129
port 8443
}
state {
established enable
related enable
}
}
/* NOTE(review): despite the description this is ANY TCP port, new connections included, from the whole management /24 to the whole LAN /24 - it lets any management-VLAN device (cameras, switches, Nports) open sessions to every LAN service. Restrict to the camera addresses and the stream ports */
rule 40 {
action accept
description "Allow RTP/RTSP Streams from Cameras"
destination {
address xxx.xxx.141.0/24
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 50 {
action accept
description "Allow NTP queries from Management hosts"
destination {
group {
address-group int_ntp_servers
}
port 123
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 60 {
action accept
description "Allow DNS queries from Management hosts"
destination {
group {
address-group int_dns_servers
}
port 53
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* Unauthenticated SMTP relay path from every management-VLAN device to the DMZ mail host - confirm the MTA restricts relaying from this subnet */
rule 70 {
action accept
description "Allow Managment hosts to send email alerts via DNS SMTP"
destination {
address xxx.xxx.129.2
port 25
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* Reply traffic only (established/related) */
rule 80 {
action accept
description "Allow SNMP query return packets"
destination {
address xxx.xxx.141.0/24
}
protocol udp
source {
address xxx.xxx.143.0/24
port 161
}
state {
established enable
related enable
}
}
rule 82 {
action accept
description "Allow Management Hosts to send SNMP Traps/Syslog/SFlow packets"
destination {
address xxx.xxx.141.0/24
port 162,514,6343
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* Reply traffic only (established/related) */
rule 84 {
action accept
description "Allow icmp replies to internal"
destination {
address xxx.xxx.141.0/24
}
protocol icmp
source {
address xxx.xxx.143.0/24
}
state {
established enable
related enable
}
}
/* Reply traffic only (established/related), so matching on source ports here is safe */
rule 86 {
action accept
description "Allow return packets from management ports on Management Network"
destination {
group {
network-group trusted_networks
}
}
protocol tcp
source {
address xxx.xxx.143.0/24
port 22,23,80,443,7578,8080,8443,9292
}
state {
established enable
related enable
}
}
/* No description: replies from the Cisco terminal server lines (established/related only) */
rule 88 {
action accept
destination {
address xxx.xxx.141.0/24
}
protocol tcp
source {
address xxx.xxx.143.251
group {
port-group cisco_ts_lines
}
}
state {
established enable
related enable
}
}
/* No description: RADIUS (udp 1812-1813) from the management VLAN to radius_servers */
rule 90 {
action accept
destination {
group {
address-group radius_servers
port-group radius_ports
}
}
protocol udp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* No description: ALL protocols and ports from the management VLAN to the ICDC remote network */
rule 100 {
action accept
destination {
address xxx.xxx.47.0/24
}
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* No description: ALL protocols and ports from the management VLAN to the ADDM remote network */
rule 110 {
action accept
destination {
address xxx.xxx.32.0/24
}
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* NOTE(review): this matches SOURCE ports 5900-5901/5120 with state new, so any management-VLAN host can open a new TCP session to ANY port on trusted_networks by binding one of those source ports. A BMC console normally listens on these ports (destination), so this probably belongs under destination - or, if it is meant for replies, established/related only */
rule 120 {
action accept
description "Allow IPMI KVMoverIP"
destination {
group {
network-group trusted_networks
}
}
protocol tcp
source {
address xxx.xxx.143.0/24
port 5900-5901,5120
}
state {
established enable
new enable
related enable
}
}
/* NOTE(review): same pattern as rule 120 - udp/623 (RMCP) is normally the BMC destination port; as written, any new UDP from source port 623 reaches every port on trusted_networks */
rule 122 {
action accept
description "Allow IPMI Serial over IP"
destination {
group {
network-group trusted_networks
}
}
protocol udp
source {
address xxx.xxx.143.0/24
port 623
}
state {
established enable
new enable
related enable
}
}
/* No description: Nports initiating from source ports 950-953/966-969 (state new) to moxa_allowed_hosts, which spans the whole LAN /24. If the Nports are in TCP-server mode this should be established/related only; verify the mode */
rule 160 {
action accept
destination {
group {
address-group moxa_allowed_hosts
}
}
protocol tcp
source {
group {
address-group moxa_nports
port-group moxa_in
}
}
state {
established enable
new enable
related enable
}
}
/* Description mentions LDAP but only Kerberos (88, 464) and SMB (445) are listed; 389/636 are not opened */
rule 170 {
action accept
description "Allow Management access to LDAP,KRB5,SMB"
destination {
group {
network-group trusted_networks
}
port 88,464,445
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
rule 200 {
action accept
description "Allow Management Access to Debian/Ubuntu Mirrors"
destination {
group {
address-group deb-ubu-mirrors
}
port 80,443
}
protocol tcp
source {
address xxx.xxx.143.0/24
}
state {
established enable
new enable
related enable
}
}
/* Controller-only egress to the vendor mirrors (tcp 80/443) */
rule 210 {
action accept
description "Allow Unifi Server access to UBNT Mirrors"
destination {
group {
address-group ubiquiti
}
port 80,443
}
protocol tcp
source {
address xxx.xxx.143.129
}
state {
established enable
new enable
related enable
}
}
}
name Management_Out {
default-action drop
enable-default-log
rule 10 {
action accept
description "Allow Established and Related Connections"
destination {
address xxx.xxx.143.0/24
}
protocol all
source {
address xxx.xxx.0.0/0
}
state {
established enable
related enable
}
}
rule 60 {
action accept
description "Permit Access from OpenHAB to UniFi Controller"
destination {
address xxx.xxx.143.129
port 8443
}
protocol tcp
source {
address xxx.xxx.142.5
}
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Permit return SMTP packets"
destination {
address xxx.xxx.143.0/24
}
protocol tcp
source {
address xxx.xxx.129.2
port 25
}
state {
established enable
related enable
}
}
rule 80 {
action accept
description "Permit SNMP access to subnet"
destination {
address xxx.xxx.143.0/24
port 161,554,5556,5557
}
protocol udp
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 82 {
action accept
description "Allow ICMP from Internal"
destination {
address xxx.xxx.143.0/24
}
protocol icmp
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 84 {
action accept
description "Permit access to management ports on management network"
destination {
address xxx.xxx.143.0/24
port 22,23,80,443,8080,8443,9292,554,5556,5557
}
protocol tcp
source {
group {
network-group trusted_networks
}
}
state {
established enable
new enable
related enable
}
}
rule 85 {
action accept
destination {
address xxx.xxx.143.251
group {
port-group cisco_ts_lines
}
}
protocol tcp
source {
address xxx.xxx.141.0/24
}
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
destination {
address xxx.xxx.143.0/24
}
log enable
protocol udp
source {
group {
address-group radius_servers
}
port 1812
}
state {
established enable
related enable
}
}
rule 95 {
action accept
description "Permit OpenVPN clients access to Management Network"
destination {
address xxx.xxx.143.0/24
}
source {
group {
network-group trusted_networks
}
}
state {
established enable
new enable
related enable
}
}
rule 100 {
action accept
destination {
address xxx.xxx.143.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.47.0/24
}
state {
established enable
new enable
related enable
}
}
rule 110 {
action accept
destination {
address xxx.xxx.143.0/24
}
ipsec {
match-ipsec
}
source {
address xxx.xxx.32.0/24
}
state {
established enable
new enable
related enable
}
}
rule 120 {
action accept
description "Permit NTP return packets"
destination {
address xxx.xxx.143.0/24
}
protocol udp
source {
port 123
}
state {
established enable
new enable
related enable
}
}
rule 160 {
action accept
description "Allow Trusted External Hosts access to MOXA Serial Ports"
destination {
group {
address-group moxa_nports
port-group moxa_out
}
}
protocol tcp
source {
group {
address-group moxa_allowed_hosts
}
}
state {
established enable
new enable
related enable
}
}
}
name PublicAccess_In {
default-action drop
description "Traffic from PublicAccess Outbound"
enable-default-log
rule 35 {
action drop
description "Disable UPnP Discovery"
destination {
port 1900
}
protocol udp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 36 {
action drop
description "Drop Google DNS Queries"
destination {
group {
address-group google_dns
}
port 53
}
protocol tcp_udp
source {
address xxx.xxx.130.0/24
}
state {
new enable
}
}
rule 42 {
action accept
description "Allow access to proxy in DMZ"
destination {
address xxx.xxx.129.6
port 80,443,9050
}
protocol tcp
source {
address xxx.xxx.130.0/24
}
state {
new enable
}
}
rule 44 {
action accept
description "Allow Access to Fileservers"
destination {
group {
address-group fileservers
port-group fileservice_ports
}
}
protocol tcp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 48 {
action accept
description "Allow access to Jellyfin Server"
destination {
address xxx.xxx.141.2
port 8096
}
protocol tcp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 50 {
action drop
description "Time-based Permit for Chollo Gamer PC"
destination {
address xxx.xxx.0.0/0
}
log disable
source {
address xxx.xxx.130.179
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Sun,Mon,Tue,Wed,Thu,Fri,Sat
}
}
rule 54 {
action drop
description "Block Steam Gaming"
destination {
address xxx.xxx.0.0/0
group {
port-group steam
}
}
disable
log enable
protocol all
source {
group {
address-group Chollo
}
}
state {
new enable
}
}
rule 65 {
action accept
description "Open access for xxx.xxx.130.224/27"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
address xxx.xxx.130.224/27
}
state {
established enable
new enable
related enable
}
}
rule 70 {
action accept
description "Allow return packets from Web Servers on Public_Access net"
destination {
address xxx.xxx.141.0/24
}
protocol tcp
source {
address xxx.xxx.130.0/24
port 23,80
}
state {
established enable
new enable
related enable
}
}
rule 80 {
action accept
description "Allow management (UDP) traffic out"
destination {
address xxx.xxx.141.0/24
}
protocol udp
source {
address xxx.xxx.130.0/24
port 161,514
}
state {
established enable
new enable
related enable
}
}
rule 90 {
action accept
description "Allow APs to speak LWAPP/CAPWAP to Cisco WLC Controller"
destination {
address xxx.xxx.141.244
group {
port-group CAPWAPP
}
}
disable
protocol udp
source {
address xxx.xxx.130.0/24
}
state {
new enable
}
}
rule 100 {
action drop
description "Deny Children after 11pm Schoolnights"
destination {
address xxx.xxx.0.0/0
}
disable
log enable
source {
group {
address-group children
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays !Fri,Sat
}
}
rule 102 {
action drop
description "Deny Children LateNight"
destination {
address xxx.xxx.0.0/0
}
disable
log enable
source {
group {
address-group children
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
}
}
rule 115 {
action accept
description "Allow Outbound UDP (DNS/NTP/DHCP/IAX)"
destination {
address xxx.xxx.0.0/0
port 53,67,68,123,4569
}
protocol udp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 200 {
action accept
description "Allow access to Google Play Services"
destination {
address xxx.xxx.0.0/0
port 5228
}
disable
protocol tcp_udp
source {
address xxx.xxx.130.0/24
}
state {
established enable
new enable
related enable
}
}
rule 1006 {
action accept
description "Allow Chusma"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
group {
address-group Chusma
}
}
state {
established enable
new enable
related enable
}
}
rule 1008 {
action accept
description "Allow Chollo"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
related enable
}
}
rule 1030 {
action accept
description "Weekday Time-based Permit for Chollo"
destination {
address xxx.xxx.0.0/0
}
disable
log disable
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Mon,Tue,Wed,Thu,Fri
}
}
rule 1035 {
action accept
description "Weekend Time-based Permit for Chollo"
destination {
address xxx.xxx.0.0/0
}
disable
log disable
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
related enable
}
time {
starttime xxxx:xxxx:00
stoptime xxxx:xxxx:00
weekdays Sat,Sun
}
}
rule 1040 {
action accept
description "Allowed outbound for Chollo"
destination {
address xxx.xxx.0.0/0
port 80,443,587,993,5222
}
log disable
protocol tcp
source {
group {
address-group Chollo
}
}
state {
established enable
new enable
}
}
rule 9000 {
action accept
description "Allow Random DHCP Clients"
destination {
address xxx.xxx.0.0/0
}
protocol all
source {
address xxx.xxx.130.192-xxx.xxx.130.221
}
state {
established enable
new enable
related enable
}
}
}
name PublicAccess_Out {
default-action drop
description "Traffic Inbound to PublicAccess"
enable-default-log
rule 100 {
action accept
description "Permit return packets from originated connections"
state {
established enable
related enable
}
}
rule 500 {
action accept
destination {
address xxx.xxx.130.0/24
}
protocol all
source {
address xxx.xxx.141.0/24
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
state-policy {
invalid {
action drop
}
}
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address xxx.xxx.129.30/27
description DMZ
duplex auto
firewall {
in {
name DMZ_In
}
out {
name DMZ_Out
}
}
hw-id XX:XX:XX:XX:XX:30
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth1 {
address xxx.xxx.130.254/24
description "Public Access"
duplex auto
firewall {
in {
name PublicAccess_In
}
out {
name PublicAccess_Out
}
}
hw-id XX:XX:XX:XX:XX:31
mtu 9000
smp-affinity auto
speed auto
traffic-policy {
out ShapePublicOutbound
}
}
ethernet eth2 {
address xxx.xxx.141.254/24
description Internal
duplex auto
hw-id XX:XX:XX:XX:XX:32
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth3 {
address xxx.xxx.143.254/24
description Management
duplex auto
firewall {
in {
name Management_In
}
out {
name Management_Out
}
}
hw-id XX:XX:XX:XX:XX:33
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth4 {
address xxx.xxx.44.193/28
address xxx.xxx.44.200/28
address xxx.xxx.44.201/28
address xxx.xxx.44.197/28
description "FTS Public Internet Subnet"
duplex auto
hw-id XX:XX:XX:XX:XX:34
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth5 {
address xxx.xxx.62.21/27
description InternetUplink
duplex auto
firewall {
in {
name Internet_In
}
local {
name Internet2Local
}
out {
name Internet_Out
}
}
hw-id XX:XX:XX:XX:XX:35
mtu 9000
smp-affinity auto
speed auto
}
ethernet eth6 {
address xxx.xxx.142.254/24
description IoT
duplex auto
hw-id XX:XX:XX:XX:XX:36
mtu 9000
smp-affinity auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
description "OpenVPN Endpoint"
encryption aes256
hash sha512
local-host xxxxx.tld
local-port 1194
mode server
openvpn-option "--comp-lzo --push dhcp-option DOMAIN feigin.com --push dhcp-option DNS xxx.xxx.141.20 --push route xxx.xxx.140.0 xxx.xxx.252.0 --push route xxx.xxx.130.0 xxx.xxx.255.0 --push route xxx.xxx.129.0 xxx.xxx.255.224"
protocol udp
server {
subnet xxx.xxx.128.240/28
}
tls {
ca-cert-file xxxxxx
cert-file xxxxxx
dh-file xxxxxx
key-file xxxxxx
}
}
wireguard wg01 {
address xxx.xxx.188.1/24
description "Wireguard Endpoint"
peer GalaxyS7 {
allowed-ips xxx.xxx.188.3/32
persistent-keepalive 15
pubkey ****************
}
peer Hospitalet {
allowed-ips xxx.xxx.78.0/24
allowed-ips xxx.xxx.188.2/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer OpenWRT-Test {
allowed-ips xxx.xxx.188.9/32
allowed-ips xxx.xxx.83.0/24
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer OpenWRT-zbt826 {
allowed-ips xxx.xxx.188.6/32
allowed-ips xxx.xxx.84.0/24
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer PocoF3 {
allowed-ips xxx.xxx.188.4/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer XiaoMiNote5 {
allowed-ips xxx.xxx.188.5/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer ayahuasca {
allowed-ips xxx.xxx.188.7/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
peer x230 {
allowed-ips xxx.xxx.188.10/32
persistent-keepalive 15
preshared-key ****************
pubkey ****************
}
port 51820
}
wireguard wg02 {
address xxx.xxx.0.2/24
description "ACP site-to-site"
peer xxxxx.tld {
allowed-ips xxx.xxx.0.0/24
allowed-ips xxx.xxx.2.0/23
allowed-ips xxx.xxx.7.0/24
preshared-key ****************
pubkey ****************
}
port 51821
}
}
nat {
destination {
rule 20 {
description "Redirect Inbound SMTP"
destination {
address xxx.xxx.44.193
port 25
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 25
}
}
rule 22 {
description "Redirect Inbound SMTP/S"
destination {
address xxx.xxx.44.193
port 465
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 465
}
}
rule 23 {
description "Redirect Inbound SMTP Submission"
destination {
address xxx.xxx.44.193
port 587
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 587
}
}
rule 24 {
description "Redirect Inbound IMAPS"
destination {
address xxx.xxx.44.193
port 993
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.17
port 993
}
}
rule 26 {
description "Redirect inbound SSH"
destination {
address xxx.xxx.44.193
port 22
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 22
}
}
rule 30 {
description "Redirect Inbound HTTPS to xxx.xxx.62.21"
destination {
address xxx.xxx.62.21
port 443
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 443
}
}
rule 32 {
description "Redirect Inbound HTTPS for xxx.xxx.44.193"
destination {
address xxx.xxx.44.193
port 443
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 443
}
}
rule 34 {
description "Redirect Inbound HTTP for xxx.xxx.62.21"
destination {
address xxx.xxx.62.21
port 80
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 80
}
}
rule 36 {
description "Redirect Inbound HTTP for xxx.xxx.44.193"
destination {
address xxx.xxx.44.193
port 80
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 80
}
}
rule 40 {
description "Redirect Inbound DNS UDP"
destination {
address xxx.xxx.44.193
port 53
}
inbound-interface eth5
protocol udp
translation {
address xxx.xxx.129.2
port 53
}
}
rule 42 {
description "Redirect Inbound DNS TCP"
destination {
address xxx.xxx.44.193
port 53
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.2
port 53
}
}
rule 44 {
description "Redirect Inbound NTP"
destination {
address xxx.xxx.62.21
port 123
}
inbound-interface eth5
protocol udp
translation {
address xxx.xxx.141.13
port 123
}
}
rule 50 {
description "Inbound Web Redirect 9080"
destination {
address xxx.xxx.44.193
port 9080
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.3
port 80
}
}
rule 52 {
description "Inbound Web Redirect 9081->8080(Zenoss)"
destination {
address xxx.xxx.44.193
port 9081
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.30
port 8080
}
}
rule 54 {
description "Inbound Web Redirect 9082 -> Test MythTV Backend"
destination {
address xxx.xxx.44.193
port 9082
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.114
port 80
}
}
rule 56 {
description "Inbound Web Redirect 9083 -> OSCam"
destination {
address xxx.xxx.44.193
port 9083
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.3
port 8443
}
}
rule 60 {
description "Redirect Inbound DNS for old server (Temporary)"
destination {
address xxx.xxx.44.194
port 53
}
inbound-interface eth5
protocol udp
translation {
address xxx.xxx.129.2
port 53
}
}
rule 76 {
description "1:1 Inbound NAT PBXinaFlash"
destination {
address xxx.xxx.44.201
}
inbound-interface eth5
translation {
address xxx.xxx.129.5
}
}
rule 78 {
description "1:1 Inbound NAT PBXinaFlash for FTS Subnet"
destination {
address xxx.xxx.44.201
}
inbound-interface eth4
translation {
address xxx.xxx.129.5
}
}
rule 84 {
description "Reflection Rule Inside->Outside:SMTP"
destination {
address xxx.xxx.44.193
port 25
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 25
}
}
rule 85 {
description "Reflection Rule Inside->Outside:Submission"
destination {
address xxx.xxx.44.193
port 587
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 587
}
}
rule 86 {
description "Reflection Rule Inside->Outside:SMTP/S"
destination {
address xxx.xxx.44.193
port 465
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 465
}
}
rule 88 {
description "Reflection Rule Public->Outside:SMTP"
destination {
address xxx.xxx.44.193
port 25
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.2
port 25
}
}
rule 89 {
description "Reflection Rule Public->Outside:Submission"
destination {
address xxx.xxx.44.193
port 587
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.2
port 587
}
}
rule 90 {
description "Reflection Rule Internal->Outside:IMAPS"
destination {
address xxx.xxx.44.193
port 993
}
inbound-interface eth2
protocol tcp
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.129.2
port 993
}
}
rule 92 {
description "Reflection Rule Public->Outside:IMAPS"
destination {
address xxx.xxx.44.193
port 993
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.141.17
port 993
}
}
rule 94 {
description "Reflection Rule Public->Outside:IAX"
destination {
address xxx.xxx.44.201
port 4569
}
inbound-interface eth1
protocol udp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.5
port 4569
}
}
rule 96 {
description "Reflection Rule Public->Inside:https for cloud"
destination {
address xxx.xxx.62.21
port 443
}
inbound-interface eth1
protocol tcp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.141.53
port 443
}
}
rule 102 {
description "Reflection Rule Public ->Outside:SIP"
destination {
address xxx.xxx.44.201
port 5060
}
inbound-interface eth1
protocol tcp_udp
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.129.5
port 5060
}
}
rule 110 {
description "Inbound Redirect for XMPP port 5222"
destination {
address xxx.xxx.62.21
port 5222
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5222
}
}
rule 112 {
description "Inbound Redirect for XMPP port 5269"
destination {
address xxx.xxx.62.21
port 5269
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5269
}
}
rule 114 {
description "Inbound Redirect for XMPP port 5280"
destination {
address xxx.xxx.62.21
port 5280
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5280
}
}
rule 116 {
description "Inbound Redirect for XMPP http_upload port 5443"
destination {
address xxx.xxx.62.21
port 5443
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 5443
}
}
rule 120 {
description "Reflection Rule Public->Outside:XMPP-5222"
destination {
address xxx.xxx.62.21
port 5222
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5222
}
}
rule 122 {
description "Reflection Rule Public->Outside:XMPP-5269"
destination {
address xxx.xxx.62.21
port 5269
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5269
}
}
rule 124 {
description "Reflection Rule Public->Outside:XMPP-5280"
destination {
address xxx.xxx.62.21
port 5280
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5280
}
}
rule 126 {
description "Reflection Rule Public->Outside:XMPP-5443"
destination {
address xxx.xxx.62.21
port 5443
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 5443
}
}
rule 128 {
description "Reflection Rule Public->Outside:HTTPS"
destination {
address xxx.xxx.62.21
port 443
}
inbound-interface eth1
protocol tcp
translation {
address xxx.xxx.129.6
port 443
}
}
rule 140 {
description "Test Redirect HAPROXY IMAPS"
destination {
address xxx.xxx.62.21
port 993
}
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.129.6
port 993
}
}
rule 156 {
description "Inbound Redirect for Minecraft"
destination {
address xxx.xxx.44.193
port 25565
}
disable
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.141.158
port 25565
}
}
rule 160 {
description "Inbound Redirect for MOXA Serial Server"
destination {
address xxx.xxx.44.193
port 950-969
}
disable
inbound-interface eth5
protocol tcp
translation {
address xxx.xxx.143.244
port 950-969
}
}
}
source {
rule 30 {
description "Source NAT for Outbound SMTP"
destination {
}
outbound-interface eth0
protocol tcp
source {
address xxx.xxx.129.2
port 25
}
translation {
address xxx.xxx.44.193
}
}
rule 992 {
description "1:1 Outbound for PBXinaFlash"
outbound-interface eth5
source {
address xxx.xxx.129.5
}
translation {
address xxx.xxx.44.201
}
}
rule 4991 {
description "Exclude Test Networks from NAT"
destination {
address xxx.xxx.93.0/24
}
exclude
outbound-interface eth4
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4992 {
description "Exclude Apartment Spain Internal Network from NAT"
destination {
address xxx.xxx.79.0/24
}
disable
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4993 {
description "Exclude ACP Internal Network from NAT"
destination {
address xxx.xxx.2.0/23
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4994 {
description "Exclude ACP DMZ Network from NAT"
destination {
address xxx.xxx.7.0/24
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4995 {
description "Exclude SecuroSys Network from NAT"
destination {
address xxx.xxx.171.0/24
}
disable
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4996 {
description "Exclude Test Networks from NAT"
destination {
address xxx.xxx.176.0/20
}
exclude
outbound-interface eth4
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4997 {
description "Exclude DiCandilo Berwyn Network from NAT"
destination {
address xxx.xxx.1.0/24
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4998 {
description "Exclude ADDM Network From NAT"
destination {
address xxx.xxx.32.0/24
}
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 4999 {
description "Exclude ICDC Network from NAT"
destination {
address xxx.xxx.47.0/22
}
disable
exclude
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address masquerade
}
}
rule 9000 {
description "Masquerade Internal on FTS Internet Segment"
destination {
address xxx.xxx.44.192/28
}
outbound-interface eth4
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.44.193
}
}
rule 9005 {
description "Masquerade Internal"
destination {
address xxx.xxx.0.0/0
}
outbound-interface eth5
source {
address xxx.xxx.141.0/24
}
translation {
address xxx.xxx.44.193
}
}
rule 9010 {
description "Masquerade DMZ"
destination {
address xxx.xxx.0.0/0
}
outbound-interface eth5
source {
address xxx.xxx.129.0/27
}
translation {
address xxx.xxx.44.193
}
}
rule 9020 {
description "Masquerade Public"
destination {
address xxx.xxx.0.0/0
}
outbound-interface eth5
source {
address xxx.xxx.130.0/24
}
translation {
address xxx.xxx.44.197
}
}
rule 9030 {
description "Masquerade IoT & Management"
outbound-interface eth5
source {
address xxx.xxx.142.0/23
}
translation {
address xxx.xxx.44.193
}
}
}
}
protocols {
igmp-proxy {
interface eth2 {
role downstream
threshold 1
}
interface eth5 {
role upstream
threshold 1
}
}
static {
interface-route xxx.xxx.188.0/24 {
next-hop-interface wg01 {
}
}
interface-route xxx.xxx.2.0/23 {
next-hop-interface wg02 {
}
}
interface-route xxx.xxx.7.0/24 {
next-hop-interface wg02 {
}
}
interface-route xxx.xxx.78.0/24 {
next-hop-interface wg01 {
}
}
interface-route xxx.xxx.83.0/24 {
next-hop-interface wg01 {
}
}
interface-route xxx.xxx.84.0/24 {
next-hop-interface wg01 {
}
}
route xxx.xxx.0.0/0 {
next-hop xxx.xxx.62.1 {
}
}
route xxx.xxx.53.0/27 {
blackhole {
}
}
route xxx.xxx.1.47/32 {
next-hop xxx.xxx.128.242 {
}
}
route xxx.xxx.0.0/16 {
blackhole {
}
}
route xxx.xxx.0.0/15 {
blackhole {
}
}
route xxx.xxx.0.0/15 {
blackhole {
}
}
route xxx.xxx.128.0/28 {
next-hop xxx.xxx.141.251 {
}
}
route xxx.xxx.131.0/24 {
next-hop xxx.xxx.141.222 {
}
}
route xxx.xxx.0.0/17 {
blackhole {
}
}
}
}
service {
dhcp-relay {
interface eth1
interface eth3
interface eth4
interface eth6
interface eth2
relay-options {
relay-agents-packets discard
}
server xxxxx.tld
}
mdns {
repeater {
interface eth2
interface wg01
}
}
snmp {
community public {
authorization ro
network xxx.xxx.141.0/24
}
contact "Adam Feigin"
listen-address xxx.xxx.141.254 {
port 161
}
location xxxxxx 235"
trap-target xxx.xxx.141.30 {
}
}
ssh {
port 2022
}
}
system {
config-management {
commit-archive {
location xxxxxx
}
commit-revisions 50
}
conntrack {
expect-table-size 4096
hash-size 4096
modules {
sip {
disable
}
}
table-size 32768
}
console {
device ttyS0 {
speed 9600
}
}
domain-name xxxxxx
flow-accounting {
disable-imt
interface eth5
interface eth4
interface eth2
interface eth1
interface eth0
netflow {
engine-id 2
sampling-rate 64
server xxxxx.tld {
port 9995
}
timeout {
expiry-interval 60
flow-generic 60
icmp 300
max-active-life 60
tcp-fin 60
tcp-generic 60
tcp-rst 60
udp 60
}
version 5
}
sflow {
agent-address xxx.xxx.141.254
sampling-rate 64
server xxxxx.tld {
port 6343
}
}
syslog-facility daemon
}
host-name xxxxxx
ipv6 {
}
login {
radius-server xxx.xxx.141.20 {
port 1812
secret xxxxxxxxxxxx
timeout 3
}
radius-source-address xxx.xxx.143.254
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
}
full-name xxxxxx
level admin
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
}
level admin
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
}
level admin
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
}
level admin
}
}
name-server xxx.xxx.141.3
name-server xxx.xxx.40.2
name-server xxx.xxx.40.34
name-server xxx.xxx.141.20
ntp {
allow-clients {
address xxx.xxx.143.0/24
address xxx.xxx.142.0/24
address xxx.xxx.141.0/24
address xxx.xxx.130.0/24
address xxx.xxx.129.0/24
}
listen-address xxx.xxx.141.254
listen-address xxx.xxx.130.254
listen-address xxx.xxx.129.254
listen-address xxx.xxx.142.254
listen-address xxx.xxx.143.254
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
syslog {
file messages {
archive {
}
}
global {
archive {
size 8192
}
facility all {
level notice
}
facility protocols {
level debug
}
}
}
task-scheduler {
task Update-Blacklists {
executable {
path /config/scripts/updBlackList.sh
}
interval 12h
}
}
time-zone Europe/Zurich
}
traffic-policy {
limiter LimitChildrenOutBound {
class 10 {
bandwidth 512
burst 2048
match Children {
ip {
source {
address xxx.xxx.130.175/27
}
}
}
priority 20
}
}
shaper ShapeInternalOutbound {
bandwidth 1gibps
class 10 {
bandwidth 128kibit
burst 15k
ceiling 16384kibit
match JohanaRestricted {
ip {
destination {
address xxx.xxx.141.188/30
}
}
}
queue-type fair-queue
}
default {
bandwidth 1gibps
burst 15k
ceiling 100%
queue-type fair-queue
}
}
shaper ShapePublicOutbound {
bandwidth 20mibit
class 10 {
bandwidth 1kibit
burst 15k
ceiling 4096kibit
description "Chusmas Devices"
match Chusma {
ip {
destination {
address xxx.xxx.130.172/30
}
}
}
queue-type fair-queue
}
class 20 {
bandwidth 1kibit
burst 15k
ceiling 16384kibit
description "Chollos Devices"
match Chollo {
ip {
destination {
address xxx.xxx.130.176/29
}
}
}
queue-type fair-queue
}
class 30 {
bandwidth 1kibit
burst 15k
ceiling 64kibit
match mbpgen2-wlan {
ip {
destination {
address xxx.xxx.130.242/32
}
}
}
queue-type fair-queue
}
class 40 {
bandwidth 1kibit
burst 15k
ceiling 8192kibit
description "Sony PS4 Traffic"
match sonyps4 {
ip {
destination {
address xxx.xxx.130.185/32
}
}
}
queue-type fair-queue
}
class 120 {
bandwidth 100%
burst 15k
queue-type fair-queue
}
default {
bandwidth 10mibit
burst 15k
ceiling 100%
queue-type fair-queue
}
description "QoS Policy for Public"
}
shaper VoIP-DSCP {
bandwidth 5mbit
class 10 {
bandwidth 20%
burst 15k
ceiling 40%
match VoIP-RTP {
description "RTP Audio Packets (with dscp set to 46)"
ip {
dscp 46
}
}
priority 7
queue-type fair-queue
}
class 20 {
bandwidth 10%
burst 15k
ceiling 20%
description "SIP Signalling (with dscp set to 26)"
match VoIP-SIP {
ip {
dscp 26
}
}
priority 4
queue-type fair-queue
}
default {
bandwidth 70%
burst 15k
ceiling 100%
queue-type fair-queue
}
description "VoIP Traffic Shaping based on DSCP"
}
}
vpn {
ipsec {
esp-group ACP-ESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha512
}
}
esp-group CiscoESP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
esp-group DiCandilo-PA-ESP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption 3des
hash sha1
}
}
esp-group OPNSenseESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha512
}
}
esp-group OpenWRT-ESP {
compression enable
lifetime 3600
mode tunnel
pfs dh-group14
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes256
hash sha256
}
proposal 3 {
encryption aes128
hash sha512
}
proposal 4 {
encryption aes128
hash sha256
}
}
esp-group PFSenseESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha1
}
}
esp-group SecuroSysESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group18
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha1
}
}
esp-group SophosUTM-ESP {
compression disable
lifetime 3600
mode tunnel
pfs dh-group16
proposal 1 {
encryption aes256
hash sha512
}
proposal 2 {
encryption aes128
hash sha1
}
}
esp-group StonegateESP {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group CiscoIKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
proposal 2 {
dh-group 2
encryption aes256
hash sha1
}
}
ike-group DiCandilo-PA-IKE {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 5
encryption 3des
hash sha1
}
}
ike-group OPNSenseIKEv2 {
close-action none
dead-peer-detection {
action hold
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev2
lifetime 28800
proposal 1 {
dh-group 18
encryption aes256
hash sha512
}
proposal 2 {
dh-group 24
encryption aes128
hash sha512
}
}
ike-group OpenWRT-IKEv1 {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ike-group OpenWRT-IKEv2 {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev2
lifetime 3600
mobike enable
proposal 1 {
dh-group 14
encryption aes256
hash sha512
}
proposal 2 {
dh-group 14
encryption aes256
hash sha256
}
proposal 3 {
dh-group 14
encryption aes128
hash sha512
}
proposal 4 {
dh-group 14
encryption aes128
hash sha256
}
}
ike-group PFSenseIKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 18
encryption aes256
hash sha512
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
ike-group SecuroSysIKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 18
encryption aes256
hash sha512
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
ike-group SophosUTM-IKE {
close-action none
dead-peer-detection {
action restart
interval 30
timeout 120
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 16
encryption aes256
hash sha512
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
ike-group StonegateIKE {
close-action none
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
/* IPsec is bound to eth5 only; all site-to-site peers below use local-address values that presumably sit on this interface — TODO confirm */
ipsec-interfaces {
interface eth5
}
/* Networks permitted behind a NAT-ed peer. The list appears to mirror the remote prefixes used by the peers below, although every tunnel sets allow-nat-networks disable, so this list may be unused — verify before relying on it. */
nat-networks {
allowed-network xxx.xxx.1.0/24 {
}
allowed-network xxx.xxx.2.0/23 {
}
allowed-network xxx.xxx.7.0/24 {
}
allowed-network xxx.xxx.32.0/24 {
}
allowed-network xxx.xxx.45.0/24 {
}
allowed-network xxx.xxx.46.0/24 {
}
allowed-network xxx.xxx.47.0/24 {
}
allowed-network xxx.xxx.79.0/24 {
}
allowed-network xxx.xxx.93.0/24 {
}
allowed-network xxx.xxx.113.0/24 {
}
allowed-network xxx.xxx.141.0/24 {
}
allowed-network xxx.xxx.143.0/24 {
}
allowed-network xxx.xxx.171.0/24 {
}
allowed-network xxx.xxx.176.0/20 {
}
}
/* NAT-T (UDP/4500 encapsulation) enabled globally */
nat-traversal enable
/* NOTE(review): every peer authenticates with a pre-shared secret (values redacted in this paste). Of all tunnels below only the "DiCandilo Berwyn" tunnel is not marked disable, so it is presumably the only active IPsec SA at the time of this dump. Peer names are redacted as xxxxx.tld. */
site-to-site {
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
/* this side initiates the IKE exchange */
connection-type initiate
description "Aviq Systems AG PFSense"
ike-group PFSenseIKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group PFSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.1.0/24
}
}
}
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "Adi Doerflinger Cisco"
/* CiscoIKE is defined outside this excerpt */
ike-group CiscoIKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group CiscoESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.32.0/24
}
}
}
/* The only peer whose tunnel is not disabled; it relies on the legacy DiCandilo-PA-IKE group (IKEv1, 3DES/SHA1/DH 5) and waits for the remote side to initiate. */
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
/* respond: this side never initiates; the SA exists only while the peer brings it up */
connection-type respond
/* ESP group applied to tunnels that do not set their own esp-group (tunnel 1 below does not) */
default-esp-group DiCandilo-PA-ESP
description "DiCandilo Berwyn"
ike-group DiCandilo-PA-IKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix xxx.xxx.141.0/24
}
/* same remote prefix (xxx.xxx.1.0/24) as the "Aviq Systems AG PFSense" tunnel above; the two would overlap if both were enabled */
remote {
prefix xxx.xxx.1.0/24
}
}
}
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "ACP AG OPNSense"
ike-group OPNSenseIKEv2
ikev2-reauth inherit
local-address xxx.xxx.62.21
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group OPNSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.2.0/23
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group OPNSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.7.0/24
}
}
}
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type respond
description "ICDC-CBCDG Stonegate"
/* StonegateIKE offers only DH 2 / AES128 / SHA1 — revisit if these tunnels are re-enabled */
ike-group StonegateIKE
ikev2-reauth inherit
local-address xxx.xxx.62.21
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group StonegateESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.47.0/24
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group StonegateESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.46.0/24
}
}
}
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "Sophos UTM Test Gateway"
ike-group SophosUTM-IKE
ikev2-reauth inherit
/* different local address from the peers above; presumably a second uplink — confirm it is reachable via eth5 */
local-address xxx.xxx.44.193
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group SophosUTM-ESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.178.0/24
}
}
}
peer xxxxx.tld {
authentication {
mode pre-shared-secret
pre-shared-secret xxxxxx
}
connection-type initiate
description "OPNSense Test"
ike-group OPNSenseIKEv2
ikev2-reauth inherit
local-address xxx.xxx.44.193
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group OPNSenseESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.93.0/24
}
}
}
/* Remote peer on a dynamic address: identities are set explicitly (the @ prefix marks an FQDN-style ID that is matched as a string, not resolved) and the OpenWRT-IKEv2 group has MOBIKE enabled to survive address changes. The PSK is the only authentication; a certificate-based peer would be the stronger choice once the tunnel is re-enabled. */
peer xxxxx.tld {
authentication {
id @xxx.xxx.62.21
mode pre-shared-secret
pre-shared-secret xxxxxx
remote-id @awfhospitalet.dyndns.org
}
connection-type respond
description "Apartment Spain VPN"
ike-group OpenWRT-IKEv2
ikev2-reauth inherit
local-address xxx.xxx.62.21
tunnel 1 {
allow-nat-networks disable
allow-public-networks enable
/* tunnel administratively disabled */
disable
esp-group OpenWRT-ESP
local {
prefix xxx.xxx.141.0/24
}
remote {
prefix xxx.xxx.79.0/24
}
}
}
}
}
}
