
Can't commit
Closed, Resolved · Public · BUG

Description

I just upgraded from 1.3-rolling-202011080217 to the latest 1.4 rolling release. After the reboot, whenever I try to add any configuration, the system hangs at a blinking cursor with no further activity as soon as I enter "commit".
The router is still forwarding traffic, but adding new configuration is impossible because the commit never completes.

Here is the version I am running:

show version 

Version:          VyOS 1.4-rolling-202103091038
Release Train:    sagitta

Built by:         [email protected]
Built on:         Tue 09 Mar 2021 10:38 UTC
Build UUID:       f7071c0d-1e79-44af-85fb-cbd3f856309e
Build Commit ID:  e758a269e84509

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Supermicro
Hardware model:   A1SAi
Hardware S/N:     123456789
Hardware UUID:    Unknown

Copyright:        VyOS maintainers and contributors

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202103091038
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

We can't reproduce or fix this without more information — please provide the running configuration and any output from the hung commit.

Here is my current configuration. If I add anything to it and commit, the commit never completes; something appears to be blocking the commit of the new configuration. Note that addresses in the listing are redacted (xxx.xxx), so lines that look like exact duplicates — for example the repeated 'xxx.xxx.0.0/8' entries in net_bogon_and_martians, or the repeated net-admin and net_vpn_users entries — may be distinct values in the real configuration, so the listing may not reproduce the problem as-is.

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group airsonic address 'xxx.xxx.7.24'
set firewall group address-group ansible address 'xxx.xxx.7.45'
set firewall group address-group bfw-syncthing address 'xxx.xxx.7.12'
set firewall group address-group bgd-syncthing address 'xxx.xxx.7.12'
set firewall group address-group bgd-syncthing address 'xxx.xxx.7.9'
set firewall group address-group booksonic address 'xxx.xxx.7.14'
set firewall group address-group bookstack address 'xxx.xxx.7.12'
set firewall group address-group calibreweb address 'xxx.xxx.7.12'
set firewall group address-group emby address 'xxx.xxx.7.10'
set firewall group address-group heimdall address 'xxx.xxx.7.12'
set firewall group address-group ip-cameras address 'xxx.xxx.5.31-xxx.xxx.5.34'
set firewall group address-group ip-cameras address 'xxx.xxx.5.21-xxx.xxx.5.29'
set firewall group address-group ip-cameras description 'ip cameras'
set firewall group address-group jellyfin address 'xxx.xxx.7.19'
set firewall group address-group kids_devices address 'xxx.xxx.11.86'
set firewall group address-group kids_devices address 'xxx.xxx.11.117'
set firewall group address-group kids_devices address 'xxx.xxx.11.84'
set firewall group address-group kids_devices address 'xxx.xxx.11.87'
set firewall group address-group l3-home address 'xxx.xxx.4.2'
set firewall group address-group l3-home description 'home l3 devices'
set firewall group address-group l3-remote address 'xxx.xxx.0.1'
set firewall group address-group l3-remote address 'xxx.xxx.0.3'
set firewall group address-group l3-remote description 'remote l3 devices'
set firewall group address-group local address 'xxx.xxx.0.1'
set firewall group address-group local address 'xxx.xxx.3.1'
set firewall group address-group loopback address 'xxx.xxx.0.1'
set firewall group address-group loopback address 'xxx.xxx.0.2'
set firewall group address-group net-admin address 'xxx.xxx.11.27'
set firewall group address-group net-admin address 'xxx.xxx.11.21'
set firewall group address-group net-admin address 'xxx.xxx.11.24'
set firewall group address-group net-admin address 'xxx.xxx.11.27'
set firewall group address-group net-admin address 'xxx.xxx.11.21'
set firewall group address-group net-admin address 'xxx.xxx.11.24'
set firewall group address-group net-admin address 'xxx.xxx.16.130-xxx.xxx.16.133'
set firewall group address-group net-admin address 'xxx.xxx.16.130-xxx.xxx.16.133'
set firewall group address-group net-admin address 'xxx.xxx.11.22'
set firewall group address-group nms address 'xxx.xxx.7.18'
set firewall group address-group nvr address 'xxx.xxx.5.10'
set firewall group address-group nvr address 'xxx.xxx.5.9'
set firewall group address-group organizr address 'xxx.xxx.7.31'
set firewall group address-group pihole address 'xxx.xxx.20.10'
set firewall group address-group pihole address 'xxx.xxx.20.11'
set firewall group address-group pihole address 'xxx.xxx.20.10'
set firewall group address-group pivpn2 address 'xxx.xxx.20.9'
set firewall group address-group piwigo address 'xxx.xxx.7.12'
set firewall group address-group playstation4 address 'xxx.xxx.11.12'
set firewall group address-group proxmox address 'xxx.xxx.7.23'
set firewall group address-group proxmox address 'xxx.xxx.7.32'
set firewall group address-group proxmox address 'xxx.xxx.7.33'
set firewall group address-group proxmox address 'xxx.xxx.7.34'
set firewall group address-group psvita address 'xxx.xxx.11.14'
set firewall group address-group ring-security address 'xxx.xxx.5.12'
set firewall group address-group ring-security address 'xxx.xxx.5.14'
set firewall group address-group ring-security description 'ring devices'
set firewall group address-group server_normal_route address 'xxx.xxx.7.10'
set firewall group address-group server_normal_route address 'xxx.xxx.7.46'
set firewall group address-group speedtest-tracker address 'xxx.xxx.20.9'
set firewall group address-group squidguard address 'xxx.xxx.1.0'
set firewall group address-group swbgd address 'xxx.xxx.0.2'
set firewall group address-group swbgd address 'xxx.xxx.4.2'
set firewall group address-group tang_servers address 'xxx.xxx.7.38'
set firewall group address-group tang_servers address 'xxx.xxx.7.39'
set firewall group address-group torrent address 'xxx.xxx.141.188'
set firewall group address-group torrent address 'xxx.xxx.89.65'
set firewall group address-group torrent address 'xxx.xxx.88.65'
set firewall group address-group torrent address 'xxx.xxx.129.24'
set firewall group address-group torrent address 'xxx.xxx.9.48'
set firewall group address-group tower address 'xxx.xxx.7.12'
set firewall group address-group tower2 address 'xxx.xxx.7.12'
set firewall group address-group turnserver address 'xxx.xxx.20.21'
set firewall group address-group ucs-bfw address 'xxx.xxx.7.40'
set firewall group address-group ucs-bgd address 'xxx.xxx.7.40'
set firewall group address-group ucs-bgd address 'xxx.xxx.7.41'
set firewall group address-group unifi-controller address 'xxx.xxx.7.11'
set firewall group address-group untrust_addr address 'xxx.xxx.244.216'
set firewall group address-group vm-mxlinux address 'xxx.xxx.10.104'
set firewall group address-group windows-reolink address 'xxx.xxx.5.11'
set firewall group address-group wordpress address 'xxx.xxx.20.23'
set firewall group address-group youtubedl address 'xxx.xxx.7.46'
set firewall group network-group netv4_lab_data network 'xxx.xxx.71.0/24'
set firewall group network-group netv4_lab_man network 'xxx.xxx.70.0/24'
set firewall group network-group net_ap network 'xxx.xxx.6.0/24'
set firewall group network-group net_bfw network 'xxx.xxx.0.0/16'
set firewall group network-group net_bfw_ap network 'xxx.xxx.6.0/24'
set firewall group network-group net_bfw_man network 'xxx.xxx.3.0/24'
set firewall group network-group net_bfw_security network 'xxx.xxx.5.0/24'
set firewall group network-group net_bfw_server network 'xxx.xxx.7.0/24'
set firewall group network-group net_bfw_trust network 'xxx.xxx.11.0/24'
set firewall group network-group net_bfw_trust network 'xxx.xxx.10.0/24'
set firewall group network-group net_bfw_vpn network 'xxx.xxx.1.0/24'
set firewall group network-group net_bogon_and_martians description 'deny these networks'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/8'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/8'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/12'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/16'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/8'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/16'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.2.0/24'
set firewall group network-group net_bogon_and_martians network 'xxx.xxx.0.0/4'
set firewall group network-group net_dmz network 'xxx.xxx.20.0/24'
set firewall group network-group net_guest network 'xxx.xxx.12.0/24'
set firewall group network-group net_iot network 'xxx.xxx.15.0/24'
set firewall group network-group net_kids network 'xxx.xxx.9.0/24'
set firewall group network-group net_man network 'xxx.xxx.3.0/24'
set firewall group network-group net_nps network 'xxx.xxx.0.0/16'
set firewall group network-group net_security network 'xxx.xxx.5.0/24'
set firewall group network-group net_server network 'xxx.xxx.7.0/24'
set firewall group network-group net_trust network 'xxx.xxx.10.0/24'
set firewall group network-group net_trust network 'xxx.xxx.11.0/24'
set firewall group network-group net_vpn_users network 'xxx.xxx.16.0/25'
set firewall group network-group net_vpn_users network 'xxx.xxx.16.0/25'
set firewall group network-group net_vpn_users network 'xxx.xxx.16.0/25'
set firewall group network-group net_work description 'work devices'
set firewall group network-group net_work network 'xxx.xxx.14.0/24'
set firewall group port-group airsonic_app port '4040'
set firewall group port-group booksonic_app port '4040'
set firewall group port-group bookstack_app port '4040'
set firewall group port-group calibreweb_app port '8083'
set firewall group port-group emby_app port '8096'
set firewall group port-group emby_app port '8920'
set firewall group port-group heimdall_app port '880'
set firewall group port-group heimdall_app port '843'
set firewall group port-group organizr_app port 'http'
set firewall group port-group piwigo_app port '82'
set firewall group port-group proxmox_ui port '8006'
set firewall group port-group smb port 'microsoft-ds'
set firewall group port-group squidguard_app port '3128'
set firewall group port-group syncthing-svr-ui port '8384'
set firewall group port-group syncthing-sync-protocol port '22000'
set firewall group port-group tang_app description 'tang server'
set firewall group port-group tang_app port '7500'
set firewall group port-group transmission port '9091'
set firewall group port-group unifi-adoption port '3478'
set firewall group port-group unifi-adoption port '27117'
set firewall group port-group unifi-adoption port '8843'
set firewall group port-group unifi-adoption port '8880'
set firewall group port-group unifi-adoption port '8443'
set firewall group port-group unifi-adoption port '8080'
set firewall group port-group wgserver port '51820'
set firewall group port-group youtubedl port '8181'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name all_to_torguard default-action 'drop'
set firewall name all_to_torguard rule 100 action 'accept'
set firewall name backbone_to_untrust default-action 'drop'
set firewall name backbone_to_untrust rule 100 action 'accept'
set firewall name backbone_to_untrust rule 100 source group address-group 'swbgd'
set firewall name dmz_to_untrust default-action 'drop'
set firewall name dmz_to_untrust rule 100 action 'accept'
set firewall name dmz_to_untrust rule 100 source group network-group 'net_dmz'
set firewall name guest_to_dmz default-action 'drop'
set firewall name guest_to_dmz rule 100 action 'accept'
set firewall name guest_to_dmz rule 100 description 'dns request'
set firewall name guest_to_dmz rule 100 destination group address-group 'pihole'
set firewall name guest_to_dmz rule 100 destination port 'domain'
set firewall name guest_to_dmz rule 100 protocol 'udp'
set firewall name guest_to_untrust default-action 'drop'
set firewall name guest_to_untrust rule 710 action 'accept'
set firewall name guest_to_untrust rule 710 description 'internet access'
set firewall name iot_to_dmz default-action 'drop'
set firewall name iot_to_dmz rule 100 action 'accept'
set firewall name iot_to_dmz rule 100 description 'dns request'
set firewall name iot_to_dmz rule 100 destination group address-group 'pihole'
set firewall name iot_to_dmz rule 100 destination port 'domain'
set firewall name iot_to_dmz rule 100 protocol 'udp'
set firewall name iot_to_server default-action 'drop'
set firewall name iot_to_server rule 100 action 'drop'
set firewall name iot_to_server rule 100 description 'dns request'
set firewall name iot_to_server rule 100 destination group address-group 'ucs-bgd'
set firewall name iot_to_server rule 100 destination port 'domain'
set firewall name iot_to_server rule 100 protocol 'udp'
set firewall name iot_to_server rule 110 action 'accept'
set firewall name iot_to_server rule 110 description 'dhcp request'
set firewall name iot_to_server rule 110 destination group address-group 'ucs-bgd'
set firewall name iot_to_server rule 110 destination port 'bootps'
set firewall name iot_to_server rule 110 protocol 'udp'
set firewall name iot_to_server rule 115 action 'accept'
set firewall name iot_to_server rule 115 description 'emby'
set firewall name iot_to_server rule 115 destination group address-group 'emby'
set firewall name iot_to_server rule 115 destination group port-group 'emby_app'
set firewall name iot_to_server rule 115 protocol 'tcp'
set firewall name iot_to_untrust default-action 'drop'
set firewall name iot_to_untrust rule 100 action 'accept'
set firewall name iot_to_untrust rule 100 source group network-group 'net_iot'
set firewall name local_man default-action 'drop'
set firewall name local_man rule 100 action 'accept'
set firewall name local_man rule 100 destination group address-group 'local'
set firewall name local_man rule 100 source group address-group 'net-admin'
set firewall name local_man rule 9999 action 'drop'
set firewall name local_man rule 9999 log 'enable'
set firewall name local_to_all default-action 'drop'
set firewall name local_to_all enable-default-log
set firewall name local_to_all rule 100 action 'accept'
set firewall name main_to_remote-site default-action 'drop'
set firewall name main_to_remote-site rule 10 action 'accept'
set firewall name main_to_remote-site rule 10 description 'netadmin'
set firewall name main_to_remote-site rule 10 source group address-group 'net-admin'
set firewall name man_to_local default-action 'drop'
set firewall name man_to_local rule 110 action 'accept'
set firewall name man_to_local rule 110 description 'dhcp request'
set firewall name man_to_local rule 110 destination port 'bootps'
set firewall name man_to_local rule 110 protocol 'udp'
set firewall name man_to_server default-action 'drop'
set firewall name man_to_server rule 100 action 'accept'
set firewall name man_to_server rule 100 description 'dns request'
set firewall name man_to_server rule 100 destination group address-group 'ucs-bgd'
set firewall name man_to_server rule 100 destination port 'domain'
set firewall name man_to_server rule 100 protocol 'udp'
set firewall name man_to_server rule 110 action 'accept'
set firewall name man_to_server rule 110 description 'dhcp request'
set firewall name man_to_server rule 110 destination group address-group 'ucs-bgd'
set firewall name man_to_server rule 110 destination port 'bootps'
set firewall name man_to_server rule 110 protocol 'udp'
set firewall name man_to_server rule 120 action 'accept'
set firewall name man_to_server rule 120 description 'unifi ap adoption'
set firewall name man_to_server rule 120 destination group address-group 'unifi-controller'
set firewall name man_to_server rule 120 icmp type-name 'echo-request'
set firewall name man_to_server rule 120 protocol 'icmp'
set firewall name man_to_server rule 120 source group network-group 'net_ap'
set firewall name man_to_server rule 121 action 'accept'
set firewall name man_to_server rule 121 description 'unifi ap adoption'
set firewall name man_to_server rule 121 destination group address-group 'unifi-controller'
set firewall name man_to_server rule 121 destination group port-group 'unifi-adoption'
set firewall name man_to_server rule 121 protocol 'tcp_udp'
set firewall name man_to_server rule 121 source group network-group 'net_ap'
set firewall name man_to_server rule 122 action 'accept'
set firewall name man_to_server rule 122 description 'unifi ap adoption'
set firewall name man_to_server rule 122 destination group address-group 'unifi-controller'
set firewall name man_to_server rule 122 destination port 'ssh'
set firewall name man_to_server rule 122 protocol 'tcp'
set firewall name man_to_server rule 122 source group network-group 'net_ap'
set firewall name man_to_server rule 9999 action 'drop'
set firewall name man_to_server rule 9999 log 'enable'
set firewall name netadmin default-action 'drop'
set firewall name netadmin description 'netadmin access'
set firewall name netadmin rule 100 action 'accept'
set firewall name netadmin rule 100 description 'netadmin from trust and vpn'
set firewall name netadmin rule 100 source group address-group 'net-admin'
set firewall name ospf default-action 'drop'
set firewall name ospf rule 10 action 'accept'
set firewall name ospf rule 10 description 'peering with swbgd'
set firewall name ospf rule 10 protocol 'ospf'
set firewall name ospf rule 10 source group address-group 'swbgd'
set firewall name remote-site_to_local default-action 'drop'
set firewall name remote-site_to_local rule 50 action 'accept'
set firewall name remote-site_to_local rule 50 description 'bgp peering'
set firewall name remote-site_to_local rule 50 destination port 'bgp'
set firewall name remote-site_to_local rule 50 protocol 'tcp'
set firewall name remote-site_to_local rule 50 source group address-group 'l3-remote'
set firewall name remote-site_to_local rule 100 action 'accept'
set firewall name remote-site_to_local rule 100 description 'operation use'
set firewall name remote-site_to_local rule 100 destination address 'xxx.xxx.0.1'
set firewall name remote-site_to_local rule 100 icmp type-name 'echo-request'
set firewall name remote-site_to_local rule 100 protocol 'icmp'
set firewall name remote-site_to_local rule 100 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server default-action 'drop'
set firewall name remote-site_to_server rule 90 action 'accept'
set firewall name remote-site_to_server rule 90 description 'tang access'
set firewall name remote-site_to_server rule 90 destination group address-group 'tang_servers'
set firewall name remote-site_to_server rule 90 destination group port-group 'tang_app'
set firewall name remote-site_to_server rule 90 protocol 'tcp'
set firewall name remote-site_to_server rule 100 action 'accept'
set firewall name remote-site_to_server rule 100 description 'ucs access'
set firewall name remote-site_to_server rule 100 destination group address-group 'ucs-bgd'
set firewall name remote-site_to_server rule 100 destination port 'https'
set firewall name remote-site_to_server rule 100 protocol 'tcp'
set firewall name remote-site_to_server rule 100 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 120 action 'accept'
set firewall name remote-site_to_server rule 120 description 'unifi ap adoption'
set firewall name remote-site_to_server rule 120 destination group address-group 'unifi-controller'
set firewall name remote-site_to_server rule 120 icmp type-name 'echo-request'
set firewall name remote-site_to_server rule 120 protocol 'icmp'
set firewall name remote-site_to_server rule 120 source group network-group 'net_bfw_ap'
set firewall name remote-site_to_server rule 121 action 'accept'
set firewall name remote-site_to_server rule 121 description 'unifi ap adoption'
set firewall name remote-site_to_server rule 121 destination group address-group 'unifi-controller'
set firewall name remote-site_to_server rule 121 destination group port-group 'unifi-adoption'
set firewall name remote-site_to_server rule 121 protocol 'tcp_udp'
set firewall name remote-site_to_server rule 121 source group network-group 'net_bfw_ap'
set firewall name remote-site_to_server rule 122 action 'accept'
set firewall name remote-site_to_server rule 122 description 'unifi ap adoption'
set firewall name remote-site_to_server rule 122 destination group address-group 'unifi-controller'
set firewall name remote-site_to_server rule 122 destination port 'ssh'
set firewall name remote-site_to_server rule 122 protocol 'tcp'
set firewall name remote-site_to_server rule 122 source group network-group 'net_bfw_ap'
set firewall name remote-site_to_server rule 710 action 'accept'
set firewall name remote-site_to_server rule 710 description 'emby access'
set firewall name remote-site_to_server rule 710 destination group address-group 'emby'
set firewall name remote-site_to_server rule 710 destination group port-group 'emby_app'
set firewall name remote-site_to_server rule 710 protocol 'tcp'
set firewall name remote-site_to_server rule 710 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 715 action 'accept'
set firewall name remote-site_to_server rule 715 description 'airsonic access'
set firewall name remote-site_to_server rule 715 destination group address-group 'airsonic'
set firewall name remote-site_to_server rule 715 destination group port-group 'airsonic_app'
set firewall name remote-site_to_server rule 715 protocol 'tcp'
set firewall name remote-site_to_server rule 715 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 720 action 'accept'
set firewall name remote-site_to_server rule 720 description 'bookstack access'
set firewall name remote-site_to_server rule 720 destination group address-group 'bookstack'
set firewall name remote-site_to_server rule 720 destination group port-group 'bookstack_app'
set firewall name remote-site_to_server rule 720 protocol 'tcp'
set firewall name remote-site_to_server rule 720 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 725 action 'accept'
set firewall name remote-site_to_server rule 725 description 'calibreweb access'
set firewall name remote-site_to_server rule 725 destination group address-group 'calibreweb'
set firewall name remote-site_to_server rule 725 destination group port-group 'calibreweb_app'
set firewall name remote-site_to_server rule 725 protocol 'tcp'
set firewall name remote-site_to_server rule 725 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 730 action 'accept'
set firewall name remote-site_to_server rule 730 description 'heimdall access'
set firewall name remote-site_to_server rule 730 destination group address-group 'heimdall'
set firewall name remote-site_to_server rule 730 destination group port-group 'heimdall_app'
set firewall name remote-site_to_server rule 730 protocol 'tcp'
set firewall name remote-site_to_server rule 730 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 735 action 'accept'
set firewall name remote-site_to_server rule 735 description 'organizr access'
set firewall name remote-site_to_server rule 735 destination group address-group 'organizr'
set firewall name remote-site_to_server rule 735 destination group port-group 'organizr_app'
set firewall name remote-site_to_server rule 735 protocol 'tcp'
set firewall name remote-site_to_server rule 735 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 740 action 'accept'
set firewall name remote-site_to_server rule 740 description 'piwigo access'
set firewall name remote-site_to_server rule 740 destination group address-group 'piwigo'
set firewall name remote-site_to_server rule 740 destination group port-group 'piwigo_app'
set firewall name remote-site_to_server rule 740 protocol 'tcp'
set firewall name remote-site_to_server rule 740 source group network-group 'net_bfw_trust'
set firewall name remote-site_to_server rule 750 action 'accept'
set firewall name remote-site_to_server rule 750 description 'syncthing client xxxxxx'
set firewall name remote-site_to_server rule 750 destination group address-group 'bgd-syncthing'
set firewall name remote-site_to_server rule 750 protocol 'tcp'
set firewall name remote-site_to_server rule 750 source group network-group 'net_bfw_trust'
set firewall name routing default-action 'drop'
set firewall name routing description 'routing protocols'
set firewall name routing rule 100 action 'drop'
set firewall name routing rule 100 description 'isis peer'
set firewall name routing rule 100 protocol 'isis'
set firewall name routing rule 100 source group address-group 'l3-remote'
set firewall name routing rule 105 action 'drop'
set firewall name routing rule 105 description 'ospf peer'
set firewall name routing rule 105 protocol 'ospf'
set firewall name routing rule 110 action 'accept'
set firewall name routing rule 110 description 'bgp peer'
set firewall name routing rule 110 destination port 'bgp'
set firewall name routing rule 110 protocol 'tcp'
set firewall name routing rule 110 source group address-group 'l3-home'
set firewall name routing rule 9999 action 'drop'
set firewall name routing rule 9999 log 'enable'
set firewall name security_to_local default-action 'drop'
set firewall name security_to_local rule 110 action 'accept'
set firewall name security_to_local rule 110 description 'dhcp relay'
set firewall name security_to_local rule 110 destination port 'bootps,bootpc'
set firewall name security_to_local rule 110 protocol 'udp'
set firewall name security_to_server default-action 'drop'
set firewall name security_to_server rule 100 action 'accept'
set firewall name security_to_server rule 100 description 'dns request'
set firewall name security_to_server rule 100 destination group address-group 'ucs-bgd'
set firewall name security_to_server rule 100 destination port 'domain'
set firewall name security_to_server rule 100 protocol 'udp'
set firewall name security_to_server rule 700 action 'accept'
set firewall name security_to_server rule 700 description 'samba access'
set firewall name security_to_server rule 700 destination group address-group 'tower'
set firewall name security_to_server rule 700 destination port '445,139'
set firewall name security_to_server rule 700 protocol 'tcp_udp'
set firewall name security_to_server rule 701 action 'accept'
set firewall name security_to_server rule 701 description 'nfs access'
set firewall name security_to_server rule 701 destination group address-group 'tower'
set firewall name security_to_server rule 701 protocol 'tcp_udp'
set firewall name security_to_server rule 701 source group address-group 'nvr'
set firewall name security_to_untrust default-action 'drop'
set firewall name security_to_untrust rule 100 action 'accept'
set firewall name security_to_untrust rule 100 source group address-group 'ring-security'
set firewall name security_to_untrust rule 110 action 'drop'
set firewall name security_to_untrust rule 110 description 'windows reolink vm'
set firewall name security_to_untrust rule 110 source group address-group 'windows-reolink'
set firewall name security_to_untrust rule 111 action 'accept'
set firewall name security_to_untrust rule 111 description 'shinobi vm'
set firewall name security_to_untrust rule 111 source group address-group 'nvr'
set firewall name security_to_untrust rule 120 action 'drop'
set firewall name server_to_backbone default-action 'drop'
set firewall name server_to_backbone rule 50 action 'accept'
set firewall name server_to_backbone rule 50 description 'nms snmp'
set firewall name server_to_backbone rule 50 destination group address-group 'loopback'
set firewall name server_to_backbone rule 50 destination port 'snmp'
set firewall name server_to_backbone rule 50 protocol 'tcp_udp'
set firewall name server_to_backbone rule 50 source group address-group 'nms'
set firewall name server_to_backbone rule 55 action 'accept'
set firewall name server_to_backbone rule 55 description 'nms ping'
set firewall name server_to_backbone rule 55 destination group address-group 'loopback'
set firewall name server_to_backbone rule 55 icmp type-name 'echo-request'
set firewall name server_to_backbone rule 55 protocol 'icmp'
set firewall name server_to_backbone rule 55 source group address-group 'nms'
set firewall name server_to_dmz default-action 'drop'
set firewall name server_to_dmz rule 50 action 'accept'
set firewall name server_to_dmz rule 50 description 'nms snmp'
set firewall name server_to_dmz rule 50 destination group network-group 'net_dmz'
set firewall name server_to_dmz rule 50 destination port 'snmp'
set firewall name server_to_dmz rule 50 protocol 'tcp_udp'
set firewall name server_to_dmz rule 50 source group address-group 'nms'
set firewall name server_to_dmz rule 51 action 'accept'
set firewall name server_to_dmz rule 51 description 'nms ping'
set firewall name server_to_dmz rule 51 destination group network-group 'net_dmz'
set firewall name server_to_dmz rule 51 icmp type-name 'echo-request'
set firewall name server_to_dmz rule 51 protocol 'icmp'
set firewall name server_to_dmz rule 51 source group address-group 'nms'
set firewall name server_to_dmz rule 55 action 'accept'
set firewall name server_to_dmz rule 55 description 'ansible'
set firewall name server_to_dmz rule 55 destination port 'ssh'
set firewall name server_to_dmz rule 55 protocol 'tcp'
set firewall name server_to_dmz rule 55 source group address-group 'ansible'
set firewall name server_to_dmz rule 56 action 'accept'
set firewall name server_to_dmz rule 56 description 'ansible'
set firewall name server_to_dmz rule 56 icmp type-name 'echo-request'
set firewall name server_to_dmz rule 56 protocol 'icmp'
set firewall name server_to_dmz rule 56 source group address-group 'ansible'
set firewall name server_to_dmz rule 90 action 'accept'
set firewall name server_to_dmz rule 90 icmp type-name 'echo-request'
set firewall name server_to_dmz rule 90 protocol 'icmp'
set firewall name server_to_dmz rule 100 action 'accept'
set firewall name server_to_dmz rule 100 destination port 'domain'
set firewall name server_to_dmz rule 100 protocol 'udp'
set firewall name server_to_dmz rule 150 action 'accept'
set firewall name server_to_dmz rule 150 description 'letsencrypt to dmz'
set firewall name server_to_dmz rule 150 destination group address-group 'wordpress'
set firewall name server_to_iot default-action 'drop'
set firewall name server_to_iot rule 50 action 'accept'
set firewall name server_to_iot rule 50 description 'nms snmp'
set firewall name server_to_iot rule 50 destination group network-group 'net_iot'
set firewall name server_to_iot rule 50 destination port 'snmp'
set firewall name server_to_iot rule 50 protocol 'udp'
set firewall name server_to_iot rule 50 source group address-group 'nms'
set firewall name server_to_iot rule 55 action 'accept'
set firewall name server_to_iot rule 55 description 'nms ping'
set firewall name server_to_iot rule 55 destination group network-group 'net_iot'
set firewall name server_to_iot rule 55 icmp type-name 'echo-request'
set firewall name server_to_iot rule 55 protocol 'icmp'
set firewall name server_to_iot rule 55 source group address-group 'nms'
set firewall name server_to_local default-action 'drop'
set firewall name server_to_local rule 50 action 'accept'
set firewall name server_to_local rule 50 description 'nms access'
set firewall name server_to_local rule 50 destination group address-group 'local'
set firewall name server_to_local rule 50 destination port 'snmp'
set firewall name server_to_local rule 50 protocol 'tcp_udp'
set firewall name server_to_local rule 50 source group address-group 'nms'
set firewall name server_to_local rule 55 action 'accept'
set firewall name server_to_local rule 55 description 'nms ping'
set firewall name server_to_local rule 55 destination group address-group 'local'
set firewall name server_to_local rule 55 icmp type-name 'echo-request'
set firewall name server_to_local rule 55 protocol 'icmp'
set firewall name server_to_local rule 55 source group address-group 'nms'
set firewall name server_to_local rule 60 action 'accept'
set firewall name server_to_local rule 60 description 'ucs ping to gateway'
set firewall name server_to_local rule 60 destination address 'xxx.xxx.7.1'
set firewall name server_to_local rule 60 icmp type-name 'echo-request'
set firewall name server_to_local rule 60 protocol 'icmp'
set firewall name server_to_local rule 60 source group address-group 'ucs-bgd'
set firewall name server_to_man default-action 'drop'
set firewall name server_to_man rule 50 action 'accept'
set firewall name server_to_man rule 50 description 'nms access'
set firewall name server_to_man rule 50 destination group network-group 'net_ap'
set firewall name server_to_man rule 50 destination port 'snmp'
set firewall name server_to_man rule 50 protocol 'tcp_udp'
set firewall name server_to_man rule 50 source group address-group 'nms'
set firewall name server_to_man rule 55 action 'accept'
set firewall name server_to_man rule 55 description 'nms ping'
set firewall name server_to_man rule 55 destination group network-group 'net_ap'
set firewall name server_to_man rule 55 icmp type-name 'echo-request'
set firewall name server_to_man rule 55 protocol 'icmp'
set firewall name server_to_man rule 55 source group address-group 'nms'
set firewall name server_to_remote-site default-action 'drop'
set firewall name server_to_remote-site rule 50 action 'accept'
set firewall name server_to_remote-site rule 50 description 'nms snmp'
set firewall name server_to_remote-site rule 50 destination group network-group 'net_bfw'
set firewall name server_to_remote-site rule 50 destination port 'snmp'
set firewall name server_to_remote-site rule 50 protocol 'tcp_udp'
set firewall name server_to_remote-site rule 50 source group address-group 'nms'
set firewall name server_to_remote-site rule 51 action 'accept'
set firewall name server_to_remote-site rule 51 description 'nms ping'
set firewall name server_to_remote-site rule 51 destination group network-group 'net_bfw'
set firewall name server_to_remote-site rule 51 icmp type-name 'echo-request'
set firewall name server_to_remote-site rule 51 protocol 'icmp'
set firewall name server_to_remote-site rule 51 source group address-group 'nms'
set firewall name server_to_remote-site rule 55 action 'accept'
set firewall name server_to_remote-site rule 55 description 'ansible'
set firewall name server_to_remote-site rule 55 destination group network-group 'net_bfw_trust'
set firewall name server_to_remote-site rule 55 destination port 'ssh'
set firewall name server_to_remote-site rule 55 protocol 'tcp'
set firewall name server_to_remote-site rule 55 source group address-group 'ansible'
set firewall name server_to_remote-site rule 56 action 'accept'
set firewall name server_to_remote-site rule 56 description 'ansible'
set firewall name server_to_remote-site rule 56 destination group network-group 'net_bfw_trust'
set firewall name server_to_remote-site rule 56 icmp type-name 'echo-request'
set firewall name server_to_remote-site rule 56 protocol 'icmp'
set firewall name server_to_remote-site rule 56 source group address-group 'ansible'
set firewall name server_to_security default-action 'drop'
set firewall name server_to_security rule 710 action 'accept'
set firewall name server_to_security rule 710 source group network-group 'net_server'
set firewall name server_to_transit default-action 'drop'
set firewall name server_to_transit rule 700 action 'accept'
set firewall name server_to_transit rule 700 description 'syncthing sync'
set firewall name server_to_transit rule 700 destination group address-group 'bfw-syncthing'
set firewall name server_to_transit rule 700 destination group port-group 'syncthing-sync-protocol'
set firewall name server_to_transit rule 700 source group address-group 'bgd-syncthing'
set firewall name server_to_trust default-action 'drop'
set firewall name server_to_trust rule 50 action 'accept'
set firewall name server_to_trust rule 50 description 'nms'
set firewall name server_to_trust rule 50 source group address-group 'nms'
set firewall name server_to_trust rule 55 action 'accept'
set firewall name server_to_trust rule 55 description 'ansible'
set firewall name server_to_trust rule 55 destination group network-group 'net_trust'
set firewall name server_to_trust rule 55 destination port 'ssh'
set firewall name server_to_trust rule 55 protocol 'tcp'
set firewall name server_to_trust rule 55 source group address-group 'ansible'
set firewall name server_to_trust rule 56 action 'accept'
set firewall name server_to_trust rule 56 description 'ansible'
set firewall name server_to_trust rule 56 destination group network-group 'net_trust'
set firewall name server_to_trust rule 56 icmp type-name 'echo-request'
set firewall name server_to_trust rule 56 protocol 'icmp'
set firewall name server_to_trust rule 56 source group address-group 'ansible'
set firewall name server_to_untrust default-action 'drop'
set firewall name server_to_untrust rule 100 action 'accept'
set firewall name server_to_untrust rule 100 protocol 'all'
set firewall name server_to_untrust rule 100 source group network-group 'net_server'
set firewall name transit_to_server default-action 'drop'
set firewall name transit_to_server rule 700 action 'accept'
set firewall name transit_to_server rule 700 description 'syncthing sync'
set firewall name transit_to_server rule 700 destination group address-group 'bgd-syncthing'
set firewall name transit_to_server rule 700 destination group port-group 'syncthing-sync-protocol'
set firewall name transit_to_server rule 700 source group address-group 'bfw-syncthing'
set firewall name transit_to_server rule 710 action 'accept'
set firewall name transit_to_server rule 710 description 'emby access'
set firewall name transit_to_server rule 710 destination group address-group 'emby'
set firewall name transit_to_server rule 710 destination group port-group 'emby_app'
set firewall name transit_to_server rule 710 protocol 'tcp'
set firewall name transit_to_server rule 710 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 715 action 'accept'
set firewall name transit_to_server rule 715 description 'airsonic access'
set firewall name transit_to_server rule 715 destination group address-group 'airsonic'
set firewall name transit_to_server rule 715 destination group port-group 'airsonic_app'
set firewall name transit_to_server rule 715 protocol 'tcp'
set firewall name transit_to_server rule 715 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 720 action 'accept'
set firewall name transit_to_server rule 720 description 'bookstack access'
set firewall name transit_to_server rule 720 destination group address-group 'bookstack'
set firewall name transit_to_server rule 720 destination group port-group 'bookstack_app'
set firewall name transit_to_server rule 720 protocol 'tcp'
set firewall name transit_to_server rule 720 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 725 action 'accept'
set firewall name transit_to_server rule 725 description 'calibreweb access'
set firewall name transit_to_server rule 725 destination group address-group 'calibreweb'
set firewall name transit_to_server rule 725 destination group port-group 'calibreweb_app'
set firewall name transit_to_server rule 725 protocol 'tcp'
set firewall name transit_to_server rule 725 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 730 action 'accept'
set firewall name transit_to_server rule 730 description 'heimdall access'
set firewall name transit_to_server rule 730 destination group address-group 'heimdall'
set firewall name transit_to_server rule 730 destination group port-group 'heimdall_app'
set firewall name transit_to_server rule 730 protocol 'tcp'
set firewall name transit_to_server rule 730 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 735 action 'accept'
set firewall name transit_to_server rule 735 description 'organizr access'
set firewall name transit_to_server rule 735 destination group address-group 'organizr'
set firewall name transit_to_server rule 735 destination group port-group 'organizr_app'
set firewall name transit_to_server rule 735 protocol 'tcp'
set firewall name transit_to_server rule 735 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 740 action 'accept'
set firewall name transit_to_server rule 740 description 'piwigo access'
set firewall name transit_to_server rule 740 destination group address-group 'piwigo'
set firewall name transit_to_server rule 740 destination group port-group 'piwigo_app'
set firewall name transit_to_server rule 740 protocol 'tcp'
set firewall name transit_to_server rule 740 source group network-group 'net_bfw_trust'
set firewall name transit_to_server rule 745 action 'accept'
set firewall name transit_to_server rule 745 description 'syncthing client xxxxxx'
set firewall name transit_to_server rule 745 destination group address-group 'bgd-syncthing'
set firewall name transit_to_server rule 745 destination group port-group 'syncthing-sync-protocol'
set firewall name transit_to_server rule 745 protocol 'tcp'
set firewall name transit_to_server rule 745 source group network-group 'net_bfw_trust'
set firewall name trust_to_dmz default-action 'drop'
set firewall name trust_to_dmz rule 710 action 'accept'
set firewall name trust_to_dmz rule 710 description 'dmz access'
set firewall name trust_to_iot default-action 'drop'
set firewall name trust_to_iot rule 120 action 'accept'
set firewall name trust_to_iot rule 120 description 'netadmin access'
set firewall name trust_to_iot rule 120 source group address-group 'net-admin'
set firewall name trust_to_iot rule 130 action 'accept'
set firewall name trust_to_iot rule 130 description 'trust access'
set firewall name trust_to_iot rule 130 source group network-group 'net_trust'
set firewall name trust_to_local default-action 'drop'
set firewall name trust_to_local rule 10 action 'accept'
set firewall name trust_to_local rule 10 description 'netadmin'
set firewall name trust_to_local rule 10 source group address-group 'net-admin'
set firewall name trust_to_local rule 20 action 'accept'
set firewall name trust_to_local rule 20 description 'trust users'
set firewall name trust_to_local rule 20 destination group address-group 'squidguard'
set firewall name trust_to_local rule 20 destination group port-group 'squidguard_app'
set firewall name trust_to_local rule 20 source group network-group 'net_trust'
set firewall name trust_to_local rule 30 action 'accept'
set firewall name trust_to_local rule 30 description 'wireguard remote access'
set firewall name trust_to_local rule 30 source group network-group 'net_trust'
set firewall name trust_to_man default-action 'drop'
set firewall name trust_to_man rule 710 action 'accept'
set firewall name trust_to_man rule 710 description 'netadmin access'
set firewall name trust_to_man rule 710 protocol 'all'
set firewall name trust_to_man rule 710 source group address-group 'net-admin'
set firewall name trust_to_remote-site default-action 'drop'
set firewall name trust_to_remote-site rule 100 action 'accept'
set firewall name trust_to_remote-site rule 100 description 'netadmin'
set firewall name trust_to_remote-site rule 100 source group address-group 'net-admin'
set firewall name trust_to_security default-action 'drop'
set firewall name trust_to_security rule 120 action 'accept'
set firewall name trust_to_security rule 120 description 'netadmin access'
set firewall name trust_to_security rule 120 source group address-group 'net-admin'
set firewall name trust_to_security rule 700 action 'accept'
set firewall name trust_to_server default-action 'drop'
set firewall name trust_to_server rule 10 action 'accept'
set firewall name trust_to_server rule 10 description 'netadmin'
set firewall name trust_to_server rule 10 source group address-group 'net-admin'
set firewall name trust_to_server rule 90 action 'accept'
set firewall name trust_to_server rule 90 description 'clevis to tang'
set firewall name trust_to_server rule 90 destination address 'xxx.xxx.7.162'
set firewall name trust_to_server rule 90 destination group port-group 'tang_app'
set firewall name trust_to_server rule 90 protocol 'tcp'
set firewall name trust_to_server rule 100 action 'accept'
set firewall name trust_to_server rule 100 description 'dns request'
set firewall name trust_to_server rule 100 destination group address-group 'ucs-bgd'
set firewall name trust_to_server rule 100 destination port 'domain'
set firewall name trust_to_server rule 100 protocol 'udp'
set firewall name trust_to_server rule 710 action 'accept'
set firewall name trust_to_server rule 710 description 'emby access'
set firewall name trust_to_server rule 710 destination group address-group 'emby'
set firewall name trust_to_server rule 710 destination group port-group 'emby_app'
set firewall name trust_to_server rule 710 protocol 'tcp'
set firewall name trust_to_server rule 715 action 'accept'
set firewall name trust_to_server rule 715 description 'airsonic access'
set firewall name trust_to_server rule 715 destination group address-group 'airsonic'
set firewall name trust_to_server rule 715 destination group port-group 'airsonic_app'
set firewall name trust_to_server rule 715 protocol 'tcp'
set firewall name trust_to_server rule 720 action 'accept'
set firewall name trust_to_server rule 720 description 'bookstack access'
set firewall name trust_to_server rule 720 destination group address-group 'bookstack'
set firewall name trust_to_server rule 720 destination group port-group 'bookstack_app'
set firewall name trust_to_server rule 720 protocol 'tcp'
set firewall name trust_to_server rule 725 action 'accept'
set firewall name trust_to_server rule 725 description 'calibreweb access'
set firewall name trust_to_server rule 725 destination group address-group 'calibreweb'
set firewall name trust_to_server rule 725 destination group port-group 'calibreweb_app'
set firewall name trust_to_server rule 725 protocol 'tcp'
set firewall name trust_to_server rule 730 action 'accept'
set firewall name trust_to_server rule 730 description 'heimdall access'
set firewall name trust_to_server rule 730 destination group address-group 'heimdall'
set firewall name trust_to_server rule 730 destination group port-group 'heimdall_app'
set firewall name trust_to_server rule 730 protocol 'tcp'
set firewall name trust_to_server rule 735 action 'accept'
set firewall name trust_to_server rule 735 description 'organizr access'
set firewall name trust_to_server rule 735 destination group address-group 'organizr'
set firewall name trust_to_server rule 735 destination group port-group 'organizr_app'
set firewall name trust_to_server rule 735 protocol 'tcp'
set firewall name trust_to_server rule 740 action 'accept'
set firewall name trust_to_server rule 740 description 'piwigo access'
set firewall name trust_to_server rule 740 destination group address-group 'piwigo'
set firewall name trust_to_server rule 740 destination group port-group 'piwigo_app'
set firewall name trust_to_server rule 740 protocol 'tcp'
set firewall name trust_to_server rule 745 action 'accept'
set firewall name trust_to_server rule 745 description 'jellyfin'
set firewall name trust_to_server rule 745 destination group address-group 'jellyfin'
set firewall name trust_to_server rule 745 destination group port-group 'emby_app'
set firewall name trust_to_server rule 745 protocol 'tcp'
set firewall name trust_to_server rule 750 action 'accept'
set firewall name trust_to_server rule 750 description 'syncthing client xxxxxx'
set firewall name trust_to_server rule 750 destination group address-group 'bgd-syncthing'
set firewall name trust_to_server rule 750 protocol 'tcp'
set firewall name trust_to_server rule 750 source group network-group 'net_trust'
set firewall name trust_to_server rule 760 action 'accept'
set firewall name trust_to_server rule 760 description 'nms access'
set firewall name trust_to_server rule 760 destination group address-group 'nms'
set firewall name trust_to_server rule 760 destination port 'http,https,ssh'
set firewall name trust_to_server rule 760 protocol 'tcp'
set firewall name trust_to_server rule 760 source group network-group 'net_trust'
set firewall name trust_to_server rule 765 action 'accept'
set firewall name trust_to_server rule 765 description 'booksonic'
set firewall name trust_to_server rule 765 destination group address-group 'booksonic'
set firewall name trust_to_server rule 765 destination group port-group 'booksonic_app'
set firewall name trust_to_server rule 765 protocol 'tcp'
set firewall name trust_to_server rule 765 source group network-group 'net_trust'
set firewall name trust_to_server rule 9999 action 'drop'
set firewall name trust_to_server rule 9999 log 'enable'
set firewall name trust_to_untrust default-action 'drop'
set firewall name trust_to_untrust rule 5 action 'drop'
set firewall name trust_to_untrust rule 5 description 'no internet for the kids'
set firewall name trust_to_untrust rule 5 log 'enable'
set firewall name trust_to_untrust rule 5 source group address-group 'kids_devices'
set firewall name trust_to_untrust rule 5 time starttime 'xxxx:xxxx:00'
set firewall name trust_to_untrust rule 5 time stoptime 'xxxx:xxxx:00'
set firewall name trust_to_untrust rule 5 time utc
set firewall name trust_to_untrust rule 5 time weekdays 'Sun,Mon,Tue,Wed,Thu'
set firewall name trust_to_untrust rule 6 action 'drop'
set firewall name trust_to_untrust rule 6 description 'no internet for the kids during the weekends'
set firewall name trust_to_untrust rule 6 log 'enable'
set firewall name trust_to_untrust rule 6 source group address-group 'kids_devices'
set firewall name trust_to_untrust rule 6 time starttime 'xxxx:xxxx:00'
set firewall name trust_to_untrust rule 6 time stoptime 'xxxx:xxxx:00'
set firewall name trust_to_untrust rule 6 time utc
set firewall name trust_to_untrust rule 6 time weekdays 'Fri,Sat'
set firewall name trust_to_untrust rule 7 action 'drop'
set firewall name trust_to_untrust rule 7 description 'no rogue dns'
set firewall name trust_to_untrust rule 7 destination port 'domain'
set firewall name trust_to_untrust rule 7 protocol 'udp'
set firewall name trust_to_untrust rule 710 action 'accept'
set firewall name trust_to_untrust rule 710 description 'Internet access'
set firewall name trust_to_untrust rule 710 protocol 'all'
set firewall name trust_to_untrust rule 1500 action 'accept'
set firewall name trust_to_untrust rule 1500 description 'url filtering'
set firewall name trust_to_untrust rule 1500 destination address 'xxx.xxx.10.1'
set firewall name untrust_in default-action 'accept'
set firewall name untrust_in description 'drop bogons and martians ip blocks'
set firewall name untrust_in rule 100 action 'drop'
set firewall name untrust_in rule 100 source group network-group 'net_bogon_and_martians'
set firewall name untrust_in rule 9999 action 'accept'
set firewall name untrust_out default-action 'accept'
set firewall name untrust_out description 'drop bogons and martians ip blocks'
set firewall name untrust_out rule 100 action 'drop'
set firewall name untrust_out rule 100 destination group network-group 'net_bogon_and_martians'
set firewall name untrust_out rule 9999 action 'accept'
set firewall name untrust_to_dmz default-action 'drop'
set firewall name untrust_to_dmz rule 100 action 'accept'
set firewall name untrust_to_dmz rule 100 description 'reverse proxy - nginx'
set firewall name untrust_to_dmz rule 100 destination port 'https'
set firewall name untrust_to_dmz rule 100 disable
set firewall name untrust_to_dmz rule 100 protocol 'tcp'
set firewall name untrust_to_dmz rule 110 action 'accept'
set firewall name untrust_to_dmz rule 110 description 'turn server for nextcloud talk'
set firewall name untrust_to_dmz rule 110 destination group address-group 'turnserver'
set firewall name untrust_to_dmz rule 110 destination port '5349'
set firewall name untrust_to_dmz rule 110 disable
set firewall name untrust_to_dmz rule 110 protocol 'tcp'
set firewall name untrust_to_dmz rule 111 action 'accept'
set firewall name untrust_to_dmz rule 111 description 'turn server for nextcloud talk'
set firewall name untrust_to_dmz rule 111 destination group address-group 'turnserver'
set firewall name untrust_to_dmz rule 111 destination port '3478'
set firewall name untrust_to_dmz rule 111 disable
set firewall name untrust_to_dmz rule 111 protocol 'tcp'
set firewall name untrust_to_dmz rule 112 action 'accept'
set firewall name untrust_to_dmz rule 112 description 'turn server for nextcloud talk'
set firewall name untrust_to_dmz rule 112 destination group address-group 'turnserver'
set firewall name untrust_to_dmz rule 112 destination port '63000-64535'
set firewall name untrust_to_dmz rule 112 disable
set firewall name untrust_to_dmz rule 112 protocol 'tcp'
set firewall name untrust_to_local default-action 'drop'
set firewall name untrust_to_local rule 10 action 'accept'
set firewall name untrust_to_local rule 10 description 'wireguard'
set firewall name untrust_to_local rule 10 destination port '51820-51821'
set firewall name untrust_to_local rule 10 protocol 'udp'
set firewall name untrust_to_server default-action 'drop'
set firewall name untrust_to_server description 'reverse proxy - letsencrypt'
set firewall name untrust_to_server rule 100 action 'accept'
set firewall name untrust_to_server rule 100 destination group address-group 'tower'
set firewall name untrust_to_server rule 100 destination port '442,81'
set firewall name untrust_to_server rule 100 protocol 'tcp'
set firewall name untrust_to_server rule 9999 action 'drop'
set firewall name untrust_to_server rule 9999 log 'enable'
set firewall name vpn_to_iot default-action 'drop'
set firewall name vpn_to_iot rule 120 action 'accept'
set firewall name vpn_to_iot rule 120 description 'netadmin access'
set firewall name vpn_to_iot rule 120 source group address-group 'net-admin'
set firewall name vpn_to_man default-action 'drop'
set firewall name vpn_to_man rule 120 action 'accept'
set firewall name vpn_to_man rule 120 description 'netadmin access'
set firewall name vpn_to_man rule 120 source group address-group 'net-admin'
set firewall name vpn_to_security default-action 'drop'
set firewall name vpn_to_security rule 100 action 'accept'
set firewall name vpn_to_security rule 100 source group address-group 'net-admin'
set firewall name vpn_to_server default-action 'drop'
set firewall name vpn_to_server rule 100 action 'accept'
set firewall name vpn_to_server rule 100 destination group address-group 'ucs-bgd'
set firewall name vpn_to_server rule 100 destination port 'domain'
set firewall name vpn_to_server rule 100 protocol 'udp'
set firewall name vpn_to_server rule 110 action 'accept'
set firewall name vpn_to_server rule 110 description 'netadmin access'
set firewall name vpn_to_server rule 110 protocol 'all'
set firewall name vpn_to_server rule 110 source group address-group 'net-admin'
set firewall name vpn_to_server rule 710 action 'accept'
set firewall name vpn_to_server rule 710 description 'emby access'
set firewall name vpn_to_server rule 710 destination group address-group 'emby'
set firewall name vpn_to_server rule 710 destination group port-group 'emby_app'
set firewall name vpn_to_server rule 710 protocol 'tcp'
set firewall name vpn_to_server rule 715 action 'accept'
set firewall name vpn_to_server rule 715 description 'airsonic access'
set firewall name vpn_to_server rule 715 destination group address-group 'airsonic'
set firewall name vpn_to_server rule 715 destination group port-group 'airsonic_app'
set firewall name vpn_to_server rule 715 protocol 'tcp'
set firewall name vpn_to_server rule 720 action 'accept'
set firewall name vpn_to_server rule 720 description 'bookstack access'
set firewall name vpn_to_server rule 720 destination group address-group 'bookstack'
set firewall name vpn_to_server rule 720 destination group port-group 'bookstack_app'
set firewall name vpn_to_server rule 720 protocol 'tcp'
set firewall name vpn_to_server rule 725 action 'accept'
set firewall name vpn_to_server rule 725 description 'calibreweb access'
set firewall name vpn_to_server rule 725 destination group address-group 'calibreweb'
set firewall name vpn_to_server rule 725 destination group port-group 'calibreweb_app'
set firewall name vpn_to_server rule 725 protocol 'tcp'
set firewall name vpn_to_server rule 730 action 'accept'
set firewall name vpn_to_server rule 730 description 'heimdall access'
set firewall name vpn_to_server rule 730 destination group address-group 'heimdall'
set firewall name vpn_to_server rule 730 destination group port-group 'heimdall_app'
set firewall name vpn_to_server rule 730 protocol 'tcp'
set firewall name vpn_to_server rule 735 action 'accept'
set firewall name vpn_to_server rule 735 description 'organizr access'
set firewall name vpn_to_server rule 735 destination group address-group 'organizr'
set firewall name vpn_to_server rule 735 destination group port-group 'organizr_app'
set firewall name vpn_to_server rule 735 protocol 'tcp'
set firewall name vpn_to_server rule 740 action 'accept'
set firewall name vpn_to_server rule 740 description 'piwigo access'
set firewall name vpn_to_server rule 740 destination group address-group 'piwigo'
set firewall name vpn_to_server rule 740 destination group port-group 'piwigo_app'
set firewall name vpn_to_server rule 740 protocol 'tcp'
set firewall name vpn_to_trust default-action 'drop'
set firewall name vpn_to_trust rule 120 action 'accept'
set firewall name vpn_to_trust rule 120 description 'netadmin access'
set firewall name vpn_to_trust rule 120 source group address-group 'net-admin'
set firewall name vpn_to_untrust default-action 'drop'
set firewall name vpn_to_untrust rule 100 action 'accept'
set firewall name vpn_to_untrust rule 100 source group address-group 'net-admin'
set firewall name vpn_to_untrust rule 110 action 'accept'
set firewall name vpn_to_untrust rule 110 source group network-group 'net_vpn_users'
set firewall name work_to_dmz default-action 'drop'
set firewall name work_to_dmz rule 100 action 'accept'
set firewall name work_to_dmz rule 100 description 'dns request'
set firewall name work_to_dmz rule 100 destination port 'domain'
set firewall name work_to_dmz rule 100 protocol 'udp'
set firewall name work_to_local default-action 'drop'
set firewall name work_to_local rule 110 action 'accept'
set firewall name work_to_local rule 110 description 'dhcp relay'
set firewall name work_to_local rule 110 destination port 'bootps,bootpc'
set firewall name work_to_local rule 110 protocol 'udp'
set firewall name work_to_untrust default-action 'drop'
set firewall name work_to_untrust rule 710 action 'accept'
set firewall name work_to_untrust rule 710 description 'work internet access'
set firewall name work_to_untrust rule 710 source group network-group 'net_work'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy invalid log enable
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces bonding bond0 description 'Core: see eth4 and eth5'
set interfaces bonding bond0 hash-policy 'layer3+4'
set interfaces bonding bond0 member interface 'eth4'
set interfaces bonding bond0 member interface 'eth5'
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 3
set interfaces bonding bond0 vif 4
set interfaces bonding bond0 vif 5 address 'xxx.xxx.5.1/24'
set interfaces bonding bond0 vif 5 description 'security gateway'
set interfaces bonding bond0 vif 6 address 'xxx.xxx.6.1/24'
set interfaces bonding bond0 vif 6 description 'ap gateway'
set interfaces bonding bond0 vif 7 address 'xxx.xxx.7.1/24'
set interfaces bonding bond0 vif 7 description 'server gateway'
set interfaces bonding bond0 vif 7 policy route 'pbr_server'
set interfaces bonding bond0 vif 9
set interfaces bonding bond0 vif 10 address 'xxx.xxx.10.1/24'
set interfaces bonding bond0 vif 10 description 'wired gateway'
set interfaces bonding bond0 vif 11 address 'xxx.xxx.11.1/24'
set interfaces bonding bond0 vif 11 description 'wireless gateway'
set interfaces bonding bond0 vif 11 policy route 'pbr_trust'
set interfaces bonding bond0 vif 12 address 'xxx.xxx.12.1/24'
set interfaces bonding bond0 vif 12 description 'guest gateway'
set interfaces bonding bond0 vif 12 policy route 'pbr_guest'
set interfaces bonding bond0 vif 14 address 'xxx.xxx.14.1/24'
set interfaces bonding bond0 vif 14 description 'work gateway'
set interfaces bonding bond0 vif 15 address 'xxx.xxx.15.1/24'
set interfaces bonding bond0 vif 15 description 'iot gateway'
set interfaces bonding bond0 vif 20 address 'xxx.xxx.20.1/24'
set interfaces bonding bond0 vif 20 description 'dmz gateway'
set interfaces bonding bond0 vif 20 policy route 'pbr_dmz'
set interfaces bridge br3 address 'xxx.xxx.3.1/24'
set interfaces bridge br3 aging '300'
set interfaces bridge br3 description 'management gateway'
set interfaces bridge br3 hello-time '2'
set interfaces bridge br3 max-age '20'
set interfaces bridge br3 member interface bond0.3
set interfaces bridge br3 member interface eth1
set interfaces bridge br3 member interface eth3
set interfaces bridge br3 priority '0'
set interfaces bridge br4 address 'xxx.xxx.4.1/24'
set interfaces bridge br4 aging '300'
set interfaces bridge br4 description 'backbone gateway'
set interfaces bridge br4 hello-time '2'
set interfaces bridge br4 max-age '20'
set interfaces bridge br4 member interface bond0.4
set interfaces bridge br4 priority '0'
set interfaces bridge br30 address 'xxx.xxx.3.1/24'
set interfaces bridge br30 aging '300'
set interfaces bridge br30 hello-time '2'
set interfaces bridge br30 max-age '20'
set interfaces bridge br30 member interface eth2
set interfaces dummy dum0 address 'xxx.xxx.0.1/32'
set interfaces dummy dum0 description 'in-band management'
set interfaces dummy dum1 address 'xxx.xxx.1.0/32'
set interfaces dummy dum1 description 'url filtering'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 address 'dhcpv6'
set interfaces ethernet eth0 description 'Transit: untrust interface - Xfinity [1Gbps/35Mbps]'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:a8'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 description 'RESERVED FOR FUTURE EXPANSION'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:a9'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 description 'ipmi | Unraid'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:aa'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 description '(ipmi) pve1'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'XX:XX:XX:XX:XX:ab'
set interfaces ethernet eth3 speed 'auto'
set interfaces ethernet eth4 description 'link to swbgd ethernet 26'
set interfaces ethernet eth4 duplex 'auto'
set interfaces ethernet eth4 hw-id 'XX:XX:XX:XX:XX:a0'
set interfaces ethernet eth4 speed 'auto'
set interfaces ethernet eth5 description 'link to swbgd ethernet 27'
set interfaces ethernet eth5 duplex 'auto'
set interfaces ethernet eth5 hw-id 'XX:XX:XX:XX:XX:a1'
set interfaces ethernet eth5 speed 'auto'
set interfaces loopback lo
set interfaces openvpn vtun1 disable
set interfaces openvpn vtun1 encryption cipher 'aes256'
set interfaces openvpn vtun1 mode 'client'
set interfaces openvpn vtun1 openvpn-option '--auth-user-pass /config/auth/torguard/torguard.txt --persist-key --persist-tun --nobind --pull --route-nopull --comp-lzo --script-security 2'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-host 'nl.torguardvpnaccess.com'
set interfaces openvpn vtun1 remote-port '443'
set interfaces openvpn vtun1 tls ca-cert-file xxxxxx
set interfaces openvpn vtun1 tls cert-file xxxxxx
set interfaces openvpn vtun1 tls key-file xxxxxx
set interfaces openvpn vtun1 use-lzo-compression
set interfaces wireguard wg100 address 'xxx.xxx.16.1/24'
set interfaces wireguard wg100 description 'remote access vpn gateway'
set interfaces wireguard wg100 peer kalaptop allowed-ips 'xxx.xxx.16.132/32'
set interfaces wireguard wg100 peer kalaptop persistent-keepalive '15'
set interfaces wireguard wg100 peer kalaptop pubkey 'OQVujtLM5W2IzP2r7n7GYYUI='
set interfaces wireguard wg100 peer kamobile allowed-ips 'xxx.xxx.16.131/32'
set interfaces wireguard wg100 peer kamobile persistent-keepalive '15'
set interfaces wireguard wg100 peer kamobile pubkey 'NuNYGOSJOxXTP6jD9KgyJ1YA2RFwc='
set interfaces wireguard wg100 peer kas76lp allowed-ips 'xxx.xxx.16.133/32'
set interfaces wireguard wg100 peer kas76lp persistent-keepalive '15'
set interfaces wireguard wg100 peer kas76lp pubkey 'Q5KlghWHSb2kj0+gXgSbmwP/1s='
set interfaces wireguard wg100 policy route 'pbr_rawg'
set interfaces wireguard wg100 port '51821'
set interfaces wireguard wg100 private-key 'rawg'
set interfaces wireguard wg101 address 'xxx.xxx.0.0/31'
set interfaces wireguard wg101 description 'Peering: site-to-site vpn with bfw'
set interfaces wireguard wg101 peer bfwfw1 address 'xxx.xxx.153.148'
set interfaces wireguard wg101 peer bfwfw1 allowed-ips 'xxx.xxx.0.1/32'
set interfaces wireguard wg101 peer bfwfw1 allowed-ips 'xxx.xxx.0.0/16'
set interfaces wireguard wg101 peer bfwfw1 port '51820'
set interfaces wireguard wg101 peer bfwfw1 pubkey 'U226Tj5abUWkTBO3Nr2IbsJsIaSzA='
set interfaces wireguard wg101 port '51820'
set interfaces wireguard wg101 private-key 's2s'
set interfaces wireguard wg1000 address 'xxx.xxx.84.245/24'
set interfaces wireguard wg1000 description 'Transit: torguard wireguard gateway'
set interfaces wireguard wg1000 peer torguard address 'xxx.xxx.177.130'
set interfaces wireguard wg1000 peer torguard allowed-ips 'xxx.xxx.0.0/0'
set interfaces wireguard wg1000 peer torguard persistent-keepalive '25'
set interfaces wireguard wg1000 peer torguard port '1443'
set interfaces wireguard wg1000 peer torguard pubkey 'Av+bq9kbIGg/T71g/EBkWY762aGM='
set interfaces wireguard wg1000 port '51920'
set interfaces wireguard wg1000 private-key 'torguard'
set nat destination rule 100 description 'reverse proxy - nginx'
set nat destination rule 100 destination port 'https'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address 'xxx.xxx.7.12'
set nat destination rule 100 translation port '442'
set nat destination rule 110 description 'reverse proxy - nginx'
set nat destination rule 110 destination port '80'
set nat destination rule 110 inbound-interface 'eth0'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address 'xxx.xxx.7.12'
set nat destination rule 110 translation port '81'
set nat destination rule 115 description 'turnserver for nextcloud talk'
set nat destination rule 115 destination port '3478'
set nat destination rule 115 inbound-interface 'eth0'
set nat destination rule 115 protocol 'tcp'
set nat destination rule 115 translation address 'xxx.xxx.20.21'
set nat destination rule 116 description 'turn server tls for nextcloud talk'
set nat destination rule 116 destination port '5349'
set nat destination rule 116 inbound-interface 'eth0'
set nat destination rule 116 protocol 'tcp'
set nat destination rule 116 translation address 'xxx.xxx.20.21'
set nat destination rule 117 description 'turnserver for nextcloud talk'
set nat destination rule 117 destination port '63000-64535'
set nat destination rule 117 inbound-interface 'eth0'
set nat destination rule 117 protocol 'tcp'
set nat destination rule 117 translation address 'xxx.xxx.20.21'
set nat destination rule 117 translation port '63000-64535'
set nat destination rule 1000 description 'hairpin nat'
set nat destination rule 1000 destination address 'xxx.xxx.244.216'
set nat destination rule 1000 destination port 'https'
set nat destination rule 1000 inbound-interface 'bond0.11'
set nat destination rule 1000 protocol 'tcp'
set nat destination rule 1000 translation address 'xxx.xxx.7.12'
set nat destination rule 1000 translation port '442'
set nat destination rule 1001 description 'hairpin nat - vpn'
set nat destination rule 1001 destination address 'xxx.xxx.244.216'
set nat destination rule 1001 destination port 'https'
set nat destination rule 1001 inbound-interface 'wg100'
set nat destination rule 1001 protocol 'tcp'
set nat destination rule 1001 translation address 'xxx.xxx.7.12'
set nat destination rule 1001 translation port '442'
set nat destination rule 1002 description 'hairping nat - turnserver'
set nat destination rule 1002 destination address 'xxx.xxx.244.216'
set nat destination rule 1002 destination port '3478'
set nat destination rule 1002 inbound-interface 'bond0.7'
set nat destination rule 1002 protocol 'tcp'
set nat destination rule 1002 translation address 'xxx.xxx.20.21'
set nat destination rule 1002 translation port '3478'
set nat destination rule 1003 description 'hairpin nat - wireguard'
set nat destination rule 1003 destination address 'xxx.xxx.244.216'
set nat destination rule 1003 destination port '51821'
set nat destination rule 1003 inbound-interface 'bond0.11'
set nat destination rule 1003 protocol 'udp'
set nat destination rule 1003 translation address 'xxx.xxx.0.1'
set nat destination rule 1003 translation port '51821'
set nat destination rule 2000 description 'url filtering - wired trust'
set nat destination rule 2000 destination port '80,443'
set nat destination rule 2000 disable
set nat destination rule 2000 inbound-interface 'bond0.10'
set nat destination rule 2000 protocol 'tcp'
set nat destination rule 2000 translation address 'xxx.xxx.1.0'
set nat destination rule 2000 translation port '3128'
set nat destination rule 2001 description 'url filtering - wireless trust'
set nat destination rule 2001 destination
set nat destination rule 2001 disable
set nat destination rule 2001 inbound-interface 'bond0.11'
set nat destination rule 2001 protocol 'tcp'
set nat destination rule 2001 translation address 'xxx.xxx.1.0'
set nat destination rule 2001 translation port '3128'
set nat source rule 4 description 'source nat for loopbacks'
set nat source rule 4 outbound-interface 'eth0'
set nat source rule 4 source address 'xxx.xxx.4.0/24'
set nat source rule 4 translation address 'masquerade'
set nat source rule 5 description 'source nat security'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 source address 'xxx.xxx.5.0/24'
set nat source rule 5 translation address 'masquerade'
set nat source rule 7 description 'source nat servers'
set nat source rule 7 outbound-interface 'eth0'
set nat source rule 7 source address 'xxx.xxx.7.0/24'
set nat source rule 7 translation address 'masquerade'
set nat source rule 9 description 'source nat kids'
set nat source rule 9 outbound-interface 'eth0'
set nat source rule 9 source address 'xxx.xxx.9.0/24'
set nat source rule 9 translation address 'masquerade'
set nat source rule 11 description 'source nat trust'
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address 'xxx.xxx.10.0/23'
set nat source rule 11 translation address 'masquerade'
set nat source rule 12 description 'souce nat guest'
set nat source rule 12 outbound-interface 'eth0'
set nat source rule 12 source address 'xxx.xxx.12.0/24'
set nat source rule 12 translation address 'masquerade'
set nat source rule 14 description 'source nat work'
set nat source rule 14 outbound-interface 'eth0'
set nat source rule 14 source address 'xxx.xxx.14.0/24'
set nat source rule 14 translation address 'masquerade'
set nat source rule 15 description 'source nat iot'
set nat source rule 15 outbound-interface 'eth0'
set nat source rule 15 source address 'xxx.xxx.15.0/24'
set nat source rule 15 translation address 'masquerade'
set nat source rule 16 description 'source nat vpn'
set nat source rule 16 outbound-interface 'eth0'
set nat source rule 16 source address 'xxx.xxx.16.0/24'
set nat source rule 16 translation address 'masquerade'
set nat source rule 20 description 'source nat dmz'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address 'xxx.xxx.20.0/24'
set nat source rule 20 translation address 'masquerade'
set nat source rule 1000 description 'hairpin nat'
set nat source rule 1000 destination address 'xxx.xxx.244.216/32'
set nat source rule 1000 outbound-interface 'eth0'
set nat source rule 1000 protocol 'tcp'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 1500 description 'torguard source nat'
set nat source rule 1500 outbound-interface 'wg1000'
set nat source rule 1500 source address 'xxx.xxx.0.0/14'
set nat source rule 1500 translation address 'masquerade'
set policy route pbr_dmz rule 2000 description 'route normally'
set policy route pbr_dmz rule 2000 destination address 'xxx.xxx.0.0/14'
set policy route pbr_dmz rule 2000 set table 'main'
set policy route pbr_dmz rule 2001 description 'destination torguard'
set policy route pbr_dmz rule 2001 destination address 'xxx.xxx.0.0/0'
set policy route pbr_dmz rule 2001 set table '1'
set policy route pbr_dmz rule 2001 source group address-group 'pihole'
set policy route pbr_guest enable-default-log
set policy route pbr_guest rule 10 description 'dns request'
set policy route pbr_guest rule 10 destination group address-group 'pihole'
set policy route pbr_guest rule 10 destination port 'domain'
set policy route pbr_guest rule 10 protocol 'udp'
set policy route pbr_guest rule 10 set table 'main'
set policy route pbr_guest rule 100 description 'all to torguard'
set policy route pbr_guest rule 100 destination address 'xxx.xxx.0.0/0'
set policy route pbr_guest rule 100 set table '1'
set policy route pbr_server rule 2000 description 'route normally'
set policy route pbr_server rule 2000 destination address 'xxx.xxx.0.0/14'
set policy route pbr_server rule 2000 set table 'main'
set policy route pbr_server rule 2000 source group address-group 'server_normal_route'
set policy route pbr_server rule 2001 description 'emby to torguard'
set policy route pbr_server rule 2001 destination address 'xxx.xxx.0.0/0'
set policy route pbr_server rule 2001 set table '1'
set policy route pbr_server rule 2001 source group address-group 'emby'
set policy route pbr_trust rule 2000 description 'route local normally'
set policy route pbr_trust rule 2000 destination address 'xxx.xxx.0.0/14'
set policy route pbr_trust rule 2000 set table 'main'
set policy route pbr_trust rule 2001 description 'vm-mxlinux torgruad'
set policy route pbr_trust rule 2001 destination address 'xxx.xxx.0.0/0'
set policy route pbr_trust rule 2001 set table '1'
set policy route pbr_webproxy rule 2000 description 'route normally'
set policy route pbr_webproxy rule 2000 destination address 'xxx.xxx.0.0/14'
set policy route pbr_webproxy rule 2000 set table 'main'
set policy route pbr_webproxy rule 2001 description 'url filtering'
set policy route pbr_webproxy rule 2001 destination port '80,443'
set policy route pbr_webproxy rule 2001 protocol 'tcp'
set policy route pbr_webproxy rule 2001 set table '10'
set protocols bgp XXXXXX address-family ipv4-unicast network xxx.xxx.0.0/16
set protocols bgp XXXXXX neighbor xxx.xxx.0.1 remote-as '64514'
set protocols bgp XXXXXX parameters router-id 'xxx.xxx.0.1'
set protocols ospf area xxx.xxx.0.0 area-type normal
set protocols ospf area xxx.xxx.0.0 network 'xxx.xxx.0.1/32'
set protocols ospf area xxx.xxx.0.0 network 'xxx.xxx.4.0/24'
set protocols ospf default-information originate always
set protocols ospf default-information originate metric-type '2'
set protocols ospf interface br4 authentication md5 key-id 1 md5-key xxxxxx
set protocols ospf interface br4 dead-interval '40'
set protocols ospf interface br4 hello-interval '10'
set protocols ospf interface br4 priority '1'
set protocols ospf interface br4 retransmit-interval '5'
set protocols ospf interface br4 transmit-delay '1'
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id 'xxx.xxx.0.1'
set protocols ospf passive-interface 'default'
set protocols ospf passive-interface-exclude 'br4'
set protocols static route xxx.xxx.0.2/32 next-hop xxx.xxx.4.2
set protocols static route xxx.xxx.2.5/32 next-hop xxx.xxx.7.56
set protocols static table 1 route xxx.xxx.0.0/0 interface wg1000
set protocols static table 10 route xxx.xxx.0.0/0 interface dum1
set service dhcp-relay interface 'bond0.10'
set service dhcp-relay interface 'bond0.7'
set service dhcp-relay interface 'bond0.12'
set service dhcp-relay interface 'bond0.9'
set service dhcp-relay interface 'bond0.5'
set service dhcp-relay interface 'bond0.6'
set service dhcp-relay interface 'bond0.11'
set service dhcp-relay interface 'bond0.14'
set service dhcp-relay interface 'bond0.15'
set service dhcp-relay interface 'bond0.20'
set service dhcp-relay relay-options
set service dhcp-relay server 'xxx.xxx.7.40'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 default-router 'xxx.xxx.3.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 dns-server 'xxx.xxx.7.40'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 lease '2592000'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range bfw_man_range start 'xxx.xxx.3.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range bfw_man_range stop 'xxx.xxx.3.100'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 default-router 'xxx.xxx.3.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 dns-server 'xxx.xxx.7.40'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 dns-server 'xxx.xxx.7.41'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 lease '2592000'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range bgd_man_range start 'xxx.xxx.3.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range bgd_man_range stop 'xxx.xxx.3.100'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.3.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:e8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.3.12'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:25'
set service dns dynamic interface eth0 service custom host-name xxxxxx
set service dns dynamic interface eth0 service custom login 'nouser'
set service dns dynamic interface eth0 service custom password xxxxxx
set service dns dynamic interface eth0 service custom protocol 'dyndns2'
set service dns dynamic interface eth0 service custom server 'www.duckdns.org'
set service lldp interface bond0
set service lldp interface eth4
set service lldp interface eth5
set service lldp management-address 'xxx.xxx.0.1'
set service lldp snmp enable
set service snmp contact 'karlo'
set service snmp listen-address xxx.xxx.0.1
set service snmp location xxxxxx
set service snmp trap-source 'xxx.xxx.0.1'
set service snmp trap-target xxx.xxx.7.18
set service snmp v3 engineid '62676476796f73'
set service snmp v3 group all-access mode 'ro'
set service snmp v3 group all-access seclevel 'priv'
set service snmp v3 group all-access view 'global'
set service snmp v3 user xxxxxx auth encrypted-password xxxxxx
set service snmp v3 user xxxxxx auth type 'sha'
set service snmp v3 user xxxxxx group 'all-access'
set service snmp v3 user xxxxxx mode 'ro'
set service snmp v3 user xxxxxx privacy encrypted-password xxxxxx
set service snmp v3 user xxxxxx privacy type 'aes'
set service snmp v3 view global oid 1
set service ssh listen-address 'xxx.xxx.0.1'
set service ssh listen-address 'xxx.xxx.3.1'
set service ssh port '22'
set service webproxy cache-size '100'
set service webproxy default-port '3128'
set service webproxy listen-address xxx.xxx.1.0 disable-transparent
set service webproxy listen-address xxx.xxx.1.0 port '3128'
set service webproxy url-filtering squidguard auto-update update-hour '23'
set service webproxy url-filtering squidguard block-category 'adult'
set service webproxy url-filtering squidguard block-category 'ads'
set service webproxy url-filtering squidguard block-category 'malware'
set service webproxy url-filtering squidguard block-category 'porn'
set service webproxy url-filtering squidguard block-category 'gambling'
set service webproxy url-filtering squidguard block-category 'games'
set service webproxy url-filtering squidguard default-action 'allow'
set service webproxy url-filtering squidguard local-block 'youtube.com'
set service webproxy url-filtering squidguard log 'adult'
set service webproxy url-filtering squidguard redirect-url 'http://block.vyos.net'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system flow-accounting interface 'bond0.10'
set system flow-accounting interface 'bond0.11'
set system flow-accounting interface 'bond0.12'
set system flow-accounting interface 'bond0.14'
set system flow-accounting interface 'bond0.15'
set system flow-accounting interface 'bond0.20'
set system flow-accounting interface 'bond0.5'
set system flow-accounting interface 'bond0.6'
set system flow-accounting interface 'bond0.7'
set system flow-accounting netflow engine-id '1'
set system flow-accounting netflow max-flows '8192'
set system flow-accounting netflow sampling-rate '100'
set system flow-accounting netflow server xxxxx.tld port '2055'
set system flow-accounting netflow source-ip 'xxx.xxx.0.1'
set system flow-accounting netflow timeout expiry-interval '60'
set system flow-accounting netflow version '9'
set system host-name xxxxxx
set system login banner pre-login '\nUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this\ndevice. Unauthorized attempts and actions to access or use this system may\nresult in civil and/or criminal penalties. All activities performed on this\ndevice are logged and monitored.\n\n!n'
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx full-name xxxxxx
set system name-server 'xxx.xxx.7.40'
set system name-server 'xxx.xxx.7.41'
set system name-server 'xxx.xxx.20.10'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/New_York'
set zone-policy zone backbone default-action 'drop'
set zone-policy zone backbone from local firewall name 'local_to_all'
set zone-policy zone backbone from server firewall name 'server_to_backbone'
set zone-policy zone backbone from trust firewall name 'netadmin'
set zone-policy zone backbone from vpn firewall name 'netadmin'
set zone-policy zone backbone interface 'br4'
set zone-policy zone dmz default-action 'drop'
set zone-policy zone dmz from guest firewall name 'guest_to_dmz'
set zone-policy zone dmz from iot firewall name 'iot_to_dmz'
set zone-policy zone dmz from server firewall name 'server_to_dmz'
set zone-policy zone dmz from trust firewall name 'trust_to_dmz'
set zone-policy zone dmz from vpn firewall name 'netadmin'
set zone-policy zone dmz from work firewall name 'work_to_dmz'
set zone-policy zone dmz interface 'bond0.20'
set zone-policy zone guest default-action 'drop'
set zone-policy zone guest interface 'bond0.12'
set zone-policy zone iot default-action 'drop'
set zone-policy zone iot from server firewall name 'server_to_iot'
set zone-policy zone iot from trust firewall name 'trust_to_iot'
set zone-policy zone iot from vpn firewall name 'vpn_to_iot'
set zone-policy zone iot interface 'bond0.15'
set zone-policy zone local default-action 'drop'
set zone-policy zone local from backbone firewall name 'ospf'
set zone-policy zone local from management firewall name 'man_to_local'
set zone-policy zone local from server firewall name 'server_to_local'
set zone-policy zone local from trust firewall name 'trust_to_local'
set zone-policy zone local from untrust firewall name 'untrust_to_local'
set zone-policy zone local from vpn firewall name 'netadmin'
set zone-policy zone local from wgtunnel firewall name 'remote-site_to_local'
set zone-policy zone local local-zone
set zone-policy zone management default-action 'drop'
set zone-policy zone management from local firewall name 'local_to_all'
set zone-policy zone management from server firewall name 'server_to_man'
set zone-policy zone management from trust firewall name 'trust_to_man'
set zone-policy zone management from vpn firewall name 'vpn_to_man'
set zone-policy zone management interface 'br3'
set zone-policy zone management interface 'bond0.6'
set zone-policy zone management interface 'br30'
set zone-policy zone security default-action 'drop'
set zone-policy zone security from local firewall name 'local_to_all'
set zone-policy zone security from server firewall name 'server_to_security'
set zone-policy zone security from trust firewall name 'trust_to_security'
set zone-policy zone security from vpn firewall name 'vpn_to_security'
set zone-policy zone security interface 'bond0.5'
set zone-policy zone server default-action 'drop'
set zone-policy zone server from iot firewall name 'iot_to_server'
set zone-policy zone server from local firewall name 'local_to_all'
set zone-policy zone server from management firewall name 'man_to_server'
set zone-policy zone server from security firewall name 'security_to_server'
set zone-policy zone server from trust firewall name 'trust_to_server'
set zone-policy zone server from untrust firewall name 'untrust_to_server'
set zone-policy zone server from vpn firewall name 'vpn_to_server'
set zone-policy zone server from wgtunnel firewall name 'remote-site_to_server'
set zone-policy zone server interface 'bond0.7'
set zone-policy zone torguard default-action 'drop'
set zone-policy zone torguard from dmz firewall name 'all_to_torguard'
set zone-policy zone torguard from guest firewall name 'all_to_torguard'
set zone-policy zone torguard from server firewall name 'all_to_torguard'
set zone-policy zone torguard from trust firewall name 'all_to_torguard'
set zone-policy zone torguard from vpn firewall name 'all_to_torguard'
set zone-policy zone torguard interface 'wg1000'
set zone-policy zone trust default-action 'drop'
set zone-policy zone trust from server firewall name 'server_to_trust'
set zone-policy zone trust from vpn firewall name 'vpn_to_trust'
set zone-policy zone trust interface 'bond0.10'
set zone-policy zone trust interface 'bond0.9'
set zone-policy zone trust interface 'bond0.11'
set zone-policy zone untrust default-action 'drop'
set zone-policy zone untrust from backbone firewall name 'backbone_to_untrust'
set zone-policy zone untrust from dmz firewall name 'dmz_to_untrust'
set zone-policy zone untrust from guest firewall name 'guest_to_untrust'
set zone-policy zone untrust from iot firewall name 'iot_to_untrust'
set zone-policy zone untrust from local firewall name 'local_to_all'
set zone-policy zone untrust from security firewall name 'security_to_untrust'
set zone-policy zone untrust from server firewall name 'server_to_untrust'
set zone-policy zone untrust from trust firewall name 'trust_to_untrust'
set zone-policy zone untrust from vpn firewall name 'vpn_to_untrust'
set zone-policy zone untrust from work firewall name 'work_to_untrust'
set zone-policy zone untrust interface 'eth0'
set zone-policy zone vpn default-action 'drop'
set zone-policy zone vpn interface 'wg100'
set zone-policy zone wgtunnel default-action 'drop'
set zone-policy zone wgtunnel from server firewall name 'server_to_remote-site'
set zone-policy zone wgtunnel from trust firewall name 'trust_to_remote-site'
set zone-policy zone wgtunnel interface 'wg101'
set zone-policy zone work default-action 'drop'
set zone-policy zone work interface 'bond0.14'

This can be closed. The commit is working again after upgrading to the latest rolling release.

Viacheslav claimed this task.