/* VyOS 1.3 router config ("home-r1"): three LAN segments (eth0/1/2) behind a */
/* PPPoE uplink on eth3, zone-based firewall, two inbound port-forwards.       */
/* Reviewer comments below are marked NOTE(review); hedged where the intent    */
/* cannot be read from the config itself.                                      */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* Destinations that must never be forwarded out to the Internet (see private_to_public rule 10). */
        network-group Private_IPs {
            network 10.0.0.0/8
            network 127.0.0.0/8
            network 172.16.0.0/12
            network 192.168.0.0/16
            /* NOTE(review): 168.254.0.0/16 is routable public space and sits next to the */
            /* link-local 169.254.0.0/16 entry -- this looks like a typo; as written it silently */
            /* drops outbound traffic to that /16. Confirm and remove if unintended. If the */
            /* goal is a full bogon list, 0.0.0.0/8 and 100.64.0.0/10 (CGNAT) are also missing. */
            network 168.254.0.0/16
            network 169.254.0.0/16
            network 192.0.2.0/24
            network 224.0.0.0/4
            network 240.0.0.0/4
        }
        port-group NetBIOS_TCP {
            port 135-139
            port 445
        }
        port-group NetBIOS_UDP {
            port 137-138
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Used only for private -> local (router itself): every LAN host reaches SSH/DNS/DHCP. */
    name accept_all {
        default-action accept
    }
    /* LAN -> WAN (and -> modem link on eth3). Default accept, with a short deny list. */
    name private_to_public {
        default-action accept
        /* Rule 9 is deliberately numbered before rule 10: 192.168.5.2 is inside Private_IPs, */
        /* so the modem's HTTPS UI would otherwise be dropped. Scoped to one admin host and port 443. */
        rule 9 {
            action accept
            description "Allow admin of Vigor 130"
            destination {
                address 192.168.5.2
                port 443
            }
            protocol tcp
            source {
                address 192.168.3.100
            }
        }
        rule 10 {
            action drop
            description "Stop Local Addresses traversing the WEB"
            destination {
                group {
                    network-group Private_IPs
                }
            }
        }
        rule 20 {
            action drop
            description "Block NetBIOS from LAN to WEB"
            destination {
                group {
                    port-group NetBIOS_TCP
                }
            }
            protocol tcp
        }
        rule 21 {
            action drop
            description "Block NetBIOS from LAN to WEB"
            destination {
                group {
                    port-group NetBIOS_UDP
                }
            }
            protocol udp
        }
    }
    /* WAN -> LAN. Default drop; only the two DNAT'd eMule ports are let through, matched */
    /* on the post-DNAT destination (zone rules are evaluated after nat destination). */
    /* NOTE(review): no source restriction is possible here (arbitrary P2P peers), so */
    /* 192.168.3.205 is directly reachable from the Internet on these ports -- it shares */
    /* the admin segment (eth0) with no intra-zone filtering; see zone-policy below. */
    name public_to_private {
        default-action drop
        rule 10 {
            action accept
            destination {
                address 192.168.3.205
                port 58444
            }
            protocol tcp
        }
        rule 12 {
            action accept
            destination {
                address 192.168.3.205
                port 64504
            }
            protocol udp
        }
    }
    receive-redirects disable
    /* NOTE(review): the router will emit ICMP redirects to LAN hosts; normally disable on a gateway. */
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off while log-martians is on -- consider */
    /* source-validation loose (or strict) so spoofed-source packets are dropped, not just logged. */
    source-validation disable
    /* NOTE(review): no 'invalid { action drop }' entry; conntrack-INVALID packets fall */
    /* through to the per-zone rule sets instead of being dropped up front. */
    state-policy {
        established {
            action accept
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* eth0: admin/server segment (SSH listener, port-forward target live here). */
    ethernet eth0 {
        address 192.168.3.1/24
        duplex auto
        hw-id 4c:02:89:12:16:ce
        smp-affinity auto
        speed auto
    }
    /* eth1: TV/consumer segment. */
    ethernet eth1 {
        address 192.168.1.1/24
        duplex auto
        hw-id 4c:02:89:12:16:cf
        smp-affinity auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.4.1/24
        duplex auto
        hw-id 4c:02:89:12:16:d0
        smp-affinity auto
        speed auto
    }
    /* eth3: link to the PPPoE modem (192.168.5.2). 1508 MTU lets the PPPoE session carry a full 1500. */
    ethernet eth3 {
        address 192.168.5.1/24
        duplex auto
        hw-id 4c:02:89:12:16:d1
        mtu 1508
        pppoe 0 {
            default-route auto
            mtu 1500
            name-server none
            /* NOTE(review): ISP login credential stored in cleartext; it will appear in */
            /* every 'show configuration' output, commit revision and config backup. */
            /* Treat exported copies of this file as sensitive and redact before sharing. */
            password 1234
            traffic-policy {
                out myshaper-out
            }
            user-id bthomehub@btbroadband.com
        }
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    /* Inbound port-forwards; must stay in step with firewall public_to_private rules 10/12 */
    /* and with the DHCP static-mapping that pins 192.168.3.205 to the VM. */
    destination {
        rule 10 {
            description "e-mule to Junksurfing VM"
            destination {
                port 58444
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.3.205
            }
        }
        rule 11 {
            description "e-mule to Junksurfing VM"
            destination {
                port 64504
            }
            inbound-interface pppoe0
            protocol udp
            translation {
                address 192.168.3.205
            }
        }
    }
    source {
        rule 10 {
            outbound-interface pppoe0
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name ETH0_Pool {
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                range 0 {
                    start 192.168.3.100
                    stop 192.168.3.199
                }
                /* Fixed lease for the port-forward target so the DNAT rules never drift. */
                static-mapping JunkSurfing {
                    ip-address 192.168.3.205
                    mac-address 00:0C:29:AB:B5:40
                }
                /* Fixed lease for the host allowed to reach the modem UI (private_to_public rule 9). */
                /* NOTE(review): that rule trusts the IP, and the IP is pinned by MAC only -- both are */
                /* trivially spoofable on the same segment; acceptable for a home LAN, not a strong control. */
                static-mapping NB0001 {
                    ip-address 192.168.3.100
                    mac-address EC:F4:BB:40:22:CE
                }
            }
        }
        shared-network-name ETH1_Pool {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                range 0 {
                    start 192.168.1.100
                    stop 192.168.1.199
                }
                static-mapping SamsungTV {
                    ip-address 192.168.1.103
                    mac-address cc:b1:1a:70:ab:95
                }
            }
        }
        shared-network-name ETH2_Pool {
            subnet 192.168.4.0/24 {
                default-router 192.168.4.1
                dns-server 192.168.4.1
                lease 86400
                range 0 {
                    start 192.168.4.100
                    stop 192.168.4.199
                }
            }
        }
    }
    dns {
        forwarding {
            /* NOTE(review): the resolver ACL is fully open (v4 and v6). It is not an open */
            /* resolver today only because listen-address is restricted to the three LAN */
            /* addresses and zone 'local' has no 'from public' entry (WAN -> router is dropped). */
            /* Tighten to the three LAN prefixes anyway so a future zone/listen change */
            /* cannot turn this into an amplification source. */
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 150
            listen-address 192.168.1.1
            listen-address 192.168.3.1
            listen-address 192.168.4.1
            /* Upstream forwarders (differ from the router's own 'system name-server' below). */
            name-server 194.72.6.51
            name-server 194.74.65.69
        }
    }
    /* SSH bound to the eth0 address only, default port. */
    /* NOTE(review): binding to 192.168.3.1 does not limit *who* can connect -- hosts on */
    /* eth1/eth2 can route to that address and accept_all admits them; if SSH should be */
    /* admin-segment only, add a source match to the private -> local rule set. */
    /* No public-key authentication is configured; password auth is the only method. */
    ssh {
        listen-address 192.168.3.1
        port 22
    }
}
system {
    /* Keeps 20 prior commits on disk -- each one contains the PPPoE password above. */
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name home-r1
    /* NOTE(review): three admin-level accounts, including the distribution default 'vyos' */
    /* and 'root'. The encrypted-password values appear to be absent or redacted in this */
    /* copy -- verify on the device that each account actually has a hash set, and remove */
    /* or lock any account not in use. */
    login {
        user root {
            authentication {
                encrypted-password plaintext-password ""
            }
            level admin
        }
        user stevep {
            authentication {
                encrypted-password plaintext-password ""
            }
            full-name "Steve Palmer"
            level admin
        }
        user vyos {
            authentication {
                encrypted-password plaintext-password ""
            }
            level admin
        }
    }
    /* Resolver for the router's own lookups (NTP pool names etc.), not for LAN clients. */
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    /* NOTE(review): logging is local only. Firewall/martian logs are lost if the box is */
    /* compromised or reimaged; a remote syslog 'host' target on a LAN box is cheap insurance. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
}
traffic-policy {
    /* Egress shaper for the PPPoE link: small SYN/ACK packets get a reserved 30% share. */
    shaper myshaper-out {
        bandwidth 6480kbit
        class 2 {
            bandwidth 30%
            burst 50kb
            ceiling 100%
            description "Syn ack bufferbloat out"
            match tiny4 {
                ip {
                    max-length 256
                    tcp {
                        ack
                        syn
                    }
                }
            }
            /* NOTE(review): 'tiny6' matches on 'ip' (IPv4), so it duplicates tiny4 -- */
            /* presumably 'ipv6' was intended; harmless today as no IPv6 is configured. */
            match tiny6 {
                ip {
                    max-length 256
                    tcp {
                        ack
                        syn
                    }
                }
            }
            queue-type fq-codel
        }
        default {
            bandwidth 70%
            burst 250kb
            ceiling 100%
            queue-type fq-codel
        }
    }
}
/* Zone layout: private (eth0/eth1/eth2) <-> public (pppoe0 + eth3 modem link) <-> local (router). */
/* Pairs with no 'from' entry (public -> local, local -> anywhere) fall to the zone default drop; */
/* local -> * is unfiltered in VyOS regardless. */
/* NOTE(review): all three LANs share one zone, so traffic between eth0, eth1 and eth2 is never */
/* firewalled -- the TV segment and the Internet-exposed VM have full access to the admin segment. */
/* Split them into separate zones if any segmentation is intended. */
/* NOTE(review): only IPv4 rule sets are attached; if IPv6 is ever enabled on pppoe0 the */
/* zone defaults drop everything until ipv6-name rule sets are added. */
zone-policy {
    zone local {
        default-action drop
        from private {
            firewall {
                name accept_all
            }
        }
        local-zone
    }
    zone private {
        default-action drop
        description "Private Zone"
        from public {
            firewall {
                name public_to_private
            }
        }
        interface eth0
        interface eth1
        interface eth2
    }
    zone public {
        default-action drop
        description "Public Zone"
        from private {
            firewall {
                name private_to_public
            }
        }
        interface pppoe0
        interface eth3
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@2:firewall@5:interfaces@4:ipsec@5:l2tp@2:lldp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@4:snmp@1:ssh@1:system@15:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.3-rolling-202002050217 */