firewall { all-ping enable broadcast-ping disable config-trap disable group { address-group BareOS_Servers { address xxx.xxx.141.13 address xxx.xxx.141.2 } address-group Chollo { address xxx.xxx.130.178 address xxx.xxx.130.179 address xxx.xxx.130.180 address xxx.xxx.130.185 address xxx.xxx.130.177 address xxx.xxx.130.181 } address-group Chusma { address xxx.xxx.130.172-xxx.xxx.130.175 } address-group children { address xxx.xxx.130.172-xxx.xxx.130.180 } address-group deb-ubu-mirrors { address xxx.xxx.53.171 address xxx.xxx.132.32 address xxx.xxx.242.89 address xxx.xxx.132.250 address xxx.xxx.149.233 address xxx.xxx.112.204 description "Debian/Ubuntu Mirrors" } address-group dmz_dns_ntp { address xxx.xxx.129.2 address xxx.xxx.129.6 address xxx.xxx.129.1 address xxx.xxx.129.5 } address-group dmz_infra_servers { address xxx.xxx.129.2 address xxx.xxx.129.5 } address-group fileservers { address xxx.xxx.141.8 address xxx.xxx.141.1 } address-group google_dns { address xxx.xxx.8.8 address xxx.xxx.4.4 } address-group int_dns_servers { address xxx.xxx.141.3 address xxx.xxx.141.15 address xxx.xxx.141.20 address xxx.xxx.141.1 address xxx.xxx.141.8 } address-group int_ntp_servers { address xxx.xxx.141.23-xxx.xxx.141.27 address xxx.xxx.141.5-xxx.xxx.141.6 address xxx.xxx.141.13 description "Internal NTP Servers" } address-group kids_allowed_sites { address xxx.xxx.73.6 address xxx.xxx.250.108 address xxx.xxx.129.2 address xxx.xxx.73.26 address xxx.xxx.210.28-xxx.xxx.210.30 address xxx.xxx.121.147 address xxx.xxx.87.51 address xxx.xxx.194.31 address xxx.xxx.157.111 address xxx.xxx.11.203 address xxx.xxx.201.147 address xxx.xxx.116.200 address xxx.xxx.223.41 address xxx.xxx.168.12 address xxx.xxx.43.217 address xxx.xxx.157.112 address xxx.xxx.40.64-xxx.xxx.40.90 description "Permitted Sites for Kids" } address-group kids_banned_sites { address xxx.xxx.162.5 address xxx.xxx.35.232 address xxx.xxx.139.0-xxx.xxx.139.255 description "Sites that are banned for Kids" } address-group 
moxa_allowed_hosts { address xxx.xxx.141.0-xxx.xxx.141.254 address xxx.xxx.4.5 address xxx.xxx.128.242-xxx.xxx.128.254 description "Hosts allowed access to MOXA Serial Device Servers" } address-group moxa_nports { address xxx.xxx.143.244 address xxx.xxx.143.248 description "MOXA Nport Serial Device Addresses" } address-group package_servers { address xxx.xxx.10.36 address xxx.xxx.103.38 address xxx.xxx.103.41 address xxx.xxx.13.129 description "Package servers for Vyatta/Debian" } address-group radius_servers { address xxx.xxx.141.20 address xxx.xxx.141.62 address xxx.xxx.141.8 address xxx.xxx.141.1 description "Internal RADIUS Servers" } address-group trusted_external_hosts { address xxx.xxx.4.5 address xxx.xxx.128.242-xxx.xxx.128.254 address xxx.xxx.44.193-xxx.xxx.44.206 address xxx.xxx.157.133 address xxx.xxx.238.193-xxx.xxx.238.195 address xxx.xxx.238.225 address xxx.xxx.162.10 address xxx.xxx.4.247 address xxx.xxx.188.7 description "Trusted External Hosts" } address-group ubiquiti { address xxx.xxx.157.3 address xxx.xxx.83.111 address xxx.xxx.247.231 address xxx.xxx.148.35 address xxx.xxx.177.66 address xxx.xxx.121.9 description "Ubiquiti Networks Web" } network-group Martians { description "Bogons from RFCs 1918 and 5735" network xxx.xxx.0.0/8 network xxx.xxx.0.0/12 network xxx.xxx.0.0/16 network xxx.xxx.0.0/8 network xxx.xxx.0.0/16 network xxx.xxx.2.0/24 network xxx.xxx.0.0/15 network xxx.xxx.0.0/4 network xxx.xxx.0.0/24 network xxx.xxx.99.0/24 network xxx.xxx.100.0/24 network xxx.xxx.113.0/24 } network-group Nets4-BlackList { description "Blacklisted IPv4 Sources" } network-group amazonaws { network xxx.xxx.192.0/19 network xxx.xxx.0.0/15 network xxx.xxx.141.53/32 } network-group blocked_nets_in { description "Blocked Networks inbound" network xxx.xxx.212.0/22 network xxx.xxx.40.0/21 network xxx.xxx.222.0/23 network xxx.xxx.64.0/20 network xxx.xxx.160.0/24 network xxx.xxx.0.0/15 } network-group facebook { description "Facebook AS32934 Networks" network 
xxx.xxx.96.0/22 network xxx.xxx.0.0/16 network xxx.xxx.64.0/18 network xxx.xxx.192.0/22 network xxx.xxx.216.0/22 network xxx.xxx.20.0/22 network xxx.xxx.64.0/18 network xxx.xxx.40.0/22 network xxx.xxx.144.0/20 network xxx.xxx.224.0/19 network xxx.xxx.176.0/20 network xxx.xxx.76.0/22 } network-group gaming { description "Game Hosting IPs" } network-group geoblock { description "GeoBlocked Networks" } network-group icdc-networks { description "ICDC Internal Networks for IPSec" } network-group kids-machines { description "Subnet range for Kids Machines" network xxx.xxx.130.176/28 } network-group snort.org { description "Snort.org C network" network xxx.xxx.102.0/24 network xxx.xxx.192.0/19 network xxx.xxx.248.120/31 } network-group trusted_networks { description "Networks considered Trustworthy" network xxx.xxx.128.240/28 network xxx.xxx.141.0/24 network xxx.xxx.188.0/24 network xxx.xxx.78.0/24 } network-group wikipedia { description "Wikipedia Servers" network xxx.xxx.174.0/24 network xxx.xxx.152.0/22 } port-group CAPWAPP { description "Lightweight Access Point Traffic" port 12222-12223 port 5246-5247 } port-group RTP_Media { description "RTP Media Ports" } port-group XMPP { port 5222 port 5269 port 5280 port 443 port 993 port 5443 port 80 } port-group cisco_ts_lines { description "NM-32 Ports on Cisco Terminal Server" port 2033-2064 port 23 } port-group dmz_tcp_inbound { description "Incoming TCP ports to DMZ" port 25 port 465 port 80 port 993 port 587 } port-group dmz_tcp_outbound { description "Outgoing TCP ports from DMZ" port 25 port 2703 port 465 port 80 port 443 } port-group dmz_udp_outbound { description "Outgoing UDP ports from DMZ" port 123 port 53 port 6277 } port-group fileservice_ports { port 548 port 445 } port-group internet_to_fts { description "Allowed ports from Internet to xxx.xxx.44.192/28" port 22 port 25 port 80 port 443 port 465 port 993 port 2022 port 8440-8450 port 12000 port 17283 port 9080-9082 port 5060-5061 port 4444 } port-group mail { 
description "Ports used for Mail" port 25 port 465 port 587 port 993 } port-group management { description "Ports used for Management" port 2022 port 22 port 443 port 8443-8445 } port-group moxa_in { description "MOXA Nport Inbound Ports for serial Communication" port 966-969 port 950-953 } port-group moxa_out { description "MOXA Nport Outbound Ports for Serial Communication" port 950-953 port 966-969 } port-group radius_ports { port 1812-1813 } port-group steam { port 27000-27040 port 4379-4380 port 3478 } port-group telephony_signalling { description "SIP and IAX Ports" port 4569 port 5060-5080 } port-group web_redirection_ports { description "ports for HTTP redirection" port 9080-9085 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name DMZ_In { default-action drop description "Permit Bareos to Internal Server" enable-default-log rule 10 { action accept description "Allow Return packets from Originated connections" state { established enable related enable } } rule 20 { action accept description "Allow TCP outbound from DNS/Mail Exchanger in DMZ" destination { group { port-group dmz_tcp_outbound } } protocol tcp source { address xxx.xxx.129.1-xxx.xxx.129.2 } state { established enable new enable related enable } } rule 30 { action accept description "Allow UDP outbound from DMZ Hosts" destination { group { } port 53,123,6277 } protocol udp source { group { address-group dmz_dns_ntp } } state { established enable new enable related enable } } rule 40 { action accept description "Permit DNS Zone Transfer from DMZ DNS" destination { port 53 } protocol tcp source { address xxx.xxx.129.1-xxx.xxx.129.2 } state { established enable new enable related enable } } rule 50 { action accept description "Permit SIP Signalling from PBX" destination { } disable protocol udp source { address xxx.xxx.129.3 port 5060 } state { established enable new enable related enable } } rule 60 { action accept description "Permit IAX 
Signalling from PBX" destination { port 4569 } disable protocol tcp source { address xxx.xxx.129.3 } state { established enable new enable related enable } } rule 70 { action accept description "Permit syslog from DMZ Network" destination { port 514 } protocol udp source { address xxx.xxx.129.0/27 } state { new enable } } rule 80 { action accept description "Permit Traffic from WWWDMZ" destination { port 80 } protocol tcp source { address xxx.xxx.129.4-xxx.xxx.129.6 } state { established enable new enable related enable } } rule 82 { action accept description "Permit Traffic from dmzservices" destination { address xxx.xxx.0.0/0 } protocol tcp_udp source { address xxx.xxx.129.6 } state { established enable new enable related enable } } rule 90 { action accept description "Allow TCP Outbound from PBXinaFlash" destination { port 80 } protocol tcp source { address xxx.xxx.129.5 } state { established enable new enable related enable } } rule 92 { action accept description "Permit SIP/IAX/RTP/UDPTL udp from PBXinaFlash" protocol udp source { address xxx.xxx.129.5 port 4000-4999,4569,5060-5080,10000-20000 } state { established enable new enable related enable } } rule 94 { action accept description "Permit IAX Signalling from PBX" destination { port 4569 } disable protocol udp source { address xxx.xxx.129.5 } state { established enable new enable related enable } } rule 96 { action accept description "TCP Outbound from PBXinaFlash" protocol tcp source { address xxx.xxx.129.5 } state { established enable new enable related enable } } rule 98 { action accept description "UDP Outbound from PBXinaFlash" destination { port 53,123,3478 } protocol udp source { address xxx.xxx.129.5 } state { established enable new enable related enable } } rule 100 { action accept description "Permit BareOS to Internal Server" destination { group { address-group BareOS_Servers } port 9101,9103 } protocol tcp source { address xxx.xxx.129.0/27 } state { new enable } } rule 110 { action accept 
description "Permit PBX to send CID to MediaCenter" destination { address xxx.xxx.141.156 port 8080 } protocol tcp source { address xxx.xxx.129.5/32 } state { new enable } } rule 120 { action accept description "Permit PBX to send CID to dreambox" destination { address xxx.xxx.141.14 port 80 } protocol tcp source { address xxx.xxx.129.5/32 } state { new enable } } } name DMZ_Out { default-action drop description "Traffic Inbound to DMZ" enable-default-log rule 10 { action accept description "Permit return packets from originated connections" state { established enable related enable } } rule 15 { action accept description "Permit management ports from Trusted" destination { address xxx.xxx.129.0/27 port 22,80,443,8083 } protocol tcp source { group { network-group trusted_networks } } } rule 20 { action accept description "Permit Inbound TCP to DNS/Mail Exchanger in DMZ" destination { address xxx.xxx.129.1-xxx.xxx.129.2 port 22,25,53,465,587,993 } protocol tcp state { established enable new enable related enable } } rule 24 { action accept description "Permit Inbound TCP to PBXinaFlash in DMZ" destination { address xxx.xxx.129.5 port 22,80,443,5060-5065 } protocol tcp state { established enable new enable related enable } } rule 30 { action accept description "Permit Inbound UDP to DNS/Mail Exchanger in DMZ" destination { group { address-group dmz_dns_ntp } port 53,123 } protocol udp state { established enable new enable related enable } } rule 40 { action accept description "permit DNS udp replies" destination { address xxx.xxx.129.2 } protocol udp source { port 53 } state { established enable related enable } } rule 50 { action accept description "Permit Inbound SIP Signalling to PBX" destination { address xxx.xxx.129.3 port 5060-5080,10000-20000 } disable protocol udp state { established enable new enable related enable } } rule 52 { action accept description "Permit Inbound SIP/IAX/RTP/UDPTL to PBXinaFlash" destination { address xxx.xxx.129.5 port 
4000-4999,4569,5060-5080,10000-20000 } protocol udp state { established enable new enable related enable } } rule 60 { action accept description "Permit Inbound IAX Signalling to PBX" destination { address xxx.xxx.129.3 port 80,443,4569 } disable protocol tcp state { established enable new enable related enable } } rule 70 { action accept description "Permit Traffic to DMZServices" destination { address xxx.xxx.129.6 port 53,80,443,993,5222,5269,5280,5443,8083,8888,9050 } protocol tcp state { established enable new enable related enable } } rule 80 { action accept description "Permit Traffic to WWWDMZ" destination { address xxx.xxx.129.4 port 22,80 } protocol tcp state { established enable new enable related enable } } rule 88 { action accept description "Permit SNMP from Internal for Monitoring" destination { address xxx.xxx.129.0/27 port 161 } protocol udp source { address xxx.xxx.141.0/24 } } rule 90 { action accept description "Permit ICMP from internal for monitoring" destination { address xxx.xxx.129.0/27 } icmp { code 0 type 8 } protocol icmp source { address xxx.xxx.141.0/24 } } rule 100 { action accept description "Permit bareos-dir to connect to bareos-fd in DMZ" destination { address xxx.xxx.129.0/27 port 9102 } protocol tcp source { group { address-group BareOS_Servers } } state { established enable new enable related enable } } } name Internet2Local { default-action drop enable-default-log rule 10 { action drop description "Drop DHCP Traffic" destination { port 68 } protocol udp source { address xxx.xxx.0.1 port 67 } state { new enable } } rule 20 { action accept description "Allow Incoming Path MTU Discovery (destination-unreachable/fragmentation-needed)" icmp { code 4 type 3 } protocol icmp state { new enable } } rule 22 { action accept description "Allow Incoming Source Quench" icmp { type-name source-quench } protocol icmp state { new enable } } rule 24 { action accept description "Allow Inbound Echo-Request" icmp { type-name echo-request } 
protocol icmp state { new enable } } rule 26 { action accept description "Allow Inbound Echo-Request" protocol icmp } rule 86 { action accept description "Permit IPSec ESP" protocol esp state { established enable new enable related enable } } rule 88 { action accept description "Allow VPN Termination" destination { port 500,1194,4500,51820,51821 } protocol udp state { established enable new enable related enable } } rule 90 { action accept description "Permit IPSec Encapsulated Packets" ipsec { match-ipsec } } rule 100 { action accept description "Allow Vyatta to do DNS lookups" protocol udp source { port 53 } state { established enable related enable } } rule 120 { action accept description "Allow Vyatta to NTP on Internet" protocol udp source { port 123 } state { established enable related enable } } rule 150 { action accept description "Allow Trusted External Hosts Management Access" destination { port 2022,8443 } protocol tcp source { group { address-group trusted_external_hosts } } } rule 160 { action accept description "Permit Download of Snort.org rulesets" protocol tcp source { group { network-group snort.org } port 80,443 } } rule 165 { action accept description "Permit http and https downloads" protocol tcp source { port 43,80,443 } state { established enable related enable } } rule 170 { action accept disable protocol tcp source { group { address-group package_servers } port 80,443 } state { established enable related enable } } rule 180 { action accept description "Allow dynamic DNS replies from dynupdate.no-ip.com" protocol tcp source { address xxx.xxx.224.120 port 443 } state { established enable related enable } } rule 185 { action accept description "Allow dynamic DNS replies from updates.dnsomatic.com" protocol tcp source { address xxx.xxx.92.215 port 443 } state { established enable related enable } } rule 190 { action accept description "Permit Inbound OSCam" destination { port 17283 } disable protocol tcp source { address xxx.xxx.0.0/0 } state { 
new enable } } rule 500 { action accept icmp { type 8 } protocol icmp source { address xxx.xxx.2.0/26 } } } name Internet_In { default-action drop description "Traffic Permitted Inbound from Internet" enable-default-log rule 1 { action accept description "Allow Return packets from Originated connections" disable state { established enable related enable } } rule 3 { action drop description "Block Networks based on Geo-Location" protocol all source { group { network-group geoblock } } state { established disable new enable related disable } } rule 4 { action drop description "Block Networks on Blacklist" protocol all source { group { network-group Nets4-BlackList } } state { established disable new enable related disable } } rule 5 { action drop description "Block Banned Networks" protocol all source { group { network-group blocked_nets_in } } state { established disable new enable related disable } } rule 7 { action drop description "Drop SMTP to PBX" destination { address xxx.xxx.129.5 port 25 } protocol tcp } rule 9 { action drop description "Drop Unwanted Packets" destination { port 23,135-139,445,1433,1434,3306 } protocol tcp_udp } rule 10 { action accept description "Allow Return packets from Originated connections" state { established enable related enable } } rule 12 { action accept description "Allow ICMP Destination Unreachable" icmp { code 4 type 3 } protocol icmp state { new enable } } rule 14 { action accept description "Allow ICMP Source Quench" icmp { type-name source-quench } protocol icmp state { new enable } } rule 16 { action accept description "Allow ICMP Echo-Request" icmp { type-name echo-request } protocol icmp state { new enable } } rule 20 { action accept description "Allow ESP (IPsec) to FTS Public Internet" destination { address xxx.xxx.44.192/28 } protocol esp } rule 22 { action accept description "Allow isakmp+openvpn to FTS Public Internet" destination { address xxx.xxx.44.192/28 port 500,1194 } protocol udp } rule 26 { action accept 
description "Permit IPSec encapsulated packets from Apartment Spain" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.79.0/24 } state { established enable new enable related enable } } rule 28 { action accept description "Permit IPSec encapsulated packets from ADDM" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.32.0/24 } state { established enable new enable related enable } } rule 30 { action accept description "Permit IPSec encapsulated packets from ICDC" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.45.0/22 group { } } state { established enable new enable related enable } } rule 32 { action accept description "Permit IPSec encapsulated packets from DiCandilo Berwyn" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.1.0/24 group { } } state { established enable new enable related enable } } rule 34 { action accept description "Permit IPSec encapsulated packets from Securosys" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.171.0/24 } state { established enable new enable related enable } } rule 36 { action accept description "Permit IPSec encapsulated packets from test networks xxx.xxx.176.0/20" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.176.0/20 } state { established enable new enable related enable } } rule 37 { action accept description "Permit IPSec encap packets from ACP AG Internal" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.2.0/23 } state { established enable new enable related enable } } rule 38 { action accept description "Permit IPSec encap packets from ACP AG DMZ" destination { address xxx.xxx.141.0/24 } ipsec { match-ipsec } source { address xxx.xxx.7.0/24 } state { established enable new enable related enable } } rule 40 { action accept description "Allow DNS UDP 
traffic to FTS Public Internet" destination { address xxx.xxx.44.192/28 port 53 } protocol udp state { established enable new enable related enable } } rule 42 { action accept description "Allow DNS TCP traffic to FTS Public Internet" destination { address xxx.xxx.44.192/28 port 53 } protocol tcp state { established enable new enable related enable } } rule 44 { action accept destination { address xxx.xxx.44.192/28 } protocol udp source { port 53 } state { established enable new enable related enable } } rule 46 { action accept destination { address xxx.xxx.44.192/28 } protocol tcp source { port 53 } state { established enable new enable related enable } } rule 48 { action accept description "Allow DNS UDP to DMZ" destination { address xxx.xxx.129.2 port 53 } protocol udp state { new enable related enable } } rule 49 { action accept description "Allow DNS TCP (Zone XFER) to DMZ" destination { address xxx.xxx.129.2 port 53 } protocol tcp state { established enable new enable related enable } } rule 50 { action accept description "Allow NTP Traffic to FTS Public Internet" destination { address xxx.xxx.44.192/28 port 123 } protocol udp state { new enable related enable } } rule 52 { action accept destination { address xxx.xxx.44.192/28 } protocol udp source { port 123 } state { new enable related enable } } rule 54 { action accept description "Permit Inbound NTP to DMZ" destination { address xxx.xxx.129.1-xxx.xxx.129.2 port 123 } protocol udp state { new enable } } rule 56 { action accept description "Permit Inbound NTP to internal NTP server" destination { group { address-group int_ntp_servers } port 123 } protocol udp state { new enable } } rule 60 { action accept description "TCP Traffic Inbound Permitted to xxx.xxx.44.192/28" destination { address xxx.xxx.44.192/28 group { port-group internet_to_fts } } protocol tcp state { established enable new enable related enable } } rule 62 { action accept description "Allow access to Minecraft server" destination { address 
xxx.xxx.141.158 port 25565 } protocol tcp state { established enable new enable related enable } } rule 70 { action accept description "Allow SIP/IAX2/RTP Incoming" destination { address xxx.xxx.44.192/28 port 4569,5060-5080,10000-20000 } protocol udp state { established enable new enable related enable } } rule 72 { action accept description "Permit Inbound SIP/IAX/RTP/UDPTL to PBX in DMZ UDP" destination { address xxx.xxx.129.5 port 4000-4999,4569,5060-5080,10000-20000 } protocol udp state { established enable new enable related enable } } rule 74 { action accept description "Permit Inbound TCP SIP/SIP-TLS to PBX in DMZ" destination { address xxx.xxx.129.5 port 5060-5065 } protocol tcp state { established enable new enable related enable } } rule 76 { action accept description "Permit RTP Audio Inbound" destination { group { port-group RTP_Media } } protocol udp state { established enable new enable related enable } } rule 80 { action accept description "Permit Inbound Mail Traffic to Mail Server DMZ" destination { address xxx.xxx.129.1-xxx.xxx.129.2 group { port-group mail } } protocol tcp state { established enable new enable related enable } } rule 82 { action accept description "Permit ssh to Mail Exchange" destination { address xxx.xxx.129.2 port 22 } protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 84 { action accept description "Permit Trusted External hosts Askozia Management(Https)" destination { address xxx.xxx.129.3 port 80,443 } disable protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 85 { action accept description "Permit Trusted External hosts PBXinaFlash Management" destination { address xxx.xxx.129.5 port 22,80,443,9001 } protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 86 { action accept description 
"Permit Inbound WWW to DMZ WWW" destination { address xxx.xxx.129.4 port 80 } disable protocol tcp state { established enable new enable related enable } } rule 90 { action accept description "Permit XMPP/Jabber to DMZServices" destination { address xxx.xxx.129.6 group { port-group XMPP } } protocol tcp state { established enable new enable related enable } } rule 92 { action accept description "Permit access to TOR Proxy from Trusted External Hosts" destination { address xxx.xxx.129.6 port 9050 } protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 100 { action accept description "Allow ICMP Echo Requests from ETH (Smokeping)" destination { address xxx.xxx.44.192/28 } icmp { type 8 } protocol icmp source { address xxx.xxx.2.0/26 } } rule 110 { action accept description "Allow ICMP Echo Replies" destination { address xxx.xxx.44.192/28 } icmp { type 0 } protocol icmp } rule 150 { action accept description "Permit Inbound Web Redirection (Zenoss)" destination { address xxx.xxx.141.30 port 8080 } disable protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 154 { action accept description "Permit Inbound Web Redirection (New Server)" destination { address xxx.xxx.141.3 port 80 } disable protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 158 { action accept description "Permit Inbound Web Redirection" destination { address xxx.xxx.141.114 port 80 } disable protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable related enable } } rule 165 { action accept description "Permit Inbound MOXA Nport Redirection" destination { group { address-group moxa_nports } port 950-969 } protocol tcp source { group { address-group trusted_external_hosts } } state { established enable new enable 
related enable } } rule 900 { action accept description "Permit Inbound NewCS Cardsharing" destination { address xxx.xxx.141.3 port 12000 } protocol tcp state { established enable new enable related enable } } rule 910 { action accept description "Permit IMAP/S Test to vmail" destination { address xxx.xxx.141.17 port 993 } protocol tcp state { established enable new enable related enable } } } name Internet_Out { default-action drop description "Traffic Permitted Outbound to Internet" enable-default-log rule 4 { action drop description "Deny Kids Banned Sites" destination { group { address-group kids_banned_sites } } } rule 6 { action drop description "Deny Outbound Minecraft" destination { port 25565 } log enable protocol tcp } rule 10 { action drop description "Drop Facebook" destination { group { network-group facebook } } disable log enable } rule 15 { action drop description "Drop Gaming" destination { group { network-group gaming } } log enable time { starttime xxxx:xxxx:00 stoptime xxxx:xxxx:00 weekdays Mon,Tue,Wed,Thu,Fri } } rule 99 { action accept description "Allow outgoing connections originated through firewall" state { established enable new enable related enable } } rule 100 { action accept description "Permit traffic to ADDM" destination { address xxx.xxx.32.0/24 } source { address xxx.xxx.141.0/24 } state { established enable new enable related enable } } rule 110 { action accept description "Permit traffic to ICDC" destination { address xxx.xxx.47.0/22 group { } } source { address xxx.xxx.141.0/24 } state { established enable new enable related enable } } rule 120 { action accept description "Permit traffic to Securosys" destination { address xxx.xxx.171.0/24 } source { address xxx.xxx.141.0/24 } state { established enable new enable related enable } } rule 9000 { action accept log enable source { address xxx.xxx.44.192/28 } state { established enable new enable related enable } } } name Management_In { default-action drop enable-default-log rule 
20 { action drop description "Drop UPnP" destination { address xxx.xxx.0.0/0 } protocol udp source { address xxx.xxx.143.0/24 port 1900 } state { established enable new enable related enable } } rule 30 { action accept description "Allow return packets from UniFi Controller to OpenHAB" destination { address xxx.xxx.142.5 } protocol tcp source { address xxx.xxx.143.129 port 8443 } state { established enable related enable } } rule 40 { action accept description "Allow RTP/RTSP Streams from Cameras" destination { address xxx.xxx.141.0/24 } protocol tcp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 50 { action accept description "Allow NTP queries from Management hosts" destination { group { address-group int_ntp_servers } port 123 } protocol udp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 60 { action accept description "Allow DNS queries from Management hosts" destination { group { address-group int_dns_servers } port 53 } protocol udp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 70 { action accept description "Allow Management hosts to send email alerts via DNS SMTP" destination { address xxx.xxx.129.2 port 25 } protocol tcp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 80 { action accept description "Allow SNMP query return packets" destination { address xxx.xxx.141.0/24 } protocol udp source { address xxx.xxx.143.0/24 port 161 } state { established enable related enable } } rule 82 { action accept description "Allow Management Hosts to send SNMP Traps/Syslog/SFlow packets" destination { address xxx.xxx.141.0/24 port 162,514,6343 } protocol udp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 84 { action accept description "Allow icmp replies to internal" destination { address xxx.xxx.141.0/24 } protocol icmp 
source { address xxx.xxx.143.0/24 } state { established enable related enable } } rule 86 { action accept description "Allow return packets from management ports on Management Network" destination { group { network-group trusted_networks } } protocol tcp source { address xxx.xxx.143.0/24 port 22,23,80,443,7578,8080,8443,9292 } state { established enable related enable } } rule 88 { action accept destination { address xxx.xxx.141.0/24 } protocol tcp source { address xxx.xxx.143.251 group { port-group cisco_ts_lines } } state { established enable related enable } } rule 90 { action accept destination { group { address-group radius_servers port-group radius_ports } } protocol udp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 100 { action accept destination { address xxx.xxx.47.0/24 } source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 110 { action accept destination { address xxx.xxx.32.0/24 } source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 120 { action accept description "Allow IPMI KVMoverIP" destination { group { network-group trusted_networks } } protocol tcp source { address xxx.xxx.143.0/24 port 5900-5901,5120 } state { established enable new enable related enable } } rule 122 { action accept description "Allow IPMI Serial over IP" destination { group { network-group trusted_networks } } protocol udp source { address xxx.xxx.143.0/24 port 623 } state { established enable new enable related enable } } rule 160 { action accept destination { group { address-group moxa_allowed_hosts } } protocol tcp source { group { address-group moxa_nports port-group moxa_in } } state { established enable new enable related enable } } rule 170 { action accept description "Allow Management access to LDAP,KRB5,SMB" destination { group { network-group trusted_networks } port 88,464,445 } protocol tcp source { address xxx.xxx.143.0/24 } 
state { established enable new enable related enable } } rule 200 { action accept description "Allow Management Access to Debian/Ubuntu Mirrors" destination { group { address-group deb-ubu-mirrors } port 80,443 } protocol tcp source { address xxx.xxx.143.0/24 } state { established enable new enable related enable } } rule 210 { action accept description "Allow Unifi Server access to UBNT Mirrors" destination { group { address-group ubiquiti } port 80,443 } protocol tcp source { address xxx.xxx.143.129 } state { established enable new enable related enable } } } name Management_Out { default-action drop enable-default-log rule 10 { action accept description "Allow Established and Related Connections" destination { address xxx.xxx.143.0/24 } protocol all source { address xxx.xxx.0.0/0 } state { established enable related enable } } rule 60 { action accept description "Permit Access from OpenHAB to UniFi Controller" destination { address xxx.xxx.143.129 port 8443 } protocol tcp source { address xxx.xxx.142.5 } state { established enable new enable related enable } } rule 70 { action accept description "Permit return SMTP packets" destination { address xxx.xxx.143.0/24 } protocol tcp source { address xxx.xxx.129.2 port 25 } state { established enable related enable } } rule 80 { action accept description "Permit SNMP access to subnet" destination { address xxx.xxx.143.0/24 port 161,554,5556,5557 } protocol udp source { address xxx.xxx.141.0/24 } state { established enable new enable related enable } } rule 82 { action accept description "Allow ICMP from Internal" destination { address xxx.xxx.143.0/24 } protocol icmp source { address xxx.xxx.141.0/24 } state { established enable new enable related enable } } rule 84 { action accept description "Permit access to management ports on management network" destination { address xxx.xxx.143.0/24 port 22,23,80,443,8080,8443,9292,554,5556,5557 } protocol tcp source { group { network-group trusted_networks } } state { established 
enable new enable related enable } } rule 85 { action accept destination { address xxx.xxx.143.251 group { port-group cisco_ts_lines } } protocol tcp source { address xxx.xxx.141.0/24 } state { established enable new enable related enable } } rule 90 { action accept destination { address xxx.xxx.143.0/24 } log enable protocol udp source { group { address-group radius_servers } port 1812 } state { established enable related enable } } rule 95 { action accept description "Permit OpenVPN clients access to Management Network" destination { address xxx.xxx.143.0/24 } source { group { network-group trusted_networks } } state { established enable new enable related enable } } rule 100 { action accept destination { address xxx.xxx.143.0/24 } ipsec { match-ipsec } source { address xxx.xxx.47.0/24 } state { established enable new enable related enable } } rule 110 { action accept destination { address xxx.xxx.143.0/24 } ipsec { match-ipsec } source { address xxx.xxx.32.0/24 } state { established enable new enable related enable } } rule 120 { action accept description "Permit NTP return packets" destination { address xxx.xxx.143.0/24 } protocol udp source { port 123 } state { established enable new enable related enable } } rule 160 { action accept description "Allow Trusted External Hosts access to MOXA Serial Ports" destination { group { address-group moxa_nports port-group moxa_out } } protocol tcp source { group { address-group moxa_allowed_hosts } } state { established enable new enable related enable } } } name PublicAccess_In { default-action drop description "Traffic from PublicAccess Outbound" enable-default-log rule 35 { action drop description "Disable UPnP Discovery" destination { port 1900 } protocol udp source { address xxx.xxx.130.0/24 } state { established enable new enable related enable } } rule 36 { action drop description "Drop Google DNS Queries" destination { group { address-group google_dns } port 53 } protocol tcp_udp source { address xxx.xxx.130.0/24 
} state { new enable } } rule 42 { action accept description "Allow access to proxy in DMZ" destination { address xxx.xxx.129.6 port 80,443,9050 } protocol tcp source { address xxx.xxx.130.0/24 } state { new enable } } rule 44 { action accept description "Allow Access to Fileservers" destination { group { address-group fileservers port-group fileservice_ports } } protocol tcp source { address xxx.xxx.130.0/24 } state { established enable new enable related enable } } rule 48 { action accept description "Allow access to Jellyfin Server" destination { address xxx.xxx.141.2 port 8096 } protocol tcp source { address xxx.xxx.130.0/24 } state { established enable new enable related enable } } rule 50 { action drop description "Time-based Permit for Chollo Gamer PC" destination { address xxx.xxx.0.0/0 } log disable source { address xxx.xxx.130.179 } state { established enable new enable related enable } time { starttime xxxx:xxxx:00 stoptime xxxx:xxxx:00 weekdays Sun,Mon,Tue,Wed,Thu,Fri,Sat } } rule 54 { action drop description "Block Steam Gaming" destination { address xxx.xxx.0.0/0 group { port-group steam } } disable log enable protocol all source { group { address-group Chollo } } state { new enable } } rule 65 { action accept description "Open access for xxx.xxx.130.224/27" destination { address xxx.xxx.0.0/0 } protocol all source { address xxx.xxx.130.224/27 } state { established enable new enable related enable } } rule 70 { action accept description "Allow return packets from Web Servers on Public_Access net" destination { address xxx.xxx.141.0/24 } protocol tcp source { address xxx.xxx.130.0/24 port 23,80 } state { established enable new enable related enable } } rule 80 { action accept description "Allow management (UDP) traffic out" destination { address xxx.xxx.141.0/24 } protocol udp source { address xxx.xxx.130.0/24 port 161,514 } state { established enable new enable related enable } } rule 90 { action accept description "Allow APs to speak LWAPP/CAPWAP to 
Cisco WLC Controller" destination { address xxx.xxx.141.244 group { port-group CAPWAPP } } disable protocol udp source { address xxx.xxx.130.0/24 } state { new enable } } rule 100 { action drop description "Deny Children after 11pm Schoolnights" destination { address xxx.xxx.0.0/0 } disable log enable source { group { address-group children } } state { established enable new enable related enable } time { starttime xxxx:xxxx:00 stoptime xxxx:xxxx:00 weekdays !Fri,Sat } } rule 102 { action drop description "Deny Children LateNight" destination { address xxx.xxx.0.0/0 } disable log enable source { group { address-group children } } state { established enable new enable related enable } time { starttime xxxx:xxxx:00 stoptime xxxx:xxxx:00 } } rule 115 { action accept description "Allow Outbound UDP (DNS/NTP/DHCP/IAX)" destination { address xxx.xxx.0.0/0 port 53,67,68,123,4569 } protocol udp source { address xxx.xxx.130.0/24 } state { established enable new enable related enable } } rule 200 { action accept description "Allow access to Google Play Services" destination { address xxx.xxx.0.0/0 port 5228 } disable protocol tcp_udp source { address xxx.xxx.130.0/24 } state { established enable new enable related enable } } rule 1006 { action accept description "Allow Chusma" destination { address xxx.xxx.0.0/0 } protocol all source { group { address-group Chusma } } state { established enable new enable related enable } } rule 1008 { action accept description "Allow Chollo" destination { address xxx.xxx.0.0/0 } protocol all source { group { address-group Chollo } } state { established enable new enable related enable } } rule 1030 { action accept description "Weekday Time-based Permit for Chollo" destination { address xxx.xxx.0.0/0 } disable log disable source { group { address-group Chollo } } state { established enable new enable related enable } time { starttime xxxx:xxxx:00 stoptime xxxx:xxxx:00 weekdays Mon,Tue,Wed,Thu,Fri } } rule 1035 { action accept description 
"Weekend Time-based Permit for Chollo" destination { address xxx.xxx.0.0/0 } disable log disable source { group { address-group Chollo } } state { established enable new enable related enable } time { starttime xxxx:xxxx:00 stoptime xxxx:xxxx:00 weekdays Sat,Sun } } rule 1040 { action accept description "Allowed outbound for Chollo" destination { address xxx.xxx.0.0/0 port 80,443,587,993,5222 } log disable protocol tcp source { group { address-group Chollo } } state { established enable new enable } } rule 9000 { action accept description "Allow Random DHCP Clients" destination { address xxx.xxx.0.0/0 } protocol all source { address xxx.xxx.130.192-xxx.xxx.130.221 } state { established enable new enable related enable } } } name PublicAccess_Out { default-action drop description "Traffic Inbound to PublicAccess" enable-default-log rule 100 { action accept description "Permit return packets from originated connections" state { established enable related enable } } rule 500 { action accept destination { address xxx.xxx.130.0/24 } protocol all source { address xxx.xxx.141.0/24 } } } receive-redirects disable send-redirects enable source-validation disable state-policy { invalid { action drop } } syn-cookies enable twa-hazards-protection disable } interfaces { ethernet eth0 { address xxx.xxx.129.30/27 description DMZ duplex auto firewall { in { name DMZ_In } out { name DMZ_Out } } hw-id XX:XX:XX:XX:XX:30 mtu 9000 smp-affinity auto speed auto } ethernet eth1 { address xxx.xxx.130.254/24 description "Public Access" duplex auto firewall { in { name PublicAccess_In } out { name PublicAccess_Out } } hw-id XX:XX:XX:XX:XX:31 mtu 9000 smp-affinity auto speed auto traffic-policy { out ShapePublicOutbound } } ethernet eth2 { address xxx.xxx.141.254/24 description Internal duplex auto hw-id XX:XX:XX:XX:XX:32 mtu 9000 smp-affinity auto speed auto } ethernet eth3 { address xxx.xxx.143.254/24 description Management duplex auto firewall { in { name Management_In } out { name 
Management_Out } } hw-id XX:XX:XX:XX:XX:33 mtu 9000 smp-affinity auto speed auto } ethernet eth4 { address xxx.xxx.44.193/28 address xxx.xxx.44.200/28 address xxx.xxx.44.201/28 address xxx.xxx.44.197/28 description "FTS Public Internet Subnet" duplex auto hw-id XX:XX:XX:XX:XX:34 mtu 9000 smp-affinity auto speed auto } ethernet eth5 { address xxx.xxx.62.21/27 description InternetUplink duplex auto firewall { in { name Internet_In } local { name Internet2Local } out { name Internet_Out } } hw-id XX:XX:XX:XX:XX:35 mtu 9000 smp-affinity auto speed auto } ethernet eth6 { address xxx.xxx.142.254/24 description IoT duplex auto hw-id XX:XX:XX:XX:XX:36 mtu 9000 smp-affinity auto speed auto } loopback lo { } openvpn vtun0 { description "OpenVPN Endpoint" encryption aes256 hash sha512 local-host xxxxx.tld local-port 1194 mode server openvpn-option "--comp-lzo --push dhcp-option DOMAIN feigin.com --push dhcp-option DNS xxx.xxx.141.20 --push route xxx.xxx.140.0 xxx.xxx.252.0 --push route xxx.xxx.130.0 xxx.xxx.255.0 --push route xxx.xxx.129.0 xxx.xxx.255.224" protocol udp server { subnet xxx.xxx.128.240/28 } tls { ca-cert-file xxxxxx cert-file xxxxxx dh-file xxxxxx key-file xxxxxx } } wireguard wg01 { address xxx.xxx.188.1/24 description "Wireguard Endpoint" peer GalaxyS7 { allowed-ips xxx.xxx.188.3/32 persistent-keepalive 15 pubkey **************** } peer Hospitalet { allowed-ips xxx.xxx.78.0/24 allowed-ips xxx.xxx.188.2/32 persistent-keepalive 15 preshared-key **************** pubkey **************** } peer OpenWRT-Test { allowed-ips xxx.xxx.188.9/32 allowed-ips xxx.xxx.83.0/24 persistent-keepalive 15 preshared-key **************** pubkey **************** } peer OpenWRT-zbt826 { allowed-ips xxx.xxx.188.6/32 allowed-ips xxx.xxx.84.0/24 persistent-keepalive 15 preshared-key **************** pubkey **************** } peer PocoF3 { allowed-ips xxx.xxx.188.4/32 persistent-keepalive 15 preshared-key **************** pubkey **************** } peer XiaoMiNote5 { allowed-ips 
xxx.xxx.188.5/32 persistent-keepalive 15 preshared-key **************** pubkey **************** } peer ayahuasca { allowed-ips xxx.xxx.188.7/32 persistent-keepalive 15 preshared-key **************** pubkey **************** } peer x230 { allowed-ips xxx.xxx.188.10/32 persistent-keepalive 15 preshared-key **************** pubkey **************** } port 51820 } wireguard wg02 { address xxx.xxx.0.2/24 description "ACP site-to-site" peer xxxxx.tld { allowed-ips xxx.xxx.0.0/24 allowed-ips xxx.xxx.2.0/23 allowed-ips xxx.xxx.7.0/24 preshared-key **************** pubkey **************** } port 51821 } } nat { destination { rule 20 { description "Redirect Inbound SMTP" destination { address xxx.xxx.44.193 port 25 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.2 port 25 } } rule 22 { description "Redirect Inbound SMTP/S" destination { address xxx.xxx.44.193 port 465 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.2 port 465 } } rule 23 { description "Redirect Inbound SMTP Submission" destination { address xxx.xxx.44.193 port 587 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.2 port 587 } } rule 24 { description "Redirect Inbound IMAPS" destination { address xxx.xxx.44.193 port 993 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.141.17 port 993 } } rule 26 { description "Redirect inbound SSH" destination { address xxx.xxx.44.193 port 22 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.2 port 22 } } rule 30 { description "Redirect Inbound HTTPS to xxx.xxx.62.21" destination { address xxx.xxx.62.21 port 443 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 443 } } rule 32 { description "Redirect Inbound HTTPS for xxx.xxx.44.193" destination { address xxx.xxx.44.193 port 443 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 443 } } rule 34 { description "Redirect Inbound HTTP for xxx.xxx.62.21" destination { 
address xxx.xxx.62.21 port 80 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 80 } } rule 36 { description "Redirect Inbound HTTP for xxx.xxx.44.193" destination { address xxx.xxx.44.193 port 80 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 80 } } rule 40 { description "Redirect Inbound DNS UDP" destination { address xxx.xxx.44.193 port 53 } inbound-interface eth5 protocol udp translation { address xxx.xxx.129.2 port 53 } } rule 42 { description "Redirect Inbound DNS TCP" destination { address xxx.xxx.44.193 port 53 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.2 port 53 } } rule 44 { description "Redirect Inbound NTP" destination { address xxx.xxx.62.21 port 123 } inbound-interface eth5 protocol udp translation { address xxx.xxx.141.13 port 123 } } rule 50 { description "Inbound Web Redirect 9080" destination { address xxx.xxx.44.193 port 9080 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.141.3 port 80 } } rule 52 { description "Inbound Web Redirect 9081->8080(Zenoss)" destination { address xxx.xxx.44.193 port 9081 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.141.30 port 8080 } } rule 54 { description "Inbound Web Redirect 9082 -> Test MythTV Backend" destination { address xxx.xxx.44.193 port 9082 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.141.114 port 80 } } rule 56 { description "Inbound Web Redirect 9083 -> OSCam" destination { address xxx.xxx.44.193 port 9083 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.141.3 port 8443 } } rule 60 { description "Redirect Inbound DNS for old server (Temporary)" destination { address xxx.xxx.44.194 port 53 } inbound-interface eth5 protocol udp translation { address xxx.xxx.129.2 port 53 } } rule 76 { description "1:1 Inbound NAT PBXinaFlash" destination { address xxx.xxx.44.201 } inbound-interface eth5 translation { address xxx.xxx.129.5 } } rule 78 
{ description "1:1 Inbound NAT PBXinaFlash for FTS Subnet" destination { address xxx.xxx.44.201 } inbound-interface eth4 translation { address xxx.xxx.129.5 } } rule 84 { description "Reflection Rule Inside->Outside:SMTP" destination { address xxx.xxx.44.193 port 25 } inbound-interface eth2 protocol tcp source { address xxx.xxx.141.0/24 } translation { address xxx.xxx.129.2 port 25 } } rule 85 { description "Reflection Rule Inside->Outside:Submission" destination { address xxx.xxx.44.193 port 587 } inbound-interface eth2 protocol tcp source { address xxx.xxx.141.0/24 } translation { address xxx.xxx.129.2 port 587 } } rule 86 { description "Reflection Rule Inside->Outside:SMTP/S" destination { address xxx.xxx.44.193 port 465 } inbound-interface eth2 protocol tcp source { address xxx.xxx.141.0/24 } translation { address xxx.xxx.129.2 port 465 } } rule 88 { description "Reflection Rule Public->Outside:SMTP" destination { address xxx.xxx.44.193 port 25 } inbound-interface eth1 protocol tcp source { address xxx.xxx.130.0/24 } translation { address xxx.xxx.129.2 port 25 } } rule 89 { description "Reflection Rule Public->Outside:Submission" destination { address xxx.xxx.44.193 port 587 } inbound-interface eth1 protocol tcp source { address xxx.xxx.130.0/24 } translation { address xxx.xxx.129.2 port 587 } } rule 90 { description "Reflection Rule Internal->Outside:IMAPS" destination { address xxx.xxx.44.193 port 993 } inbound-interface eth2 protocol tcp source { address xxx.xxx.141.0/24 } translation { address xxx.xxx.129.2 port 993 } } rule 92 { description "Reflection Rule Public->Outside:IMAPS" destination { address xxx.xxx.44.193 port 993 } inbound-interface eth1 protocol tcp source { address xxx.xxx.130.0/24 } translation { address xxx.xxx.141.17 port 993 } } rule 94 { description "Reflection Rule Public->Outside:IAX" destination { address xxx.xxx.44.201 port 4569 } inbound-interface eth1 protocol udp source { address xxx.xxx.130.0/24 } translation { address 
xxx.xxx.129.5 port 4569 } } rule 96 { description "Reflection Rule Public->Inside:https for cloud" destination { address xxx.xxx.62.21 port 443 } inbound-interface eth1 protocol tcp source { address xxx.xxx.130.0/24 } translation { address xxx.xxx.141.53 port 443 } } rule 102 { description "Reflection Rule Public ->Outside:SIP" destination { address xxx.xxx.44.201 port 5060 } inbound-interface eth1 protocol tcp_udp source { address xxx.xxx.130.0/24 } translation { address xxx.xxx.129.5 port 5060 } } rule 110 { description "Inbound Redirect for XMPP port 5222" destination { address xxx.xxx.62.21 port 5222 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 5222 } } rule 112 { description "Inbound Redirect for XMPP port 5269" destination { address xxx.xxx.62.21 port 5269 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 5269 } } rule 114 { description "Inbound Redirect for XMPP port 5280" destination { address xxx.xxx.62.21 port 5280 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 5280 } } rule 116 { description "Inbound Redirect for XMPP http_upload port 5443" destination { address xxx.xxx.62.21 port 5443 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 5443 } } rule 120 { description "Reflection Rule Public->Outside:XMPP-5222" destination { address xxx.xxx.62.21 port 5222 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.129.6 port 5222 } } rule 122 { description "Reflection Rule Public->Outside:XMPP-5269" destination { address xxx.xxx.62.21 port 5269 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.129.6 port 5269 } } rule 124 { description "Reflection Rule Public->Outside:XMPP-5280" destination { address xxx.xxx.62.21 port 5280 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.129.6 port 5280 } } rule 126 { description "Reflection Rule Public->Outside:XMPP-5443" destination { address 
xxx.xxx.62.21 port 5443 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.129.6 port 5443 } } rule 128 { description "Reflection Rule Public->Outside:HTTPS" destination { address xxx.xxx.62.21 port 443 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.129.6 port 443 } } rule 140 { description "Test Redirect HAPROXY IMAPS" destination { address xxx.xxx.62.21 port 993 } inbound-interface eth5 protocol tcp translation { address xxx.xxx.129.6 port 993 } } rule 156 { description "Inbound Redirect for Minecraft" destination { address xxx.xxx.44.193 port 25565 } disable inbound-interface eth5 protocol tcp translation { address xxx.xxx.141.158 port 25565 } } rule 160 { description "Inbound Redirect for MOXA Serial Server" destination { address xxx.xxx.44.193 port 950-969 } disable inbound-interface eth5 protocol tcp translation { address xxx.xxx.143.244 port 950-969 } } } source { rule 30 { description "Source NAT for Outbound SMTP" destination { } outbound-interface eth0 protocol tcp source { address xxx.xxx.129.2 port 25 } translation { address xxx.xxx.44.193 } } rule 992 { description "1:1 Outbound for PBXinaFlash" outbound-interface eth5 source { address xxx.xxx.129.5 } translation { address xxx.xxx.44.201 } } rule 4991 { description "Exclude Test Networks from NAT" destination { address xxx.xxx.93.0/24 } exclude outbound-interface eth4 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4992 { description "Exclude Apartment Spain Internal Network from NAT" destination { address xxx.xxx.79.0/24 } disable exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4993 { description "Exclude ACP Internal Network from NAT" destination { address xxx.xxx.2.0/23 } exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4994 { description "Exclude ACP DMZ Network from NAT" destination { address xxx.xxx.7.0/24 } 
exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4995 { description "Exclude SecuroSys Network from NAT" destination { address xxx.xxx.171.0/24 } disable exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4996 { description "Exclude Test Networks from NAT" destination { address xxx.xxx.176.0/20 } exclude outbound-interface eth4 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4997 { description "Exclude DiCandilo Berwyn Network from NAT" destination { address xxx.xxx.1.0/24 } exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4998 { description "Exclude ADDM Network From NAT" destination { address xxx.xxx.32.0/24 } exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 4999 { description "Exclude ICDC Network from NAT" destination { address xxx.xxx.47.0/22 } disable exclude outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address masquerade } } rule 9000 { description "Masquerade Internal on FTS Internet Segment" destination { address xxx.xxx.44.192/28 } outbound-interface eth4 source { address xxx.xxx.141.0/24 } translation { address xxx.xxx.44.193 } } rule 9005 { description "Masquerade Internal" destination { address xxx.xxx.0.0/0 } outbound-interface eth5 source { address xxx.xxx.141.0/24 } translation { address xxx.xxx.44.193 } } rule 9010 { description "Masquerade DMZ" destination { address xxx.xxx.0.0/0 } outbound-interface eth5 source { address xxx.xxx.129.0/27 } translation { address xxx.xxx.44.193 } } rule 9020 { description "Masquerade Public" destination { address xxx.xxx.0.0/0 } outbound-interface eth5 source { address xxx.xxx.130.0/24 } translation { address xxx.xxx.44.197 } } rule 9030 { description "Masquerade IoT & Management" outbound-interface eth5 source { 
address xxx.xxx.142.0/23 } translation { address xxx.xxx.44.193 } } } } protocols { igmp-proxy { interface eth2 { role downstream threshold 1 } interface eth5 { role upstream threshold 1 } } static { interface-route xxx.xxx.188.0/24 { next-hop-interface wg01 { } } interface-route xxx.xxx.2.0/23 { next-hop-interface wg02 { } } interface-route xxx.xxx.7.0/24 { next-hop-interface wg02 { } } interface-route xxx.xxx.78.0/24 { next-hop-interface wg01 { } } interface-route xxx.xxx.83.0/24 { next-hop-interface wg01 { } } interface-route xxx.xxx.84.0/24 { next-hop-interface wg01 { } } route xxx.xxx.0.0/0 { next-hop xxx.xxx.62.1 { } } route xxx.xxx.53.0/27 { blackhole { } } route xxx.xxx.1.47/32 { next-hop xxx.xxx.128.242 { } } route xxx.xxx.0.0/16 { blackhole { } } route xxx.xxx.0.0/15 { blackhole { } } route xxx.xxx.0.0/15 { blackhole { } } route xxx.xxx.128.0/28 { next-hop xxx.xxx.141.251 { } } route xxx.xxx.131.0/24 { next-hop xxx.xxx.141.222 { } } route xxx.xxx.0.0/17 { blackhole { } } } } service { dhcp-relay { interface eth1 interface eth3 interface eth4 interface eth6 interface eth2 relay-options { relay-agents-packets discard } server xxxxx.tld } mdns { repeater { interface eth2 interface wg01 } } snmp { community public { authorization ro network xxx.xxx.141.0/24 } contact "Adam Feigin" listen-address xxx.xxx.141.254 { port 161 } location xxxxxx 235" trap-target xxx.xxx.141.30 { } } ssh { port 2022 } } system { config-management { commit-archive { location xxxxxx } commit-revisions 50 } conntrack { expect-table-size 4096 hash-size 4096 modules { sip { disable } } table-size 32768 } console { device ttyS0 { speed 9600 } } domain-name xxxxxx flow-accounting { disable-imt interface eth5 interface eth4 interface eth2 interface eth1 interface eth0 netflow { engine-id 2 sampling-rate 64 server xxxxx.tld { port 9995 } timeout { expiry-interval 60 flow-generic 60 icmp 300 max-active-life 60 tcp-fin 60 tcp-generic 60 tcp-rst 60 udp 60 } version 5 } sflow { agent-address 
xxx.xxx.141.254 sampling-rate 64 server xxxxx.tld { port 6343 } } syslog-facility daemon } host-name xxxxxx ipv6 { } login { radius-server xxx.xxx.141.20 { port 1812 secret xxxxxxxxxxxx timeout 3 } radius-source-address xxx.xxx.143.254 user xxxxxx { authentication { encrypted-password xxxxxx plaintext-password xxxxxx public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } } full-name xxxxxx level admin } user xxxxxx { authentication { encrypted-password xxxxxx plaintext-password xxxxxx public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } } level admin } user xxxxxx { authentication { encrypted-password xxxxxx plaintext-password xxxxxx public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } public-keys xxxx@xxx.xxx { key xxxxxx type ssh-rsa } } level admin } user xxxxxx { authentication { encrypted-password xxxxxx plaintext-password xxxxxx } level admin } } name-server xxx.xxx.141.3 name-server xxx.xxx.40.2 name-server xxx.xxx.40.34 name-server xxx.xxx.141.20 ntp { allow-clients { address xxx.xxx.143.0/24 address xxx.xxx.142.0/24 address xxx.xxx.141.0/24 address xxx.xxx.130.0/24 address xxx.xxx.129.0/24 } listen-address xxx.xxx.141.254 listen-address xxx.xxx.130.254 listen-address xxx.xxx.129.254 listen-address xxx.xxx.142.254 listen-address xxx.xxx.143.254 server xxxxx.tld { } server xxxxx.tld { } server xxxxx.tld { } server xxxxx.tld { } server xxxxx.tld { } } syslog { file messages { archive { } } global { archive { size 8192 } facility all { level notice } facility protocols { level debug } } } task-scheduler { task Update-Blacklists { executable { path /config/scripts/updBlackList.sh } interval 12h } } time-zone Europe/Zurich } traffic-policy { limiter LimitChildrenOutBound { class 10 { bandwidth 512 burst 2048 match Children { ip { source { address xxx.xxx.130.175/27 } } } priority 20 } } shaper 
ShapeInternalOutbound { bandwidth 1gibps class 10 { bandwidth 128kibit burst 15k ceiling 16384kibit match JohanaRestricted { ip { destination { address xxx.xxx.141.188/30 } } } queue-type fair-queue } default { bandwidth 1gibps burst 15k ceiling 100% queue-type fair-queue } } shaper ShapePublicOutbound { bandwidth 20mibit class 10 { bandwidth 1kibit burst 15k ceiling 4096kibit description "Chusmas Devices" match Chusma { ip { destination { address xxx.xxx.130.172/30 } } } queue-type fair-queue } class 20 { bandwidth 1kibit burst 15k ceiling 16384kibit description "Chollos Devices" match Chollo { ip { destination { address xxx.xxx.130.176/29 } } } queue-type fair-queue } class 30 { bandwidth 1kibit burst 15k ceiling 64kibit match mbpgen2-wlan { ip { destination { address xxx.xxx.130.242/32 } } } queue-type fair-queue } class 40 { bandwidth 1kibit burst 15k ceiling 8192kibit description "Sony PS4 Traffic" match sonyps4 { ip { destination { address xxx.xxx.130.185/32 } } } queue-type fair-queue } class 120 { bandwidth 100% burst 15k queue-type fair-queue } default { bandwidth 10mibit burst 15k ceiling 100% queue-type fair-queue } description "QoS Policy for Public" } shaper VoIP-DSCP { bandwidth 5mbit class 10 { bandwidth 20% burst 15k ceiling 40% match VoIP-RTP { description "RTP Audio Packets (with dscp set to 46)" ip { dscp 46 } } priority 7 queue-type fair-queue } class 20 { bandwidth 10% burst 15k ceiling 20% description "SIP Signalling (with dscp set to 26)" match VoIP-SIP { ip { dscp 26 } } priority 4 queue-type fair-queue } default { bandwidth 70% burst 15k ceiling 100% queue-type fair-queue } description "VoIP Traffic Shaping based on DSCP" } } vpn { ipsec { esp-group ACP-ESP { compression disable lifetime 3600 mode tunnel pfs dh-group18 proposal 1 { encryption aes256 hash sha512 } proposal 2 { encryption aes128 hash sha512 } } esp-group CiscoESP { compression disable lifetime 3600 mode tunnel pfs enable proposal 1 { encryption aes128 hash sha1 } } esp-group 
DiCandilo-PA-ESP { compression disable lifetime 3600 mode tunnel pfs enable proposal 1 { encryption 3des hash sha1 } } esp-group OPNSenseESP { compression disable lifetime 3600 mode tunnel pfs dh-group18 proposal 1 { encryption aes256 hash sha512 } proposal 2 { encryption aes128 hash sha512 } } esp-group OpenWRT-ESP { compression enable lifetime 3600 mode tunnel pfs dh-group14 proposal 1 { encryption aes256 hash sha512 } proposal 2 { encryption aes256 hash sha256 } proposal 3 { encryption aes128 hash sha512 } proposal 4 { encryption aes128 hash sha256 } } esp-group PFSenseESP { compression disable lifetime 3600 mode tunnel pfs dh-group18 proposal 1 { encryption aes256 hash sha512 } proposal 2 { encryption aes128 hash sha1 } } esp-group SecuroSysESP { compression disable lifetime 3600 mode tunnel pfs dh-group18 proposal 1 { encryption aes256 hash sha512 } proposal 2 { encryption aes128 hash sha1 } } esp-group SophosUTM-ESP { compression disable lifetime 3600 mode tunnel pfs dh-group16 proposal 1 { encryption aes256 hash sha512 } proposal 2 { encryption aes128 hash sha1 } } esp-group StonegateESP { compression disable lifetime 3600 mode tunnel pfs enable proposal 1 { encryption aes128 hash sha1 } } ike-group CiscoIKE { close-action none dead-peer-detection { action restart interval 30 timeout 120 } ikev2-reauth no key-exchange ikev1 lifetime 28800 proposal 1 { dh-group 2 encryption aes128 hash sha1 } proposal 2 { dh-group 2 encryption aes256 hash sha1 } } ike-group DiCandilo-PA-IKE { close-action none ikev2-reauth no key-exchange ikev1 lifetime 28800 proposal 1 { dh-group 5 encryption 3des hash sha1 } } ike-group OPNSenseIKEv2 { close-action none dead-peer-detection { action hold interval 30 timeout 120 } ikev2-reauth no key-exchange ikev2 lifetime 28800 proposal 1 { dh-group 18 encryption aes256 hash sha512 } proposal 2 { dh-group 24 encryption aes128 hash sha512 } } ike-group OpenWRT-IKEv1 { close-action none dead-peer-detection { action restart interval 30 timeout 
120 } ikev2-reauth no key-exchange ikev1 lifetime 3600 proposal 1 { dh-group 2 encryption aes256 hash sha1 } } ike-group OpenWRT-IKEv2 { close-action none dead-peer-detection { action restart interval 30 timeout 120 } ikev2-reauth no key-exchange ikev2 lifetime 3600 mobike enable proposal 1 { dh-group 14 encryption aes256 hash sha512 } proposal 2 { dh-group 14 encryption aes256 hash sha256 } proposal 3 { dh-group 14 encryption aes128 hash sha512 } proposal 4 { dh-group 14 encryption aes128 hash sha256 } } ike-group PFSenseIKE { close-action none dead-peer-detection { action restart interval 30 timeout 120 } ikev2-reauth no key-exchange ikev1 lifetime 28800 proposal 1 { dh-group 18 encryption aes256 hash sha512 } proposal 2 { dh-group 2 encryption aes128 hash sha1 } } ike-group SecuroSysIKE { close-action none dead-peer-detection { action restart interval 30 timeout 120 } ikev2-reauth no key-exchange ikev1 lifetime 28800 proposal 1 { dh-group 18 encryption aes256 hash sha512 } proposal 2 { dh-group 2 encryption aes128 hash sha1 } } ike-group SophosUTM-IKE { close-action none dead-peer-detection { action restart interval 30 timeout 120 } ikev2-reauth no key-exchange ikev1 lifetime 28800 proposal 1 { dh-group 16 encryption aes256 hash sha512 } proposal 2 { dh-group 2 encryption aes128 hash sha1 } } ike-group StonegateIKE { close-action none ikev2-reauth no key-exchange ikev1 lifetime 3600 proposal 1 { dh-group 2 encryption aes128 hash sha1 } } ipsec-interfaces { interface eth5 } nat-networks { allowed-network xxx.xxx.1.0/24 { } allowed-network xxx.xxx.2.0/23 { } allowed-network xxx.xxx.7.0/24 { } allowed-network xxx.xxx.32.0/24 { } allowed-network xxx.xxx.45.0/24 { } allowed-network xxx.xxx.46.0/24 { } allowed-network xxx.xxx.47.0/24 { } allowed-network xxx.xxx.79.0/24 { } allowed-network xxx.xxx.93.0/24 { } allowed-network xxx.xxx.113.0/24 { } allowed-network xxx.xxx.141.0/24 { } allowed-network xxx.xxx.143.0/24 { } allowed-network xxx.xxx.171.0/24 { } 
allowed-network xxx.xxx.176.0/20 { } } nat-traversal enable site-to-site { peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type initiate description "Aviq Systems AG PFSense" ike-group PFSenseIKE ikev2-reauth inherit local-address xxx.xxx.62.21 tunnel 1 { allow-nat-networks disable allow-public-networks enable disable esp-group PFSenseESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.1.0/24 } } } peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type initiate description "Adi Doerflinger Cisco" ike-group CiscoIKE ikev2-reauth inherit local-address xxx.xxx.62.21 tunnel 1 { allow-nat-networks disable allow-public-networks enable disable esp-group CiscoESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.32.0/24 } } } peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type respond default-esp-group DiCandilo-PA-ESP description "DiCandilo Berwyn" ike-group DiCandilo-PA-IKE ikev2-reauth inherit local-address xxx.xxx.62.21 tunnel 1 { allow-nat-networks disable allow-public-networks disable local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.1.0/24 } } } peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type initiate description "ACP AG OPNSense" ike-group OPNSenseIKEv2 ikev2-reauth inherit local-address xxx.xxx.62.21 tunnel 1 { allow-nat-networks disable allow-public-networks enable disable esp-group OPNSenseESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.2.0/23 } } tunnel 2 { allow-nat-networks disable allow-public-networks enable disable esp-group OPNSenseESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.7.0/24 } } } peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type respond description "ICDC-CBCDG Stonegate" ike-group StonegateIKE ikev2-reauth inherit local-address xxx.xxx.62.21 tunnel 1 { 
allow-nat-networks disable allow-public-networks enable disable esp-group StonegateESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.47.0/24 } } tunnel 2 { allow-nat-networks disable allow-public-networks enable disable esp-group StonegateESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.46.0/24 } } } peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type initiate description "Sophos UTM Test Gateway" ike-group SophosUTM-IKE ikev2-reauth inherit local-address xxx.xxx.44.193 tunnel 1 { allow-nat-networks disable allow-public-networks enable disable esp-group SophosUTM-ESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.178.0/24 } } } peer xxxxx.tld { authentication { mode pre-shared-secret pre-shared-secret xxxxxx } connection-type initiate description "OPNSense Test" ike-group OPNSenseIKEv2 ikev2-reauth inherit local-address xxx.xxx.44.193 tunnel 1 { allow-nat-networks disable allow-public-networks enable disable esp-group OPNSenseESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.93.0/24 } } } peer xxxxx.tld { authentication { id @xxx.xxx.62.21 mode pre-shared-secret pre-shared-secret xxxxxx remote-id @awfhospitalet.dyndns.org } connection-type respond description "Apartment Spain VPN" ike-group OpenWRT-IKEv2 ikev2-reauth inherit local-address xxx.xxx.62.21 tunnel 1 { allow-nat-networks disable allow-public-networks enable disable esp-group OpenWRT-ESP local { prefix xxx.xxx.141.0/24 } remote { prefix xxx.xxx.79.0/24 } } } } } }