homelab/wizard/config/firewall.sh

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall group interface-group IG_LAN interface 'eth6'
set firewall group interface-group IG_WAN interface 'pppoe1'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 5 action 'jump'
set firewall ipv4 forward filter rule 5 inbound-interface name 'pppoe1'
set firewall ipv4 forward filter rule 5 jump-target 'WAN_IN'
set firewall ipv4 forward filter rule 101 action 'accept'
set firewall ipv4 forward filter rule 101 inbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 101 outbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 106 action 'jump'
set firewall ipv4 forward filter rule 106 inbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 106 jump-target 'WAN_IN'
set firewall ipv4 forward filter rule 106 outbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 111 action 'drop'
set firewall ipv4 forward filter rule 111 description 'zone_LAN default-action'
set firewall ipv4 forward filter rule 111 outbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 116 action 'accept'
set firewall ipv4 forward filter rule 116 inbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 116 outbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 121 action 'jump'
set firewall ipv4 forward filter rule 121 inbound-interface group 'IG_LAN'
set firewall ipv4 forward filter rule 121 jump-target 'IN_WAN'
set firewall ipv4 forward filter rule 121 outbound-interface group 'IG_WAN'
set firewall ipv4 forward filter rule 126 action 'drop'
set firewall ipv4 forward filter rule 126 description 'zone_WAN default-action'
set firewall ipv4 forward filter rule 126 outbound-interface group 'IG_WAN'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface name 'pppoe1'
set firewall ipv4 input filter rule 5 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 101 action 'jump'
set firewall ipv4 input filter rule 101 inbound-interface group 'IG_LAN'
set firewall ipv4 input filter rule 101 jump-target 'IN_LOCAL'
set firewall ipv4 input filter rule 106 action 'jump'
set firewall ipv4 input filter rule 106 inbound-interface group 'IG_WAN'
set firewall ipv4 input filter rule 106 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 111 action 'drop'
set firewall ipv4 name IN_LOCAL default-action 'accept'
set firewall ipv4 name IN_WAN default-action 'accept'
set firewall ipv4 name LOCAL_IN default-action 'accept'
set firewall ipv4 name LOCAL_WAN default-action 'accept'
set firewall ipv4 name WAN_IN default-action 'drop'
set firewall ipv4 name WAN_IN description 'WAN to internal'
set firewall ipv4 name WAN_IN rule 10 action 'accept'
set firewall ipv4 name WAN_IN rule 10 description 'Allow established/related'
set firewall ipv4 name WAN_IN rule 10 state 'established'
set firewall ipv4 name WAN_IN rule 10 state 'related'
set firewall ipv4 name WAN_IN rule 20 action 'drop'
set firewall ipv4 name WAN_IN rule 20 description 'Drop invalid state'
set firewall ipv4 name WAN_IN rule 20 state 'invalid'
set firewall ipv4 name WAN_IN rule 1000 action 'accept'
set firewall ipv4 name WAN_IN rule 1000 description 'Plex'
set firewall ipv4 name WAN_IN rule 1000 destination port '32400'
set firewall ipv4 name WAN_IN rule 1000 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1000 state 'new'
set firewall ipv4 name WAN_IN rule 1001 action 'accept'
set firewall ipv4 name WAN_IN rule 1001 description 'BitTorrent'
set firewall ipv4 name WAN_IN rule 1001 destination port '49500'
set firewall ipv4 name WAN_IN rule 1001 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1001 state 'new'
set firewall ipv4 name WAN_IN rule 1002 action 'accept'
set firewall ipv4 name WAN_IN rule 1002 description 'WireGuard'
set firewall ipv4 name WAN_IN rule 1002 destination port '53820-53829'
set firewall ipv4 name WAN_IN rule 1002 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1002 state 'new'
set firewall ipv4 name WAN_IN rule 1003 action 'accept'
set firewall ipv4 name WAN_IN rule 1003 description 'Minecraft'
set firewall ipv4 name WAN_IN rule 1003 destination port '25565'
set firewall ipv4 name WAN_IN rule 1003 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1003 state 'new'
set firewall ipv4 name WAN_IN rule 1005 action 'accept'
set firewall ipv4 name WAN_IN rule 1005 description 'Web'
set firewall ipv4 name WAN_IN rule 1005 destination port '443,80'
set firewall ipv4 name WAN_IN rule 1005 protocol 'tcp_udp'
set firewall ipv4 name WAN_IN rule 1005 state 'new'
set firewall ipv4 name WAN_LOCAL default-action 'drop'
set firewall ipv4 name WAN_LOCAL description 'WAN to router'
set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall ipv4 name WAN_LOCAL rule 10 state 'established'
set firewall ipv4 name WAN_LOCAL rule 10 state 'related'
set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN_LOCAL rule 20 protocol 'icmp'
set firewall ipv4 name WAN_LOCAL rule 20 state 'new'
set firewall ipv4 name WAN_LOCAL rule 30 action 'drop'
set firewall ipv4 name WAN_LOCAL rule 30 description 'Drop invalid state'
set firewall ipv4 name WAN_LOCAL rule 30 state 'invalid'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 101 action 'jump'
set firewall ipv4 output filter rule 101 jump-target 'LOCAL_IN'
set firewall ipv4 output filter rule 101 outbound-interface group 'IG_LAN'
set firewall ipv4 output filter rule 106 action 'jump'
set firewall ipv4 output filter rule 106 jump-target 'LOCAL_WAN'
set firewall ipv4 output filter rule 106 outbound-interface group 'IG_WAN'
set firewall ipv4 output filter rule 111 action 'drop'
set firewall ipv6 forward filter default-action 'accept'
set firewall ipv6 forward filter rule 101 action 'accept'
set firewall ipv6 forward filter rule 101 inbound-interface group 'IG_LAN'
set firewall ipv6 forward filter rule 101 outbound-interface group 'IG_LAN'
set firewall ipv6 forward filter rule 106 action 'drop'
set firewall ipv6 forward filter rule 106 description 'zone_LAN default-action'
set firewall ipv6 forward filter rule 106 outbound-interface group 'IG_LAN'
set firewall ipv6 forward filter rule 111 action 'accept'
set firewall ipv6 forward filter rule 111 inbound-interface group 'IG_WAN'
set firewall ipv6 forward filter rule 111 outbound-interface group 'IG_WAN'
set firewall ipv6 forward filter rule 116 action 'drop'
set firewall ipv6 forward filter rule 116 description 'zone_WAN default-action'
set firewall ipv6 forward filter rule 116 outbound-interface group 'IG_WAN'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter rule 101 action 'drop'
set firewall ipv6 output filter default-action 'accept'
set firewall ipv6 output filter rule 101 action 'drop'
Init new, split, commands-based configuration for wizard to ease automated deployment 2024-02-14 10:37:43 -08:00			`set firewall global-options all-ping 'enable'`
			`set firewall global-options broadcast-ping 'disable'`
			`set firewall global-options ip-src-route 'disable'`
			`set firewall global-options ipv6-receive-redirects 'disable'`
			`set firewall global-options ipv6-src-route 'disable'`
			`set firewall global-options log-martians 'enable'`
			`set firewall global-options receive-redirects 'disable'`
			`set firewall global-options send-redirects 'enable'`
			`set firewall global-options source-validation 'disable'`
			`set firewall global-options syn-cookies 'enable'`
			`set firewall group interface-group IG_LAN interface 'eth6'`
			`set firewall group interface-group IG_WAN interface 'pppoe1'`
			`set firewall ipv4 forward filter default-action 'accept'`
			`set firewall ipv4 forward filter rule 5 action 'jump'`
			`set firewall ipv4 forward filter rule 5 inbound-interface name 'pppoe1'`
			`set firewall ipv4 forward filter rule 5 jump-target 'WAN_IN'`
			`set firewall ipv4 forward filter rule 101 action 'accept'`
			`set firewall ipv4 forward filter rule 101 inbound-interface group 'IG_LAN'`
			`set firewall ipv4 forward filter rule 101 outbound-interface group 'IG_LAN'`
			`set firewall ipv4 forward filter rule 106 action 'jump'`
			`set firewall ipv4 forward filter rule 106 inbound-interface group 'IG_WAN'`
			`set firewall ipv4 forward filter rule 106 jump-target 'WAN_IN'`
			`set firewall ipv4 forward filter rule 106 outbound-interface group 'IG_LAN'`
			`set firewall ipv4 forward filter rule 111 action 'drop'`
			`set firewall ipv4 forward filter rule 111 description 'zone_LAN default-action'`
			`set firewall ipv4 forward filter rule 111 outbound-interface group 'IG_LAN'`
			`set firewall ipv4 forward filter rule 116 action 'accept'`
			`set firewall ipv4 forward filter rule 116 inbound-interface group 'IG_WAN'`
			`set firewall ipv4 forward filter rule 116 outbound-interface group 'IG_WAN'`
			`set firewall ipv4 forward filter rule 121 action 'jump'`
			`set firewall ipv4 forward filter rule 121 inbound-interface group 'IG_LAN'`
			`set firewall ipv4 forward filter rule 121 jump-target 'IN_WAN'`
			`set firewall ipv4 forward filter rule 121 outbound-interface group 'IG_WAN'`
			`set firewall ipv4 forward filter rule 126 action 'drop'`
			`set firewall ipv4 forward filter rule 126 description 'zone_WAN default-action'`
			`set firewall ipv4 forward filter rule 126 outbound-interface group 'IG_WAN'`
			`set firewall ipv4 input filter default-action 'accept'`
			`set firewall ipv4 input filter rule 5 action 'jump'`
			`set firewall ipv4 input filter rule 5 inbound-interface name 'pppoe1'`
			`set firewall ipv4 input filter rule 5 jump-target 'WAN_LOCAL'`
			`set firewall ipv4 input filter rule 101 action 'jump'`
			`set firewall ipv4 input filter rule 101 inbound-interface group 'IG_LAN'`
			`set firewall ipv4 input filter rule 101 jump-target 'IN_LOCAL'`
			`set firewall ipv4 input filter rule 106 action 'jump'`
			`set firewall ipv4 input filter rule 106 inbound-interface group 'IG_WAN'`
			`set firewall ipv4 input filter rule 106 jump-target 'WAN_LOCAL'`
			`set firewall ipv4 input filter rule 111 action 'drop'`
			`set firewall ipv4 name IN_LOCAL default-action 'accept'`
			`set firewall ipv4 name IN_WAN default-action 'accept'`
			`set firewall ipv4 name LOCAL_IN default-action 'accept'`
			`set firewall ipv4 name LOCAL_WAN default-action 'accept'`
			`set firewall ipv4 name WAN_IN default-action 'drop'`
			`set firewall ipv4 name WAN_IN description 'WAN to internal'`
			`set firewall ipv4 name WAN_IN rule 10 action 'accept'`
			`set firewall ipv4 name WAN_IN rule 10 description 'Allow established/related'`
			`set firewall ipv4 name WAN_IN rule 10 state 'established'`
			`set firewall ipv4 name WAN_IN rule 10 state 'related'`
			`set firewall ipv4 name WAN_IN rule 20 action 'drop'`
			`set firewall ipv4 name WAN_IN rule 20 description 'Drop invalid state'`
			`set firewall ipv4 name WAN_IN rule 20 state 'invalid'`
			`set firewall ipv4 name WAN_IN rule 1000 action 'accept'`
			`set firewall ipv4 name WAN_IN rule 1000 description 'Plex'`
			`set firewall ipv4 name WAN_IN rule 1000 destination port '32400'`
			`set firewall ipv4 name WAN_IN rule 1000 protocol 'tcp_udp'`
			`set firewall ipv4 name WAN_IN rule 1000 state 'new'`
			`set firewall ipv4 name WAN_IN rule 1001 action 'accept'`
			`set firewall ipv4 name WAN_IN rule 1001 description 'BitTorrent'`
			`set firewall ipv4 name WAN_IN rule 1001 destination port '49500'`
			`set firewall ipv4 name WAN_IN rule 1001 protocol 'tcp_udp'`
			`set firewall ipv4 name WAN_IN rule 1001 state 'new'`
			`set firewall ipv4 name WAN_IN rule 1002 action 'accept'`
			`set firewall ipv4 name WAN_IN rule 1002 description 'WireGuard'`
			`set firewall ipv4 name WAN_IN rule 1002 destination port '53820-53829'`
			`set firewall ipv4 name WAN_IN rule 1002 protocol 'tcp_udp'`
			`set firewall ipv4 name WAN_IN rule 1002 state 'new'`
			`set firewall ipv4 name WAN_IN rule 1003 action 'accept'`
			`set firewall ipv4 name WAN_IN rule 1003 description 'Minecraft'`
			`set firewall ipv4 name WAN_IN rule 1003 destination port '25565'`
			`set firewall ipv4 name WAN_IN rule 1003 protocol 'tcp_udp'`
			`set firewall ipv4 name WAN_IN rule 1003 state 'new'`
			`set firewall ipv4 name WAN_IN rule 1005 action 'accept'`
			`set firewall ipv4 name WAN_IN rule 1005 description 'Web'`
			`set firewall ipv4 name WAN_IN rule 1005 destination port '443,80'`
			`set firewall ipv4 name WAN_IN rule 1005 protocol 'tcp_udp'`
			`set firewall ipv4 name WAN_IN rule 1005 state 'new'`
			`set firewall ipv4 name WAN_LOCAL default-action 'drop'`
			`set firewall ipv4 name WAN_LOCAL description 'WAN to router'`
			`set firewall ipv4 name WAN_LOCAL rule 10 action 'accept'`
			`set firewall ipv4 name WAN_LOCAL rule 10 description 'Allow established/related'`
			`set firewall ipv4 name WAN_LOCAL rule 10 state 'established'`
			`set firewall ipv4 name WAN_LOCAL rule 10 state 'related'`
			`set firewall ipv4 name WAN_LOCAL rule 20 action 'accept'`
			`set firewall ipv4 name WAN_LOCAL rule 20 protocol 'icmp'`
			`set firewall ipv4 name WAN_LOCAL rule 20 state 'new'`
			`set firewall ipv4 name WAN_LOCAL rule 30 action 'drop'`
			`set firewall ipv4 name WAN_LOCAL rule 30 description 'Drop invalid state'`
			`set firewall ipv4 name WAN_LOCAL rule 30 state 'invalid'`
			`set firewall ipv4 output filter default-action 'accept'`
			`set firewall ipv4 output filter rule 101 action 'jump'`
			`set firewall ipv4 output filter rule 101 jump-target 'LOCAL_IN'`
			`set firewall ipv4 output filter rule 101 outbound-interface group 'IG_LAN'`
			`set firewall ipv4 output filter rule 106 action 'jump'`
			`set firewall ipv4 output filter rule 106 jump-target 'LOCAL_WAN'`
			`set firewall ipv4 output filter rule 106 outbound-interface group 'IG_WAN'`
			`set firewall ipv4 output filter rule 111 action 'drop'`
			`set firewall ipv6 forward filter default-action 'accept'`
			`set firewall ipv6 forward filter rule 101 action 'accept'`
			`set firewall ipv6 forward filter rule 101 inbound-interface group 'IG_LAN'`
			`set firewall ipv6 forward filter rule 101 outbound-interface group 'IG_LAN'`
			`set firewall ipv6 forward filter rule 106 action 'drop'`
			`set firewall ipv6 forward filter rule 106 description 'zone_LAN default-action'`
			`set firewall ipv6 forward filter rule 106 outbound-interface group 'IG_LAN'`
			`set firewall ipv6 forward filter rule 111 action 'accept'`
			`set firewall ipv6 forward filter rule 111 inbound-interface group 'IG_WAN'`
			`set firewall ipv6 forward filter rule 111 outbound-interface group 'IG_WAN'`
			`set firewall ipv6 forward filter rule 116 action 'drop'`
			`set firewall ipv6 forward filter rule 116 description 'zone_WAN default-action'`
			`set firewall ipv6 forward filter rule 116 outbound-interface group 'IG_WAN'`
			`set firewall ipv6 input filter default-action 'accept'`
			`set firewall ipv6 input filter rule 101 action 'drop'`
			`set firewall ipv6 output filter default-action 'accept'`
			`set firewall ipv6 output filter rule 101 action 'drop'`