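## General WAN Rules
# Stock OpenWrt WAN input rules (DHCP renew, ping, DHCPv6, ICMPv6) followed by
# this site's own additions. Rules without `option src` are OUTPUT rules (router
# -> zone); rules without `option dest` are INPUT rules (zone -> router); rules
# with both are FORWARD rules between zones.

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	list proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	list proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option src_ip 'fe80::/10'
	option src_port '547'
	list proto 'udp'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	list proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option target 'ACCEPT'
	option family 'ipv6'
	option limit '1000/sec'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	list proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option target 'ACCEPT'
	option family 'ipv6'
	option limit '1000/sec'

# Router SSH reachable from the whole Internet on both address families: no
# `option src_ip` and no `option family` narrows it. Worth restricting to known
# management prefixes (src_ip) if that is feasible for this site.
config rule
	option name 'Allow-INPUT-SSH'
	option src 'wan'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

### DMZ Rules
## General Rules
# ICMP
# Router -> dmz, dmz -> router, and dmz -> any zone ('*' includes lan).
config rule
	option name 'Allow-ICMP'
	option dest 'dmz'
	list proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMP'
	option src 'dmz'
	list proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMP'
	option src 'dmz'
	list proto 'icmp'
	option dest '*'
	option target 'ACCEPT'

# DHCP rules
# DHCP is UDP-only (RFC 2131); the previous version also listed tcp, which
# opened 67-68/tcp to and from the router for no reason - dropped.
config rule
	option name 'Allow-DMZ-DHCP'
	option dest 'dmz'
	option dest_port '67-68'
	list proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DMZ-DHCP'
	option src 'dmz'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

# SSH rules
# Router -> dmz SSH (OUTPUT rule: no src).
config rule
	option name 'Allow-DMZ-SSH'
	option dest 'dmz'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Router -> syslog host only (dest_ip pins the single collector).
config rule
	option name 'Allow-DMZ-Syslog'
	option dest 'dmz'
	option dest_ip '{{ hostvars['syslog']['ansible_default_ipv4']['address'] }}'
	option dest_port '514'
	list proto 'udp'
	option target 'ACCEPT'

# DNS Resolution
# dmz -> router resolver (INPUT rule: no dest).
config rule
	option name 'Allow-INPUT-DNS'
	option src 'dmz'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

# NTP
config rule
	option name 'Allow-OUTPUT-NTP'
	option src 'dmz'
	list proto 'udp'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

# Web traffic OUT
# udp is included alongside tcp so HTTP/3 (QUIC) on 443 is not blocked.
config rule
	option name 'Allow-OUTPUT-Web'
	option src 'dmz'
	list proto 'tcp'
	list proto 'udp'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'

# SSH traffic IN
# IPv6 SSH from the Internet to *every* dmz host; there is no dest_ip filter.
# The IPv4 side is not DNATed, so only hosts with a global v6 address are reached.
config rule
	option name 'Allow-INPUT-SSH'
	option src 'wan'
	list proto 'tcp'
	option dest 'dmz'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv6'

## Specific rules
# Allow IPv4 Web traffic IN
# IPv4 HTTP/HTTPS is DNATed to the haproxy host; IPv6 goes directly to each
# webserver (loop below).
config redirect
	option name 'Allow-INPUT-v4-HTTP'
	option src 'wan'
	option src_dport '80'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
	option dest_port '80'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-v4-HTTPS'
	option src 'wan'
	option src_dport '443'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
	option dest_port '443'
	option target 'DNAT'

# Allow Web traffic IN
# Sorted so the rendered file is stable across runs (idempotent diffs).
{% for host in groups['webservers'] | sort %}
config rule
	option name 'Allow-INPUT-{{ hostvars[host]['ansible_host'] }}-Web'
	option src 'wan'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv6'
{% endfor %}

# Allow traffic to and from bt.dmz.mateu.be
# Outbound from the bt host is unrestricted on port (no dest_port) - intended
# for peer traffic, so only src_ip limits it.
config rule
	option name 'Allow-OUTPUT-BT'
	option src 'dmz'
	option src_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
	list proto 'tcp'
	list proto 'udp'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-OUTPUT-BT'
	option src 'dmz'
	option src_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
	list proto 'tcp'
	list proto 'udp'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow-INPUT-BT'
	option src 'wan'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
	option dest_port '10010'
	option target 'ACCEPT'
	option family 'ipv6'

config redirect
	option name 'Allow-INPUT-BT'
	option src 'wan'
	option src_dport '10010'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
	option dest_port '10010'
	option target 'DNAT'

# Allow traffic to Proxmox VE interface
# This exposes the hypervisor management UI (8006) to the Internet: over IPv6
# to every hypervisor, over IPv4 via DNAT to the first one. A src_ip
# allow-list or a VPN-only path would reduce the exposure considerably.
# `| sort` added for the same idempotency reason as the webservers loop.
{% for host in groups['hypervisors'] | sort %}
config rule
	option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
	option src 'wan'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
	option dest_port '8006'
	option target 'ACCEPT'
	option family 'ipv6'
{% endfor %}

# IPv4 DNAT target is whichever host the inventory lists first in 'hypervisors'.
{% set first_hypervisor = hostvars[groups['hypervisors'][0]] %}
config redirect
	option name 'Allow-INPUT-ProxmoxVE-Admin'
	option src 'wan'
	option src_dport '8006'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ first_hypervisor['ansible_default_ipv4']['address'] }}'
	option dest_port '8006'
	option target 'DNAT'

# Allow XMPP traffic
config rule
	option name 'Allow-OUTPUT-XMPP-s2s'
	option src 'dmz'
	option src_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
	list proto 'tcp'
	list proto 'udp'
	option dest 'wan'
	option dest_port '5269'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-OUTPUT-XMPP-s2s'
	option src 'dmz'
	option src_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
	list proto 'tcp'
	list proto 'udp'
	option dest 'wan'
	option dest_port '5269'
	option target 'ACCEPT'
	option family 'ipv6'

config redirect
	option name 'Allow-INPUT-XMPP-c2s'
	option src 'wan'
	option src_dport '5222'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
	option dest_port '5222'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-XMPP-s2s'
	option src 'wan'
	option src_dport '5269'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
	option dest_port '5269'
	option target 'DNAT'

config rule
	option name 'Allow-INPUT-XMPP-c2s+s2s'
	option src 'wan'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
	option dest_port '5222 5269'
	option target 'ACCEPT'
	option family 'ipv6'

# Allow Mumble traffic
config rule
	option name 'Allow-INPUT-mumble'
	option src 'wan'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['voice1']['ansible_default_ipv6']['address'] }}'
	option dest_port '64738'
	option target 'ACCEPT'
	option family 'ipv6'

config redirect
	option name 'Allow-INPUT-mumble'
	option src 'wan'
	option src_dport '64738'
	list proto 'tcp'
	list proto 'udp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['voice1']['ansible_default_ipv4']['address'] }}'
	option dest_port '64738'
	option target 'DNAT'

# Allow mail traffic
# Only the mail host may originate SMTP to the Internet (src_ip pinned).
config rule
	option name 'Allow-OUTPUT-SMTP'
	option src 'dmz'
	option src_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
	list proto 'tcp'
	option dest 'wan'
	option dest_port '25'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
	option src 'wan'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
	option dest_port '25 465 587'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow-INPUT-IMAP+IMAPS'
	option src 'wan'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
	option dest_port '143 993'
	option target 'ACCEPT'
	option family 'ipv6'

config redirect
	option name 'Allow-INPUT-SMTP'
	option src 'wan'
	option src_dport '25'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
	option dest_port '25'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-SMTPS'
	option src 'wan'
	option src_dport '465'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
	option dest_port '465'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-SUBMISSION'
	option src 'wan'
	option src_dport '587'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
	option dest_port '587'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-IMAP'
	option src 'wan'
	option src_dport '143'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
	option dest_port '143'
	option target 'DNAT'

# NOTE(review): this redirect previously had `option dest 'lan'` while every
# other mail rule reaches the mail host through 'dmz'. A DNAT whose dest zone
# does not match where the target lives gets its accept rule installed in the
# wrong forward chain, so IPv4 IMAPS was presumably being rejected. Aligned to
# 'dmz' - verify IMAPS over IPv4 from outside after deploying.
config redirect
	option name 'Allow-INPUT-IMAPS'
	option src 'wan'
	option src_dport '993'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
	option dest_port '993'
	option target 'DNAT'

# Allow Munin traffic
# munin host -> router node (INPUT rule).
config rule
	option name 'Allow-INPUT-Munin'
	option src 'dmz'
	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
	list proto 'tcp'
	option dest_port '4949'
	option target 'ACCEPT'
	option family 'ipv4'

# dmz -> lan SNMP, pinned to the munin host and to one lan device each.
# lookup('dig', ...) resolves on the Ansible controller at render time; a
# failed or changed answer changes (or breaks) the rendered rule, so these are
# the only rules here whose content is not taken from the inventory.
config rule
	option name 'Allow-FORWARD-Munin-Mikrotik-Garregmach'
	option src 'dmz'
	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '{{ lookup('dig', 'garreg-mach.mateu.be') }}'
	option dest_port '161'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-FORWARD-Munin-Mikrotik-Derdriu'
	option src 'dmz'
	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
	list proto 'tcp'
	list proto 'udp'
	option dest 'lan'
	option dest_ip '{{ lookup('dig', 'derdriu.mateu.be') }}'
	option dest_port '161'
	option target 'ACCEPT'
	option family 'ipv4'

### IoT Rules
## General Rules
# ICMP
# Note that the third rule ('*') lets IoT devices reach lan hosts with ICMP even
# though the iot zone has no forwarding to lan otherwise.
config rule
	option name 'Allow-ICMP'
	option dest 'iot'
	list proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMP'
	option src 'iot'
	list proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMP'
	option src 'iot'
	list proto 'icmp'
	option dest '*'
	option target 'ACCEPT'

# DHCP rules
# Renamed from the copy-pasted 'Allow-DMZ-DHCP' label; udp only, as above.
config rule
	option name 'Allow-IoT-DHCP'
	option dest 'iot'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

# DNS Resolution
config rule
	option name 'Allow-INPUT-DNS'
	option src 'iot'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

# NTP
# Unlike the dmz NTP rule this one has no `option dest`, so it is an INPUT rule
# (iot -> router NTP), not a forward to wan despite the OUTPUT label - presumably
# intentional (router serves time to IoT); confirm.
config rule
	option name 'Allow-OUTPUT-NTP'
	option src 'iot'
	list proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# FTP
# Control port plus the passive-mode data range the ftp host is configured for.
config rule
	option name 'Allow-OUTPUT-FTP'
	option src 'iot'
	list proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['ftp']['ansible_default_ipv4']['address'] }}'
	option dest_port '21 10100-10110'
	option target 'ACCEPT'

### LAN Rules
# Block DNS redirector
{% for ip in ['1.1.1.1', '1.0.0.1'] %}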
# Body of the loop opened above: one REJECT per listed resolver address, any
# protocol. Rules are evaluated before the zone forwarding policy, so this
# overrides the lan -> wan forwarding below for these destinations.
config rule
	option name 'Deny-OUTPUT-DNS-{{ ip }}'
	option src 'lan'
	option dest 'wan'
	option dest_ip '{{ ip }}'
	option target 'REJECT'
{% endfor %}

## Default configuration
# Policies for traffic that matches no zone. input/output ACCEPT here is only
# reached by interfaces not listed in any zone below; the wan zone itself sets
# input REJECT.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

## Zone configuration
# lan is fully trusted (all three policies ACCEPT).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# dmz and iot are default-deny in every direction; anything they may do is
# granted by an explicit rule above.
config zone
	option name 'dmz'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'dmz'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	list network 'iot'

# wan: router may talk out, nothing comes in unless a rule or redirect allows
# it. masq enables IPv4 NAT; mtu_fix clamps TCP MSS for the PPPoE/tunnel case.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# Inter-zone forwarding is one-way from lan only; dmz -> lan and iot -> lan
# exist solely through the specific rules above.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dmz'

config forwarding
	option src 'lan'
	option dest 'iot'