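## General WAN Rules
# Stock OpenWrt wan input rules: DHCP renew, ping, DHCPv6 and the ICMPv6
# types IPv6 needs (ND/RA). The 'limit' bounds the cost of an ICMPv6 flood.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option src_ip 'fe80::/10'
	option src_port '547'
	option proto 'udp'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option target 'ACCEPT'
	option family 'ipv6'
	option limit '1000/sec'

# Forwarded ICMPv6 (dest '*'): only the error/echo types, no ND/RA.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option target 'ACCEPT'
	option family 'ipv6'
	option limit '1000/sec'

## Deny IPv6 SMTP
# Rejects direct outbound SMTP (25) from lan over IPv6 only; IPv4 lan->wan
# port 25 is still allowed by the lan->wan forwarding at the bottom.
config rule
	option name 'Deny-SMTP'
	option src 'lan'
	option proto 'tcp'
	option dest 'wan'
	option dest_port '25'
	option target 'REJECT'
	option family 'ipv6'

## SSH from VINCI rules
# SSH to the router itself (no dest -> input chain) and to lan hosts
# (dest 'lan' -> forward chain), both limited to the vinci source address.
config rule
	option name 'Allow-Input-SSH-VINCI'
	option src 'wan'
	option src_ip '{{ vinci_ipv6_out }}'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow-SSH-VINCI'
	option src 'wan'
	option src_ip '{{ vinci_ipv6_out }}'
	option proto 'tcp'
	option dest 'lan'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv6'

## Traffic for n0box2 server
# IPv6 reaches n0box2 directly (forward rules); IPv4 is DNATed from the wan
# address to n0box2 (redirect sections). Keep the two port sets in sync.
config rule
	option name 'n0box2-SMTP+SMTPS+SUBMISSION'
	option src 'wan'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '25 465 587'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'n0box2-IMAP+IMAPS'
	option src 'wan'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '143 993'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'n0box2-HTTP+HTTPS'
	option src 'wan'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv6'

# TeamSpeak rules kept disabled (IPv6 forward; IPv4 redirects further down).
#config rule
#	option name 'n0box2-TS-com+com2'
#	option src 'wan'
#	option proto 'tcp'
#	option dest 'lan'
#	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
#	option dest_port '10011 30033'
#	option target 'ACCEPT'
#	option family 'ipv6'

#config rule
#	option name 'n0box2-TS-signal'
#	option src 'wan'
#	option proto 'udp'
#	option dest 'lan'
#	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
#	option dest_port '9987'
#	option target 'ACCEPT'
#	option family 'ipv6'

config rule
	option name 'n0box2-mumble'
	option src 'wan'
	option proto 'tcpudp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '64738'
	option target 'ACCEPT'
	option family 'ipv6'

# IPv4 port forwards (DNAT) to n0box2, one per service port.
config redirect
	option name 'n0box2-SMTP'
	option src 'wan'
	option src_dport '25'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '25'
	option target 'DNAT'

config redirect
	option name 'n0box2-SMTPS'
	option src 'wan'
	option src_dport '465'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '465'
	option target 'DNAT'

config redirect
	option name 'n0box2-SUBMISSION'
	option src 'wan'
	option src_dport '587'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '587'
	option target 'DNAT'

config redirect
	option name 'n0box2-IMAP'
	option src 'wan'
	option src_dport '143'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '143'
	option target 'DNAT'

config redirect
	option name 'n0box2-IMAPS'
	option src 'wan'
	option src_dport '993'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '993'
	option target 'DNAT'

#config redirect
#	option name 'n0box2-TS-com'
#	option src 'wan'
#	option src_dport '10011'
#	option proto 'tcp'
#	option dest 'lan'
#	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
#	option dest_port '10011'
#	option target 'DNAT'

#config redirect
#	option name 'n0box2-TS-com2'
#	option src 'wan'
#	option src_dport '30033'
#	option proto 'tcp'
#	option dest 'lan'
#	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
#	option dest_port '30033'
#	option target 'DNAT'

#config redirect
#	option name 'n0box2-TS-signal'
#	option src 'wan'
#	option src_dport '9987'
#	option proto 'udp'
#	option dest 'lan'
#	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
#	option dest_port '9987'
#	option target 'DNAT'

config redirect
	option name 'n0box2-mumble'
	option src 'wan'
	option src_dport '64738'
	option proto 'tcpudp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '64738'
	option target 'DNAT'

### DMZ Rules
## General Rules
# ICMP
# Three chains, same label: dest only -> router->dmz (output),
# src only -> dmz->router (input), src + dest '*' -> dmz->anywhere (forward).
# The dmz zone defaults to REJECT on all three, so each needs its own rule.
config rule
	option name 'Allow-ICMP'
	option dest 'dmz'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMP'
	option src 'dmz'
	option proto 'icmp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMP'
	option src 'dmz'
	option proto 'icmp'
	option dest '*'
	option target 'ACCEPT'

# DHCP rules
# Router<->dmz DHCP in both directions. DHCP itself is UDP only; 'tcpudp'
# also opens TCP 67-68, which nothing here needs -- 'udp' would be tighter.
config rule
	option name 'Allow-DMZ-DHCP'
	option dest 'dmz'
	option dest_port '67-68'
	option proto 'tcpudp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DMZ-DHCP'
	option src 'dmz'
	option proto 'tcpudp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

# DNS Resolution
# dmz hosts may query the router's resolver (IPv4 only as written).
config rule
	option name 'Allow-INPUT-DNS'
	option src 'dmz'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'
	option family 'ipv4'

# NTP
config rule
	option name 'Allow-OUTPUT-NTP'
	option src 'dmz'
	option proto 'udp'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

# Web traffic OUT
config rule
	option name 'Allow-OUTPUT-Web'
	option src 'dmz'
	option proto 'tcpudp'
	option dest 'wan'
	option dest_port '80 443'
	option target 'ACCEPT'

# SSH traffic IN
# NOTE(review): no src_ip and no dest_ip -- port 22 on every dmz host is
# reachable from any IPv6 source on wan. The lan SSH rules above are pinned
# to vinci_ipv6_out; consider the same restriction here.
config rule
	option name 'Allow-INPUT-SSH'
	option src 'wan'
	option proto 'tcp'
	option dest 'dmz'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv6'

# Allow traffic to n0box2
# Mail/web ports from dmz to n0box2 on lan, one rule per address family.
config rule
	option name 'Allow-OUTPUT-to-n0box2'
	option src 'dmz'
	option proto 'tcpudp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '25 26 80 443 465 587 143 993'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-OUTPUT-to-n0box2'
	option src 'dmz'
	option proto 'tcpudp'
	option dest 'lan'
	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '25 26 80 443 465 587 143 993'
	option target 'ACCEPT'
	option family 'ipv6'

## Specific rules
# Allow IPv4 Web traffic IN
# IPv4 80/443 is DNATed to the haproxy host; IPv6 goes to each webserver.
config redirect
	option name 'Allow-INPUT-v4-HTTP'
	option src 'wan'
	option src_dport '80'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '80'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-v4-HTTPS'
	option src 'wan'
	option src_dport '443'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '443'
	option target 'DNAT'

# Allow Web traffic IN
# One IPv6 forward rule per host in the 'webservers' inventory group.
{% for host in groups['webservers'] %}
config rule
	option name 'Allow-INPUT-{{ host }}-Web'
	option src 'wan'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv6'
{% endfor %}

# Allow traffic to and from bt.dmz.mateu.be
# Outbound: any port from the bt host to wan. Inbound: 10010 only.
config rule
	option name 'Allow-OUTPUT-BT'
	option src 'dmz'
	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option proto 'tcpudp'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-OUTPUT-BT'
	option src 'dmz'
	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
	option proto 'tcpudp'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow-INPUT-BT'
	option src 'wan'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '10010'
	option target 'ACCEPT'
	option family 'ipv6'

config redirect
	option name 'Allow-INPUT-BT'
	option src 'wan'
	option src_dport '10010'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '10010'
	option target 'DNAT'

# Allow traffic to Proxmox VE interface
# NOTE(review): the management UI (8006) of every hypervisor is open to any
# IPv6 source on wan; a src_ip restriction would match the SSH rules above.
{% for host in groups['hypervisors'] %}
config rule
	option name 'Allow-INPUT-ProxmoxVE-{{ hostvars[host]['ansible_hostname'] }}'
	option src 'wan'
	option proto 'tcp'
	option dest 'dmz'
	option dest_ip '{{ hostvars[host]['ansible_default_ipv6']['address'] }}'
	option dest_port '8006'
	option target 'ACCEPT'
	option family 'ipv6'
{% endfor %}

# Allow SMTP traffic from mail
config rule
	option name 'Allow-OUTPUT-SMTP'
	option src 'dmz'
	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option proto 'tcp'
	option dest 'wan'
	# Fixed from 'dst_port', which is not a firewall rule option: the port
	# match was dropped and the rule accepted all TCP from the mail host.
	option dest_port '25'
	option target 'ACCEPT'
	option family 'ipv4'

# Allow XMPP traffic
# s2s (5269) outbound from the jabber host; c2s/s2s inbound via DNAT for
# IPv4 and a forward rule for IPv6.
config rule
	option name 'Allow-OUTPUT-XMPP-s2s'
	option src 'dmz'
	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address']}}'
	option proto 'tcpudp'
	option dest 'wan'
	option dest_port '5269'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-OUTPUT-XMPP-s2s'
	option src 'dmz'
	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
	option proto 'tcpudp'
	option dest 'wan'
	option dest_port '5269'
	option target 'ACCEPT'
	option family 'ipv6'

config redirect
	option name 'Allow-INPUT-XMPP-c2s'
	option src 'wan'
	option src_dport '5222'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '5222'
	option target 'DNAT'

config redirect
	option name 'Allow-INPUT-XMPP-s2s'
	option src 'wan'
	option src_dport '5269'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
	option dest_port '5269'
	option target 'DNAT'

config rule
	option name 'Allow-INPUT-XMPP-c2s+s2s'
	option src 'wan'
	option proto 'tcpudp'
	option dest 'dmz'
	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
	option dest_port '5222 5269'
	option target 'ACCEPT'
	option family 'ipv6'

## Default configuration
# Policies for traffic not covered by a zone below; every zone here sets
# its own input/output/forward, so these mostly apply to unzoned interfaces.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

## Zone configuration
# lan: fully open. dmz: REJECT everything unless a rule above allows it.
# wan: bound to the 'vpn' network, so all 'wan' rules above apply to the
# VPN uplink; masq/mtu_fix make it the NAT egress.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'dmz'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option network 'dmz'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'vpn'
	option masq '1'
	option mtu_fix '1'

# lan may initiate to wan and dmz; there is deliberately no dmz->lan
# forwarding beyond the explicit n0box2 rules above.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dmz'

config include
	option path '/etc/firewall.user'

# NOTE(review): miniupnpd lets lan hosts open wan ports on their own;
# its include runs outside the rules written here, so audit it separately.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'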