Zone-based firewall settings for a Ubiquiti EdgeRouter (EdgeOS CLI batch; assumes eth0 = WAN, eth1 = LAN)
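# Zone-based firewall for a Ubiquiti EdgeRouter (EdgeOS configuration CLI).
# Based on http://www.forshee.me/2016/03/02/ubiquiti-edgerouter-lite-setup-part-2-firewall-setup.html
#
# Assumptions hard-coded below (adjust before running):
#   eth0 = WAN, eth1 = LAN.  On models where the LAN is a switch (e.g. switch0)
#   or spans several ports, list every LAN interface in zone LAN: an interface
#   that belongs to no zone can not exchange traffic with any zone at all.
#   The final `delete` lines remove the stock interface-based WAN_IN/WAN_LOCAL
#   rule sets, so run this from the serial/console session or use
#   commit-confirm (where the firmware supports it) so a typo can not lock you
#   out of the router over SSH.  Nothing in this script is committed or saved.
#
# Rule-set naming:
#   allow-est-drop-inv(-6)  accept established/related, drop+log invalid,
#                           drop+log everything else (used WAN -> LAN/local)
#   allow-all(-6)           same as above but default accept (trusted directions)
#   lan-local(-6)           allow-est-drop-inv plus the services the LAN may
#                           open towards the router itself
configure
edit firewall name allow-est-drop-inv
set default-action drop
# Log default-action drops so blocked WAN traffic shows up in the firewall log.
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
top
edit firewall ipv6-name allow-est-drop-inv-6
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
# IPv6 needs ICMPv6 (neighbour discovery, router advertisements, path-MTU
# errors) even from the WAN side, so it is accepted here.  This admits every
# ICMPv6 type; narrow it with `set rule 100 icmpv6 type ...` if you want to
# restrict inbound echo-request and friends.
set rule 100 action accept
set rule 100 protocol ipv6-icmp
top
edit firewall
copy name allow-est-drop-inv to name allow-all
set name allow-all default-action accept
# Default-accept rule sets would log every packet; keep the log quiet.
delete name allow-all enable-default-log
top
edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name allow-all-6
set ipv6-name allow-all-6 default-action accept
delete ipv6-name allow-all-6 enable-default-log
top
edit firewall
copy name allow-est-drop-inv to name lan-local
edit name lan-local
# ICMP from the LAN only; IPv4 ICMP from the WAN stays dropped (ICMP error
# messages for existing flows still pass via the `related` state in rule 1).
set rule 100 action accept
set rule 100 protocol icmp
# Router web GUI.
set rule 200 description "Allow HTTP/HTTPS"
set rule 200 action accept
set rule 200 destination port 80,443
set rule 200 protocol tcp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 67,68
set rule 700 protocol udp
# SSH is open to every LAN host.  Consider limiting it with a `source address`
# match and/or `recent count`/`recent time` to slow password guessing if the
# LAN is not fully trusted.
set rule 800 description "Allow SSH"
set rule 800 action accept
set rule 800 destination port 22
set rule 800 protocol tcp
top
edit firewall
# The copy brings rule 100 (accept ipv6-icmp) along, so no separate ICMPv6
# rule is needed for LAN -> local.
copy ipv6-name allow-est-drop-inv-6 to ipv6-name lan-local-6
edit ipv6-name lan-local-6
set rule 200 description "Allow HTTP/HTTPS"
set rule 200 action accept
set rule 200 destination port 80,443
set rule 200 protocol tcp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
# DHCPv6 does not use the IPv4 ports 67/68: clients send to UDP 547 (server/
# relay) and receive on UDP 546.  Using 67,68 here would silently break a
# DHCPv6 server or relay on the router.  Harmless if the LAN uses SLAAC only.
set rule 700 description "Allow DHCPv6"
set rule 700 action accept
set rule 700 destination port 546,547
set rule 700 protocol udp
set rule 800 description "Allow SSH"
set rule 800 action accept
set rule 800 destination port 22
set rule 800 protocol tcp
top
edit zone-policy zone local
set default-action drop
# `local` is the router itself (its own listening services).
set local-zone
#WAN to local: Allow only traffic for established connections (plus ICMPv6 on v6).
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
#LAN to local: Allow traffic for established connections.
#Also allow new ICMP, DHCP, DNS, ssh, and HTTP/HTTPS connections.
set from LAN firewall name lan-local
set from LAN firewall ipv6-name lan-local-6
top
edit zone-policy zone LAN
set default-action drop
# Add every LAN-side interface here (e.g. `set interface switch0` on an ER-X).
set interface eth1
#WAN to LAN: Allow only traffic for established connections.
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
#local to LAN: Drop invalid state packets, allow all other traffic.
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top
edit zone-policy zone WAN
set default-action drop
set interface eth0
#local to WAN: Drop invalid state packets, allow all other traffic.
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
#LAN to WAN: Drop invalid state packets, allow all other traffic.
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top
# Retire the stock interface-bound rule sets; the zone policy above replaces
# them.  Until `commit` these deletes are pending only, so review with
# `compare` first, then `commit` (or `commit-confirm`), `save`, `exit`.
delete interfaces ethernet eth0 firewall
delete firewall name WAN_IN
delete firewall name WAN_LOCAL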