firewall {
global-options {
state-policy {
established {
action "accept"
}
related {
action "accept"
}
}
}
ipv4 {
name lan2local {
default-action "accept"
}
name lan2wan {
default-action "accept"
}
name local2lan {
default-action "accept"
}
name local2wan {
default-action "accept"
}
name wan2lan {
default-action "drop"
default-log
rule 100 {
action "accept"
description "Allow HTTP and HTTPS to lan"
destination {
port "http,https"
}
protocol "tcp"
}
rule 200 {
action "accept"
protocol "icmp"
}
}
name wan2local {
default-action "drop"
default-log
rule 100 {
action "accept"
description "Allow HTTP and HTTPS"
destination {
port "http,https"
}
protocol "tcp"
}
}
}
ipv6 {
forward {
filter {
rule 100 {
action "jump"
inbound-interface {
name "pppoe0"
}
jump-target "wan2lan"
}
}
}
input {
filter {
rule 100 {
action "jump"
inbound-interface {
name "pppoe0"
}
jump-target "wan2local"
}
}
}
name lan2local {
default-action "accept"
}
name lan2wan {
default-action "accept"
}
name local2lan {
default-action "accept"
}
name local2wan {
default-action "accept"
}
name wan2lan {
rule 100 {
action "accept"
description "Allow HTTP and HTTPS to lan"
destination {
port "http,https"
}
protocol "tcp"
}
rule 200 {
action "accept"
protocol "ipv6-icmp"
}
}
name wan2local {
rule 200 {
action "accept"
protocol "ipv6-icmp"
}
rule 300 {
action "accept"
destination {
port "546"
}
protocol "udp"
source {
port "547"
}
}
}
}
zone lan {
from local {
firewall {
ipv6-name "local2lan"
name "local2lan"
}
}
from wan {
firewall {
ipv6-name "wan2lan"
name "wan2lan"
}
}
interface "eth1"
}
zone local {
from lan {
firewall {
ipv6-name "lan2local"
name "lan2local"
}
}
from wan {
firewall {
ipv6-name "wan2local"
name "wan2local"
}
}
local-zone
}
zone wan {
from lan {
firewall {
ipv6-name "lan2wan"
name "lan2wan"
}
}
from local {
firewall {
ipv6-name "local2wan"
name "local2wan"
}
}
interface "pppoe0"
}
}
interfaces {
ethernet eth0 {
hw-id "00:e0:67:2c:81:b4"
offload {
gro
gso
sg
tso
}
}
ethernet eth1 {
address "10.0.0.254/24"
hw-id "00:e0:67:2c:81:b5"
offload {
gro
gso
sg
tso
}
}
ethernet eth2 {
hw-id "00:e0:67:2c:81:b6"
offload {
gro
gso
sg
tso
}
}
ethernet eth3 {
hw-id "00:e0:67:2c:81:b7"
offload {
gro
gso
sg
tso
}
}
loopback lo {
}
pppoe pppoe0 {
authentication {
password "CVDQ72qfcB"
username "prem-vdsl.de/12006575-1%11"
}
dhcpv6-options {
pd 0 {
interface eth1 {
address "100"
}
}
}
ipv6 {
address {
autoconf
}
}
source-interface "eth0"
}
}
nat {
destination {
rule 100 {
description "wan to k8s"
destination {
port "http,https"
}
inbound-interface {
name "pppoe0"
}
protocol "tcp"
translation {
address "10.0.1.0"
}
}
}
source {
rule 100 {
description "nat for internet at home"
outbound-interface {
name "pppoe0"
}
source {
address "10.0.0.0/24"
}
translation {
address "masquerade"
}
}
}
}
protocols {
static {
route 10.0.1.0/24 {
next-hop 10.0.0.253 {
interface "eth1"
}
}
}
}
service {
dhcp-server {
hostfile-update
shared-network-name home.stinnesbeck.com {
authoritative
option {
domain-name "home.stinnesbeck.com"
}
subnet 10.0.0.0/24 {
option {
default-router "10.0.0.254"
name-server "10.0.0.254"
}
range clients {
start "10.0.0.100"
stop "10.0.0.199"
}
static-mapping nils-sy-nas {
ip-address "10.0.0.250"
mac "00:11:32:dd:2f:2b"
}
static-mapping talos-50m-nc7 {
description "Kubernetes Laptop Lenovo"
ip-address "10.0.0.253"
mac "54:e1:ad:75:c8:04"
}
subnet-id "1"
}
}
}
dns {
forwarding {
allow-from "10.0.0.0/24"
allow-from "127.0.0.0/8"
authoritative-domain stinnesbeck.com {
records {
a ci {
address "10.0.1.0"
}
a git {
address "10.0.1.0"
}
a jellyfin {
address "10.0.1.0"
}
a pw {
address "10.0.1.0"
}
a traefik {
address "10.0.1.0"
}
}
}
listen-address "10.0.0.254"
listen-address "127.0.0.1"
system
}
}
ntp {
allow-client {
address "127.0.0.0/8"
address "169.254.0.0/16"
address "10.0.0.0/8"
address "172.16.0.0/12"
address "192.168.0.0/16"
address "::1/128"
address "fe80::/10"
address "fc00::/7"
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
router-advert {
interface eth1 {
link-mtu "1492"
prefix ::/64 {
valid-lifetime "172800"
}
}
}
ssh {
port "22"
}
}
system {
config-management {
commit-archive {
location "git+https://nils:0013d29811ffb7ee783bf7c581b3fd0a87a0936f@git.stinnesbeck.com/nils/vyos_config"
}
commit-revisions "100"
}
console {
device ttyS0 {
speed "115200"
}
}
host-name "vyos"
login {
user nils {
authentication {
encrypted-password "$6$rounds=656000$rsZk8wL54kEl9FOC$GyN9J0WKcrqOHn1ehs63/jSjcbwRBYHQvHKn2JfCYAWuKAT4C6rTGb56U7iBuAUpBplzPLkDlH34S1bK6gkcJ1"
public-keys nils {
key "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"
type "ssh-rsa"
}
}
}
}
name-server "127.0.0.1"
name-server "1.0.0.1"
name-server "1.1.1.1"
syslog {
global {
facility all {
level "info"
}
facility local7 {
level "debug"
}
}
}
}
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@17:flow-accounting@1:https@7:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@3:quagga@11:reverse-proxy@2:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@28:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-rolling-202411270007