sax-rgs-gw-core01: add config tree
parent
3ec08cb017
commit
fe8d3b5dec
|
@ -0,0 +1,53 @@
|
|||
|
||||
config dnsmasq
|
||||
option domainneeded '1'
|
||||
option boguspriv '1'
|
||||
option filterwin2k '0'
|
||||
option localise_queries '1'
|
||||
option rebind_protection '0'
|
||||
option rebind_localhost '1'
|
||||
option local '/lan/'
|
||||
option domain 'lan'
|
||||
option expandhosts '1'
|
||||
option nonegcache '0'
|
||||
option authoritative '1'
|
||||
option readethers '1'
|
||||
option leasefile '/etc/dhcp.leases'
|
||||
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
|
||||
option nonwildcard '1'
|
||||
option localservice '1'
|
||||
option ednspacket_max '1232'
|
||||
|
||||
config dhcp 'mgmt'
|
||||
option interface 'mgmt'
|
||||
option start '100'
|
||||
option limit '150'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'backoffice'
|
||||
option interface 'backoffice'
|
||||
option start '100'
|
||||
option limit '150'
|
||||
option leasetime '12h'
|
||||
option dhcpv4 'server'
|
||||
option dhcpv6 'server'
|
||||
option ra 'server'
|
||||
option ra_slaac '1'
|
||||
list ra_flags 'managed-config'
|
||||
list ra_flags 'other-config'
|
||||
|
||||
config dhcp 'wan'
|
||||
option interface 'wan'
|
||||
option ignore '1'
|
||||
|
||||
config odhcpd 'odhcpd'
|
||||
option maindhcp '0'
|
||||
option leasefile '/tmp/hosts/odhcpd'
|
||||
option leasetrigger '/usr/sbin/odhcpd-update'
|
||||
option loglevel '4'
|
|
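Review bot: `option rebind_protection '0'` under `config dnsmasq` switches off dnsmasq's rebind filtering for every client of the mgmt and backoffice pools, so an upstream answer that points at an RFC1918 or loopback address is handed to the client unchanged, which is exactly what DNS-rebinding attacks rely on; the `rebind_localhost '1'` on the following line appears to be a sub-option of that switch and does nothing while it is off. If some internal zone legitimately resolves to private addresses, keep protection on and exempt only that zone: `option rebind_protection '1'` plus `list rebind_domain '<internal-zone>'`. If the protection really is meant to be off, the reason deserves a comment next to the line, e.g. `# rebind_protection deliberately off: <reason>`, because the shipped default is on and a later reader will otherwise revert it.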
@ -0,0 +1,282 @@
|
|||
config defaults
|
||||
option syn_flood 1
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
# Uncomment this line to disable ipv6 rules
|
||||
# option disable_ipv6 1
|
||||
|
||||
config zone
|
||||
option name mgmt
|
||||
list network 'mgmt'
|
||||
option input ACCEPT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config zone
|
||||
option name backoffice
|
||||
list network 'backoffice'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
|
||||
config rule
|
||||
option name From-Any-Allow-SSH
|
||||
option src *
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-SSH
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_port 22
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-ICMP
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto icmp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Prometheus
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_port 9100
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Into-MGMT-Allow-Prometheus-WebGUI-On-monitoring01
|
||||
option src *
|
||||
option dest mgmt
|
||||
option proto tcp
|
||||
option dest_ip 10.84.1.51
|
||||
option dest_port 9090
|
||||
option target ACCEPT
|
||||
|
||||
config zone
|
||||
option name wan
|
||||
list network 'wan'
|
||||
list network 'wan6'
|
||||
option input REJECT
|
||||
option output ACCEPT
|
||||
option forward REJECT
|
||||
option masq 1
|
||||
option mtu_fix 1
|
||||
|
||||
config forwarding
|
||||
option src mgmt
|
||||
option dest wan
|
||||
|
||||
config forwarding
|
||||
option src backoffice
|
||||
option dest wan
|
||||
|
||||
# We need to accept udp packets on port 68,
|
||||
# see https://dev.openwrt.org/ticket/4108
|
||||
config rule
|
||||
option name Allow-DHCP-Renew
|
||||
option src wan
|
||||
option proto udp
|
||||
option dest_port 68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
# Allow IPv4 ping
|
||||
config rule
|
||||
option name Allow-Ping
|
||||
option src *
|
||||
option proto icmp
|
||||
option icmp_type echo-request
|
||||
option family ipv4
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-IGMP
|
||||
option src wan
|
||||
option proto igmp
|
||||
option family ipv4
|
||||
option target ACCEPT
|
||||
|
||||
# Allow DHCPv6 replies
|
||||
# see https://dev.openwrt.org/ticket/10381
|
||||
config rule
|
||||
option name Allow-DHCPv6
|
||||
option src wan
|
||||
option proto udp
|
||||
option src_ip fc00::/6
|
||||
option dest_ip fc00::/6
|
||||
option dest_port 546
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-MLD
|
||||
option src wan
|
||||
option proto icmp
|
||||
option src_ip fe80::/10
|
||||
list icmp_type '130/0'
|
||||
list icmp_type '131/0'
|
||||
list icmp_type '132/0'
|
||||
list icmp_type '143/0'
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Allow essential incoming IPv6 ICMP traffic
|
||||
config rule
|
||||
option name Allow-ICMPv6-Input
|
||||
option src wan
|
||||
option proto icmp
|
||||
list icmp_type echo-request
|
||||
list icmp_type echo-reply
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
list icmp_type router-solicitation
|
||||
list icmp_type neighbour-solicitation
|
||||
list icmp_type router-advertisement
|
||||
list icmp_type neighbour-advertisement
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Allow essential forwarded IPv6 ICMP traffic
|
||||
config rule
|
||||
option name Allow-ICMPv6-Forward
|
||||
option src wan
|
||||
option dest *
|
||||
option proto icmp
|
||||
list icmp_type echo-request
|
||||
list icmp_type echo-reply
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-IPSec-ESP
|
||||
option src wan
|
||||
option dest backoffice
|
||||
option proto esp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name Allow-ISAKMP
|
||||
option src wan
|
||||
option dest backoffice
|
||||
option dest_port 500
|
||||
option proto udp
|
||||
option target ACCEPT
|
||||
|
||||
config rule
|
||||
option name WAN_Allow-SSH
|
||||
option src wan
|
||||
option dest_port 22
|
||||
option proto tcp
|
||||
option target ACCEPT
|
||||
|
||||
# allow interoperability with traceroute classic
|
||||
# note that traceroute uses a fixed port range, and depends on getting
|
||||
# back ICMP Unreachables. if we're operating in DROP mode, it won't
|
||||
# work so we explicitly REJECT packets on these ports.
|
||||
config rule
|
||||
option name Support-UDP-Traceroute
|
||||
option src wan
|
||||
option dest_port 33434:33689
|
||||
option proto udp
|
||||
option family ipv4
|
||||
option target REJECT
|
||||
option enabled false
|
||||
|
||||
config rule
|
||||
option name BACKOFFICE_Allow-DHCP
|
||||
option src backoffice
|
||||
option proto udp
|
||||
option dest_port 67-68
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
config rule
|
||||
option name BACKOFFICE_Allow-DNS
|
||||
option src backoffice
|
||||
option proto udp
|
||||
option dest_port 53
|
||||
option target ACCEPT
|
||||
option family ipv4
|
||||
|
||||
|
||||
# include a file with users custom iptables rules
|
||||
config include
|
||||
option path /etc/firewall.user
|
||||
|
||||
|
||||
### EXAMPLE CONFIG SECTIONS
|
||||
# do not allow a specific ip to access wan
|
||||
#config rule
|
||||
# option src mgmt
|
||||
# option src_ip 192.168.45.2
|
||||
# option dest wan
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
# block a specific mac on wan
|
||||
#config rule
|
||||
# option dest wan
|
||||
# option src_mac 00:11:22:33:44:66
|
||||
# option target REJECT
|
||||
|
||||
# block incoming ICMP traffic on a zone
|
||||
#config rule
|
||||
# option src mgmt
|
||||
# option proto ICMP
|
||||
# option target DROP
|
||||
|
||||
# port redirect port coming in on wan to lan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 80
|
||||
# option dest lan
|
||||
# option dest_ip 192.168.16.235
|
||||
# option dest_port 80
|
||||
# option proto tcp
|
||||
|
||||
# port redirect of remapped ssh port (22001) on wan
|
||||
#config redirect
|
||||
# option src wan
|
||||
# option src_dport 22001
|
||||
# option dest lan
|
||||
# option dest_port 22
|
||||
# option proto tcp
|
||||
|
||||
### FULL CONFIG SECTIONS
|
||||
#config rule
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 80
|
||||
# option dest wan
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
||||
# option target REJECT
|
||||
|
||||
#config redirect
|
||||
# option src lan
|
||||
# option src_ip 192.168.45.2
|
||||
# option src_mac 00:11:22:33:44:55
|
||||
# option src_port 1024
|
||||
# option src_dport 80
|
||||
# option dest_ip 194.25.2.129
|
||||
# option dest_port 120
|
||||
# option proto tcp
|
|
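Review bot: SSH to the router itself is accepted from every zone, WAN included, by both `From-Any-Allow-SSH` (`option src *` with no `dest`, port 22) and `WAN_Allow-SSH`, and `Into-MGMT-Allow-SSH` additionally forwards port 22 from any zone into every host of the mgmt network, so credential strength is the only control between the internet and management SSH. The same `src *` / `dest mgmt` pattern exposes node-exporter on 9100 to every zone and the Prometheus UI on 10.84.1.51:9090, neither of which authenticates by default. Unless internet-reachable SSH is intended, scope these rules to the trusted side, e.g. `option src mgmt` or `list src_ip '<admin-prefix>'`, drop the redundant `WAN_Allow-SSH`, and if WAN SSH has to stay, rate-limit it with `option limit '<rate>'` the way the ICMPv6 rules already do. Separately, `option dest_ip 10.84.1.51` lies outside the 10.86.1.0/24 that the network file assigns to the mgmt interface, so that rule may never match as written; worth confirming which prefix monitoring01 actually lives on.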
@ -0,0 +1,97 @@
|
|||
|
||||
config interface 'loopback'
|
||||
option device 'lo'
|
||||
option proto 'static'
|
||||
option ipaddr '127.0.0.1'
|
||||
option netmask '255.0.0.0'
|
||||
|
||||
config globals 'globals'
|
||||
option packet_steering '1'
|
||||
|
||||
config device 'switch'
|
||||
option name 'switch'
|
||||
option type 'bridge'
|
||||
option vlan_filtering 1
|
||||
list ports 'eth0'
|
||||
list ports 'eth1'
|
||||
list ports 'eth2'
|
||||
list ports 'eth3'
|
||||
list ports 'eth4'
|
||||
list ports 'eth5'
|
||||
list ports 'eth6'
|
||||
list ports 'eth7'
|
||||
|
||||
config bridge-vlan 'mgmt_vlan'
|
||||
option vlan '1'
|
||||
option device 'switch'
|
||||
list ports 'eth1:u*'
|
||||
list ports 'eth2:u*'
|
||||
list ports 'eth3:u*'
|
||||
list ports 'eth4:u*'
|
||||
list ports 'eth5:u*'
|
||||
list ports 'eth6:u*'
|
||||
list ports 'eth7:u*'
|
||||
|
||||
config bridge-vlan 'clients_vlan'
|
||||
option vlan '2'
|
||||
option device 'switch'
|
||||
list ports 'eth1:t'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
list ports 'eth4:t'
|
||||
list ports 'eth5:t'
|
||||
list ports 'eth6:t'
|
||||
list ports 'eth7:t'
|
||||
|
||||
config bridge-vlan 'wan_vlan'
|
||||
option vlan '3'
|
||||
option device 'switch'
|
||||
list ports 'eth0:u*'
|
||||
|
||||
config bridge-vlan 'backoffice_vlan'
|
||||
option vlan '8'
|
||||
option device 'switch'
|
||||
list ports 'eth1:t'
|
||||
list ports 'eth2:t'
|
||||
list ports 'eth3:t'
|
||||
list ports 'eth4:t'
|
||||
list ports 'eth5:t'
|
||||
list ports 'eth6:t'
|
||||
list ports 'eth7:t'
|
||||
|
||||
config interface 'mgmt'
|
||||
option device 'switch.1'
|
||||
option proto 'static'
|
||||
option ipaddr '10.86.1.1'
|
||||
option netmask '255.255.255.0'
|
||||
|
||||
config interface 'wan'
|
||||
option device 'switch.3'
|
||||
option proto 'dhcp'
|
||||
|
||||
config interface 'wan6'
|
||||
option device 'switch.3'
|
||||
option proto 'dhcpv6'
|
||||
|
||||
config interface 'backoffice'
|
||||
option device 'switch.8'
|
||||
option proto 'static'
|
||||
option ipaddr '10.86.8.1'
|
||||
option netmask '255.255.255.0'
|
||||
|
||||
config interface 'wg0'
|
||||
option proto 'wireguard'
|
||||
option private_key "{{ lookup('passwordstore', 'wg/wg0/gw-core01') }}"
|
||||
option listen_port 51820
|
||||
option mtu 1350
|
||||
list addresses '10.84.254.1/31'
|
||||
option disabled '1'
|
||||
|
||||
config wireguard_wg0 'eap_adp_jump01'
|
||||
option public_key "{{ lookup('passwordstore', 'wg/wg0/eae-adp-jump01.pub') }}"
|
||||
option preshared_key "{{ lookup('passwordstore', 'wg/wg0/psk') }}"
|
||||
option endpoint_host '162.55.53.85'
|
||||
option endpoint_port '51820'
|
||||
option route_allowed_ips '0'
|
||||
option persistent_keepalive 15
|
||||
list allowed_ips '0.0.0.0/0'
|
|
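Review bot: the `wg0` peer section `eap_adp_jump01` carries `list allowed_ips '0.0.0.0/0'`, so once the tunnel is enabled (it is committed with `option disabled '1'`) WireGuard will accept packets with any source address from that peer, and wg0 is not listed in any zone of the firewall file, which leaves the handling of that traffic to the global `defaults` policy instead of an explicit decision. When the interface is switched on it should get a zone of its own with a deliberate input/forward policy (the ospfd file expects OSPF, IP protocol 89, to reach this router over wg0), and unless the jump host is meant to be a transit for arbitrary sources the allowed-ips should be narrowed to the prefixes it is expected to originate. Two smaller points: the section name `eap_adp_jump01` and its key path `wg/wg0/eae-adp-jump01.pub` disagree (`eap` vs `eae`), so one of them is presumably a typo, and `option vlan_filtering 1` is the only unquoted value in the bridge section — `option vlan_filtering '1'` would match the surrounding style.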
@ -0,0 +1,16 @@
|
|||
password zebra
|
||||
!
|
||||
router ospf
|
||||
redistribute connected
|
||||
!
|
||||
log syslog
|
||||
!
|
||||
interface wg0
|
||||
ip ospf area 0
|
||||
ip ospf network point-to-point
|
||||
!
|
||||
access-list vty permit 127.0.0.0/8
|
||||
access-list vty deny any
|
||||
!
|
||||
line vty
|
||||
access-class vty
|