This is 100% asking for someone to spend (waste) time looking at my config just to tell me where I messed up, or if it looks good. I’m just starting to use zones, so I’m still in the process of getting all that converted.
So, if someone has some time they want to waste looking over a very boring and simple vyos config, I sure would appreciate it.
On that note, and unrelated to this individual post, I just wanted to say it sure is nice to see an online community that isn’t just a dungeon filled with trolls. It’s a rare thing these days…
Anyway, this is my vyos config. Other than the questions I’ve had answered here, I’ve been casually learning more and more of the network/firewall/security side of things after a significant amount of time in the sysadmin/server infrastructure side of things. So, it’s important to me that I do this right. Not for any work related things at this point, but just so I understand more about it.
Tear it apart if needed. I’m open to all input.
TIA, again and aagain…
vyos@vyos# show
[?1h =
firewall {
all-ping enable
broadcast-ping disable
group {
address-group ALL-INSIDE {
address 10.10.18.1-10.10.18.255
address 10.10.19.1-10.10.19.255
address 10.10.20.1-10.10.20.255
description "All inside snetworks"
}
port-group MAILPORTS {
port 25
port 80
port 465
port 587
port 443
}
port-group MINECRAFT-PORTS {
port 25565
}
port-group WEB-PORTS {
port 80
port 443
}
port-group WOW-PORTS {
port 3724
port 8085
port 8086
}
}
name INSIDE-OUT {
default-action accept
rule 5001 {
action accept
source {
group {
address-group ALL-INSIDE
}
}
state {
established enable
new enable
related enable
:
}
}
}
name OUTSIDE-IN {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 1801 {
action accept
destination {
address 10.10.18.5
group {
port-group MAILPORTS
}
}
log enable
protocol tcp
state {
established enable
new enable
related enable
}
}
rule 1901 {
action accept
description WEB-IN
destination {
address 10.10.19.60
group {
port-group WEB-PORTS
}
}
protocol tcp
state {
new enable
}
}
rule 2001 {
:
action accept
description MINECRAFT
destination {
address 10.10.20.150
group {
port-group MINECRAFT-PORTS
}
}
protocol tcp_udp
state {
new enable
}
}
}
name OUTSIDE-LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
destination {
address 192.168.254.140
port 2200
}
protocol tcp
state {
new enable
}
}
}
}
interfaces {
ethernet eth0 {
address 192.168.254.139/29
address 192.168.254.140/29
address 192.168.254.141/29
hw-id 00:0c:29:4c:7b:d3
}
:
ethernet eth1 {
hw-id 00:0c:29:4c:7b:dd
vif 18 {
address 10.10.18.1/24
}
vif 19 {
address 10.10.19.1/24
}
vif 20 {
address 10.10.20.1/24
}
}
loopback lo {
}
}
nat {
destination {
rule 1801 {
destination {
address 192.168.254.139
port 25,80,465,443,587
}
inbound-interface eth0
protocol tcp
translation {
address 10.10.18.5
}
}
rule 1901 {
description "Web-services - Outside to rproxy"
destination {
address 192.168.254.140
port 80,443
}
inbound-interface eth0
protocol tcp
translation {
address 10.10.19.60
}
}
rule 2001 {
destination {
address 192.168.254.141
:
port 25565
}
inbound-interface eth0
protocol tcp_udp
translation {
address 10.10.20.150
}
}
}
source {
rule 1801 {
outbound-interface eth0
source {
address 10.10.18.0/24
}
translation {
address 192.168.254.139
}
}
rule 1901 {
outbound-interface eth0
source {
address 10.10.19.0/24
}
translation {
address 192.168.254.140
}
}
rule 2001 {
outbound-interface eth0
source {
address 10.10.20.0/24
}
translation {
address 192.168.254.141
}
}
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.254.137 {
:
}
}
}
}
service {
ssh {
port 2200
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
user vyos {
authentication {
encrypted-password superdupersecretpassword
plaintext-password ""
}
}
}
name-server 1.1.1.1
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
:
level debug
}
}
}
time-zone America/Chicago
}
zone-policy {
zone INSIDE {
from OUTSIDE {
firewall {
name OUTSIDE-IN
}
}
interface eth1
interface eth1.18
interface eth1.19
interface eth1.20
}
zone OUTSIDE {
default-action drop
from INSIDE {
firewall {
name INSIDE-OUT
}
}
interface eth0
}
zone OUTSIDE-LOCAL {
from OUTSIDE {
firewall {
name OUTSIDE-LOCAL
}
}
local-zone
}
}
[edit]