Hi all,
I want to try DNS-based (domain-group) firewall rules.
Somehow I cannot get a rule for the INSIDE interface to work. Could anyone help me?
See this post on GitHub.
Is that the right way to do it?
set firewall name INSIDE-OUT rule 10 destination group domain-group myadgroup
/* Firewall configuration as posted; review notes are added as comments only, no node was changed. */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
/* NOTE(review): a domain-group is matched on the addresses the router itself resolves for the name (using the system name-server 10.10.10.16 below), not on the clients' DNS lookups. Confirm that router and clients resolve company.example.com to the same addresses, and that the name does not map to a large/rotating address set. */
domain-group myadgroup {
address company.example.com
}
}
interface eth0 {
in {
name OUTSIDE-IN
}
local {
name OUTSIDE-LOCAL
}
}
interface eth1 {
/* NOTE(review): `out` on eth1 applies to packets the router forwards out of eth1, i.e. towards the 192.168.0.0/24 LAN. Traffic that LAN hosts send to company.example.com enters the router on eth1, which is what an `in` ruleset on eth1 (or `out` on eth0) would see -- this looks like the reason rule 10 never matches; confirm. */
out {
name INSIDE-OUT
}
}
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Ruleset meant for LAN traffic; everything not explicitly dropped is accepted. */
name INSIDE-OUT {
default-action accept
/* Drops only NEW connections whose destination resolves to the domain group; already tracked connections are unaffected. */
rule 10 {
action drop
destination {
group {
domain-group myadgroup
}
}
state {
new enable
}
}
/* Redundant with default-action accept, but harmless. */
rule 20 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
}
/* Forwarded traffic arriving on eth0 (OUTSIDE): only replies and ICMP get through. */
name OUTSIDE-IN {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
/* NOTE(review): accepts every ICMP type as a new flow into the LAN, while OUTSIDE-LOCAL rule 20 limits itself to echo-request; consider adding the same `icmp type-name echo-request` restriction here. */
rule 20 {
action accept
protocol icmp
state {
new enable
}
}
}
/* Traffic addressed to the router itself on eth0: drop everything new except echo-request, so SSH/DNS are reachable only from the LAN side. */
name OUTSIDE-LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
}
receive-redirects disable
/* NOTE(review): the router will emit ICMP redirects; usually only wanted when hosts share a segment with another gateway -- consider disable. */
send-redirects enable
/* NOTE(review): reverse-path filtering is off; with a single default route via eth0, `strict` would drop packets with spoofed source addresses -- confirm there is no asymmetric routing first. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
/* Two-armed setup: eth0 faces the upstream (10.10.10.0/23), eth1 the LAN (192.168.0.0/24). */
interfaces {
ethernet eth0 {
address 10.10.10.30/23
description OUTSIDE
}
/* The router's LAN address is 192.168.0.10; note the DNS forwarder below also lists 192.168.0.1. */
ethernet eth1 {
address 192.168.0.10/24
description INSIDE
}
loopback lo {
}
}
/* Source NAT: LAN hosts leaving via eth0 are masqueraded to eth0's address. */
nat {
source {
rule 99 {
outbound-interface eth0
/* Only the LAN prefix is translated; anything else leaving eth0 keeps its source address. */
source {
address 192.168.0.0/24
}
translation {
address masquerade
}
}
}
}
/* Single default route towards the OUTSIDE gateway; no other routes, so all non-LAN traffic leaves via eth0. */
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.10.10.1 {
distance 1
}
}
}
}
/* Services the router itself offers. */
service {
dns {
/* DNS forwarder for the LAN; queries are accepted only from 192.168.0.0/24 and sent to 10.10.10.10/.11. */
forwarding {
allow-from 192.168.0.0/24
/* cache-size 0: presumably no local caching, every query goes upstream -- verify if that is intended. */
cache-size 0
/* NOTE(review): 192.168.0.1 is not configured on any interface shown above (eth1 is 192.168.0.10/24); confirm it is intentional. */
listen-address 192.168.0.1
listen-address 192.168.0.10
name-server 10.10.10.10
name-server 10.10.10.11
}
}
/* No listen-address, so sshd binds on every interface; new SSH sessions arriving on eth0 are dropped by the OUTSIDE-LOCAL ruleset (default-action drop), leaving only the LAN side reachable. */
ssh {
port 22
}
}
/* System-level settings. */
system {
config-management {
commit-revisions 100
}
/* NOTE(review): every conntrack helper (ALG) listed here parses application payloads in the kernel and opens "expected" connections through the firewall; keep only the protocols actually in use and drop the rest. */
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name vyos
login {
/* Credentials are masked in this post. */
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
}
}
/* Resolver used by the router itself (e.g. for the domain-group name and the NTP host names). It differs from the forwarder's upstreams 10.10.10.10/.11 -- confirm both return the same answers for company.example.com, or the domain-group will not match what LAN clients connect to. */
name-server 10.10.10.16
ntp {
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
syslog {
global {
facility all {
level info
}
/* Protocols logged at debug: verbose; consider info once the setup is stable. */
facility protocols {
level debug
}
}
}
}