Zone settings for edgerouter
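#based on http://www.forshee.me/2016/03/02/ubiquiti-edgerouter-lite-setup-part-2-firewall-setup.html
#
# Zone-based firewall for an EdgeRouter with two zones plus the router itself:
#   WAN   = eth0, LAN = eth1, local = the router (management plane).
# Assumes eth0 is the WAN port and eth1 the LAN port -- adjust the two
# "set interface" lines below before applying on a different layout.
#
# The script enters configure mode but deliberately does NOT commit: paste it,
# review the result with `compare`, then `commit` and `save`. Once committed,
# NEW connections from WAN to the router (SSH, HTTPS, ...) are dropped; an
# already-open management session survives because it is in established state.
configure
#
# Base IPv4 ruleset: pass only replies to existing connections, drop and log
# anything in invalid state, drop-and-log everything else. Used as-is for
# WAN->local and WAN->LAN, and as the template for the other rulesets.
edit firewall name allow-est-drop-inv
set default-action drop
# Logs every packet hitting the default drop; on a WAN-facing ruleset this is
# the main source of log volume, so expect noisy logs.
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
top
#
# IPv6 counterpart. Rule 100 accepts all ICMPv6 (no type filtering); it is
# not restricted further here because neighbour discovery, router
# advertisements and path-MTU discovery all depend on it.
edit firewall ipv6-name allow-est-drop-inv-6
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
set rule 100 action accept
set rule 100 protocol ipv6-icmp
top
#
# "allow-all": same rule 1/2 (keep state tracking, drop invalid) but the
# default becomes accept and default logging is removed. Used for the trusted
# directions local->LAN, local->WAN and LAN->WAN.
edit firewall
copy name allow-est-drop-inv to name allow-all
set name allow-all default-action accept
delete name allow-all enable-default-log
top
edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name allow-all-6
set ipv6-name allow-all-6 default-action accept
delete ipv6-name allow-all-6 enable-default-log
top
#
# LAN -> local (the router itself). Every accept below is a service exposed
# by the router to the LAN, not forwarded traffic. Anything not listed
# (e.g. SNMP, NTP, other management ports) falls through to the logged
# default drop inherited from the template.
edit firewall
copy name allow-est-drop-inv to name lan-local
edit name lan-local
set rule 100 action accept
set rule 100 protocol icmp
# Router web UI, reachable from LAN only (WAN->local has no such rule).
set rule 200 description "Allow HTTP/HTTPS"
set rule 200 action accept
set rule 200 destination port 80,443
set rule 200 protocol tcp
# DNS forwarder on the router.
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
# DHCPv4 server on the router (client 68 -> server 67).
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 67,68
set rule 700 protocol udp
# SSH management, LAN side only.
set rule 800 description "Allow SSH"
set rule 800 action accept
set rule 800 destination port 22
set rule 800 protocol tcp
top
#
# LAN -> local, IPv6. ICMPv6 (rule 100) comes with the template, so there is
# no separate ICMP rule here.
edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name lan-local-6
edit ipv6-name lan-local-6
set rule 200 description "Allow HTTP/HTTPS"
set rule 200 action accept
set rule 200 destination port 80,443
set rule 200 protocol tcp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
# DHCPv6 uses UDP 546 (client) / 547 (server), not the DHCPv4 ports 67/68;
# with 67,68 here this rule never matched any DHCPv6 traffic.
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 546,547
set rule 700 protocol udp
set rule 800 description "Allow SSH"
set rule 800 action accept
set rule 800 destination port 22
set rule 800 protocol tcp
top
#
# Zone "local" is the router itself (set local-zone). Its default is drop,
# so any zone not listed with a "from" entry cannot reach the router at all.
edit zone-policy zone local
set default-action drop
set local-zone
#WAN to local: Allow only traffic for established connections.
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
#LAN to local: Allow traffic for established connections.
#Also allow new ICMP, DHCP, DNS, ssh, and HTTP/HTTPS connections.
set from LAN firewall name lan-local
set from LAN firewall ipv6-name lan-local-6
top
#
# Zone LAN on eth1. Interfaces that are not placed in any zone (any other
# port on the box) presumably cannot exchange traffic with zoned interfaces
# once zone-policy is active -- confirm before relying on a third port.
edit zone-policy zone LAN
set default-action drop
set interface eth1
#WAN to LAN: Allow only traffic for established connections.
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
#local to LAN: Drop invalid state packets, allow all other traffic.
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top
#
# Zone WAN on eth0. No "from LAN"/"from local" restrictions beyond dropping
# invalid-state packets: all outbound traffic is permitted (no egress filtering).
edit zone-policy zone WAN
set default-action drop
set interface eth0
#local to WAN: Drop invalid state packets, allow all other traffic.
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
#LAN to WAN: Drop invalid state packets, allow all other traffic.
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top
#
# Remove the previous interface-based firewall so it does not overlap with the
# zone policy. Assumes the old rulesets were attached to eth0 and named
# WAN_IN / WAN_LOCAL; if they carry other names, or eth1 also has a firewall
# attached, adjust these lines or the commit leaves the old rules in place.
delete interfaces ethernet eth0 firewall
delete firewall name WAN_IN
delete firewall name WAN_LOCAL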