configure edit firewall # Rejected Servers Group set group address-group REJECT-SERVERS description "Block IP List" # Rejected Networks Group set group network-group REJECT-NETWORKS description "Block Network List" # Rejected Ports Group set group port-group REJECT-PORTS description "Block Port List" # SSH Allowed Hosts List set group address-group SSH-FROM description "IPs allowed to SSH into router" set group address-group SSH-FROM address set group address-group SSH-FROM address # SMB Ports to drop and not log set group port-group SMB description "SMB Ports to block and not log from ZZ Windows customers to local router" set group port-group SMB port 67 set group port-group SMB port 135 set group port-group SMB port 137 set group port-group SMB port 138 set group port-group SMB port 139 # Default deny set name internet-local default-action drop # Accept established & related set name internet-local rule 1 action accept set name internet-local rule 1 state established enable set name internet-local rule 1 state related enable set name internet-local rule 2 action drop set name internet-local rule 2 log enable set name internet-local rule 2 state invalid enable # Drop and do not log Customer SMB set name internet-local rule 3 action drop set name internet-local rule 3 log disable set name internet-local rule 3 destination group port-group SMB # Allow inbound ICMP set name internet-local rule 4 action accept set name internet-local rule 4 protocol icmp # Allow inbound VRRP set name internet-local rule 5 action accept set name internet-local rule 5 protocol vrrp # Allow inbound BGP set name internet-local rule 6 action accept set name internet-local rule 6 port 179 set name internet-local rule 6 protocol tcp # Allow inbound BGP set name internet-local rule 7 action accept set name internet-local rule 7 source port 179 set name internet-local rule 7 protocol tcp # Allow inbound HEARTBEAT set name internet-local rule 8 action accept set name internet-local rule 8 destination port 694 set name internet-local rule 8 protocol udp # Allow inbound HEARTBEAT set name internet-local rule 9 action accept set name internet-local rule 9 source port 694 set name internet-local rule 9 protocol udp # Allow inbound SSH set name internet-local rule 10 action accept set name internet-local rule 10 log enable set name internet-local rule 10 source group address-group SSH-FROM set name internet-local rule 10 destination port 22 set name internet-local rule 10 protocol tcp # Logging rule set name internet-local rule 9999 action drop set name internet-local rule 9999 log enable # Default deny set name local-internet default-action drop # Accept established & related set name local-internet rule 1 action accept set name local-internet rule 1 state established enable set name local-internet rule 1 state related enable set name local-internet rule 2 action drop set name local-internet rule 2 log enable set name local-internet rule 2 state invalid enable # Allow outbound ICMP set name local-internet rule 4 action accept set name local-internet rule 4 protocol icmp # Allow outbound VRRP set name local-internet rule 5 action accept set name local-internet rule 5 protocol vrrp # Allow outbound BGP set name local-internet rule 6 action accept set name local-internet rule 6 destination port 179 set name local-internet rule 6 protocol tcp # Allow outbound BGP set name local-internet rule 7 action accept set name local-internet rule 7 source port 179 set name local-internet rule 7 protocol tcp # Allow outbound HEARTBEAT set name local-internet rule 8 action accept set name local-internet rule 8 destination port 694 set name local-internet rule 8 protocol udp # Allow outbound HEARTBEAT set name local-internet rule 9 action accept set name local-internet rule 9 source port 694 set name local-internet rule 9 protocol udp # Accept outbound DNS requests set name local-internet rule 10 action accept set name local-internet rule 10 destination port 53 set name local-internet rule 10 protocol tcp_udp # Accept outbound NTP set name local-internet rule 15 action accept set name local-internet rule 15 destination port 123 set name local-internet rule 15 protocol tcp_udp # Allow upgrade - only during valid changes #set name local-internet rule 69 action accept #set name local-internet rule 69 log enable #set name local-internet rule 69 destination port 80 #set name local-internet rule 69 protocol tcp # Logging rule set name local-internet rule 9999 action drop set name local-internet rule 9999 log enable # Default Deny set name zzservers-local default-action drop # Accept established and related set name zzservers-local rule 1 action accept set name zzservers-local rule 1 state established enable set name zzservers-local rule 1 state related enable set name zzservers-local rule 2 action drop set name zzservers-local rule 2 log enable set name zzservers-local rule 2 state invalid enable # Drop and do not log Customer SMB set name zzservers-local rule 3 action drop set name zzservers-local rule 3 log disable set name zzservers-local rule 3 destination group port-group SMB set name zzservers-local rule 3 protocol udp # Allow inbound ICMP set name zzservers-local rule 4 action accept set name zzservers-local rule 4 protocol icmp # Allow inbound VRRP set name zzservers-local rule 5 action accept set name zzservers-local rule 5 protocol vrrp # Allow inbound BGP set name zzservers-local rule 6 action accept set name zzservers-local rule 6 destination port 179 set name zzservers-local rule 6 protocol tcp # Allow inbound BGP set name zzservers-local rule 7 action accept set name zzservers-local rule 7 source port 179 set name zzservers-local rule 7 protocol tcp # Allow inbound HEARTBEAT set name zzservers-local rule 8 action accept set name zzservers-local rule 8 destination port 694 set name zzservers-local rule 8 protocol udp # Allow inbound HEARTBEAT set name zzservers-local rule 9 action accept set name zzservers-local rule 9 source port 694 set name zzservers-local rule 9 protocol udp # Allow inbound SSH set name zzservers-local rule 10 action accept set name zzservers-local rule 10 log enable set name zzservers-local rule 10 source group address-group SSH-FROM set name zzservers-local rule 10 destination port 22 set name zzservers-local rule 10 protocol tcp # Logging rule set name zzservers-local rule 9999 action drop set name zzservers-local rule 9999 log enable # Default Deny set name local-zzservers default-action drop # Accept established and related set name local-zzservers rule 1 action accept set name local-zzservers rule 1 state established enable set name local-zzservers rule 1 state related enable set name local-zzservers rule 2 action drop set name local-zzservers rule 2 log enable set name local-zzservers rule 2 state invalid enable # Allow outbound ICMP set name local-zzservers rule 4 action accept set name local-zzservers rule 4 protocol icmp # Allow outbound VRRP set name local-zzservers rule 5 action accept set name local-zzservers rule 5 protocol vrrp # Allow outbound BGP set name local-zzservers rule 6 action accept set name local-zzservers rule 6 destination port 179 set name local-zzservers rule 6 protocol tcp # Allow outbound BGP set name local-zzservers rule 7 action accept set name local-zzservers rule 7 source port 179 set name local-zzservers rule 7 protocol tcp # Allow outbound HEARTBEAT set name local-zzservers rule 8 action accept set name local-zzservers rule 8 destination port 694 set name local-zzservers rule 8 protocol udp # Allow outbound HEARTBEAT set name local-zzservers rule 9 action accept set name local-zzservers rule 9 source port 694 set name local-zzservers rule 9 protocol udp # Allow outbound dns lookups set name local-zzservers rule 10 action accept set name local-zzservers rule 10 destination port 53 set name local-zzservers rule 10 protocol tcp_udp # Allow upgrades - only during valid change #set name local-zzservers rule 69 action accept #set name local-zzservers rule 69 log enable #set name local-zzservers rule 69 destination port 80 #set name local-zzservers rule 69 protocol tcp # Logging rule set name local-zzservers rule 9999 action drop set name local-zzservers rule 9999 log enable # Default route all packets set name internet-zzservers default-action accept # Deny and reject blocked servers / networks / ports set name internet-zzservers rule 10 action reject set name internet-zzservers rule 10 log enable set name internet-zzservers rule 10 source group address-group REJECT-SERVERS set name internet-zzservers rule 11 action reject set name internet-zzservers rule 11 log enable set name internet-zzservers rule 11 destination group address-group REJECT-SERVERS set name internet-zzservers rule 15 action reject set name internet-zzservers rule 15 log enable set name internet-zzservers rule 15 source group network-group REJECT-NETWORKS set name internet-zzservers rule 16 action reject set name internet-zzservers rule 16 log enable set name internet-zzservers rule 16 destination group network-group REJECT-NETWORKS set name internet-zzservers rule 20 action reject set name internet-zzservers rule 20 log enable set name internet-zzservers rule 20 source group port-group REJECT-PORTS set name internet-zzservers rule 21 action reject set name internet-zzservers rule 21 log enable set name internet-zzservers rule 21 destination group port-group REJECT-PORTS # Default route all packets set name zzservers-internet default-action accept # Deny and reject blocked servers / networks / ports set name zzservers-internet rule 10 action reject set name zzservers-internet rule 10 log enable set name zzservers-internet rule 10 source group address-group REJECT-SERVERS set name zzservers-internet rule 11 action reject set name zzservers-internet rule 11 log enable set name zzservers-internet rule 11 destination group address-group REJECT-SERVERS set name zzservers-internet rule 15 action reject set name zzservers-internet rule 15 log enable set name zzservers-internet rule 15 source group network-group REJECT-NETWORKS set name zzservers-internet rule 16 action reject set name zzservers-internet rule 16 log enable set name zzservers-internet rule 16 destination group network-group REJECT-NETWORKS set name zzservers-internet rule 20 action reject set name zzservers-internet rule 20 log enable set name zzservers-internet rule 20 source group port-group REJECT-PORTS set name zzservers-internet rule 21 action reject set name zzservers-internet rule 21 log enable set name zzservers-internet rule 21 destination group port-group REJECT-PORTS exit edit zone-policy # Set the default policy for zone internet to drop set zone internet default-action drop # For internet zone, traffic from zzservers to internet uses firewall filter zzservers-internet set zone internet from zzservers firewall name zzservers-internet # For internet zone, traffic from local router to internet  uses firewall filter local-internet set zone internet from local firewall name local-internet # Set internet zone assignment to eth0 set zone internet interface eth0 # Set the default policy for zzservers zone to drop set zone zzservers default-action drop # For zzservers zone, traffic from internet to zzservers uses firewall filter internet-zzservers set zone zzservers from internet firewall name internet-zzservers # For zzservers zone, traffic from local router to zzservers uses firewall filter local-zzservers set zone zzservers from local firewall name local-zzservers # Set zzservers interface eth1 set zone zzservers interface eth1 # Set the default policy for local zone to drop set zone local default-action drop # For local zone, traffic from internet to the local router uses firewall  filter internet-local set zone local from internet firewall name internet-local # For local zone, traffic from zzservers to the local router uses firewall filter zzservers-local set zone local from zzservers firewall name zzservers-local set zone local local-zone exit save commit show firewall all-ping enable group { address-group REJECT-SERVERS { description "Block IP List" } address-group SSH-FROM { address address description "IPs allowed to SSH into router" } network-group REJECT-NETWORKS { description "Block Network List" } port-group REJECT-PORTS { description "Block Port List" } port-group SMB { description "SMB Ports to block and not log from ZZ Windows customers to local router" port 67 port 135 port 137 port 138 port 139 } } name internet-local { default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 3 { action drop destination { group { port-group SMB } } log disable } rule 4 { action accept protocol icmp } rule 5 { action accept protocol vrrp } rule 6 { action accept destination { port 179 } protocol tcp } rule 7 { action accept protocol tcp source { port 179 } } rule 8 { action accept destination { port 694 } protocol udp } rule 9 { action accept protocol udp source { port 694 } } rule 10 { action accept destination { port 22 } log enable protocol tcp source { group { address-group SSH-FROM } } } rule 9999 { action drop log enable } } name internet-zzservers { default-action accept rule 10 { action reject log enable source { group { address-group REJECT-SERVERS } } } rule 11 { action reject destination { group { address-group REJECT-SERVERS } } log enable } rule 15 { action reject log enable source { group { network-group REJECT-NETWORKS } } } rule 16 { action reject destination { group { network-group REJECT-NETWORKS } } log enable } rule 20 { action reject log enable source { group { port-group REJECT-PORTS } } } rule 21 { action reject destination { group { port-group REJECT-PORTS } } log enable } } name local-internet { default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 4 { action accept protocol icmp } rule 5 { action accept protocol vrrp } rule 6 { action accept destination { port 179 } protocol tcp } rule 7 { action accept protocol tcp source { port 179 } } rule 8 { action accept destination { port 694 } protocol udp } rule 9 { action accept protocol udp source { port 694 } } rule 10 { action accept destination { port 53 } protocol tcp_udp } rule 9999 { action drop log enable } } name local-zzservers { default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 4 { action accept protocol icmp } rule 5 { action accept protocol vrrp } rule 6 { action accept destination { port 179 } protocol tcp } rule 7 { action accept protocol tcp source { port 179 } } rule 8 { action accept destination { port 694 } protocol udp } rule 9 { action accept protocol udp source { port 694 } } rule 10 { action accept destination { port 53 } protocol tcp_udp } rule 9999 { action drop log enable } } name zzservers-internet { default-action accept rule 10 { action reject log enable source { group { address-group REJECT-SERVERS } } } rule 11 { action reject destination { group { address-group REJECT-SERVERS } } log enable } rule 15 { action reject log enable source { group { network-group REJECT-NETWORKS } } } rule 16 { action reject destination { group { network-group REJECT-NETWORKS } } log enable } rule 20 { action reject log enable source { group { port-group REJECT-PORTS } } } rule 21 { action reject destination { group { port-group REJECT-PORTS } } log enable } } name zzservers-local { default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 3 { action drop destination { group { port-group SMB } } log disable protocol udp } rule 4 { action accept protocol icmp } rule 5 { action accept protocol vrrp } rule 6 { action accept destination { port 179 } protocol tcp } rule 7 { action accept protocol tcp source { port 179 } } rule 8 { action accept destination { port 694 } protocol udp } rule 9 { action accept protocol udp source { port 694 } } rule 10 { action accept destination { port 22 } log enable protocol tcp source { group { address-group SSH-FROM } } } rule 9999 { action drop log enable } } show zone-policy zone internet { default-action drop from local { firewall { name local-internet } } from zzservers { firewall { name zzservers-internet } } interface eth0 } zone local { default-action drop from internet { firewall { name internet-local } } from zzservers { firewall { name zzservers-local } } local-zone } zone zzservers { default-action drop from internet { firewall { name internet-zzservers } } from local { firewall { name local-zzservers } } interface eth1 }