smuda · February 16, 2017 18:50
diff --git a/gistfile1.txt b/gistfile1.txt
 // create a name for the LAN networks
 configure
 set firewall group network-group LAN_NETWORKS
 set firewall group network-group LAN_NETWORKS description "LAN Networks"
 set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
 commit

 // Create a rule to accept all already established connections (for example from LAN)
 configure
 set firewall name PROTECT_IOT default-action accept 
 set firewall name PROTECT_IOT rule 10 action accept
 set firewall name PROTECT_IOT rule 10 description "Accept Established/Related"
 set firewall name PROTECT_IOT rule 10 protocol all
 set firewall name PROTECT_IOT rule 10 state established enable
 set firewall name PROTECT_IOT rule 10 state related enable

 // Now create a firewall rule to block all traffic from IOT network to the LAN networks.
 set firewall name PROTECT_IOT rule 20 action drop
 set firewall name PROTECT_IOT rule 20 description "Drop LAN_NETWORKS"
 set firewall name PROTECT_IOT rule 20 destination group network-group LAN_NETWORKS
 set firewall name PROTECT_IOT rule 20 protocol all
 commit

 // Create a firewall rule to allow access to router for DHCP and DNS
 configure
 set firewall name IOT_TO_FW 
 set firewall name IOT_TO_FW default-action drop 
 set firewall name IOT_TO_FW rule 10 action accept
 set firewall name IOT_TO_FW rule 10 description "Accept DNS"
 set firewall name IOT_TO_FW rule 10 destination port 53
 set firewall name IOT_TO_FW rule 10 protocol udp

 set firewall name IOT_TO_FW rule 20 action accept
 set firewall name IOT_TO_FW rule 20 description "Accept DHCP"
 set firewall name IOT_TO_FW rule 20 destination port 67
 set firewall name IOT_TO_FW rule 20 protocol udp
 commit

 // Now connect the rulesets to interfaces
 configure
 set interfaces ethernet eth1 vif 42 firewall in name PROTECT_IOT
 set interfaces ethernet eth1 vif 42 firewall local name IOT_TO_FW
 commit
	// create a name for the LAN networks
	configure
	set firewall group network-group LAN_NETWORKS
	set firewall group network-group LAN_NETWORKS description "LAN Networks"
	set firewall group network-group LAN_NETWORKS network 192.168.0.0/16
	commit

	// Create a rule to accept all already established connections (for example from LAN)
	configure
	set firewall name PROTECT_IOT default-action accept
	set firewall name PROTECT_IOT rule 10 action accept
	set firewall name PROTECT_IOT rule 10 description "Accept Established/Related"
	set firewall name PROTECT_IOT rule 10 protocol all
	set firewall name PROTECT_IOT rule 10 state established enable
	set firewall name PROTECT_IOT rule 10 state related enable

	// Now create a firewall rule to block all traffic from IOT network to the LAN networks.
	set firewall name PROTECT_IOT rule 20 action drop
	set firewall name PROTECT_IOT rule 20 description "Drop LAN_NETWORKS"
	set firewall name PROTECT_IOT rule 20 destination group network-group LAN_NETWORKS
	set firewall name PROTECT_IOT rule 20 protocol all
	commit

	// Create a firewall rule to allow access to router for DHCP and DNS
	configure
	set firewall name IOT_TO_FW
	set firewall name IOT_TO_FW default-action drop
	set firewall name IOT_TO_FW rule 10 action accept
	set firewall name IOT_TO_FW rule 10 description "Accept DNS"
	set firewall name IOT_TO_FW rule 10 destination port 53
	set firewall name IOT_TO_FW rule 10 protocol udp

	set firewall name IOT_TO_FW rule 20 action accept
	set firewall name IOT_TO_FW rule 20 description "Accept DHCP"
	set firewall name IOT_TO_FW rule 20 destination port 67
	set firewall name IOT_TO_FW rule 20 protocol udp
	commit

	// Now connect the rulesets to interfaces
	configure
	set interfaces ethernet eth1 vif 42 firewall in name PROTECT_IOT
	set interfaces ethernet eth1 vif 42 firewall local name IOT_TO_FW
	commit