VyOS General Firewall Configuration
Compatible Version: 1.2.x
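# --- System ------------------------------------------------------------------
set system host-name 'vyos-firewall'
set system time-zone 'UTC'
set system name-server '1.1.1.1'
set system name-server '8.8.8.8'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
# 'notice' keeps firewall drop/log entries in the global log; 'protocols' is
# raised to 'debug' for routing troubleshooting.
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

# --- Management (SSH) --------------------------------------------------------
# SSH is reachable from the WAN through OUTSIDE-LOCAL rules 30/31 below. For
# that exposure prefer key-only logins ('set service ssh
# disable-password-authentication' -- only after keys are deployed). If WAN SSH
# is not needed, bind it to the LAN ('set service ssh listen-address 10.0.0.1')
# and remove rules 30/31.
set service ssh port '22'

# --- Interfaces --------------------------------------------------------------
# eth0: untrusted WAN. 'in' filters traffic forwarded through the router,
# 'local' filters traffic addressed to the router itself.
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'OUTSIDE__WAN'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
# eth1: trusted LAN. No ruleset is attached, so LAN -> WAN and LAN -> router
# traffic is unrestricted.
set interfaces ethernet eth1 address '10.0.0.1/24'
set interfaces ethernet eth1 description 'INSIDE__LAN'

# --- DHCP server (LAN) -------------------------------------------------------
# NOTE(review): 'authoritative' with no value and the named 'range POOL_1
# start/stop' form appear to be the 1.3+ dhcp-server syntax; 1.2.x expects
# 'authoritative enable' and 'subnet ... start <ip> stop <ip>'. Verify against
# the target release before loading (header says 1.2.x).
set service dhcp-server shared-network-name INSIDE_LAN authoritative
set service dhcp-server shared-network-name INSIDE_LAN subnet 10.0.0.0/24 default-router '10.0.0.1'
set service dhcp-server shared-network-name INSIDE_LAN subnet 10.0.0.0/24 dns-server '10.0.0.1'
set service dhcp-server shared-network-name INSIDE_LAN subnet 10.0.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name INSIDE_LAN subnet 10.0.0.0/24 lease '3600'
set service dhcp-server shared-network-name INSIDE_LAN subnet 10.0.0.0/24 range POOL_1 start '10.0.0.50'
set service dhcp-server shared-network-name INSIDE_LAN subnet 10.0.0.0/24 range POOL_1 stop '10.0.0.100'

# --- DNS forwarder -----------------------------------------------------------
# Listens on the LAN address only and answers RFC 1918 clients only, so the
# router is not an open resolver towards the WAN.
set service dns forwarding allow-from '10.0.0.0/16'
set service dns forwarding allow-from '172.16.0.0/12'
set service dns forwarding allow-from '192.168.0.0/16'
set service dns forwarding cache-size '4096'
set service dns forwarding listen-address '10.0.0.1'
set service dns forwarding name-server '1.1.1.1'
set service dns forwarding name-server '8.8.8.8'

# --- Firewall: global kernel settings ----------------------------------------
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'disable'
# Reverse-path filtering was 'disable'. 'strict' drops packets that arrive on
# an interface the kernel would not route their source address back through
# (e.g. WAN packets claiming a LAN source). Use 'loose' if routing is
# asymmetric (multiple uplinks).
set firewall source-validation 'strict'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# --- OUTSIDE-IN: WAN -> forwarded (LAN) --------------------------------------
# Default drop; only replies to connections opened from inside are forwarded.
# Any destination NAT added later needs a matching accept rule here.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 description 'Allow : Established / Related Traffic'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# --- OUTSIDE-LOCAL: WAN -> router itself -------------------------------------
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 description 'Allow : Established / Related Traffic'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# Rule 20 answers echo requests from any WAN source; remove it if the router
# should not respond to pings from the internet.
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 description 'Allow : ICMP Echo Requests'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
# Rules 30/31 must stay in this order: 30 drops a source that has opened 4 or
# more new SSH connections within 60 s, 31 accepts anything under that
# threshold. 'log enable' added on the drop so brute-force attempts are
# visible in syslog.
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 description 'Deny : SSH Rate-Limited Connections'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 log 'enable'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 description 'Allow : SSH Connections'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

# --- Source NAT (masquerade on the WAN) --------------------------------------
# Rule 100 covers all of 10.0.0.0/8, wider than eth1's 10.0.0.0/24; the
# 172.16/12 and 192.168/16 rules only matter for networks routed behind the
# LAN. Narrow these to the prefixes actually in use if no such networks exist.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.0.0/8'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '172.16.0.0/12'
set nat source rule 110 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth0'
set nat source rule 120 source address '192.168.0.0/16'
set nat source rule 120 translation address 'masquerade'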