Firewall IP and Port Groups

This section covers defining port and IP address groups. A group acts as an alias for a set of ports or addresses, so your firewall rules are shorter and easier to read (which means documenting the groups you've created, of course!). The same can be done for IPv6, but the examples below are IPv4 (port groups are the same for both).

To add more items to an existing group, repeat the command with the additional address, network or port.

IPV4 Address Group

This can be a single IP, a subnet or a range of IPs. For <group_name_ip> use something like MAIL_SVR_IP so that when you read your firewall rules you know it's an address group.

set firewall group address-group <group_name_ip> address <x.x.x.x>, <x.x.x.x/x>, <x.x.x.x>-<x.x.x.x>
set firewall group address-group <group_name_ip> address <x.x.x.x>, <x.x.x.x/x>, <x.x.x.x>-<x.x.x.x>
set firewall group address-group <group_name_ip> address <x.x.x.x>, <x.x.x.x/x>, <x.x.x.x>-<x.x.x.x>
IPV4 Network Group

This is for defining subnets only.

set firewall group network-group <group_name_subnet> network <x.x.x.x/x>
set firewall group network-group <group_name_subnet> network <x.x.x.x/x>
set firewall group network-group <group_name_subnet> network <x.x.x.x/x>
Port Group

This can be single ports or port ranges. For <group_name_tcp> use something like MAIL_SVR_TCP so that in your firewall rules you know it's a TCP group. A port group carries no protocol of its own: the protocol is set on the rule that references the group and applies to every port in it (TCP, UDP or both), so if you also need UDP ports you'll need a separate group.

set firewall group port-group <group_name_tcp> port <name>, <port #>, <portrangestart-end>
set firewall group port-group <group_name_tcp> port <name>, <port #>, <portrangestart-end>
set firewall group port-group <group_name_tcp> port <name>, <port #>, <portrangestart-end>
Example of Rules Using Groups
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description 'drop guest to lan'
set firewall name GUEST_IN rule 20 destination group network-group LAN_NETWORKS
set firewall name GUEST_IN rule 20 protocol all

Common Firewall Rules in Order

Use this as a template for the rule order in any new zone-based firewall setup. Delete any rules you don't need, but try to keep the numbering/order of the protocols below; rules are evaluated in numeric order and the first match wins, so this helps performance and keeps rule-sets consistent across zones.

1-199 should be used for pre-filters: allow all, allow established/related, and the like. Be aware that an unconditional accept such as rule 80 below matches every packet, so none of the later rules in that rule-set are ever evaluated; keep it only in a zone where full access is actually intended.

200-299 should be used for dropping invalid-state traffic and similar.

300-999 should be used for rules that reference firewall groups. Since these are custom groups the order is up to you, but try to put DNS/HTTPS and other high-traffic/high-frequency groups towards the front. Make sure the rule's protocol matches the group it references: a UDP port group needs `protocol udp` (rule 301 below is labelled BASIC-WEB-UDP but still says `protocol tcp`, so UDP traffic would not match it).

set firewall name MGMT_LAN_to_LOCAL enable-default-log

set firewall name MGMT_LAN_to_LOCAL rule 80 description "Allow All"
set firewall name MGMT_LAN_to_LOCAL rule 80 action accept
set firewall name MGMT_LAN_to_LOCAL rule 80 log enable

set firewall name MGMT_LAN_to_LOCAL rule 100 description "Allow established/related"
set firewall name MGMT_LAN_to_LOCAL rule 100 action accept
set firewall name MGMT_LAN_to_LOCAL rule 100 state established enable
set firewall name MGMT_LAN_to_LOCAL rule 100 state related enable
set firewall name MGMT_LAN_to_LOCAL rule 100 log enable

set firewall name MGMT_LAN_to_LOCAL rule 200 description "Drop invalid"
set firewall name MGMT_LAN_to_LOCAL rule 200 action drop
set firewall name MGMT_LAN_to_LOCAL rule 200 state invalid enable
set firewall name MGMT_LAN_to_LOCAL rule 200 log enable

set firewall name LOCAL_to_EXTERNAL rule 300 description "BASIC-WEB-TCP"
set firewall name LOCAL_to_EXTERNAL rule 300 action accept
set firewall name LOCAL_to_EXTERNAL rule 300 destination group port-group BASIC-WEB-TCP
set firewall name LOCAL_to_EXTERNAL rule 300 destination group address-group BASIC-WEB-TCP
set firewall name LOCAL_to_EXTERNAL rule 300 protocol tcp
set firewall name LOCAL_to_EXTERNAL rule 300 state new enable
set firewall name LOCAL_to_EXTERNAL rule 300 log enable
set firewall name LOCAL_to_EXTERNAL rule 301 description "BASIC-WEB-UDP"
set firewall name LOCAL_to_EXTERNAL rule 301 action accept
set firewall name LOCAL_to_EXTERNAL rule 301 destination group port-group BASIC-WEB-UDP
set firewall name LOCAL_to_EXTERNAL rule 301 protocol tcp
set firewall name LOCAL_to_EXTERNAL rule 301 state new enable
set firewall name LOCAL_to_EXTERNAL rule 301 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1000 description "Allow DNS"
set firewall name MGMT_LAN_to_LOCAL rule 1000 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1000 destination port 53
set firewall name MGMT_LAN_to_LOCAL rule 1000 protocol tcp_udp
set firewall name MGMT_LAN_to_LOCAL rule 1000 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1000 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1001 description "Allow DNS TLS"
set firewall name MGMT_LAN_to_LOCAL rule 1001 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1001 destination port 853
set firewall name MGMT_LAN_to_LOCAL rule 1001 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1001 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1001 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1005 description "Allow VOIP"
set firewall name MGMT_LAN_to_LOCAL rule 1005 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1005 destination port 5060
set firewall name MGMT_LAN_to_LOCAL rule 1005 protocol tcp_udp
set firewall name MGMT_LAN_to_LOCAL rule 1005 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1005 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1010 description "Allow HTTPS"
set firewall name MGMT_LAN_to_LOCAL rule 1010 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1010 destination port 443
set firewall name MGMT_LAN_to_LOCAL rule 1010 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1010 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1010 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1011 description "Allow HTTP"
set firewall name MGMT_LAN_to_LOCAL rule 1011 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1011 destination port 80
set firewall name MGMT_LAN_to_LOCAL rule 1011 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1011 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1011 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1030 description "Allow ICMP"
set firewall name MGMT_LAN_to_LOCAL rule 1030 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1030 icmp type-name echo-request
set firewall name MGMT_LAN_to_LOCAL rule 1030 protocol icmp
set firewall name MGMT_LAN_to_LOCAL rule 1030 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1030 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1040 description "Allow SMTP"
set firewall name MGMT_LAN_to_LOCAL rule 1040 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1040 destination port 25
set firewall name MGMT_LAN_to_LOCAL rule 1040 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1040 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1040 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1041 description "Allow SMTP TLS"
set firewall name MGMT_LAN_to_LOCAL rule 1041 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1041 destination port 587
set firewall name MGMT_LAN_to_LOCAL rule 1041 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1041 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1041 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1050 description "Allow MDNS/Bonjour"
set firewall name MGMT_LAN_to_LOCAL rule 1050 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1050 destination port 5353
set firewall name MGMT_LAN_to_LOCAL rule 1050 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1050 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1050 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1060 description "Allow IMAPS"
set firewall name MGMT_LAN_to_LOCAL rule 1060 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1060 destination port 993
set firewall name MGMT_LAN_to_LOCAL rule 1060 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1060 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1060 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1070 description "Allow SSH"
set firewall name MGMT_LAN_to_LOCAL rule 1070 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1070 destination port 22
set firewall name MGMT_LAN_to_LOCAL rule 1070 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1070 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1070 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1080 description "Allow NTP Request"
set firewall name MGMT_LAN_to_LOCAL rule 1080 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1080 destination port 123
set firewall name MGMT_LAN_to_LOCAL rule 1080 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1080 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1080 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1090 description "Allow OSPF"
set firewall name MGMT_LAN_to_LOCAL rule 1090 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1090 protocol ospf
set firewall name MGMT_LAN_to_LOCAL rule 1090 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1090 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1100 description "Allow DHCP Request"
set firewall name MGMT_LAN_to_LOCAL rule 1100 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1100 destination port 67
set firewall name MGMT_LAN_to_LOCAL rule 1100 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1100 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1100 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1110 description "Allow LDAP"
set firewall name MGMT_LAN_to_LOCAL rule 1110 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1110 destination port 389
set firewall name MGMT_LAN_to_LOCAL rule 1110 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1110 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1110 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1111 description "Allow LDAPS"
set firewall name MGMT_LAN_to_LOCAL rule 1111 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1111 destination port 636
set firewall name MGMT_LAN_to_LOCAL rule 1111 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1111 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1111 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1120 description "Allow SMB"
set firewall name MGMT_LAN_to_LOCAL rule 1120 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1120 destination port 445
set firewall name MGMT_LAN_to_LOCAL rule 1120 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1120 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1120 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1130 description "Allow Kerberos"
set firewall name MGMT_LAN_to_LOCAL rule 1130 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1130 destination port 88
set firewall name MGMT_LAN_to_LOCAL rule 1130 protocol tcp_udp
set firewall name MGMT_LAN_to_LOCAL rule 1130 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1130 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1140 description "Allow IP Printing"
set firewall name MGMT_LAN_to_LOCAL rule 1140 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1140 destination port 515,9100
set firewall name MGMT_LAN_to_LOCAL rule 1140 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1140 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1140 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1150 description "Allow RDP"
set firewall name MGMT_LAN_to_LOCAL rule 1150 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1150 destination port 3389
set firewall name MGMT_LAN_to_LOCAL rule 1150 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1150 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1150 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1160 description "Allow VNC"
set firewall name MGMT_LAN_to_LOCAL rule 1160 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1160 destination port 5900,5908
set firewall name MGMT_LAN_to_LOCAL rule 1160 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1160 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1160 log enable

set firewall name MGMT_LAN_to_LOCAL rule 1170 description "Allow XMPP"
set firewall name MGMT_LAN_to_LOCAL rule 1170 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1170 destination port 5222,5223
set firewall name MGMT_LAN_to_LOCAL rule 1170 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1170 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1170 log enable