(Colour legend, keyed to the connection-tracking state each firewall rule matches: blue = new, green = established, white = related, red = invalid)
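/* IPv4 zone rulesets for an EdgeRouter with eth0 = LAN, eth1 = WAN and
   switch0 (eth2-eth4) = DMZ.  Every ruleset has default-action drop and
   admits traffic only by connection-tracking state, so the allowed flows
   are: LAN -> anywhere, DMZ -> WAN (see the note on DMZ_IN rule 20),
   WAN -> DMZ only through rules added to WAN_IN, and no new connections
   towards LAN from either WAN or DMZ.
   Rules are numbered in tens so that rules can be inserted between them
   (the original 1/2/3 numbering left no room for the WAN -> DMZ rules).
   NOTE(review): only IPv4 `name` rulesets exist here.  If IPv6 is enabled
   on eth1 there is no `ipv6-name` ruleset attached to any interface, so
   IPv6 traffic is not filtered by this configuration -- confirm, or add
   matching ipv6-name rulesets. */
firewall {
    name DMZ_IN {
        default-action drop
        description "incoming on DMZ"
        /* Replies and related packets of connections already tracked. */
        rule 10 {
            action accept
            description "DMZ valid established"
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): this only matches packets whose destination is
           eth1's own address (the ADDRv4_eth1 auto group).  The `in`
           ruleset is evaluated before source NAT, so a DMZ host opening
           a connection to an Internet address does not match here and is
           dropped by the default action.  If "DMZ new to WAN" is meant to
           be DMZ -> Internet, the match should instead exclude the LAN
           network (destination group) or be applied as an `out` ruleset
           on eth1 -- confirm against the intended design. */
        rule 20 {
            action accept
            description "DMZ new to WAN"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            state {
                new enable
            }
        }
        /* Explicit drop of invalid state; default-action would drop it
           too, the rule only makes the counter visible. */
        rule 30 {
            action drop
            description "DMZ invalid"
            state {
                invalid enable
            }
        }
    }
    name DMZ_LOCAL {
        default-action drop
        description "DMZ to router"
        /* Only replies to connections the router itself opened towards
           the DMZ; DMZ hosts still cannot open anything to the router.
           NOTE(review): if the router is expected to serve DHCP/DNS to the
           DMZ, explicit accept rules for those ports are needed here. */
        rule 10 {
            action accept
            description "DMZ valid established"
            state {
                established enable
                related enable
            }
        }
    }
    name LAN_IN {
        default-action drop
        description "incoming on LAN"
        /* LAN is trusted: new, established and related all pass, so LAN
           may reach both DMZ and WAN. */
        rule 10 {
            action accept
            description "LAN all valid"
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "LAN invalid"
            state {
                invalid enable
            }
        }
    }
    name LAN_OUT {
        default-action drop
        description "LAN outcoming"
        /* Applied to packets leaving eth0 towards LAN hosts: only replies
           to LAN-initiated connections are forwarded. */
        rule 10 {
            action accept
            description "LAN valid existing"
            state {
                established enable
                related enable
            }
        }
        /* Second line of defence: even if an `in` ruleset elsewhere were
           to accept a new connection towards LAN, it is dropped here. */
        rule 20 {
            action drop
            description "LAN new & invalid"
            state {
                invalid enable
                new enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "incoming on WAN"
        rule 10 {
            action accept
            description "WAN valid established"
            state {
                established enable
                related enable
            }
        }
        /* Rules allowing WAN -> DMZ connections go here, numbered 11-19.
           Keep each one as narrow as possible: set protocol, the DMZ host
           in destination address and destination port, and
           state { new enable }.  Nothing placed here can reach LAN, since
           LAN_OUT rule 20 drops new connections towards eth0. */
        rule 20 {
            action drop
            description "WAN new & invalid"
            state {
                invalid enable
                new enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        /* Replies to connections the router itself opens over eth1 (e.g.
           DNS forwarding, NTP, firmware downloads).  Without a state rule
           the default action drops that return traffic.  No unsolicited
           connection from WAN to the router is accepted. */
        rule 10 {
            action accept
            description "WAN valid established"
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    /* eth0 has no `local` ruleset: LAN hosts reach router services
       (DHCP, DNS, web UI, SSH) unfiltered, which is the trusted-side
       assumption of this layout. */
    ethernet eth0 {
        description LAN
        firewall {
            in {
                name LAN_IN
            }
            out {
                name LAN_OUT
            }
        }
    }
    ethernet eth1 {
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    ethernet eth2
    ethernet eth3
    ethernet eth4
    /* The DMZ rulesets are attached to the switch, not to the member
       ports, so they apply to every host on eth2-eth4. */
    switch switch0 {
        description DMZ
        firewall {
            in {
                name DMZ_IN
            }
            local {
                name DMZ_LOCAL
            }
        }
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}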
taken from: https://github.com/didenko/er_poe_fw#all-together