(blue = new, green = established, white = related, red = invalid)
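/* IPv4 ('firewall name') rulesets only. No 'ipv6-name' rulesets appear in this section, so IPv6 - if it is enabled on eth1 - is not covered here; confirm IPv6 is disabled or filtered elsewhere. */
firewall {
/* Inbound from the DMZ (attached as switch0 'in'). Default drop; new connections are accepted only towards the ADDRv4_eth1 group, so new DMZ -> LAN connections fall through to the default drop. */
name DMZ_IN {
default-action drop
description "incoming on DMZ"
rule 1 {
action accept
description "DMZ valid established"
state {
established enable
related enable
}
}
/* NOTE(review): ADDRv4_eth1 is not defined in this excerpt. The description says "to WAN" - confirm the group covers the intended WAN destinations and not only the addresses assigned to eth1 itself. */
rule 2 {
action accept
description "DMZ new to WAN"
destination {
group {
address-group ADDRv4_eth1
}
}
state {
new enable
}
}
/* Explicit drop of invalid-state packets (the default action would drop them as well). */
rule 3 {
action drop
description "DMZ invalid"
state {
invalid enable
}
}
}
/* DMZ -> the router itself (attached as switch0 'local'). No rules, so everything is dropped, including replies to sessions the router initiates towards DMZ hosts. NOTE(review): confirm the router serves nothing (e.g. DHCP, DNS) to the DMZ. */
name DMZ_LOCAL {
default-action drop
description "DMZ to router"
}
/* Inbound from the LAN (attached as eth0 'in'): every valid state is accepted, so LAN hosts may open connections towards WAN and DMZ; only invalid packets are dropped. */
name LAN_IN {
default-action drop
description "incoming on LAN"
rule 1 {
action accept
description "LAN all valid"
state {
established enable
new enable
related enable
}
}
rule 2 {
action drop
description "LAN invalid"
state {
invalid enable
}
}
}
/* Outbound towards the LAN (attached as eth0 'out'). This ruleset is what keeps WAN and DMZ hosts from opening connections into the LAN: only established/related traffic passes, new and invalid packets are dropped. */
name LAN_OUT {
default-action drop
description "LAN outcoming"
rule 1 {
action accept
description "LAN valid existing"
state {
established enable
related enable
}
}
rule 2 {
action drop
description "LAN new & invalid"
state {
invalid enable
new enable
}
}
}
/* Inbound from the WAN (attached as eth1 'in'). Rules are evaluated in ascending number order, so the drop rule below is numbered 100 to leave 2-99 free for WAN -> DMZ accept rules ahead of it; with the drop numbered 2, any later-numbered accept rule could never be reached. */
name WAN_IN {
default-action drop
description "incoming on WAN"
rule 1 {
action accept
description "WAN valid established"
state {
established enable
related enable
}
}
/* Rules allowing WAN -> DMZ connections go here (use numbers 2-99). */
rule 100 {
action drop
description "WAN new & invalid"
state {
invalid enable
new enable
}
}
}
/* WAN -> the router itself (attached as eth1 'local'). No rules at all, not even established/related, so replies to sessions the router itself opens over eth1 (e.g. DNS, NTP, updates) are dropped along with unsolicited traffic. NOTE(review): confirm the router never needs to originate traffic on eth1; otherwise add an established/related accept rule here. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
}
}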
/* Ruleset attachment per interface and direction. A direction with no ruleset assigned is not filtered. */
interfaces {
/* LAN: 'in' filters what LAN hosts send, 'out' filters what may reach them. No 'local' ruleset, so LAN -> router (e.g. management, DNS) is unrestricted. */
ethernet eth0 {
description LAN
firewall {
in {
name LAN_IN
}
out {
name LAN_OUT
}
}
}
/* WAN: no 'out' ruleset, so traffic leaving towards the WAN is governed only by the 'in' ruleset of the interface it arrived on (LAN_IN or DMZ_IN). */
ethernet eth1 {
description WAN
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
}
/* eth2-eth4 carry no firewall of their own; they are members of switch0 below, where the DMZ rulesets are attached. */
ethernet eth2
ethernet eth3
ethernet eth4
/* DMZ: no 'out' ruleset, so traffic from the LAN into the DMZ is subject only to LAN_IN (which accepts new connections). */
switch switch0 {
description DMZ
firewall {
in {
name DMZ_IN
}
local {
name DMZ_LOCAL
}
}
switch-port {
interface eth2
interface eth3
interface eth4
}
}
}
Configuration taken from: https://github.com/didenko/er_poe_fw#all-together