Ok, here is the reworked code
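# --- PROTECT_DMZ_IN: traffic entering the router from the DMZ VLAN ---------
# Rule order matters. Rule 10 accepts Established/Related traffic first, so
# replies to connections that LAN or Guest hosts opened towards the DMZ are
# still accepted. Rule 20 drops invalid packets before anything else is
# considered. Rule 30 therefore only blocks NEW connections from the DMZ to
# the "LAN" and "Guest" networks; because the default action is accept,
# everything else (for example traffic towards the WAN) is allowed.
#
# A single "destination address" node holds one address, network or range,
# not a comma-separated list, so the networks to block are collected in a
# network-group and rule 30 matches the group.
set firewall group network-group LAN_AND_GUEST network 192.168.1.0/24
set firewall group network-group LAN_AND_GUEST network 192.168.3.0/24
set firewall name PROTECT_DMZ_IN
set firewall name PROTECT_DMZ_IN default-action accept
set firewall name PROTECT_DMZ_IN rule 10 action accept
set firewall name PROTECT_DMZ_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_DMZ_IN rule 10 protocol all
set firewall name PROTECT_DMZ_IN rule 10 state established enable
set firewall name PROTECT_DMZ_IN rule 10 state related enable
set firewall name PROTECT_DMZ_IN rule 20 action drop
set firewall name PROTECT_DMZ_IN rule 20 description "Drop invalid"
set firewall name PROTECT_DMZ_IN rule 20 protocol all
set firewall name PROTECT_DMZ_IN rule 20 state invalid enable
set firewall name PROTECT_DMZ_IN rule 30 action drop
set firewall name PROTECT_DMZ_IN rule 30 description "Drop LAN and Guest"
set firewall name PROTECT_DMZ_IN rule 30 destination group network-group LAN_AND_GUEST
set firewall name PROTECT_DMZ_IN rule 30 protocol all
commit

# --- PROTECT_Guest_IN: traffic entering the router from the Guest VLAN -----
# Same structure as PROTECT_DMZ_IN: Established/Related is accepted first
# (so replies to LAN- or DMZ-initiated connections pass), invalid packets are
# dropped, and only NEW connections from Guest to the "LAN" and "DMZ" networks
# are blocked. Everything else is accepted by the default action.
set firewall group network-group LAN_AND_DMZ network 192.168.1.0/24
set firewall group network-group LAN_AND_DMZ network 192.168.2.0/24
set firewall name PROTECT_Guest_IN
set firewall name PROTECT_Guest_IN default-action accept
set firewall name PROTECT_Guest_IN rule 10 action accept
set firewall name PROTECT_Guest_IN rule 10 description "Accept Established/Related"
set firewall name PROTECT_Guest_IN rule 10 protocol all
set firewall name PROTECT_Guest_IN rule 10 state established enable
set firewall name PROTECT_Guest_IN rule 10 state related enable
set firewall name PROTECT_Guest_IN rule 20 action drop
set firewall name PROTECT_Guest_IN rule 20 description "Drop invalid"
set firewall name PROTECT_Guest_IN rule 20 protocol all
set firewall name PROTECT_Guest_IN rule 20 state invalid enable
set firewall name PROTECT_Guest_IN rule 30 action drop
set firewall name PROTECT_Guest_IN rule 30 description "Drop LAN and DMZ"
set firewall name PROTECT_Guest_IN rule 30 destination group network-group LAN_AND_DMZ
set firewall name PROTECT_Guest_IN rule 30 protocol all
commit

# --- PROTECT_LOCAL: traffic from the Guest and DMZ VLANs addressed to the ---
# --- router itself -----------------------------------------------------------
# Everything destined for the router is dropped except DNS and DHCP.
# A port list is written without spaces ("53,67"); a space would make the CLI
# read "67" as a separate argument.
set firewall name PROTECT_LOCAL
set firewall name PROTECT_LOCAL default-action drop
set firewall name PROTECT_LOCAL rule 10 action accept
set firewall name PROTECT_LOCAL rule 10 description "Accept DNS and DHCP"
set firewall name PROTECT_LOCAL rule 10 destination port 53,67
set firewall name PROTECT_LOCAL rule 10 protocol udp
# DNS also uses TCP/53 (truncated answers are retried over TCP). This rule is
# only needed if the router itself answers DNS for these VLANs; if it does
# not, the port is closed on the router and the rule can be omitted.
set firewall name PROTECT_LOCAL rule 20 action accept
set firewall name PROTECT_LOCAL rule 20 description "Accept DNS over TCP"
set firewall name PROTECT_LOCAL rule 20 destination port 53
set firewall name PROTECT_LOCAL rule 20 protocol tcp
commit

# --- Associate rulesets to VLAN interfaces (vif 10 = DMZ, vif 20 = Guest) ---
# "in" filters traffic arriving on the VLAN that is forwarded to another
# network; "local" filters traffic arriving on the VLAN that is addressed to
# the router itself. Both are needed: an "in" ruleset does not protect the
# router's own services.
set interfaces switch switch0 vif 10 firewall in name PROTECT_DMZ_IN
set interfaces switch switch0 vif 10 firewall local name PROTECT_LOCAL
set interfaces switch switch0 vif 20 firewall in name PROTECT_Guest_IN
set interfaces switch switch0 vif 20 firewall local name PROTECT_LOCAL
commit
save
exit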