mirror of
https://github.com/fwbuilder/fwbuilder
synced 2026-03-20 10:17:16 +01:00
686 lines
23 KiB
Plaintext
Executable File
686 lines
23 KiB
Plaintext
Executable File
;
|
|
; This is automatically generated file. DO NOT MODIFY !
|
|
;
|
|
; Firewall Builder fwb_procurve_acl v4.2.0.3483
|
|
;
|
|
; Generated Sun Feb 20 21:30:07 2011 PST by vadim
|
|
;
|
|
; Compiled for procurve_acl K.13
|
|
;
|
|
;# files: * testhp3.fw
|
|
;
|
|
; Using "safety net" script option
|
|
|
|
|
|
|
|
;
|
|
; Prolog script:
|
|
;
|
|
|
|
;
|
|
; End of prolog script:
|
|
;
|
|
|
|
|
|
|
|
; temporary access list for "safety net install"
|
|
no vlan 40 ip access-group tmp_acl in
|
|
no ip access-list extended tmp_acl
|
|
ip access-list extended tmp_acl
|
|
permit ip 10.10.11.10 0.0.0.0 any
|
|
deny ip any any
|
|
exit
|
|
vlan 40 ip access-group tmp_acl in
|
|
no vlan 10 ip access-group vlan_10_in in
|
|
no ip access-list extended vlan_10_in
|
|
|
|
no vlan 10 ip access-group vlan_10_out out
|
|
no ip access-list extended vlan_10_out
|
|
|
|
no vlan 20 ip access-group vlan_20_in in
|
|
no ip access-list extended vlan_20_in
|
|
|
|
no vlan 20 ip access-group vlan_20_out out
|
|
no ip access-list extended vlan_20_out
|
|
|
|
no vlan 401 ip access-group vlan_401_in in
|
|
no ip access-list extended vlan_401_in
|
|
|
|
no vlan 401 ip access-group vlan_401_out out
|
|
no ip access-list extended vlan_401_out
|
|
|
|
no vlan 402 ip access-group vlan_402_in in
|
|
no ip access-list extended vlan_402_in
|
|
|
|
no vlan 402 ip access-group vlan_402_out out
|
|
no ip access-list extended vlan_402_out
|
|
|
|
no vlan 40 ip access-group vlan_40_in in
|
|
no ip access-list extended vlan_40_in
|
|
|
|
no vlan 40 ip access-group vlan_40_out out
|
|
no ip access-list extended vlan_40_out
|
|
|
|
; ================ IPv4
|
|
|
|
|
|
ip access-list extended vlan_10_in
|
|
;
|
|
; Rule -1 backup ssh access rule (automatic)
|
|
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
|
|
;
|
|
; Rule 0 (vlan 10)
|
|
; anti-spoofing
|
|
deny ip 10.10.10.0 0.0.0.255 any log
|
|
deny ip 10.10.11.0 0.0.0.255 any log
|
|
deny ip 10.10.12.0 0.0.0.255 any log
|
|
;
|
|
; Rule 1 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 2 (vlan 20,vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 3 (testhp1 itf)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 4 (vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 7 (vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 10 (vlan 10)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 12 (global)
|
|
; interface ethernet1 has address on network 10.10.10.0/24,
|
|
; therefore net-10.10.10 is behind the router and we do
|
|
; not need to put rules 12-18 in outbound acl of eth0
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
;
|
|
; Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
;
|
|
; Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
;
|
|
; Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
;
|
|
; Rule 19 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 20 (global)
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_10_out
|
|
;
|
|
; Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
|
|
;
|
|
; Rule 2 (vlan 20,vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 3 (testhp1 itf)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 4 (vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 10 (vlan 10)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_20_in
|
|
;
|
|
; Rule -1 backup ssh access rule (automatic)
|
|
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
|
|
;
|
|
; Rule 1 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 2 (vlan 20,vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 3 (testhp1 itf)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 5 (vlan 20)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 8 (vlan 20)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 11 (vlan 20)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 12 (global)
|
|
; interface ethernet1 has address on network 10.10.10.0/24,
|
|
; therefore net-10.10.10 is behind the router and we do
|
|
; not need to put rules 12-18 in outbound acl of eth0
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
;
|
|
; Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
;
|
|
; Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
;
|
|
; Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
;
|
|
; Rule 19 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 20 (global)
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_20_out
|
|
;
|
|
; Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
|
|
;
|
|
; Rule 2 (vlan 20,vlan 10)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 3 (testhp1 itf)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 5 (vlan 20)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 11 (vlan 20)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_401_in
|
|
;
|
|
; Rule -1 backup ssh access rule (automatic)
|
|
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
|
|
;
|
|
; Rule 1 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 12 (global)
|
|
; interface ethernet1 has address on network 10.10.10.0/24,
|
|
; therefore net-10.10.10 is behind the router and we do
|
|
; not need to put rules 12-18 in outbound acl of eth0
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
;
|
|
; Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
;
|
|
; Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
;
|
|
; Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
;
|
|
; Rule 19 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 20 (global)
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_401_out
|
|
;
|
|
; Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_402_in
|
|
;
|
|
; Rule -1 backup ssh access rule (automatic)
|
|
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
|
|
;
|
|
; Rule 1 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 12 (global)
|
|
; interface ethernet1 has address on network 10.10.10.0/24,
|
|
; therefore net-10.10.10 is behind the router and we do
|
|
; not need to put rules 12-18 in outbound acl of eth0
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
;
|
|
; Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
;
|
|
; Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
;
|
|
; Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
;
|
|
; Rule 19 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 20 (global)
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_402_out
|
|
;
|
|
; Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
|
|
;
|
|
; Rule 1 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 12 (global)
|
|
; interface ethernet1 has address on network 10.10.10.0/24,
|
|
; therefore net-10.10.10 is behind the router and we do
|
|
; not need to put rules 12-18 in outbound acl of eth0
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
;
|
|
; Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
;
|
|
; Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
;
|
|
; Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
;
|
|
; Rule 19 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 20 (global)
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_40_in
|
|
;
|
|
; Rule -1 backup ssh access rule (automatic)
|
|
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
|
|
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
|
|
;
|
|
; Rule 1 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 6 (global)
|
|
permit ip any 10.10.10.0 0.0.0.255
|
|
permit ip any 10.10.11.0 0.0.0.255
|
|
permit ip any 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 9 (global)
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
|
|
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
|
|
;
|
|
; Rule 12 (global)
|
|
; interface ethernet1 has address on network 10.10.10.0/24,
|
|
; therefore net-10.10.10 is behind the router and we do
|
|
; not need to put rules 12-18 in outbound acl of eth0
|
|
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 13 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
|
|
;
|
|
; Rule 14 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
|
|
;
|
|
; Rule 15 (global)
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
|
|
;
|
|
; Rule 16 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 17 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
|
|
;
|
|
; Rule 18 (global)
|
|
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
|
|
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
|
|
;
|
|
; Rule 19 (global)
|
|
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 20 (global)
|
|
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
ip access-list extended vlan_40_out
|
|
;
|
|
; Rule -2 backup ssh access rule (out) (automatic)
|
|
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
|
|
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
|
|
;
|
|
; Rule 21 (global)
|
|
deny ip any any log
|
|
exit
|
|
|
|
|
|
vlan 10 ip access-group vlan_10_in in
|
|
vlan 10 ip access-group vlan_10_out out
|
|
vlan 20 ip access-group vlan_20_in in
|
|
vlan 20 ip access-group vlan_20_out out
|
|
vlan 401 ip access-group vlan_401_in in
|
|
vlan 401 ip access-group vlan_401_out out
|
|
vlan 402 ip access-group vlan_402_in in
|
|
vlan 402 ip access-group vlan_402_out out
|
|
vlan 40 ip access-group vlan_40_in in
|
|
vlan 40 ip access-group vlan_40_out out
|
|
|
|
|
|
|
|
|
|
|
|
;
|
|
; Epilog script:
|
|
;
|
|
|
|
; End of epilog script:
|
|
;
|