onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 09:47:20 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/procurve_acl/testhp4.fw.orig

950 lines
32 KiB
Plaintext
Executable File
Raw Blame History

;
; This is automatically generated file. DO NOT MODIFY !
;
; Firewall Builder fwb_procurve_acl v4.2.0.3499
;
; Generated Fri Mar 11 12:20:05 2011 PST by vadim
;
; Compiled for procurve_acl K.13
;
;# files: * testhp4.fw
;
; Using "safety net" script option, management interface is not a vlan
;
; Prolog script:
;
;
; End of prolog script:
;
; temporary access list for "safety net install"
interface a1
no ip access-group tmp_acl in
exit
no ip access-list extended tmp_acl
ip access-list extended tmp_acl
permit ip 10.10.11.10 0.0.0.0 any
deny ip any any
exit
interface a1
ip access-group tmp_acl in
exit
interface a1
no ip access-group a1_in in
exit
no ip access-list extended a1_in
interface a1
no ip access-group a1_out out
exit
no ip access-list extended a1_out
no vlan 10 ip access-group vlan_10_in in
no ip access-list extended vlan_10_in
no vlan 10 ip access-group vlan_10_out out
no ip access-list extended vlan_10_out
no vlan 20 ip access-group vlan_20_in in
no ip access-list extended vlan_20_in
no vlan 20 ip access-group vlan_20_out out
no ip access-list extended vlan_20_out
no vlan 401 ip access-group vlan_401_in in
no ip access-list extended vlan_401_in
no vlan 401 ip access-group vlan_401_out out
no ip access-list extended vlan_401_out
no vlan 402 ip access-group vlan_402_in in
no ip access-list extended vlan_402_in
no vlan 402 ip access-group vlan_402_out out
no ip access-list extended vlan_402_out
no vlan 40 ip access-group vlan_40_in in
no ip access-list extended vlan_40_in
no vlan 40 ip access-group vlan_40_out out
no ip access-list extended vlan_40_out
; ================ IPv4
ip access-list extended a1_in
;
; Rule -1 backup ssh access rule (automatic)
remark "-1 backup ssh access rule (automatic)"
permit tcp host 10.10.11.10 host 10.10.1.1 eq 22
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 6 (global)
remark "6 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended a1_out
;
; Rule -2 backup ssh access rule (out) (automatic)
remark "-2 backup ssh access rule (out) (automatic)"
permit tcp host 10.10.1.1 eq 22 host 10.10.11.10
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_10_in
;
; Rule -1 backup ssh access rule (automatic)
remark "-1 backup ssh access rule (automatic)"
permit tcp host 10.10.11.10 host 10.10.1.1 eq 22
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
;
; Rule 0 (vlan 10)
; anti-spoofing
remark "0 (vlan 10)"
remark anti-spoofing
deny ip 10.10.10.0 0.0.0.255 any log
deny ip 10.10.11.0 0.0.0.255 any log
deny ip 10.10.12.0 0.0.0.255 any log
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 2 (vlan 20,vlan 10)
remark "2 (vlan 20,vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 3 (testhp1 itf)
remark "3 (testhp1 itf)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 4 (vlan 10)
remark "4 (vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 6 (global)
remark "6 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 7 (vlan 10)
remark "7 (vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 10 (vlan 10)
remark "10 (vlan 10)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_10_out
;
; Rule -2 backup ssh access rule (out) (automatic)
remark "-2 backup ssh access rule (out) (automatic)"
permit tcp host 10.10.1.1 eq 22 host 10.10.11.10
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
;
; Rule 2 (vlan 20,vlan 10)
remark "2 (vlan 20,vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 3 (testhp1 itf)
remark "3 (testhp1 itf)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 4 (vlan 10)
remark "4 (vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 10 (vlan 10)
remark "10 (vlan 10)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_20_in
;
; Rule -1 backup ssh access rule (automatic)
remark "-1 backup ssh access rule (automatic)"
permit tcp host 10.10.11.10 host 10.10.1.1 eq 22
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 2 (vlan 20,vlan 10)
remark "2 (vlan 20,vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 3 (testhp1 itf)
remark "3 (testhp1 itf)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 5 (vlan 20)
remark "5 (vlan 20)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 6 (global)
remark "6 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 8 (vlan 20)
remark "8 (vlan 20)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 11 (vlan 20)
remark "11 (vlan 20)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_20_out
;
; Rule -2 backup ssh access rule (out) (automatic)
remark "-2 backup ssh access rule (out) (automatic)"
permit tcp host 10.10.1.1 eq 22 host 10.10.11.10
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
;
; Rule 2 (vlan 20,vlan 10)
remark "2 (vlan 20,vlan 10)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 3 (testhp1 itf)
remark "3 (testhp1 itf)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 5 (vlan 20)
remark "5 (vlan 20)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 11 (vlan 20)
remark "11 (vlan 20)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_401_in
;
; Rule -1 backup ssh access rule (automatic)
remark "-1 backup ssh access rule (automatic)"
permit tcp host 10.10.11.10 host 10.10.1.1 eq 22
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 6 (global)
remark "6 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_401_out
;
; Rule -2 backup ssh access rule (out) (automatic)
remark "-2 backup ssh access rule (out) (automatic)"
permit tcp host 10.10.1.1 eq 22 host 10.10.11.10
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_402_in
;
; Rule -1 backup ssh access rule (automatic)
remark "-1 backup ssh access rule (automatic)"
permit tcp host 10.10.11.10 host 10.10.1.1 eq 22
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 6 (global)
remark "6 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_402_out
;
; Rule -2 backup ssh access rule (out) (automatic)
remark "-2 backup ssh access rule (out) (automatic)"
permit tcp host 10.10.1.1 eq 22 host 10.10.11.10
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_40_in
;
; Rule -1 backup ssh access rule (automatic)
remark "-1 backup ssh access rule (automatic)"
permit tcp host 10.10.11.10 host 10.10.1.1 eq 22
permit tcp host 10.10.11.10 host 10.10.10.1 eq 22
permit tcp host 10.10.11.10 host 10.10.11.1 eq 22
permit tcp host 10.10.11.10 host 10.10.12.1 eq 22
;
; Rule 1 (global)
remark "1 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 6 (global)
remark "6 (global)"
permit ip any 10.10.10.0 0.0.0.255
permit ip any 10.10.11.0 0.0.0.255
permit ip any 10.10.12.0 0.0.0.255
;
; Rule 9 (global)
remark "9 (global)"
permit ip 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.21.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.22.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 22.22.23.0 0.0.0.255 10.10.12.0 0.0.0.255
;
; Rule 12 (global)
; interface ethernet1 has address on network 10.10.10.0/24,
; therefore net-10.10.10 is behind the router and we do
; not need to put rules 12-18 in outbound acl of eth0
remark "12 (global)"
remark "interface ethernet1 has address on network 10.10.10.0/24,"
remark "therefore net-10.10.10 is behind the router and we do"
remark "not need to put rules 12-18 in outbound acl of eth0"
permit 47 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
permit 51 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 13 (global)
remark "13 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 3
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 11
;
; Rule 14 (global)
remark "14 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 21
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
;
; Rule 15 (global)
remark "15 (global)"
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 4000
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 500
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 53
;
; Rule 16 (global)
remark "16 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 established
;
; Rule 17 (global)
remark "17 (global)"
permit tcp 22.22.21.0 0.0.0.255 eq 80 10.10.10.0 0.0.0.255 established
;
; Rule 18 (global)
remark "18 (global)"
permit icmp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 0
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 179
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 79
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 123
permit udp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 26000
;
; Rule 19 (global)
remark "19 (global)"
permit tcp 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 20 (global)
remark "20 (global)"
permit 50 22.22.21.0 0.0.0.255 10.10.10.0 0.0.0.255
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
ip access-list extended vlan_40_out
;
; Rule -2 backup ssh access rule (out) (automatic)
remark "-2 backup ssh access rule (out) (automatic)"
permit tcp host 10.10.1.1 eq 22 host 10.10.11.10
permit tcp host 10.10.10.1 eq 22 host 10.10.11.10
permit tcp host 10.10.11.1 eq 22 host 10.10.11.10
permit tcp host 10.10.12.1 eq 22 host 10.10.11.10
;
; Rule 21 (global)
remark "21 (global)"
deny ip any any log
exit
interface a1
ip access-group a1_in in
exit
interface a1
ip access-group a1_out out
exit
vlan 10 ip access-group vlan_10_in in
vlan 10 ip access-group vlan_10_out out
vlan 20 ip access-group vlan_20_in in
vlan 20 ip access-group vlan_20_out out
vlan 401 ip access-group vlan_401_in in
vlan 401 ip access-group vlan_401_out out
vlan 402 ip access-group vlan_402_in in
vlan 402 ip access-group vlan_402_out out
vlan 40 ip access-group vlan_40_in in
vlan 40 ip access-group vlan_40_out out
;
; Epilog script:
;
; End of epilog script:
;
Reference in New Issue View Git Blame Copy Permalink