Tools - ZonesExampleConfigBoot

 /* Zone-based firewall example (EdgeOS/VyOS config.boot syntax). There is one IPv4 ruleset ("name") and one IPv6 ruleset ("ipv6-name") per ordered zone pair (from-to). Rules are evaluated in ascending rule number regardless of listing order, so rule 1 (accept established/related) and rule 2 (drop + log invalid) always run before the 100+ service rules. Every ruleset ends in default-action drop with enable-default-log, so all unmatched traffic is logged. Addresses use RFC 1918 space and the 2001:db8::/32 documentation prefix, i.e. example values. */
 firewall {
   /* DMZ -> LAN (IPv6): only ICMPv6 and return traffic; no new sessions from DMZ into LAN. */
   ipv6-name dmz-lan-6 {
       default-action drop
       enable-default-log
       /* ICMPv6 carries neighbor discovery and path-MTU discovery, so accepting it is the usual IPv6 baseline; it is logged here. */
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* Return traffic for sessions already tracked by conntrack. */
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       /* Packets conntrack cannot classify are dropped and logged (useful detection signal). */
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* DMZ -> router itself (IPv6). NOTE(review): this ruleset is never referenced from zone-policy (zone local only binds IPv4 "name" rulesets), so it is presumably inactive — confirm. */
   ipv6-name dmz-local-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* Port 123 is NTP, which normally runs over UDP; with protocol tcp this rule presumably does not match NTP — confirm intent. */
       rule 400 {
           action accept
           destination {
               port 123
           }
           log enable
           protocol tcp
       }
       /* DNS to the router (tcp and udp). */
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
       }
       /* Ports 67/68 are DHCPv4; DHCPv6 uses UDP 546/547, so in an IPv6 ruleset this rule presumably never matches DHCP — confirm. */
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* DMZ -> WAN (IPv6): web, FTP, SSH out from any DMZ host; SMTP and DNS out only from the single DMZ server. */
   ipv6-name dmz-wan-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* HTTP/HTTPS outbound. */
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       /* FTP control/data ports outbound. */
       rule 300 {
           action accept
           destination {
               port 20,21
           }
           log enable
           protocol tcp
       }
       /* SMTP outbound, restricted to the DMZ server address (limits which host may send mail). */
       rule 500 {
           action accept
           destination {
               port 25
           }
           log enable
           protocol tcp
           source {
               address 2001:db8:0:BBBB::200
           }
       }
       /* DNS outbound, same single-host source restriction. */
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
           source {
               address 2001:db8:0:BBBB::200
           }
       }
       /* SSH outbound from any DMZ host. */
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* LAN -> DMZ (IPv6): web and SSH to any DMZ host, IMAPS only to the DMZ server. */
   ipv6-name lan-dmz-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       /* SSH from any LAN host to any DMZ host (no source restriction, unlike lan-local-6 rule 800). */
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       /* IMAPS (993) to the DMZ server only. */
       rule 900 {
           action accept
           destination {
               address 2001:db8:0:BBBB::200
               port 993
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* LAN -> router itself (IPv6). NOTE(review): not referenced from zone-policy (zone local binds only IPv4 rulesets) — presumably inactive, confirm. */
   ipv6-name lan-local-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* NTP port over tcp — see dmz-local-6 rule 400; NTP is normally UDP. */
       rule 400 {
           action accept
           destination {
               port 123
           }
           log enable
           protocol tcp
       }
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
       }
       /* DHCPv4 ports in an IPv6 ruleset — see dmz-local-6 rule 700. */
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       /* SSH management of the router, limited to one LAN host. */
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
           source {
               address 2001:db8:0:AAAA::10
           }
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* LAN -> WAN (IPv6). */
   ipv6-name lan-wan-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       rule 300 {
           action accept
           destination {
               port 20,21
           }
           log enable
           protocol tcp
       }
       /* NOTE(review): this rule has no match criteria, so it accepts ALL remaining lan->wan IPv6 traffic (unlogged); rules 200/300/800 and the default drop are therefore moot. Sibling rulesets use rule 400 for destination port 123 — the port/protocol is presumably missing here; confirm. */
       rule 400 {
           action accept
       }
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* Router -> DMZ (IPv6). NOTE(review): unlike the IPv4 local-dmz ruleset, rules 500/600 here are not limited to the DMZ server address. */
   ipv6-name local-dmz-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* SMTP from the router to any DMZ host. */
       rule 500 {
           action accept
           destination {
               port 25
           }
           log enable
           protocol tcp
       }
       /* DNS from the router to any DMZ host. */
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
       }
       /* DHCPv4 ports in an IPv6 ruleset — see dmz-local-6 rule 700. */
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* Router -> LAN (IPv6): ICMPv6 and (IPv4-style) DHCP ports only. */
   ipv6-name local-lan-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* DHCPv4 ports in an IPv6 ruleset — see dmz-local-6 rule 700. */
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* Router -> WAN (IPv6). NOTE(review): the IPv4 local-wan ruleset also allows NTP (400) and SMTP (500); they are absent here — confirm whether intended. */
   ipv6-name local-wan-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       rule 300 {
           action accept
           destination {
               port 20,21
           }
           log enable
           protocol tcp
       }
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* WAN -> DMZ (IPv6): inbound SMTP and DNS. NOTE(review): the IPv4 wan-dmz ruleset pins rules 500/600 to the DMZ server address; here any DMZ host is reachable on 25/53 — confirm. */
   ipv6-name wan-dmz-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       /* Inbound SMTP from the Internet. */
       rule 500 {
           action accept
           destination {
               port 25
           }
           log enable
           protocol tcp
       }
       /* Inbound DNS from the Internet. */
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* WAN -> LAN (IPv6): no inbound sessions; ICMPv6 and return traffic only. */
   ipv6-name wan-lan-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* WAN -> router itself (IPv6): no management exposure; ICMPv6 and return traffic only. NOTE(review): not referenced from zone-policy (zone local binds only IPv4 rulesets) — confirm how IPv6 from wan to the router is handled. */
   ipv6-name wan-local-6 {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol ipv6-icmp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* ---- IPv4 rulesets; same structure as the IPv6 ones above, differences noted per ruleset. ---- */
   /* DMZ -> LAN (IPv4): ICMP and return traffic only. */
   name dmz-lan {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* DMZ -> router itself (IPv4): NTP port, DNS, DHCP. */
   name dmz-local {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       /* NTP port over tcp; NTP is normally UDP — confirm intent (same as the -6 rulesets). */
       rule 400 {
           action accept
           destination {
               port 123
           }
           log enable
           protocol tcp
       }
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
       }
       /* DHCPv4 to the router (server/client ports). */
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* DMZ -> WAN (IPv4): mirrors dmz-wan-6; SMTP and DNS out only from the DMZ server. */
   name dmz-wan {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       rule 300 {
           action accept
           destination {
               port 20,21
           }
           log enable
           protocol tcp
       }
       /* SMTP outbound, single-host source restriction. */
       rule 500 {
           action accept
           destination {
               port 25
           }
           log enable
           protocol tcp
           source {
               address 192.168.200.200
           }
       }
       /* DNS outbound, single-host source restriction. */
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
           source {
               address 192.168.200.200
           }
       }
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* LAN -> DMZ (IPv4): mirrors lan-dmz-6. */
   name lan-dmz {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       /* SSH to any DMZ host from any LAN host. */
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       /* IMAPS to the DMZ server only. */
       rule 900 {
           action accept
           destination {
               address 192.168.200.200
               port 993
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* LAN -> router itself (IPv4): mirrors lan-local-6; this is the ruleset zone-policy actually binds for lan->local. */
   name lan-local {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       /* NTP port over tcp — NTP is normally UDP; confirm intent. */
       rule 400 {
           action accept
           destination {
               port 123
           }
           log enable
           protocol tcp
       }
       rule 600 {
           action accept
           destination {
               port 53
           }
           log enable
           protocol tcp_udp
       }
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       /* SSH management of the router, limited to one LAN host. */
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
           source {
               address 192.168.100.10
           }
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* LAN -> WAN (IPv4). */
   name lan-wan {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       rule 300 {
           action accept
           destination {
               port 20,21
           }
           log enable
           protocol tcp
       }
       /* NOTE(review): same defect as lan-wan-6 rule 400 — no match criteria, so every remaining lan->wan IPv4 packet is accepted without logging and the default drop never applies. Presumably destination port 123 / protocol tcp was intended; confirm. */
       rule 400 {
           action accept
       }
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* Router -> DMZ (IPv4): SMTP and DNS pinned to the DMZ server address (tighter than local-dmz-6). */
   name local-dmz {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 500 {
           action accept
           destination {
               address 192.168.200.200
               port 25
           }
           log enable
           protocol tcp
       }
       rule 600 {
           action accept
           destination {
               address 192.168.200.200
               port 53
           }
           log enable
           protocol tcp_udp
       }
       /* DHCPv4 from the router to the DMZ. */
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* Router -> LAN (IPv4): ICMP and DHCPv4 only. */
   name local-lan {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 700 {
           action accept
           destination {
               port 67,68
           }
           log enable
           protocol udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* Router -> WAN (IPv4): web, FTP, NTP port, SMTP, SSH outbound from the router itself. */
   name local-wan {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 200 {
           action accept
           destination {
               port 80,443
           }
           log enable
           protocol tcp
       }
       rule 300 {
           action accept
           destination {
               port 20,21
           }
           log enable
           protocol tcp
       }
       /* NTP port over tcp — NTP is normally UDP; confirm intent. */
       rule 400 {
           action accept
           destination {
               port 123
           }
           log enable
           protocol tcp
       }
       /* SMTP from the router; not present in local-wan-6. */
       rule 500 {
           action accept
           destination {
               port 25
           }
           log enable
           protocol tcp
       }
       rule 800 {
           action accept
           destination {
               port 22
           }
           log enable
           protocol tcp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* WAN -> DMZ (IPv4): only SMTP and DNS, and only to the DMZ server. No ICMP rule here, unlike wan-dmz-6 — presumably intentional (IPv4 does not depend on ICMP the way IPv6 depends on ICMPv6); confirm. */
   name wan-dmz {
       default-action drop
       enable-default-log
       rule 500 {
           action accept
           destination {
               address 192.168.200.200
               port 25
           }
           log enable
           protocol tcp
       }
       rule 600 {
           action accept
           destination {
               address 192.168.200.200
               port 53
           }
           log enable
           protocol tcp_udp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* WAN -> LAN (IPv4): return traffic only; inbound ICMP is also dropped (wan-lan-6 accepts ICMPv6). */
   name wan-lan {
       default-action drop
       enable-default-log
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
   /* WAN -> router itself (IPv4): ICMP and return traffic only; no management services are exposed to the WAN. */
   name wan-local {
       default-action drop
       enable-default-log
       rule 100 {
           action accept
           log enable
           protocol icmp
       }
       rule 1 {
           action accept
           state {
               established enable
               related enable
           }
       }
       rule 2 {
           action drop
           log enable
           state {
               invalid enable
           }
       }
   }
} interfaces {

   /* NOTE(review): the line above fuses the closing brace of "firewall" with the "interfaces" header (same for "zone-policy" below); config.boot normally places them on separate lines — presumably a rendering artifact of this page. All three zones are VLAN sub-interfaces of eth0 (router-on-a-stick); eth1/eth2 are unused. */
   ethernet eth0 {
       /* VLAN 10 = wan zone (see zone-policy). */
       vif 10 {
           address 172.16.10.1/24
           address 2001:db8:0:9999::1/64
       }
       /* VLAN 20 = lan zone; 192.168.100.10 / 2001:db8:0:AAAA::10 in this subnet is the SSH management host allowed by the lan-local rulesets. */
       vif 20 {
           address 192.168.100.1/24
           address 2001:db8:0:AAAA::1/64
       }
       /* VLAN 30 = dmz zone; 192.168.200.200 / 2001:db8:0:BBBB::200 in this subnet is the DMZ server referenced by the firewall rules. */
       vif 30 {
           address 192.168.200.1/24
           address 2001:db8:0:BBBB::1/64
       }
   }
   ethernet eth1 {
   }
   ethernet eth2 {
   }
   loopback lo {
   }
} zone-policy {

   /* Each zone lists, per source zone, the IPv4 ("name") and IPv6 ("ipv6-name") rulesets applied to traffic entering it; default-action drop covers source zones with no "from" entry. */
   zone dmz {
       default-action drop
       from lan {
           firewall {
               ipv6-name lan-dmz-6
               name lan-dmz
           }
       }
       from local {
           firewall {
               ipv6-name local-dmz-6
               name local-dmz
           }
       }
       from wan {
           firewall {
               ipv6-name wan-dmz-6
               name wan-dmz
           }
       }
       interface eth0.30
   }
   zone lan {
       default-action drop
       from dmz {
           firewall {
               ipv6-name dmz-lan-6
               name dmz-lan
           }
       }
       from local {
           firewall {
               ipv6-name local-lan-6
               name local-lan
           }
       }
       from wan {
           firewall {
               ipv6-name wan-lan-6
               name wan-lan
           }
       }
       interface eth0.20
   }
   /* NOTE(review): the local zone (the router itself) binds only IPv4 rulesets; the dmz-local-6, lan-local-6 and wan-local-6 rulesets defined above are unreferenced. How IPv6 traffic addressed to the router is then treated (presumably the zone default-action drop, which would also affect ICMPv6/NDP and DNS to the router) should be confirmed on the target platform. */
   zone local {
       default-action drop
       from dmz {
           firewall {
               name dmz-local
           }
       }
       from lan {
           firewall {
               name lan-local
           }
       }
       from wan {
           firewall {
               name wan-local
           }
       }
       local-zone
   }
   zone wan {
       default-action drop
       from dmz {
           firewall {
               ipv6-name dmz-wan-6
               name dmz-wan
           }
       }
       from lan {
           firewall {
               ipv6-name lan-wan-6
               name lan-wan
           }
       }
       from local {
           firewall {
               ipv6-name local-wan-6
               name local-wan
           }
       }
       interface eth0.10
   }
}