First I filter IPv4 traffic coming from other DN42 addresses (the ‘WAN’, i.e. anything arriving on a wg* peer tunnel) into my DN42 range (the ‘LAN’):
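# Define some ports
# Caddy's listener ports. The group is matched with protocol tcp_udp below, so UDP is
# accepted on all three; UDP is only meaningful on 443 for HTTP/3 (QUIC).
# NOTE(review): if QUIC is not served, change rule 50 to 'protocol tcp' instead.
set firewall group port-group CADDY_PORTS port 80
set firewall group port-group CADDY_PORTS port 443
set firewall group port-group CADDY_PORTS port 8811
# Chain DN42_IN: forwarded (not router-addressed) packets that arrived on a wg* tunnel.
# Default deny; rules are evaluated in ascending number order, first match wins.
set firewall ipv4 name DN42_IN default-action drop
set firewall ipv4 name DN42_IN description 'DN42 to internal'
# Allow established/related traffic
set firewall ipv4 name DN42_IN rule 10 action accept
set firewall ipv4 name DN42_IN rule 10 description 'Allow established/related'
set firewall ipv4 name DN42_IN rule 10 state established
set firewall ipv4 name DN42_IN rule 10 state related
# Drop packets with invalid state. This must come BEFORE the transit accept: in the
# original ordering the transit rule matched first, so conntrack-invalid transit
# packets were forwarded and this drop was never reached for them.
set firewall ipv4 name DN42_IN rule 20 action drop
set firewall ipv4 name DN42_IN rule 20 description 'Drop invalid state'
set firewall ipv4 name DN42_IN rule 20 state invalid
# Anti-spoofing: nothing arriving from a peer tunnel should claim a source inside our own
# range. Without this, the per-service accepts below (40/50/60) would also admit packets
# that merely pretend to come from the LAN.
# Assumes all of 172.23.38.64/27 sits behind this router; relax if part of the range is
# legitimately reachable via DN42.
set firewall ipv4 name DN42_IN rule 25 action drop
set firewall ipv4 name DN42_IN rule 25 description 'Drop spoofed source from our own range'
set firewall ipv4 name DN42_IN rule 25 source address 172.23.38.64/27
# Allow transit traffic (neither endpoint is in our range). The source negation is now
# redundant with rule 25 but is kept so the rule is self-describing.
set firewall ipv4 name DN42_IN rule 30 action accept
set firewall ipv4 name DN42_IN rule 30 description 'Forward DN42 transit traffic - i.e. anything not to/from us'
set firewall ipv4 name DN42_IN rule 30 destination address !172.23.38.64/27
set firewall ipv4 name DN42_IN rule 30 source address !172.23.38.64/27
# Allow DNS to my authoritative DNS server for f333.dn42 (both transports, as zone
# transfers and large answers fall back to TCP)
set firewall ipv4 name DN42_IN rule 40 action accept
set firewall ipv4 name DN42_IN rule 40 description 'Allow DNS to ns1.f333.dn42'
set firewall ipv4 name DN42_IN rule 40 destination address 172.23.38.68
set firewall ipv4 name DN42_IN rule 40 destination port 53
set firewall ipv4 name DN42_IN rule 40 protocol tcp_udp
# Allow HTTP(s) to this website
set firewall ipv4 name DN42_IN rule 50 action accept
set firewall ipv4 name DN42_IN rule 50 description 'Allow web access to Caddy on www.f333.dn42'
set firewall ipv4 name DN42_IN rule 50 destination address 172.23.38.69
set firewall ipv4 name DN42_IN rule 50 destination group port-group CADDY_PORTS
set firewall ipv4 name DN42_IN rule 50 protocol tcp_udp
# Allow ICMP (pings etc) to any host in our range
set firewall ipv4 name DN42_IN rule 60 action accept
set firewall ipv4 name DN42_IN rule 60 description 'Allow icmp'
set firewall ipv4 name DN42_IN rule 60 protocol icmp
# Attach the chain to the forward hook for packets that entered on any wg* interface
# (presumably the WireGuard peer tunnels). Traffic entering on other interfaces is not
# subject to this chain.
set firewall ipv4 forward filter rule 5 action 'jump'
set firewall ipv4 forward filter rule 5 inbound-interface name 'wg*'
set firewall ipv4 forward filter rule 5 jump-target 'DN42_IN'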
Next, for traffic addressed to the router itself, I block everything from DN42 except established/related replies, ICMP and BGP (TCP port 179):
# Chain DN42_LOCAL: packets from a wg* tunnel that are addressed to the router (input hook).
# Everything not explicitly accepted below is dropped.
set firewall ipv4 name DN42_LOCAL description 'DN42 to router'
set firewall ipv4 name DN42_LOCAL default-action 'drop'
# Rule 20 - replies to sessions the router opened itself (e.g. outbound BGP, DNS lookups)
set firewall ipv4 name DN42_LOCAL rule 20 description 'Allow established/related'
set firewall ipv4 name DN42_LOCAL rule 20 state 'established'
set firewall ipv4 name DN42_LOCAL rule 20 state 'related'
set firewall ipv4 name DN42_LOCAL rule 20 action 'accept'
# Rule 30 - anything conntrack cannot classify is discarded before the service accepts
set firewall ipv4 name DN42_LOCAL rule 30 description 'Drop invalid state'
set firewall ipv4 name DN42_LOCAL rule 30 state 'invalid'
set firewall ipv4 name DN42_LOCAL rule 30 action 'drop'
# Rule 40 - ICMP (ping, unreachables, fragmentation-needed) from any peer
set firewall ipv4 name DN42_LOCAL rule 40 description 'Allow icmp'
set firewall ipv4 name DN42_LOCAL rule 40 protocol 'icmp'
set firewall ipv4 name DN42_LOCAL rule 40 action 'accept'
# Rule 50 - inbound BGP sessions. NOTE(review): the source is not pinned to the configured
# neighbour addresses, so any host that can reach the router over a wg* tunnel can open
# TCP/179; the BGP daemon's own neighbour matching is then the remaining control.
set firewall ipv4 name DN42_LOCAL rule 50 description 'Allow BGP'
set firewall ipv4 name DN42_LOCAL rule 50 protocol 'tcp'
set firewall ipv4 name DN42_LOCAL rule 50 destination port '179'
set firewall ipv4 name DN42_LOCAL rule 50 action 'accept'
# Hook the chain into the input filter for packets arriving on any wg* interface
set firewall ipv4 input filter rule 5 inbound-interface name 'wg*'
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 jump-target 'DN42_LOCAL'
For IPv6 the rules are similar, again remembering to allow transit traffic. Note that this chain has no equivalent of the IPv4 DNS and web rules, so new inbound connections from DN42 to hosts in my /48 are not accepted over IPv6 by this chain:
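# Chain DN42v6_IN: forwarded IPv6 packets that arrived on a wg* tunnel. Default deny.
# Unlike the IPv4 chain there are no per-service accepts here, so only transit,
# replies and ICMPv6 reach our /48 -- NOTE(review): confirm that is intended.
set firewall ipv6 name DN42v6_IN default-action drop
set firewall ipv6 name DN42v6_IN description 'DN42 to internal'
# Replies to sessions opened from inside our range
set firewall ipv6 name DN42v6_IN rule 10 action accept
set firewall ipv6 name DN42v6_IN rule 10 description 'Allow established/related sessions'
set firewall ipv6 name DN42v6_IN rule 10 state established
set firewall ipv6 name DN42v6_IN rule 10 state related
# Drop invalid-state packets BEFORE the transit accept; in the original ordering the
# transit rule came first, so invalid transit packets were forwarded and never reached
# this drop.
set firewall ipv6 name DN42v6_IN rule 20 action drop
set firewall ipv6 name DN42v6_IN rule 20 description 'Drop invalid state'
set firewall ipv6 name DN42v6_IN rule 20 state invalid
# Anti-spoofing: a packet arriving from a peer must not carry a source inside our own /48,
# otherwise the ICMPv6 accept below would forward packets that pretend to be from our LAN.
# Assumes the whole fdb0:f750:cce0::/48 sits behind this router.
set firewall ipv6 name DN42v6_IN rule 25 action drop
set firewall ipv6 name DN42v6_IN rule 25 description 'Drop spoofed source from our own range'
set firewall ipv6 name DN42v6_IN rule 25 source address fdb0:f750:cce0::/48
# Transit: neither endpoint is in our range (source negation now redundant with rule 25)
set firewall ipv6 name DN42v6_IN rule 30 action accept
set firewall ipv6 name DN42v6_IN rule 30 description 'Forward DN42 transit traffic - i.e. anything not to/from us'
set firewall ipv6 name DN42v6_IN rule 30 destination address !fdb0:f750:cce0::/48
set firewall ipv6 name DN42v6_IN rule 30 source address !fdb0:f750:cce0::/48
# ICMPv6 is accepted wholesale: path-MTU discovery and error reporting depend on it and
# IPv6 breaks in hard-to-debug ways when it is filtered.
set firewall ipv6 name DN42v6_IN rule 40 action accept
set firewall ipv6 name DN42v6_IN rule 40 description 'Allow IPv6 icmp'
set firewall ipv6 name DN42v6_IN rule 40 protocol icmpv6
# Attach to the forward hook for packets that entered on any wg* interface
set firewall ipv6 forward filter rule 5 action 'jump'
set firewall ipv6 forward filter rule 5 inbound-interface name 'wg*'
set firewall ipv6 forward filter rule 5 jump-target 'DN42v6_IN'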
# Chain DN42v6_LOCAL: IPv6 packets from a wg* tunnel addressed to the router (input hook).
# Everything not explicitly accepted below is dropped.
set firewall ipv6 name DN42v6_LOCAL description 'DN42 to router'
set firewall ipv6 name DN42v6_LOCAL default-action 'drop'
# Rule 10 - replies to sessions the router opened itself
set firewall ipv6 name DN42v6_LOCAL rule 10 description 'Allow established/related sessions'
set firewall ipv6 name DN42v6_LOCAL rule 10 state 'established'
set firewall ipv6 name DN42v6_LOCAL rule 10 state 'related'
set firewall ipv6 name DN42v6_LOCAL rule 10 action 'accept'
# Rule 20 - discard what conntrack cannot classify before the service accepts
set firewall ipv6 name DN42v6_LOCAL rule 20 description 'Drop invalid state'
set firewall ipv6 name DN42v6_LOCAL rule 20 state 'invalid'
set firewall ipv6 name DN42v6_LOCAL rule 20 action 'drop'
# Rule 30 - all ICMPv6; neighbour discovery and path-MTU signalling to the router need it
set firewall ipv6 name DN42v6_LOCAL rule 30 description 'Allow IPv6 icmp'
set firewall ipv6 name DN42v6_LOCAL rule 30 protocol 'icmpv6'
set firewall ipv6 name DN42v6_LOCAL rule 30 action 'accept'
# Rule 40 - inbound BGP. NOTE(review): as with IPv4, the source is not restricted to the
# configured neighbours, so any host reachable over a wg* tunnel can connect to TCP/179.
set firewall ipv6 name DN42v6_LOCAL rule 40 description 'Allow BGP'
set firewall ipv6 name DN42v6_LOCAL rule 40 protocol 'tcp'
set firewall ipv6 name DN42v6_LOCAL rule 40 destination port '179'
set firewall ipv6 name DN42v6_LOCAL rule 40 action 'accept'
# Hook the chain into the input filter for packets arriving on any wg* interface
set firewall ipv6 input filter rule 5 inbound-interface name 'wg*'
set firewall ipv6 input filter rule 5 action 'jump'
set firewall ipv6 input filter rule 5 jump-target 'DN42v6_LOCAL'