# IPv6 rules

# Accept DHCPv6 replies arriving from the WAN zone on the client port
# (UDP 546) so the WAN interface can obtain an IPv6 lease.
# NOTE(review): no src_ip/dest_ip scoping is applied, so replies are
# accepted from any IPv6 source; OpenWrt's stock Allow-DHCPv6 rule scopes
# both ends to fc00::/6 — confirm whether that narrowing is wanted here.
config template_rule 'ip6_dhcp'
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept Multicast Listener Discovery from the WAN zone, but only when the
# source is link-local (fe80::/10); MLD is never legitimately routed.
# Entries are ICMPv6 type/code: 130 query, 131 MLDv1 report,
# 132 MLDv1 done, 143 MLDv2 report.
config template_rule 'ip6_mld'
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the ICMPv6 types the router itself needs from the WAN zone:
# echo, path-MTU/error reporting and the NDP messages (RS/RA/NS/NA).
# The 1000/sec limit is shared by every type listed here, not per type,
# so a flood of one type can starve the others (e.g. NDP).
# NOTE(review): unlike ip6_mld, the NDP types are not restricted to
# link-local sources — confirm that is intended.
config template_rule 'ip6_icmp'
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward a reduced ICMPv6 set from the WAN zone to any zone (dest '*'):
# echo plus the error/path-MTU types, so PMTUD and traceroute keep working
# for hosts behind the firewall. The NDP types accepted in ip6_icmp are
# deliberately absent here, since NDP is link-local and must not cross zones.
# The 1000/sec limit is shared across all listed types.
config template_rule 'ip6_icmp_forward'
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Hotspot (dedalo)

# Hotspot zone: traffic from hotspot clients to the firewall itself is
# dropped (input), traffic between networks inside the zone is dropped
# (forward), and the firewall may reply/originate freely (output).
# Reaching other zones is only possible through the listed forwarding
# (hotspot -> wan); no path to lan is declared. mtu_fix enables TCP MSS
# clamping on this zone.
config template_zone 'ns_hotspot'
	option name 'hotspot'
	option mtu_fix '1'
	option forward 'DROP'
	option input 'DROP'
	option output 'ACCEPT'
	list forwardings 'ns_hotspot_to_wan'

# Allow hotspot clients to reach the Internet (hotspot -> wan only; the
# reverse direction relies on connection tracking, not on a rule).
config template_forwarding 'ns_hotspot_to_wan'
	option src 'hotspot'
	option dest 'wan'

# The only exception to the hotspot zone's input DROP: let clients reach
# the captive-portal (UAM) listener on TCP 3990 on the firewall itself.
# NOTE(review): 'direction' is not a stock OpenWrt rule option; presumably a
# NethSecurity-side marker consumed by the API layer — confirm.
config template_rule 'ns_hs_uamport'
	option name 'Allow-HotSpot-UAM'
	option src 'hotspot'
	option proto 'tcp'
	option dest_port '3990'
	option target 'ACCEPT'
	option direction 'in'

# Guest zone (blue)

# Guest zone: hosts are rejected when talking to the firewall (input) or to
# other networks within the zone (forward) unless a rule below allows it;
# the firewall may answer freely (output). Forwardings grant guest -> wan
# and lan -> guest; guest -> lan is intentionally not listed, so guests
# cannot initiate connections into the LAN.
# NOTE(review): ns_description looks like a NethSecurity extension rather
# than a fw4 option — confirm it is consumed somewhere.
config template_zone 'ns_guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option ns_description 'Guest network with Internet access'
	list forwardings 'ns_guest2wan'
	list forwardings 'ns_lan2guest'

# Guest clients may reach the Internet.
config template_forwarding 'ns_guest2wan'
	option src 'guest'
	option dest 'wan'

# LAN hosts may initiate connections to guest hosts (one-way; guest -> lan
# has no forwarding and is therefore rejected by the zone policy).
config template_forwarding 'ns_lan2guest'
	option src 'lan'
	option dest 'guest'

# Guest zone DHCP and DNS

# Let guest clients query the resolver running on the firewall (UDP 53);
# needed because the guest zone's input policy is REJECT.
# NOTE(review): only UDP is accepted. Truncated answers fall back to TCP 53,
# which this rule does not cover; if the local resolver must serve such
# clients, widen it with `option proto 'tcp udp'`.
config template_rule 'ns_guest_dns'
	option name 'Allow-DNS'
	option src 'guest'
	option dest_port '53'
	option proto 'udp'
	option target 'ACCEPT'

# Let guest clients obtain a lease from the DHCP server on the firewall
# (UDP 67); needed because the guest zone's input policy is REJECT.
config template_rule 'ns_guest_dhcp'
	option name 'Allow-DHCP'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

# IPSec

# Accept IPsec ESP (IP protocol 50) from the WAN zone, unscoped by source.
# AH (protocol 51) is not accepted by any rule in this file even though the
# ns_vpn service group lists it.
config template_rule 'ns_ipsec_esp'
	option name 'Allow-IPsec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

# Accept IKE (UDP 500) from the WAN zone so IPsec peers can negotiate.
config template_rule 'ns_ipsec_ike'
	option name 'Allow-IPsec-IKE'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Accept IPsec NAT-Traversal (UDP 4500, IKE and ESP-in-UDP) from the WAN
# zone, for peers behind NAT.
config template_rule 'ns_ipsec_nat'
	option name 'Allow-IPsec-NAT'
	option src 'wan'
	option dest_port '4500'
	option proto 'udp'
	option target 'ACCEPT'

# Service groups

# Service group: web browsing plus the name resolution it depends on.
# Each entry is 'port/proto/label'.
# NOTE(review): the label 'QUICK' on 443/udp presumably means QUIC
# (HTTP/3) — confirm before renaming, in case anything keys on the label.
config template_service_group 'ns_web_secure'
	option name 'Secure web navigation'
	list services '80/tcp/HTTP'
	list services '443/tcp/HTTPS'
	list services '443/udp/QUICK'
	list services '53/udp/DNS'
	list services '853/tcp/DoT'

# Service group: TLS-protected mail submission and retrieval only
# (no cleartext SMTP/IMAP/POP3 ports). Each entry is 'port/proto/label'.
config template_service_group 'ns_email_secure'
	option name 'Secure E-Mail'
	list services '465/tcp/SMTPS'
	list services '587/tcp/Submission'
	list services '993/tcp/IMAPS'
	list services '995/tcp/POP3S'

# Service group: common VPN transports. Each entry is 'port/proto/label'.
# NOTE(review): '995/tcp/POP3S' is not a VPN service and duplicates the
# ns_email_secure entry; it looks like a copy-paste slip and, as written,
# opens POP3S wherever this group is allowed — confirm and drop.
# NOTE(review): for the esp/ah entries the leading number presumably
# restates the IP protocol number (50/51) rather than a port — confirm how
# the consumer parses it.
config template_service_group 'ns_vpn'
	option name 'VPN'
	list services '1701/udp/L2TP'
	list services '1194/udp/OpenVPN'
	list services '51820/udp/WireGuard'
	list services '995/tcp/POP3S'
	list services '500/udp/IPSEC IKE'
	list services '4500/udp/IPSEC NAT-Traversal'
	list services '50/esp/IPSEC'
	list services '51/ah/IPSEC'

# Service group: unencrypted VoIP signalling (SIP, IAX2) and an RTP media
# port range expressed as 'first-last/proto/label'.
config template_service_group 'ns_voip'
	option name 'VoIP'
	list services '5060/udp/SIP'
	list services '4569/udp/IAX2'
	list services '10000-20000/udp/RTP'

# Service group: SIP over TLS only. Note it carries no media (SRTP) range;
# pair with ns_voip if RTP must also pass.
config template_service_group 'ns_voip_secure'
	option name 'VoIP Secure'
	list services '5061/tcp/SIPS'

# Service group: management and remote-desktop listeners. These are
# high-value targets; rules using this group should be scoped to trusted
# sources rather than opened zone-wide. Each entry is 'port/proto/label'.
config template_service_group 'ns_remote_admin'
	option name 'Remote administration'
	list services '22/tcp/SSH'
	list services '9090/tcp/NethServer'
	list services '3389/tcp/RDP'
	list services '5938/tcp/TeamViewer'
	list services '5938/udp/TeamViewer'
	list services '6568/tcp/AnyDesk'
