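{#
  Junos "firewall" stanza for an edge router.

  Renders, for each address family:
    * BCP38-edge-*             — source-address allow-list built from the
                                 AS prefix set plus the router's own
                                 transit/IX/PNI link addresses. Junos applies
                                 an implicit discard at the end of a filter,
                                 so every other source is dropped.
                                 NOTE(review): the filter accepts packets whose
                                 *source* is ours, which is the shape of an
                                 egress (output) anti-spoofing filter — confirm
                                 where it is applied.
    * control-plane-protection-* — BGP (179) and LDP (646) are admitted only
                                 from NetBox-tagged prefixes; everything else
                                 on those ports is rejected with tcp-reset.
                                 The final `term else` ACCEPTS, so this filter
                                 protects only BGP/LDP — SSH, SNMP, NTP, ICMP
                                 etc. are not restricted here.

  Inputs (all provided by the rendering environment, not stdlib):
    'bgp-multihop'|get_netbox_tagged_prefixes — peers without a TTL check
    'bgp-allowed'|get_netbox_tagged_prefixes  — directly connected peers (GTSM)
    'ldp-allowed'|get_netbox_tagged_prefixes  — LDP neighbours
    local_asn|get_prefixes_for_asn            — AS-SET expansion ({'ipv4': [...], 'ipv6': [...]})
    device_interfaces                         — NetBox interfaces of this device
#}
{{ "firewall"|progress }}
{#- Local ASN used for the AS-SET lookup and the term name. Kept as a single
    variable so it is not repeated four times below. #}
{%- set local_asn = 59811 %}

{#- Split each NetBox-tagged prefix list by address family once, up front. #}
{%- set bgp_multihop_prefixes_v4 = [] %}
{%- set bgp_multihop_prefixes_v6 = [] %}
{%- for prefix in 'bgp-multihop'|get_netbox_tagged_prefixes %}
  {%- if prefix|ipv4 %}{% do bgp_multihop_prefixes_v4.append(prefix) %}
  {%- elif prefix|ipv6 %}{% do bgp_multihop_prefixes_v6.append(prefix) %}
  {%- endif %}
{%- endfor %}

{%- set bgp_allowed_prefixes_v4 = [] %}
{%- set bgp_allowed_prefixes_v6 = [] %}
{%- for prefix in 'bgp-allowed'|get_netbox_tagged_prefixes %}
  {%- if prefix|ipv4 %}{% do bgp_allowed_prefixes_v4.append(prefix) %}
  {%- elif prefix|ipv6 %}{% do bgp_allowed_prefixes_v6.append(prefix) %}
  {%- endif %}
{%- endfor %}

{%- set ldp_allowed_prefixes_v4 = [] %}
{%- set ldp_allowed_prefixes_v6 = [] %}
{%- for prefix in 'ldp-allowed'|get_netbox_tagged_prefixes %}
  {%- if prefix|ipv4 %}{% do ldp_allowed_prefixes_v4.append(prefix) %}
  {%- elif prefix|ipv6 %}{% do ldp_allowed_prefixes_v6.append(prefix) %}
  {%- endif %}
{%- endfor %}

{%- set as_set_prefixes = local_asn|get_prefixes_for_asn %}

{#- Host addresses configured on this device's external links. Only the
    address part is kept (prefix length stripped), so each entry is a /32
    or /128 host match. #}
{%- set linknets_ipv4 = [] %}
{%- set linknets_ipv6 = [] %}
{%- for interface in device_interfaces %}
  {%- set interface_tags = [] %}
  {%- for tag in interface.tags %}
    {%- do interface_tags.append(tag.slug) %}
  {%- endfor %}
  {%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
    {%- for address in interface|get_addresses %}
      {%- if address|ipv4 %}
        {%- do linknets_ipv4.append(address.address.split("/")[0]) %}
      {%- elif address|ipv6 %}
        {%- do linknets_ipv6.append(address.address.split("/")[0]) %}
      {%- endif %}
    {%- endfor %}
  {%- endif %}
{%- endfor %}
{
    family inet {
        filter BCP38-edge-IPv4 {
            /* Anything not listed below hits the implicit discard. */
            term allow-AS{{ local_asn }}-set {
                from {
                    source-address {
                        {%- for prefix in as_set_prefixes['ipv4'] %}
                        {{ prefix['prefix'] }};
                        {%- endfor %}
                    }
                }
                then {
                    accept;
                }
            }
            term allow-interfaces {
                from {
                    source-address {
                        {%- for address in linknets_ipv4 %}
                        {{ address }};
                        {%- endfor %}
                    }
                }
                then {
                    accept;
                }
            }
        }
        filter control-plane-protection-IPv4 {
            {#- NOTE(review): the IPv4 terms match `port 179` / `port 646`
                (source OR destination) while the IPv6 terms below match
                `destination-port`. Both work, but the asymmetry is worth
                confirming as intentional. #}
            {%- if bgp_multihop_prefixes_v4 %}
            /* Multihop peers: no TTL check, any TCP flags. */
            term allow-multihop-bgp {
                from {
                    source-address {
                        {%- for prefix in bgp_multihop_prefixes_v4 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    protocol tcp;
                    port 179;
                }
                then {
                    accept;
                }
            }
            {%- endif %}
            {%- if bgp_allowed_prefixes_v4 %}
            /* GTSM (RFC 5082): the SYN must arrive with TTL 255, i.e. from a
               directly connected neighbour. Only the initial segment is
               TTL-checked; established traffic is matched by the next term. */
            term allow-gtsm-bgp {
                from {
                    protocol tcp;
                    source-address {
                        {%- for prefix in bgp_allowed_prefixes_v4 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    tcp-initial;
                    ttl 255;
                    port 179;
                }
                then {
                    accept;
                }
            }
            term allow-established-bgp {
                from {
                    protocol tcp;
                    source-address {
                        {#- Same list as the GTSM term; previously this term
                            re-queried NetBox and re-filtered by family. #}
                        {%- for prefix in bgp_allowed_prefixes_v4 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    tcp-established;
                    port 179;
                }
                then {
                    accept;
                }
            }
            {%- endif %}
            term reject-bgp {
                from {
                    protocol tcp;
                    port 179;
                }
                then {
                    reject tcp-reset;
                }
            }
            {%- if ldp_allowed_prefixes_v4 %}
            term allow-ldp {
                from {
                    source-address {
                        {%- for prefix in ldp_allowed_prefixes_v4 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    protocol tcp;
                    port 646;
                }
                then {
                    accept;
                }
            }
            {%- endif %}
            term reject-ldp {
                from {
                    protocol tcp;
                    port 646;
                }
                then {
                    reject tcp-reset;
                }
            }
            /* Deliberate: everything other than BGP/LDP is left alone. */
            term else {
                then {
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter BCP38-edge-IPv6 {
            /* Anything not listed below hits the implicit discard. */
            term allow-AS{{ local_asn }}-set {
                from {
                    source-address {
                        {%- for prefix in as_set_prefixes['ipv6'] %}
                        {{ prefix['prefix'] }};
                        {%- endfor %}
                    }
                }
                then {
                    accept;
                }
            }
            term allow-interfaces {
                from {
                    source-address {
                        {%- for address in linknets_ipv6 %}
                        {{ address }};
                        {%- endfor %}
                    }
                }
                then {
                    accept;
                }
            }
        }
        filter control-plane-protection-IPv6 {
            {%- if bgp_multihop_prefixes_v6 %}
            /* Multihop peers: no hop-limit check, any TCP flags. */
            term allow-multihop-bgp {
                from {
                    source-address {
                        {%- for prefix in bgp_multihop_prefixes_v6 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    next-header tcp;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            {%- endif %}
            {%- if bgp_allowed_prefixes_v6 %}
            /* GTSM (RFC 5082): initial SYN must arrive with hop-limit 255. */
            term allow-gtsm-bgp {
                from {
                    next-header tcp;
                    source-address {
                        {%- for prefix in bgp_allowed_prefixes_v6 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    hop-limit 255;
                    tcp-initial;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            term allow-established-bgp {
                from {
                    next-header tcp;
                    source-address {
                        {%- for prefix in bgp_allowed_prefixes_v6 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    tcp-established;
                    destination-port 179;
                }
                then {
                    accept;
                }
            }
            {%- endif %}
            term reject-bgp {
                from {
                    next-header tcp;
                    destination-port 179;
                }
                then {
                    reject tcp-reset;
                }
            }
            {%- if ldp_allowed_prefixes_v6 %}
            term allow-ldp {
                from {
                    next-header tcp;
                    source-address {
                        {%- for prefix in ldp_allowed_prefixes_v6 %}
                        {{ prefix }}; /* {{ prefix.description }} */
                        {%- endfor %}
                    }
                    destination-port 646;
                }
                then {
                    accept;
                }
            }
            {%- endif %}
            term reject-ldp {
                from {
                    next-header tcp;
                    destination-port 646;
                }
                then {
                    reject tcp-reset;
                }
            }
            /* Deliberate: everything other than BGP/LDP is left alone. */
            term else {
                then {
                    accept;
                }
            }
        }
    }
}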