scsd/scsd-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
scsd-configs/configs/fortigate/vdom_root/firewall.cfg

1133 lines
29 KiB
INI
Raw Blame History

config firewall address
edit "none"
set subnet 0.0.0.0 255.255.255.255
next
edit "login.microsoftonline.com"
set type fqdn
set fqdn "login.microsoftonline.com"
next
edit "login.microsoft.com"
set type fqdn
set fqdn "login.microsoft.com"
next
edit "login.windows.net"
set type fqdn
set fqdn "login.windows.net"
next
edit "gmail.com"
set type fqdn
set fqdn "gmail.com"
next
edit "wildcard.google.com"
set type fqdn
set fqdn "*.google.com"
next
edit "wildcard.dropbox.com"
set type fqdn
set fqdn "*.dropbox.com"
next
edit "all"
next
edit "FIREWALL_AUTH_PORTAL_ADDRESS"
next
edit "FABRIC_DEVICE"
set comment "IPv4 addresses of Fabric Devices."
next
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
edit "FCTEMS_ALL_FORTICLOUD_SERVERS"
set type dynamic
set sub-type ems-tag
next
end
config firewall multicast-address
edit "all"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
edit "all_hosts"
set start-ip 224.0.0.1
set end-ip 224.0.0.1
next
edit "all_routers"
set start-ip 224.0.0.2
set end-ip 224.0.0.2
next
edit "Bonjour"
set start-ip 224.0.0.251
set end-ip 224.0.0.251
next
edit "EIGRP"
set start-ip 224.0.0.10
set end-ip 224.0.0.10
next
edit "OSPF"
set start-ip 224.0.0.5
set end-ip 224.0.0.6
next
end
config firewall address6
edit "SSLVPN_TUNNEL_IPv6_ADDR1"
set ip6 fdff:ffff::/120
next
edit "all"
next
edit "none"
set ip6 ::/128
next
end
config firewall multicast-address6
edit "all"
set ip6 ff00::/8
next
end
config firewall addrgrp
edit "G Suite"
set member "gmail.com" "wildcard.google.com"
next
edit "Microsoft Office 365"
set member "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
next
end
config firewall wildcard-fqdn custom
edit "g-Adobe Login"
set wildcard-fqdn "*.adobelogin.com"
next
edit "g-Gotomeeting"
set wildcard-fqdn "*.gotomeeting.com"
next
edit "g-Windows update 2"
set wildcard-fqdn "*.windowsupdate.com"
next
edit "g-adobe"
set wildcard-fqdn "*.adobe.com"
next
edit "g-android"
set wildcard-fqdn "*.android.com"
next
edit "g-apple"
set wildcard-fqdn "*.apple.com"
next
edit "g-appstore"
set wildcard-fqdn "*.appstore.com"
next
edit "g-auth.gfx.ms"
set wildcard-fqdn "*.auth.gfx.ms"
next
edit "g-autoupdate.opera.com"
set wildcard-fqdn "*autoupdate.opera.com"
next
edit "g-cdn-apple"
set wildcard-fqdn "*.cdn-apple.com"
next
edit "g-citrix"
set wildcard-fqdn "*.citrixonline.com"
next
edit "g-dropbox.com"
set wildcard-fqdn "*.dropbox.com"
next
edit "g-eease"
set wildcard-fqdn "*.eease.com"
next
edit "g-firefox update server"
set wildcard-fqdn "aus*.mozilla.org"
next
edit "g-fortinet"
set wildcard-fqdn "*.fortinet.com"
next
edit "g-google-drive"
set wildcard-fqdn "*drive.google.com"
next
edit "g-google-play"
set wildcard-fqdn "*play.google.com"
next
edit "g-google-play2"
set wildcard-fqdn "*.ggpht.com"
next
edit "g-google-play3"
set wildcard-fqdn "*.books.google.com"
next
edit "g-googleapis.com"
set wildcard-fqdn "*.googleapis.com"
next
edit "g-icloud"
set wildcard-fqdn "*.icloud.com"
next
edit "g-itunes"
set wildcard-fqdn "*itunes.apple.com"
next
edit "g-live.com"
set wildcard-fqdn "*.live.com"
next
edit "g-microsoft"
set wildcard-fqdn "*.microsoft.com"
next
edit "g-mzstatic-apple"
set wildcard-fqdn "*.mzstatic.com"
next
edit "g-skype"
set wildcard-fqdn "*.messenger.live.com"
next
edit "g-softwareupdate.vmware.com"
set wildcard-fqdn "*.softwareupdate.vmware.com"
next
edit "g-swscan.apple.com"
set wildcard-fqdn "*swscan.apple.com"
next
edit "g-update.microsoft.com"
set wildcard-fqdn "*update.microsoft.com"
next
edit "g-verisign"
set wildcard-fqdn "*.verisign.com"
next
end
config firewall service category
edit "General"
set comment "General services."
next
edit "Web Access"
set comment "Web access."
next
edit "File Access"
set comment "File access."
next
edit "Email"
set comment "Email services."
next
edit "Network Services"
set comment "Network services."
next
edit "Authentication"
set comment "Authentication service."
next
edit "Remote Access"
set comment "Remote access."
next
edit "Tunneling"
set comment "Tunneling service."
next
edit "VoIP, Messaging & Other Applications"
set comment "VoIP, messaging, and other applications."
next
edit "Web Proxy"
set comment "Explicit web proxy."
next
end
config firewall service custom
edit "DNS"
set category "Network Services"
set tcp-portrange 53
set udp-portrange 53
next
edit "HTTP"
set category "Web Access"
set tcp-portrange 80
next
edit "HTTPS"
set category "Web Access"
set tcp-portrange 443
next
edit "IMAP"
set category "Email"
set tcp-portrange 143
next
edit "IMAPS"
set category "Email"
set tcp-portrange 993
next
edit "LDAP"
set category "Authentication"
set tcp-portrange 389
next
edit "DCE-RPC"
set category "Remote Access"
set tcp-portrange 135
set udp-portrange 135
next
edit "POP3"
set category "Email"
set tcp-portrange 110
next
edit "POP3S"
set category "Email"
set tcp-portrange 995
next
edit "SAMBA"
set category "File Access"
set tcp-portrange 139
next
edit "SMTP"
set category "Email"
set tcp-portrange 25
next
edit "SMTPS"
set category "Email"
set tcp-portrange 465
next
edit "KERBEROS"
set category "Authentication"
set tcp-portrange 88 464
set udp-portrange 88 464
next
edit "LDAP_UDP"
set category "Authentication"
set udp-portrange 389
next
edit "SMB"
set category "File Access"
set tcp-portrange 445
next
edit "FTP"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_GET"
set category "File Access"
set tcp-portrange 21
next
edit "FTP_PUT"
set category "File Access"
set tcp-portrange 21
next
edit "ALL"
set category "General"
set protocol IP
next
edit "ALL_TCP"
set category "General"
set tcp-portrange 1-65535
next
edit "ALL_UDP"
set category "General"
set udp-portrange 1-65535
next
edit "ALL_ICMP"
set category "General"
set protocol ICMP
unset icmptype
next
edit "ALL_ICMP6"
set category "General"
set protocol ICMP6
unset icmptype
next
edit "GRE"
set category "Tunneling"
set protocol IP
set protocol-number 47
next
edit "AH"
set category "Tunneling"
set protocol IP
set protocol-number 51
next
edit "ESP"
set category "Tunneling"
set protocol IP
set protocol-number 50
next
edit "AOL"
set visibility disable
set tcp-portrange 5190-5194
next
edit "BGP"
set category "Network Services"
set tcp-portrange 179
next
edit "DHCP"
set category "Network Services"
set udp-portrange 67-68
next
edit "FINGER"
set visibility disable
set tcp-portrange 79
next
edit "GOPHER"
set visibility disable
set tcp-portrange 70
next
edit "H323"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1720 1503
set udp-portrange 1719
next
edit "IKE"
set category "Tunneling"
set udp-portrange 500 4500
next
edit "Internet-Locator-Service"
set visibility disable
set tcp-portrange 389
next
edit "IRC"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 6660-6669
next
edit "L2TP"
set category "Tunneling"
set tcp-portrange 1701
set udp-portrange 1701
next
edit "NetMeeting"
set visibility disable
set tcp-portrange 1720
next
edit "NFS"
set category "File Access"
set tcp-portrange 111 2049
set udp-portrange 111 2049
next
edit "NNTP"
set visibility disable
set tcp-portrange 119
next
edit "NTP"
set category "Network Services"
set tcp-portrange 123
set udp-portrange 123
next
edit "OSPF"
set category "Network Services"
set protocol IP
set protocol-number 89
next
edit "PC-Anywhere"
set category "Remote Access"
set tcp-portrange 5631
set udp-portrange 5632
next
edit "PING"
set category "Network Services"
set protocol ICMP
set icmptype 8
unset icmpcode
next
edit "TIMESTAMP"
set protocol ICMP
set visibility disable
set icmptype 13
unset icmpcode
next
edit "INFO_REQUEST"
set protocol ICMP
set visibility disable
set icmptype 15
unset icmpcode
next
edit "INFO_ADDRESS"
set protocol ICMP
set visibility disable
set icmptype 17
unset icmpcode
next
edit "ONC-RPC"
set category "Remote Access"
set tcp-portrange 111
set udp-portrange 111
next
edit "PPTP"
set category "Tunneling"
set tcp-portrange 1723
next
edit "QUAKE"
set visibility disable
set udp-portrange 26000 27000 27910 27960
next
edit "RAUDIO"
set visibility disable
set udp-portrange 7070
next
edit "REXEC"
set visibility disable
set tcp-portrange 512
next
edit "RIP"
set category "Network Services"
set udp-portrange 520
next
edit "RLOGIN"
set visibility disable
set tcp-portrange 513:512-1023
next
edit "RSH"
set visibility disable
set tcp-portrange 514:512-1023
next
edit "SCCP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 2000
next
edit "SIP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 5060
set udp-portrange 5060
next
edit "SIP-MSNmessenger"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1863
next
edit "SNMP"
set category "Network Services"
set tcp-portrange 161-162
set udp-portrange 161-162
next
edit "SSH"
set category "Remote Access"
set tcp-portrange 22
next
edit "SYSLOG"
set category "Network Services"
set udp-portrange 514
next
edit "TALK"
set visibility disable
set udp-portrange 517-518
next
edit "TELNET"
set category "Remote Access"
set tcp-portrange 23
next
edit "TFTP"
set category "File Access"
set udp-portrange 69
next
edit "MGCP"
set visibility disable
set udp-portrange 2427 2727
next
edit "UUCP"
set visibility disable
set tcp-portrange 540
next
edit "VDOLIVE"
set visibility disable
set tcp-portrange 7000-7010
next
edit "WAIS"
set visibility disable
set tcp-portrange 210
next
edit "WINFRAME"
set visibility disable
set tcp-portrange 1494 2598
next
edit "X-WINDOWS"
set category "Remote Access"
set tcp-portrange 6000-6063
next
edit "PING6"
set protocol ICMP6
set visibility disable
set icmptype 128
unset icmpcode
next
edit "MS-SQL"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 1433 1434
next
edit "MYSQL"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 3306
next
edit "RDP"
set category "Remote Access"
set tcp-portrange 3389
next
edit "VNC"
set category "Remote Access"
set tcp-portrange 5900
next
edit "DHCP6"
set category "Network Services"
set udp-portrange 546 547
next
edit "SQUID"
set category "Tunneling"
set tcp-portrange 3128
next
edit "SOCKS"
set category "Tunneling"
set tcp-portrange 1080
set udp-portrange 1080
next
edit "WINS"
set category "Remote Access"
set tcp-portrange 1512
set udp-portrange 1512
next
edit "RADIUS"
set category "Authentication"
set udp-portrange 1812 1813
next
edit "RADIUS-OLD"
set visibility disable
set udp-portrange 1645 1646
next
edit "CVSPSERVER"
set visibility disable
set tcp-portrange 2401
set udp-portrange 2401
next
edit "AFS3"
set category "File Access"
set tcp-portrange 7000-7009
set udp-portrange 7000-7009
next
edit "TRACEROUTE"
set category "Network Services"
set udp-portrange 33434-33535
next
edit "RTSP"
set category "VoIP, Messaging & Other Applications"
set tcp-portrange 554 7070 8554
set udp-portrange 554
next
edit "MMS"
set visibility disable
set tcp-portrange 1755
set udp-portrange 1024-5000
next
edit "NONE"
set visibility disable
set tcp-portrange 0
next
edit "webproxy"
set proxy enable
set category "Web Proxy"
set protocol ALL
set tcp-portrange 0-65535:0-65535
next
end
config firewall service group
edit "Email Access"
set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"
next
edit "Web Access"
set member "DNS" "HTTP" "HTTPS"
next
edit "Windows AD"
set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
next
edit "Exchange Server"
set member "DCE-RPC" "DNS" "HTTPS"
next
end
config firewall shaper traffic-shaper
edit "high-priority"
set maximum-bandwidth 1048576
set per-policy enable
next
edit "medium-priority"
set maximum-bandwidth 1048576
set priority medium
set per-policy enable
next
edit "low-priority"
set maximum-bandwidth 1048576
set priority low
set per-policy enable
next
edit "guarantee-100kbps"
set guaranteed-bandwidth 100
set maximum-bandwidth 1048576
set per-policy enable
next
edit "shared-1M-pipe"
set maximum-bandwidth 1024
next
end
config firewall schedule recurring
edit "always"
set day sunday monday tuesday wednesday thursday friday saturday
next
edit "none"
next
edit "default-darrp-optimize"
set start 01:00
set end 01:30
set day sunday monday tuesday wednesday thursday friday saturday
next
end
config firewall ssh local-key
edit "g-Fortinet_SSH_DSA1024"
set password ENC *HIDDEN*
set source built-in
next
edit "g-Fortinet_SSH_ECDSA256"
set password ENC *HIDDEN*
set source built-in
next
edit "g-Fortinet_SSH_ECDSA384"
set password ENC *HIDDEN*
set source built-in
next
edit "g-Fortinet_SSH_ECDSA521"
set password ENC *HIDDEN*
set source built-in
next
edit "g-Fortinet_SSH_ED25519"
set password ENC *HIDDEN*
set source built-in
next
edit "g-Fortinet_SSH_RSA2048"
set password ENC *HIDDEN*
set source built-in
next
end
config firewall ssh local-ca
edit "g-Fortinet_SSH_CA"
set password ENC *HIDDEN*
set source built-in
next
edit "g-Fortinet_SSH_CA_Untrusted"
set password ENC *HIDDEN*
set source built-in
next
end
config firewall ssh setting
set caname "g-Fortinet_SSH_CA"
set untrusted-caname "g-Fortinet_SSH_CA_Untrusted"
set hostkey-rsa2048 "g-Fortinet_SSH_RSA2048"
set hostkey-dsa1024 "g-Fortinet_SSH_DSA1024"
set hostkey-ecdsa256 "g-Fortinet_SSH_ECDSA256"
set hostkey-ecdsa384 "g-Fortinet_SSH_ECDSA384"
set hostkey-ecdsa521 "g-Fortinet_SSH_ECDSA521"
set hostkey-ed25519 "g-Fortinet_SSH_ED25519"
end
config firewall profile-protocol-options
edit "default"
set comment "All default services."
config http
set ports 80
unset options
unset post-lang
end
config ftp
set ports 21
set options splice
end
config imap
set ports 143
set options fragmail
end
config mapi
set ports 135
set options fragmail
end
config pop3
set ports 110
set options fragmail
end
config smtp
set ports 25
set options fragmail splice
end
config nntp
set ports 119
set options splice
end
config ssh
unset options
end
config dns
set ports 53
end
config cifs
set ports 445
unset options
end
next
end
config firewall ssl-ssh-profile
edit "deep-inspection"
set comment "Read-only deep inspection profile."
config https
set ports 443
set status deep-inspection
set unsupported-ssl-version allow
end
config ftps
set ports 990
set status deep-inspection
set unsupported-ssl-version allow
end
config imaps
set ports 993
set status deep-inspection
set unsupported-ssl-version allow
end
config pop3s
set ports 995
set status deep-inspection
set unsupported-ssl-version allow
end
config smtps
set ports 465
set status deep-inspection
set unsupported-ssl-version allow
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
config ssl-exempt
edit 1
set fortiguard-category 31
next
edit 2
set fortiguard-category 33
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "g-adobe"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "g-Adobe Login"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "g-android"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "g-apple"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "g-appstore"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "g-auth.gfx.ms"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "g-citrix"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "g-dropbox.com"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "g-eease"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "g-firefox update server"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "g-fortinet"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "g-googleapis.com"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "g-google-drive"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "g-google-play2"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "g-google-play3"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "g-Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "g-icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "g-itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "g-microsoft"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "g-skype"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "g-softwareupdate.vmware.com"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "g-verisign"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "g-Windows update 2"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "g-live.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "g-google-play"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "g-update.microsoft.com"
next
edit 29
set type wildcard-fqdn
set wildcard-fqdn "g-swscan.apple.com"
next
edit 30
set type wildcard-fqdn
set wildcard-fqdn "g-autoupdate.opera.com"
next
edit 31
set type wildcard-fqdn
set wildcard-fqdn "g-cdn-apple"
next
edit 32
set type wildcard-fqdn
set wildcard-fqdn "g-mzstatic-apple"
next
end
next
edit "custom-deep-inspection"
set comment "Customizable deep inspection profile."
config https
set ports 443
set status deep-inspection
set unsupported-ssl-version allow
end
config ftps
set ports 990
set status deep-inspection
set unsupported-ssl-version allow
end
config imaps
set ports 993
set status deep-inspection
set unsupported-ssl-version allow
end
config pop3s
set ports 995
set status deep-inspection
set unsupported-ssl-version allow
end
config smtps
set ports 465
set status deep-inspection
set unsupported-ssl-version allow
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
config ssl-exempt
edit 1
set fortiguard-category 31
next
edit 2
set fortiguard-category 33
next
edit 3
set type wildcard-fqdn
set wildcard-fqdn "g-adobe"
next
edit 4
set type wildcard-fqdn
set wildcard-fqdn "g-Adobe Login"
next
edit 5
set type wildcard-fqdn
set wildcard-fqdn "g-android"
next
edit 6
set type wildcard-fqdn
set wildcard-fqdn "g-apple"
next
edit 7
set type wildcard-fqdn
set wildcard-fqdn "g-appstore"
next
edit 8
set type wildcard-fqdn
set wildcard-fqdn "g-auth.gfx.ms"
next
edit 9
set type wildcard-fqdn
set wildcard-fqdn "g-citrix"
next
edit 10
set type wildcard-fqdn
set wildcard-fqdn "g-dropbox.com"
next
edit 11
set type wildcard-fqdn
set wildcard-fqdn "g-eease"
next
edit 12
set type wildcard-fqdn
set wildcard-fqdn "g-firefox update server"
next
edit 13
set type wildcard-fqdn
set wildcard-fqdn "g-fortinet"
next
edit 14
set type wildcard-fqdn
set wildcard-fqdn "g-googleapis.com"
next
edit 15
set type wildcard-fqdn
set wildcard-fqdn "g-google-drive"
next
edit 16
set type wildcard-fqdn
set wildcard-fqdn "g-google-play2"
next
edit 17
set type wildcard-fqdn
set wildcard-fqdn "g-google-play3"
next
edit 18
set type wildcard-fqdn
set wildcard-fqdn "g-Gotomeeting"
next
edit 19
set type wildcard-fqdn
set wildcard-fqdn "g-icloud"
next
edit 20
set type wildcard-fqdn
set wildcard-fqdn "g-itunes"
next
edit 21
set type wildcard-fqdn
set wildcard-fqdn "g-microsoft"
next
edit 22
set type wildcard-fqdn
set wildcard-fqdn "g-skype"
next
edit 23
set type wildcard-fqdn
set wildcard-fqdn "g-softwareupdate.vmware.com"
next
edit 24
set type wildcard-fqdn
set wildcard-fqdn "g-verisign"
next
edit 25
set type wildcard-fqdn
set wildcard-fqdn "g-Windows update 2"
next
edit 26
set type wildcard-fqdn
set wildcard-fqdn "g-live.com"
next
edit 27
set type wildcard-fqdn
set wildcard-fqdn "g-google-play"
next
edit 28
set type wildcard-fqdn
set wildcard-fqdn "g-update.microsoft.com"
next
edit 29
set type wildcard-fqdn
set wildcard-fqdn "g-swscan.apple.com"
next
edit 30
set type wildcard-fqdn
set wildcard-fqdn "g-autoupdate.opera.com"
next
edit 31
set type wildcard-fqdn
set wildcard-fqdn "g-cdn-apple"
next
edit 32
set type wildcard-fqdn
set wildcard-fqdn "g-mzstatic-apple"
next
end
next
edit "no-inspection"
set comment "Read-only profile that does no inspection."
config https
set status disable
set unsupported-ssl-version allow
end
config ftps
set status disable
set unsupported-ssl-version allow
end
config imaps
set status disable
set unsupported-ssl-version allow
end
config pop3s
set status disable
set unsupported-ssl-version allow
end
config smtps
set status disable
set unsupported-ssl-version allow
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
next
edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config https
set ports 443
set status certificate-inspection
set unsupported-ssl-version allow
end
config ftps
set status disable
set unsupported-ssl-version allow
end
config imaps
set status disable
set unsupported-ssl-version allow
end
config pop3s
set status disable
set unsupported-ssl-version allow
end
config smtps
set status disable
set unsupported-ssl-version allow
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
next
end
Reference in New Issue View Git Blame Copy Permalink