diff --git a/goss/list-goss b/goss/list-goss
new file mode 100644
index 0000000..a13faf9
--- /dev/null
+++ b/goss/list-goss
@@ -0,0 +1,12 @@
+cd goss/
+goss -g r-vp1.yaml v
+goss -g r-vp1.yaml aa wireguard
+goss add interface enp0s3
+goss add interface enp0s8
+goss add interface enp0s9
+goss add interface wg0
+goss aa wireguard
+goss add package wireguard-tools
+goss add service wg-quick@wg0
+goss add command "ping -c4 10.0.0.2"
+goss add file "/etc/wireguard/wg0.conf"
diff --git a/roles/fw-ferm-1/ferm.conf b/roles/fw-ferm-1/ferm.conf
new file mode 100644
index 0000000..0097688
--- /dev/null
+++ b/roles/fw-ferm-1/ferm.conf
@@ -0,0 +1,63 @@
+# -*- shell-script -*-
+#
+# Ferm script r-vp1
+
+@def $DEV_PRIVATE = enp0s8;
+@def $DEV_WORLD = enp0s9;
+
+@def $NET_PRIVATE = 172.16.0.0/24;
+
+table filter {
+ chain (INPUT OUTPUT){
+ # allow VPN
+ proto udp dport 51820 ACCEPT;
+}
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+
+
+ # allow SSH connections from the private network and from some
+ # well-known internet hosts
+ saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+
+ # we provide DNS and SMTP services for the internal net
+ interface $DEV_PRIVATE saddr $NET_PRIVATE {
+ proto (udp tcp) dport domain ACCEPT;
+ proto udp dport bootps ACCEPT;
+ }
+
+ # interface réseau
+ interface $DEV_WORLD {
+
+ }
+
+ # the rest is dropped by the above policy
+ }#FIN INPUT
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # connections from the internal net to the internet or to other
+ # internal nets are allowed
+ interface $DEV_PRIVATE ACCEPT;
+
+ # the rest is dropped by the above policy
+ }
+}
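Review bot: The `goss add ...` and `goss aa wireguard` lines from the fourth line onward omit `-g r-vp1.yaml`, so unless GOSS_FILE is exported they append to the default `./goss.yaml` rather than to the `r-vp1.yaml` the first two lines validate and extend; either prefix each with `-g r-vp1.yaml` or put `export GOSS_FILE=r-vp1.yaml` after the `cd goss/` line. `goss aa wireguard` also repeats the earlier `goss -g r-vp1.yaml aa wireguard`, so one of the two can go. Note that `goss add file "/etc/wireguard/wg0.conf"` snapshots the file's owner and mode at add time, and wg0.conf normally holds the interface's private key, so the generated test should be checked to expect a root-only mode (e.g. 0600) rather than whatever was present when the command ran. Likewise `goss add command "ping -c4 10.0.0.2"` records the exit status observed at add time, which is only meaningful if the peer was reachable at that moment.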
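Review bot: The FORWARD chain sets `policy ACCEPT;`, which contradicts its closing comment "the rest is dropped by the above policy" and makes the `interface $DEV_PRIVATE ACCEPT;` rule redundant: anything arriving on $DEV_WORLD or wg0 is forwarded as well, so the router does not actually restrict forwarding; the intended line is presumably `policy DROP;`, after which an explicit accept for the VPN interface (`interface wg0 ACCEPT;`, if that is the design) would be needed. In the INPUT chain the comment "we provide DNS and SMTP services for the internal net" does not match the rules beneath it, which open `domain` and `bootps` (DHCP), not SMTP; the comment should read "we provide DNS and DHCP services for the internal net". The `interface $DEV_WORLD { }` block is empty and only carries a French placeholder comment, so it should either gain its rules or be removed to avoid suggesting the world interface is handled. The `chain (INPUT OUTPUT)` block also accepts UDP 51820 on every interface; restricting it to `interface $DEV_WORLD` would match the rest of the file's per-interface style.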