diff --git a/roles/firewall-vpn-l/files/ferm.conf b/roles/firewall-vpn-l/files/ferm.conf
index 1009efc..ad1b38f 100644
--- a/roles/firewall-vpn-l/files/ferm.conf
+++ b/roles/firewall-vpn-l/files/ferm.conf
@@ -4,12 +4,12 @@
 #
 @def $DEV_ADM = enp0s3;
-@def $DEV_VPN = enp0s8;
-@def $DEV_EXT = enp0s9;
+@def $DEV_AG = enp0s8;
+@def $DEV_VPN = enp0s9;
 @def $NET_ADM=192.168.99.102/24;
-@def $NET_VPN=172.16.128.254/24;
-@def $NET_EXT=192.168.0.52/30;
+@def $NET_AG=172.16.128.254/24;
+@def $NET_VPN=192.168.0.52/24;
 table filter {
 chain INPUT {
@@ -23,7 +23,7 @@ table filter {
 interface lo ACCEPT;
 # allow SSH connections
-#interface ($DEV_ADM) {
+#interface ($DEV_VPN) {
 proto tcp dport ssh ACCEPT;
 #}
@@ -37,14 +37,14 @@ table filter {
 proto udp dport (67 68) ACCEPT;
 # allow IPsec
-interface ($DEV_VPN $DEV_EXT) {
+interface ($DEV_AG $DEV_VPN) {
 proto udp sport 500 ACCEPT;
 proto udp dport 500 ACCEPT;
 proto esp ACCEPT;
 }
 # Autoriser nat-t-ike
-# interface ($DEV_VPN) {
+# interface ($DEV_AG) {
 proto udp sport 4500 ACCEPT;
 proto udp dport 5500 ACCEPT;
 # }
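Review bot: The rename at the top of the first hunk reuses `$DEV_VPN` and `$NET_VPN` for what were `$DEV_EXT`/`$NET_EXT` (enp0s9, 192.168.0.52) while the old VPN values move to `$DEV_AG`/`$NET_AG`, so any rule elsewhere in the file that still names `$DEV_VPN` or `$NET_VPN` now silently matches a different interface and network than before this commit. The same `+@def $NET_VPN=192.168.0.52/24;` line also widens the prefix from /30 to /24, which is easy to miss inside a rename; if that is intended it deserves a comment of its own. A one-line role comment above each pair would make the layout auditable, e.g. `# enp0s8 / 172.16.128.x: AG side; enp0s9 / 192.168.0.x: VPN side (was EXT)`. The `$NET_*` values are host addresses with a prefix length; if they are meant as networks, writing the network address (e.g. `192.168.0.0/24`) is clearer than relying on iptables to mask the host bits.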
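Review bot: In the second hunk the only changed line is the commented-out `#interface ($DEV_VPN) {` wrapper, so `proto tcp dport ssh ACCEPT;` is still accepted on every interface and the edit has no effect on the loaded ruleset. If SSH is meant to be reachable only on the VPN side, that line and its closing `#}` have to be uncommented; if the restriction is deliberately disabled, the comment should say so instead of pointing at a different interface than before. Since enp0s9 was `$DEV_EXT` before this commit, the edit also appears to move the intended SSH exposure from the admin interface to the former external one, which is worth confirming explicitly. The enclosing `chain INPUT` block and its policy start outside the hunk.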
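Review bot: In the third hunk `proto udp sport 500 ACCEPT;` and `proto udp sport 4500 ACCEPT;` accept any inbound UDP datagram whose source port is 500 or 4500, to any destination port, and the source port is chosen by the sender; inbound IKE only needs `dport 500` and `dport 4500`, with replies covered by an ESTABLISHED/RELATED rule in INPUT (not visible in this diff, so confirm one exists). The same pattern remains with `proto udp sport 123 ACCEPT;` for NTP in the following hunk. In the nat-t block the `interface` wrapper is commented out, so changing `$DEV_VPN` to `$DEV_AG` inside a comment changes nothing and both rules apply on all interfaces, including `$DEV_ADM`. `proto udp dport 5500 ACCEPT;` looks like a typo for 4500, the port the removed OUTPUT rules used for NAT-T; I would expect `proto udp dport 4500 ACCEPT;` here.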
@@ -54,52 +54,16 @@ table filter { proto (udp tcp) dport domain ACCEPT; #} - # autoriser supervision - proto udp sport 161 ACCEPT; - # autoriser NTP proto udp sport 123 ACCEPT; - # respond to ping - proto icmp mod limit limit 30/minut ACCEPT; - } chain OUTPUT { - policy DROP; -# interface ($DEV_PUB) { - - # Autoriser SSH - proto tcp sport ssh ACCEPT; - - # Autoriser DNS - proto udp dport domain ACCEPT; - proto udp sport domain ACCEPT; - - # DHCP - proto udp sport (67 68) ACCEPT; - - # Autoriser ipsec - proto udp dport 500 ACCEPT; - proto udp sport 500 ACCEPT; - - # Autoriser nat-t-ike - proto udp dport 4500 ACCEPT; - proto udp sport 4500 ACCEPT; - - # Autoriser supervision - proto udp dport 161 ACCEPT; - - # Autoriser NTP - proto udp dport 123 ACCEPT; - - # respond to ping - proto icmp ACCEPT; - -# } + policy ACCEPT; # connection tracking - #mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; + # mod state state INVALID DROP; + # mod state state (ESTABLISHED RELATED) ACCEPT; } chain FORWARD { policy ACCEPT; @@ -108,15 +72,4 @@ table filter { mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; } -} - -# IPv6: -#domain ip6 { -# table filter { -# chain INPUT { -# policy ACCEPT; -# # ... -# } -# # ... -# } -#} +} \ No newline at end of file
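Review bot: `policy ACCEPT;` on OUTPUT turns a default-deny egress chain into an open one with no stated reason; if this is a deliberate simplification, a comment such as `# OUTPUT is open by design; egress filtering is not enforced on this host` keeps the next reader from treating it as an accident, and `mod state state INVALID DROP;` (already commented out before this commit and still commented here) could be enabled at no cost since it does not depend on the chain policy. Dropping `proto icmp mod limit limit 30/minut ACCEPT;` from INPUT also removes inbound ICMP error messages such as fragmentation-needed, which IPsec tunnels rely on for path-MTU discovery, assuming INPUT's policy (outside the hunk) is DROP; something like `proto icmp icmp-type (echo-request destination-unreachable time-exceeded) mod limit limit 30/minute ACCEPT;` is worth keeping, and it also fixes the `30/minut` unit typo in the removed line. The removed SNMP `sport 161` rule matched on source port like the surviving NTP rule, so its removal is an improvement rather than a regression.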