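# -*- shell-script -*-
#
# Configuration file for ferm(1).
#

# Interface and network definitions. Only $DEV_VPN is referenced by the rules
# in this file; the remaining definitions are unused here (possibly meant for
# rules still to be written, or for an included file).
@def $DEV_ADM = enp0s3;
@def $DEV_VPN = enp0s8;
@def $DEV_EXT = enp0s9;
@def $NET_ADM = 192.168.99.112/24;
@def $NET_VPN = 192.168.0.51/24;
@def $NET_EXT = 192.168.1.2/30;

table filter {
    chain INPUT {
        # Default deny: anything not explicitly accepted below is dropped.
        policy DROP;

        # connection tracking: drop untracked/malformed packets first, then
        # accept replies to connections this host initiated (and RELATED
        # traffic such as ICMP errors for those connections).
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # allow SSH connections
        # NOTE(review): the interface wrapper is commented out but the rule
        # inside it is not, so SSH is accepted on EVERY interface (including
        # $DEV_EXT), not only on $DEV_VPN as the layout suggests. Left as-is
        # here to avoid locking out administration over another interface;
        # re-enable the wrapper (or add an interface/saddr match) once the
        # intended admin path is confirmed.
        #interface ($DEV_VPN) {
            proto tcp dport ssh ACCEPT;
        #}

        # allow DNS connections
        # NOTE(review): a match on the *source* port is not a meaningful
        # filter -- the remote side chooses its own source port, so
        # "sport domain" accepts any UDP datagram claiming to come from
        # port 53, to any local port. Replies to this host's own queries are
        # already covered by the ESTABLISHED rule above. "dport domain"
        # exposes a local resolver on every interface; restrict it to an
        # interface if this host is meant to serve DNS at all.
        proto udp sport domain ACCEPT;
        proto udp dport domain ACCEPT;

        # allow IPsec (IKE on UDP/500 and ESP), VPN interface only
        interface ($DEV_VPN) {
            proto udp sport 500 ACCEPT;
            proto udp dport 500 ACCEPT;
            proto esp ACCEPT;
        }

        # allow NAT-T IKE (UDP/4500), VPN interface only
        # (dport was 5500, which is not the NAT-T port; both directions use
        # 4500, as the sport rule already did)
        interface ($DEV_VPN) {
            proto udp sport 4500 ACCEPT;
            proto udp dport 4500 ACCEPT;
        }

        # allow DNS connections
        # (disabled; $DEV_INT is not defined in this file)
        #interface ($DEV_INT) {
        #    proto (udp tcp) dport domain ACCEPT;
        #}

        # allow monitoring (SNMP)
        # NOTE(review): source-port match again -- see the DNS note above.
        # If this host runs an SNMP agent, incoming queries arrive on
        # dport 161, which this rule does not cover.
        proto udp sport 161 ACCEPT;

        # allow NTP
        # NOTE(review): source-port match; replies to this host's own NTP
        # queries are already ESTABLISHED.
        proto udp sport 123 ACCEPT;

        # respond to ping: all ICMP types, rate-limited; ICMP above the limit
        # falls through to the DROP policy. ("minut" corrected to the unit
        # name "minute".)
        proto icmp mod limit limit 30/minute ACCEPT;
    }

    chain OUTPUT {
        # Outbound traffic is unrestricted.
        policy ACCEPT;

        # connection tracking (disabled)
        # mod state state INVALID DROP;
        # mod state state (ESTABLISHED RELATED) ACCEPT;
    }

    chain FORWARD {
        # NOTE(review): with an ACCEPT policy, anything is forwarded between
        # interfaces whenever IP forwarding is enabled on this host; confirm
        # that is intended (e.g. routing between $DEV_VPN and the others).
        policy ACCEPT;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}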