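# -*- shell-script -*-
#
# Configuration file for ferm(1).
#
# Host with three interfaces: an administration interface ($DEV_ADM), an
# IPsec/VPN interface ($DEV_VPN) and an external interface ($DEV_EXT).
# IPv4 INPUT and OUTPUT default to DROP with an explicit allow-list; the
# FORWARD chain is left open (see the note on that chain). IPv6 is filtered
# as well, so an unfiltered IPv6 stack cannot bypass the IPv4 policy.
#
# Rule-writing conventions used here:
#   * Reply traffic is accepted by the conntrack (ESTABLISHED/RELATED) rule,
#     so services are opened by *destination* port only. Never accept on a
#     source port alone: a remote host can set its source port to 53/123/161/
#     4500 and would then reach every UDP port on this machine.
#   * Everything IPsec-specific is bound to the VPN and external interfaces.

# Interfaces.
@def $DEV_ADM = enp0s3;
@def $DEV_VPN = enp0s8;
@def $DEV_EXT = enp0s9;

# Address/prefix of each interface. Not referenced by any rule yet; kept so
# that source-address restrictions (e.g. "saddr $NET_ADM" on the SSH rule)
# can be added without hunting for the values.
@def $NET_ADM = 192.168.99.102/24;
@def $NET_VPN = 172.16.128.254/24;
@def $NET_EXT = 192.168.0.52/30;

domain ip {
    table filter {
        chain INPUT {
            policy DROP;

            # Connection tracking: drop malformed/untracked packets, accept
            # replies to flows this host initiated (DNS, NTP, SNMP, IKE ...).
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Loopback.
            interface lo ACCEPT;

            # SSH: management interface only. NOTE(review): the previous
            # version accepted SSH on every interface (only the interface
            # wrapper was commented out); widen this if administration also
            # happens over $DEV_VPN or $DEV_EXT.
            interface $DEV_ADM proto tcp dport ssh ACCEPT;

            # DNS service (UDP and TCP). NOTE(review): this exposes a resolver
            # on every interface if one listens here; remove the rule or bind
            # it to an interface/saddr if this host does not serve DNS.
            proto (udp tcp) dport domain ACCEPT;

            # DHCP: offers/acks may arrive as broadcasts that conntrack does
            # not tie to our request, so they are allowed explicitly.
            # NOTE(review): 67 is the server port -- drop it unless a DHCP
            # server runs on this host.
            proto udp dport (67 68) ACCEPT;

            # IPsec on the VPN and external interfaces: IKE (UDP/500), IKE
            # NAT-traversal (UDP/4500 -- the previous "dport 5500" was a typo
            # that blocked NAT-T peers) and ESP. Only inbound initiations need
            # a rule; replies to our own initiations are covered by conntrack.
            interface ($DEV_VPN $DEV_EXT) {
                proto udp dport (500 4500) ACCEPT;
                proto esp ACCEPT;
            }

            # Monitoring (SNMP) and NTP: this host is the client (see OUTPUT);
            # replies come back through conntrack, so nothing to open here.

            # Answer pings, rate-limited. ICMP errors that belong to our own
            # flows (e.g. fragmentation-needed) arrive as RELATED above.
            proto icmp icmp-type echo-request mod limit limit 30/minute ACCEPT;
        }

        chain OUTPUT {
            policy DROP;

            # Conntrack first: replies from local services (SSH, DNS, IKE ...)
            # need no per-port egress rule. INVALID is deliberately not
            # dropped here (it was disabled in the previous version); enable
            # it only after checking it does not break local TCP resets.
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Loopback: local clients must be able to reach local services.
            outerface lo ACCEPT;

            # DNS resolution (TCP is needed for truncated answers).
            proto (udp tcp) dport domain ACCEPT;

            # DHCP: client requests (sport 68) and, if a server runs here,
            # server replies (sport 67); both are broadcast and untracked.
            proto udp sport (67 68) ACCEPT;

            # IPsec to peers on the VPN and external interfaces. ESP must be
            # allowed explicitly: an outbound SA is not "established" for
            # conntrack until the peer has sent something, so without this
            # rule the first ESP packet we emit is dropped.
            outerface ($DEV_VPN $DEV_EXT) {
                proto udp dport (500 4500) ACCEPT;
                proto esp ACCEPT;
            }

            # Monitoring (SNMP) and NTP queries from this host.
            proto udp dport 161 ACCEPT;
            proto udp dport 123 ACCEPT;

            # Ping and ICMP errors from this host.
            proto icmp ACCEPT;
        }

        chain FORWARD {
            # NOTE(review): open by default. If this host routes between the
            # VPN and the other interfaces, switch to "policy DROP" and allow
            # only the intended paths (e.g. "mod policy dir in pol ipsec" for
            # decapsulated VPN traffic); as written, anything reaching this
            # host is forwarded as soon as IP forwarding is enabled.
            policy ACCEPT;

            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}

# IPv6: same default-deny posture as IPv4. Without this block ip6tables is
# left at its kernel default (ACCEPT) and every port is reachable over IPv6.
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            interface lo ACCEPT;
            # Neighbour discovery, router advertisements, PMTUD and ping all
            # ride on ICMPv6; dropping it breaks IPv6 entirely.
            proto ipv6-icmp ACCEPT;
            # NOTE(review): add "proto udp dport 546 ACCEPT" if this host
            # obtains its address via DHCPv6 rather than SLAAC.
        }
        chain OUTPUT {
            policy DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            outerface lo ACCEPT;
            proto ipv6-icmp ACCEPT;
            # Same client-side services as IPv4; add rules here if this host
            # uses IPv6 for anything else.
            proto (udp tcp) dport domain ACCEPT;
            proto udp dport (123 161) ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
    }
}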