# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

# Interfaces and the networks behind them, grouped per zone.
# (The commented @include below may reference any of these; within this
# file only $DEV_ADM, $DEV_DMZ, $DEV_WORLD, $DEV_LINK and $NET_LINK are used.)

# administration side: the only interface SSH is accepted on (INPUT)
@def $DEV_ADM   = enp0s3;
@def $NET_ADM   = 192.168.99.0/24;

# DMZ side: reached from the world on HTTP (FORWARD), may reach the world
@def $DEV_DMZ   = enp0s8;
@def $NET_DMZ   = 192.168.100.0/24;

# outside / "world" side: DNAT targets and SNAT happen on this interface
@def $DEV_WORLD = enp0s9;
@def $NET_WORLD = 192.168.0.0/24;

# link side: IPsec endpoint (INPUT) and the only net that is source-NATed
@def $DEV_LINK  = enp0s16;
@def $NET_LINK  = 192.168.200.0/24;
@def $NET_LINKV = 192.168.1.0/30;

# VPN side: defined but not referenced by any rule in this file
@def $DEV_VPN   = enp0s10;

# mon ip static
#@def $HOST_STATIC = 
# The trailing '|' tells ferm to execute this path as a command and parse
# its standard output as configuration (ferm(1), @include).  Because the
# literal @def above is commented out, $HOST_STATIC -- needed by &FORWARD_TCP
# and by the POSTROUTING SNAT rule -- presumably comes from that output; if
# the command fails or prints nothing, the variable stays undefined and the
# rule set will not load.
# NOTE(review): whatever that command prints becomes firewall policy and it
# runs with ferm's own privileges, so the script and its directory should be
# writable by root only -- confirm.
@include '/root/tools/ansible/gsb/roles/r-ext/files/mkferm |';
#@def $HOST_PASSERELLEDMZ = 172.16.0.1;

# Publish a DMZ service to the world: forward $proto/$port arriving on the
# world interface to $dest in the DMZ, and DNAT the packets addressed to
# $HOST_STATIC accordingly.  Despite the name, $proto is taken from the
# caller.  All call sites further down are currently commented out.
@def &FORWARD_TCP($proto, $port, $dest) = {
        table filter chain FORWARD {
                interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT;
        }
        table nat chain PREROUTING {
                interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest;
        }
}
#@def &FORWARD($proto, $port, $dest) = {
#	table filter chain FORWARD interface $DEV_DMZ outerface $DEV_PRIVATE daddr $dest proto $proto dport $port ACCEPT;
#	table nat chain PREROUTING interface $DEV_DMZ daddr $HOST_PASSERELLEDMZ proto $proto dport $port DNAT to $dest;
#}

#&FORWARD(tcp, 3306, 10.0.0.2);
#&FORWARD_TCP(tcp, http, 192.168.100.254);
#&FORWARD_TCP(tcp, smtp, 192.168.1.3);

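table filter {
    chain INPUT {
        policy DROP;

        # connection tracking: drop what conntrack cannot classify, let
        # replies to our own connections (and their ICMP errors) through
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # respond to ping: open echo-request only; the ICMP error types we
        # care about belong to tracked flows and already pass as RELATED
        proto icmp icmp-type echo-request ACCEPT;

        # allow IPsec (IKE plus the ESP/AH payloads) on the link interface only
        # NOTE(review): IKE over NAT-T (udp 4500) is not opened -- confirm
        # it is not needed on this link.
        interface ($DEV_LINK) {
            proto udp dport 500 ACCEPT;
            proto (esp ah) ACCEPT;
        }

        # allow SSH connections, from the administration interface only
        interface ($DEV_ADM) {
            proto tcp dport ssh ACCEPT;
        }

        # we provide DNS and HTTP for the world and DMZ nets
        interface ($DEV_WORLD $DEV_DMZ) {
            proto (udp tcp) dport domain ACCEPT;
            proto tcp dport http ACCEPT;
        }
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking (INVALID is not dropped on the way out)
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # the DMZ and the link net may only go out through the world interface
        interface ($DEV_DMZ $DEV_LINK) {
            outerface $DEV_WORLD ACCEPT;
            # report failure gracefully
            REJECT reject-with icmp-net-prohibited;
        }

        # the world may only reach HTTP inside the DMZ
        # (&FORWARD_TCP above would add DNAT-based entries; it is not called)
        interface ($DEV_WORLD) {
            proto tcp dport http outerface $DEV_DMZ ACCEPT;
            # report failure gracefully
            REJECT reject-with icmp-net-prohibited;
        }
    }
}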

table nat {
    # masquerade private IP addresses: packets from the link net leaving via
    # the world interface get $HOST_STATIC as source address
    # ($HOST_STATIC is expected to be defined by the included mkferm output).
    # NOTE(review): DMZ -> world forwarding is permitted in FORWARD but is not
    # source-NATed here -- confirm that is intended.
    chain POSTROUTING saddr $NET_LINK outerface $DEV_WORLD SNAT to $HOST_STATIC;
}



# IPv6:
#domain ip6 {
#    table filter {
#        chain INPUT {
#            policy ACCEPT;
#            # ...
#        }
#        # ...
#    }
#}