modification

r-vp2.yml

@@ -18,7 +18,7 @@
 #   - firewall-vpn-l
    - wireguard-l
 #   - x509-l
-   - fw-ferm
+   - post
    - ssh-cli
    - syslog-cli
-   - post
+   - fw-ferm

roles/fw-ferm/files/ferm-vp1.conf

@@ -1,47 +0,0 @@
-# -*- shell-script -*-
-
-@def $DEV_VPN= wg0;
-
-table filter {
-    chain INPUT {
-        policy DROP;
-
-        # connection tracking
-        mod state state INVALID DROP;
-        mod state state (ESTABLISHED RELATED) ACCEPT;
-
-        # allow local connections
-        interface lo ACCEPT;
-        interface $DEV_VPN{
-        # respond to ping
-        proto icmp icmp-type echo-request ACCEPT;
-        # disallow ssh
-        saddr proto tcp dport ssh DROP;
-        }
-    }#FIN INPUT
-
-    # outgoing connections are not limited
-    chain OUTPUT {
-        policy ACCEPT;
-        interface $DEV_VPN{
-        # allow ssh
-        daddr proto tcp dport ssh ACCEPT;
-        # respond to ping
-        proto icmp icmp-type echo-request ACCEPT;
-        }
-     }#FIN OUTPUT
-
-    chain FORWARD {
-        policy ACCEPT;
-
-        # connection tracking
-        mod state state INVALID DROP;
-        mod state state (ESTABLISHED RELATED) ACCEPT;
-
-        # connections from the internal net to the internet or to other
-        # internal nets are allowed
-        interface $DEV_VPN ACCEPT;
-
-        # the rest is dropped by the above policy
-    }#FIN FO
-}

roles/fw-ferm/files/ferm.conf.r-vp1

@@ -50,15 +50,7 @@ table filter {
 
     chain FORWARD {
         policy ACCEPT;
-
-        interface $DEV_VPN{
-            # respond to ping
-            proto icmp icmp-type echo-request ACCEPT;
-            # disallow ssh
-            saddr($DEV_VPN) proto tcp dport ssh DROP;
-            # allow ssh
-            daddr($DEV_VPN) proto tcp dport ssh ACCEPT;
-
+        proto icmp icmp-type echo-request ACCEPT;
         }
         # connection tracking
         mod state state INVALID DROP;