From 0624f3da72c4eb5b8094572abb4fda03063e2a05 Mon Sep 17 00:00:00 2001
From: Johan Largy
Date: Mon, 3 Apr 2023 11:04:13 +0200
Subject: [PATCH] modification
---
r-vp2.yml | 4 +--
roles/fw-ferm/files/ferm-vp1.conf | 47 -----------------------------
roles/fw-ferm/files/ferm.conf.r-vp1 | 10 +-----
3 files changed, 3 insertions(+), 58 deletions(-)
delete mode 100644 roles/fw-ferm/files/ferm-vp1.conf
diff --git a/r-vp2.yml b/r-vp2.yml
index a4009fe..25e492e 100644
--- a/r-vp2.yml
+++ b/r-vp2.yml
@@ -18,7 +18,7 @@
 # - firewall-vpn-l
 - wireguard-l
 # - x509-l
- - fw-ferm
+ - post
 - ssh-cli
 - syslog-cli
- - post
+ - fw-ferm
diff --git a/roles/fw-ferm/files/ferm-vp1.conf b/roles/fw-ferm/files/ferm-vp1.conf
deleted file mode 100644
index 5d5d94f..0000000
--- a/roles/fw-ferm/files/ferm-vp1.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# -*- shell-script -*-
-
-@def $DEV_VPN= wg0;
-
-table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local connections
- interface lo ACCEPT;
- interface $DEV_VPN{
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
- # disallow ssh
- saddr proto tcp dport ssh DROP;
- }
- }#FIN INPUT
-
- # outgoing connections are not limited
- chain OUTPUT {
- policy ACCEPT;
- interface $DEV_VPN{
- # allow ssh
- daddr proto tcp dport ssh ACCEPT;
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
- }
- }#FIN OUTPUT
-
- chain FORWARD {
- policy ACCEPT;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # connections from the internal net to the internet or to other
- # internal nets are allowed
- interface $DEV_VPN ACCEPT;
-
- # the rest is dropped by the above policy
- }#FIN FO
-}
diff --git a/roles/fw-ferm/files/ferm.conf.r-vp1 b/roles/fw-ferm/files/ferm.conf.r-vp1
index 635d7e1..4c380d7 100644
--- a/roles/fw-ferm/files/ferm.conf.r-vp1
+++ b/roles/fw-ferm/files/ferm.conf.r-vp1
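Review bot: The reorder that moves `fw-ferm` to the end of the roles list (and `post` ahead of `ssh-cli`) carries no comment, and the commit message "modification" does not record the reason either, so nothing stops a later edit from restoring the old order. If the intent is that the firewall role is applied only after the SSH and syslog client roles have finished, a short comment on the moved entry would pin it, e.g. `- fw-ferm  # keep last: firewall applied after ssh-cli/syslog-cli`. Until that role runs the host stays under whatever filter policy it started with, so the ordering dependency is worth stating in the playbook itself. The roles list continues outside the hunk.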
@@ -50,15 +50,7 @@ table filter {
 chain FORWARD {
 policy ACCEPT;
-
- interface $DEV_VPN{
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
- # disallow ssh
- saddr($DEV_VPN) proto tcp dport ssh DROP;
- # allow ssh
- daddr($DEV_VPN) proto tcp dport ssh ACCEPT;
-
+ proto icmp icmp-type echo-request ACCEPT;
 }
 # connection tracking
 mod state state INVALID DROP;
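Review bot: The hunk removes the `interface $DEV_VPN{` line but keeps its closing `}` as context, so on the new side that brace closes `chain FORWARD` immediately after the added `proto icmp icmp-type echo-request ACCEPT;`, and the `# connection tracking` / `mod state state INVALID DROP;` lines that follow end up directly under `table filter` with no enclosing chain. ferm will most likely reject the file at load time, and if it does not, the conntrack rules no longer belong to FORWARD, so with `policy ACCEPT;` invalid-state forwarded traffic is no longer dropped; the fix is to delete the stray `}` line so the chain is closed where it was before the change. The added `proto icmp icmp-type echo-request ACCEPT;` is also a no-op under `policy ACCEPT;`, so a comment such as `# explicit for readability; FORWARD policy already accepts` would make its intent clear. Both `chain FORWARD` and `table filter` continue past the end of the hunk.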