Merge branch 'main' of https://gitea.lyc-lecastel.fr/gadmin/gsb2023

2023-04-05 10:57:07 +02:00 · 2023-04-05 10:57:07 +02:00 · 5b759a24c9
commit 5b759a24c9
parent a64004d713 dd6d34986b
1 changed files with 8 additions and 3 deletions
--- a/roles/fw-ferm/files/ferm.conf.r-vp1
+++ b/roles/fw-ferm/files/ferm.conf.r-vp1
@ -4,10 +4,12 @@

@def $DEV_PRIVATE = enp0s8;
@def $DEV_WORLD = enp0s9;
+@def $DEV_WORLD = enp0s9;
@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;

 table filter {
+
    chain (INPUT OUTPUT){
        # allow VPN
 	proto udp dport 51820 ACCEPT;
@ -28,22 +30,22 @@ table filter {

        # allow SSH connections from the private network and from some
        # well-known internet hosts
-        saddr ($NET_PRIVATE 81.209.165.42) proto tcp dport ssh ACCEPT;
+        saddr ($NET_PRIVATE) proto tcp dport ssh ACCEPT;

        # we provide DNS and SMTP services for the internal net
        interface $DEV_PRIVATE saddr $NET_PRIVATE {
            proto (udp tcp) dport domain ACCEPT;
            proto udp dport bootps ACCEPT;
        }
-        # interface réseau

        # the rest is dropped by the above policy
+
    }#FIN INPUT

    # outgoing connections are not limited
+
    chain OUTPUT {
        policy ACCEPT;
-#	interface $DEV_VPN proto ssh dport 22 ACCEPT;

    }#FIN OUTPUT

@ -59,6 +61,9 @@ table filter {
        # internal nets are allowed
        interface $DEV_PRIVATE ACCEPT;

+	interface $DEV_VPN daddr $NET_PRIVATE {
+ 	proto tcp dport ssh DROP;
+        }
        # the rest is dropped by the above policy
    }
 }