diff --git a/roles/fw-ferm/files/ferm2.conf b/roles/fw-ferm/files/ferm-vp1.conf
similarity index 84%
rename from roles/fw-ferm/files/ferm2.conf
rename to roles/fw-ferm/files/ferm-vp1.conf
index bf0cde2..5d5d94f 100644
--- a/roles/fw-ferm/files/ferm2.conf
+++ b/roles/fw-ferm/files/ferm-vp1.conf
@@ -1,3 +1,5 @@
+# -*- shell-script -*- + @def $DEV_VPN= wg0; table filter {
@@ -10,22 +12,23 @@ table filter {
 # allow local connections interface lo ACCEPT; - + interface $DEV_VPN{ # respond to ping proto icmp icmp-type echo-request ACCEPT; # disallow ssh - proto tcp dport ssh ACCEPT; - + saddr proto tcp dport ssh DROP; + } }#FIN INPUT # outgoing connections are not limited chain OUTPUT { policy ACCEPT; + interface $DEV_VPN{ # allow ssh - proto tcp dport ssh DROP; + daddr proto tcp dport ssh ACCEPT; # respond to ping proto icmp icmp-type echo-request ACCEPT; - + } }#FIN OUTPUT chain FORWARD {
diff --git a/roles/fw-ferm/files/ferm.conf.r-vp1 b/roles/fw-ferm/files/ferm.conf.r-vp1
index 0097688..00249d7 100644
--- a/roles/fw-ferm/files/ferm.conf.r-vp1
+++ b/roles/fw-ferm/files/ferm.conf.r-vp1
@@ -4,7 +4,7 @@
 @def $DEV_PRIVATE = enp0s8; @def $DEV_WORLD = enp0s9; - +@def $DEV_VPN= wg0; @def $NET_PRIVATE = 172.16.0.0/24; table filter {
@@ -33,8 +33,15 @@ table filter {
 # we provide DNS and SMTP services for the internal net interface $DEV_PRIVATE saddr $NET_PRIVATE { proto (udp tcp) dport domain ACCEPT; - proto udp dport bootps ACCEPT; + proto udp dport bootps ACCEPT; } + interface $DEV_VPN{ + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + # disallow ssh + saddr proto tcp dport ssh DROP; + } + # interface réseau interface $DEV_WORLD {
@@ -45,8 +52,14 @@ table filter {
 }#FIN INPUT # outgoing connections are not limited - chain OUTPUT policy ACCEPT; - + chain OUTPUT {policy ACCEPT; + interface $DEV_VPN{ + # allow ssh + daddr proto tcp dport ssh ACCEPT; + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + } + }#FIN OUTPUT chain FORWARD { policy ACCEPT; 
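Review bot: `interface $DEV_VPN{` inside `chain OUTPUT { policy ACCEPT;` translates to iptables `-i`, which is not accepted in the OUTPUT chain, so the rule set is rejected when it is applied; the OUTPUT block needs `outerface $DEV_VPN {` instead, and the same applies to the OUTPUT hunks of ferm.conf.r-vp1 and ferm.conf.r-vp2 below. In the same hunk `saddr proto tcp dport ssh DROP;` and `daddr proto tcp dport ssh ACCEPT;` give `saddr`/`daddr` no address, so ferm consumes the next token `proto` as the address value and the rule cannot be parsed or loaded as intended; either name the peer after the keyword (e.g. `@def $VPN_PEER = <peer-address>;` with `saddr $VPN_PEER proto tcp dport ssh DROP;`, placeholder value) or remove the keyword, here and in the four r-vp1/r-vp2 hunks that repeat the pattern. The old interface-independent `proto tcp dport ssh ACCEPT;` in INPUT is replaced only by a DROP scoped to wg0, so whether ssh stays reachable on the other interfaces now rests on the INPUT policy, which is outside this hunk and worth confirming before rollout so administrative access is not lost. Both chains open before this hunk and `chain FORWARD {` continues after it.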
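Review bot: The added `@def $DEV_VPN= wg0;` omits the space before `=` that the adjacent `@def $DEV_PRIVATE = enp0s8;` and `@def $DEV_WORLD = enp0s9;` use; `@def $DEV_VPN = wg0;` keeps the definitions uniform. The same spelling is added to ferm.conf.r-vp2 in its first hunk and appears in the renamed ferm-vp1.conf.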
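Review bot: Within `chain OUTPUT {policy ACCEPT;` the new `daddr proto tcp dport ssh ACCEPT;` and the echo-request ACCEPT cannot change anything, since a chain whose policy is ACCEPT already lets that traffic through, so the block either only records intent or was meant to confine outgoing ssh to the VPN peer, which would need a DROP for the other destinations or a DROP policy with explicit accepts. If the block is kept, writing `chain OUTPUT {` and `policy ACCEPT;` on separate lines mirrors the INPUT chain above and reads more clearly. `chain FORWARD {` at the end of the hunk continues below.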
diff --git a/roles/fw-ferm/files/ferm.conf.r-vp2 b/roles/fw-ferm/files/ferm.conf.r-vp2
index 1c0c40b..6c4886a 100644
--- a/roles/fw-ferm/files/ferm.conf.r-vp2
+++ b/roles/fw-ferm/files/ferm.conf.r-vp2
@@ -4,7 +4,7 @@
 @def $DEV_PRIVATE = enp0s9; @def $DEV_WORLD = enp0s8; - +@def $DEV_VPN= wg0; @def $NET_PRIVATE = 172.16.0.0/24; table filter {
@@ -34,7 +34,12 @@ table filter {
 proto (udp tcp) dport domain ACCEPT; proto udp dport bootps ACCEPT; } - + interface $DEV_VPN{ + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + # disallow ssh + saddr proto tcp dport ssh ACCEPT; + } # interface réseau interface $DEV_WORLD {
@@ -44,8 +49,14 @@ table filter {
 }#FIN INPUT # outgoing connections are not limited - chain OUTPUT policy ACCEPT; - + chain OUTPUT {policy ACCEPT; + interface $DEV_VPN{ + # allow ssh + daddr proto tcp dport ssh DROP; + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + } +} chain FORWARD { policy ACCEPT;
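Review bot: In the INPUT block `# disallow ssh` is followed by `saddr proto tcp dport ssh ACCEPT;`, and in the OUTPUT hunk below `# allow ssh` is followed by `daddr proto tcp dport ssh DROP;`, so on this host each comment states the opposite of its rule. Because ferm.conf.r-vp1 has the mirror image (DROP inbound, ACCEPT outbound over wg0) the asymmetry looks deliberate, in which case the comments should say what is intended, e.g. `# accept ssh from the VPN peer` and `# no outgoing ssh over the VPN`; if it is not deliberate, the verbs are swapped and the ACCEPT opens ssh from the VPN side. Either way `saddr` should carry the single peer address the ACCEPT is meant for, since as written it carries no address at all. The OUTPUT hunk also closes with a bare `}` where the rest of the file marks chain ends with `}#FIN …`. `chain INPUT` opens before this hunk.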