r-vp2.yml

@@ -18,7 +18,7 @@
 #   - firewall-vpn-l
    - wireguard-l
 #   - x509-l
-   - post
+   - fw-ferm
    - ssh-cli
    - syslog-cli
-   - fw-ferm
+   - post

roles/fw-ferm/files/ferm-vp1.conf

@@ -0,0 +1,47 @@
+# -*- shell-script -*-
+
+@def $DEV_VPN= wg0;
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+        interface $DEV_VPN{
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        # disallow ssh
+        saddr proto tcp dport ssh DROP;
+        }
+    }#FIN INPUT
+
+    # outgoing connections are not limited
+    chain OUTPUT {
+        policy ACCEPT;
+        interface $DEV_VPN{
+        # allow ssh
+        daddr proto tcp dport ssh ACCEPT;
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        }
+     }#FIN OUTPUT
+
+    chain FORWARD {
+        policy ACCEPT;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_VPN ACCEPT;
+
+        # the rest is dropped by the above policy
+    }#FIN FO
+}

roles/fw-ferm/files/ferm.conf.r-vp1

@@ -50,7 +50,15 @@ table filter {
 
     chain FORWARD {
         policy ACCEPT;
-        proto icmp icmp-type echo-request ACCEPT;
+
+        interface $DEV_VPN{
+            # respond to ping
+            proto icmp icmp-type echo-request ACCEPT;
+            # disallow ssh
+            saddr($DEV_VPN) proto tcp dport ssh DROP;
+            # allow ssh
+            daddr($DEV_VPN) proto tcp dport ssh ACCEPT;
+
         }
         # connection tracking
         mod state state INVALID DROP;