modification

modif
incrémentation des modif
2023-02-07 17:02:52 +01:00 · 2023-02-03 09:51:32 +01:00 · 2023-02-03 09:37:13 +01:00 · 2023-02-03 09:21:56 +01:00
3 changed files with 30 additions and 9 deletions
--- a/roles/fw-ferm/files/ferm-vp1.conf
+++ b/roles/fw-ferm/files/ferm-vp1.conf
--- a/roles/fw-ferm/files/ferm.conf.r-vp1
+++ b/roles/fw-ferm/files/ferm.conf.r-vp1
@ -4,7 +4,7 @@

@def $DEV_PRIVATE = enp0s8;
@def $DEV_WORLD = enp0s9;
-
+@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;

 table filter {
@ -45,11 +45,21 @@ table filter {
    }#FIN INPUT

    # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
+    chain OUTPUT {policy ACCEPT;
+    }#FIN OUTPUT

    chain FORWARD {
        policy ACCEPT;

+        interface $DEV_VPN{
+            # respond to ping
+            proto icmp icmp-type echo-request ACCEPT;
+            # disallow ssh
+            saddr($DEV_VPN) proto tcp dport ssh DROP;
+            # allow ssh
+            daddr($DEV_VPN) proto tcp dport ssh ACCEPT;
+
+        }
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
--- a/roles/fw-ferm/files/ferm.conf.r-vp2
+++ b/roles/fw-ferm/files/ferm.conf.r-vp2
@ -4,7 +4,7 @@

@def $DEV_PRIVATE = enp0s9;
@def $DEV_WORLD = enp0s8;
-
+@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;

 table filter {
@ -34,7 +34,12 @@ table filter {
            proto (udp tcp) dport domain ACCEPT;
            proto udp dport bootps ACCEPT;
        }
-
+        interface $DEV_VPN{
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        # disallow ssh
+        saddr proto tcp dport ssh ACCEPT;
+        }
        # interface réseau
        interface $DEV_WORLD {

@ -44,8 +49,14 @@ table filter {
    }#FIN INPUT

    # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
-
+    chain OUTPUT {policy ACCEPT;
+        interface $DEV_VPN{
+        # allow ssh
+        daddr proto tcp dport ssh DROP;
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        }
+}
    chain FORWARD {
        policy ACCEPT;
Author	SHA1	Message	Date
root	272ef9ac07	modification	2023-02-07 17:02:52 +01:00
Johan Largy	81478df279	modif	2023-02-03 09:51:32 +01:00
Johan Largy	75126890b3	incrémentation des modif	2023-02-03 09:37:13 +01:00
root	851543db0a	ajout ferm vpn	2023-02-03 09:21:56 +01:00