# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

@def $DEV_ADM	= enp0s3;
@def $DEV_AG	= enp0s8;
@def $DEV_VPN	= enp0s9;

@def $NET_ADM=192.168.99.102/24;
@def $NET_AG=172.16.128.254/24;
@def $NET_VPN=192.168.0.52/24;

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packet
        interface lo ACCEPT;

        # allow SSH connections
	proto tcp dport ssh ACCEPT;

        # allow DNS connections
	proto udp sport domain ACCEPT;
	proto udp dport domain ACCEPT;	

        # allow IPsec
        interface ($DEV_AG $DEV_VPN) {
        proto udp sport 500 ACCEPT;
        proto udp dport 500 ACCEPT;
        proto esp ACCEPT;
	}

        # Autoriser nat-t-ike
 #       interface ($DEV_AG) {
        proto udp sport 4500 ACCEPT;
        proto udp dport 5500 ACCEPT;
#	}

        # allow DNS connections
        #interface ($DEV_INT) {
	proto (udp tcp) dport domain ACCEPT;
	#}

	# autoriser NTP
	proto udp sport 123 ACCEPT;

    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        # mod state state INVALID DROP;
        # mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy ACCEPT;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}