From f9e48e7614180169f96ec045019991da6d3d204c Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 3 Feb 2023 09:18:11 +0100
Subject: [PATCH] =?UTF-8?q?cr=C3=A9ation=20ferm2.conf?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
roles/fw-ferm/files/ferm2.conf | 47 ++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 roles/fw-ferm/files/ferm2.conf
diff --git a/roles/fw-ferm/files/ferm2.conf b/roles/fw-ferm/files/ferm2.conf
new file mode 100644
index 0000000..5d5d94f
--- /dev/null
+++ b/roles/fw-ferm/files/ferm2.conf
@@ -0,0 +1,47 @@
+# -*- shell-script -*-
+
+@def $DEV_VPN= wg0;
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+ interface $DEV_VPN{
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+ # disallow ssh
+ saddr proto tcp dport ssh DROP;
+ }
+ }#FIN INPUT
+
+ # outgoing connections are not limited
+ chain OUTPUT {
+ policy ACCEPT;
+ interface $DEV_VPN{
+ # allow ssh
+ daddr proto tcp dport ssh ACCEPT;
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+ }
+ }#FIN OUTPUT
+
+ chain FORWARD {
+ policy ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # connections from the internal net to the internet or to other
+ # internal nets are allowed
+ interface $DEV_VPN ACCEPT;
+
+ # the rest is dropped by the above policy
+ }#FIN FO
+}
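Review bot: The FORWARD chain sets `policy ACCEPT;` while its closing comment says "the rest is dropped by the above policy", so every forwarded packet on every interface is accepted and the `interface $DEV_VPN ACCEPT;` rule above it is redundant; if the comment states the intent, the line should read `policy DROP;`. Two other lines look like they would be rejected at load time: in OUTPUT, `interface $DEV_VPN{` maps to `iptables -i`, which the OUTPUT chain does not accept (the matching keyword there is `outerface $DEV_VPN{`), and `saddr proto tcp dport ssh DROP;` / `daddr proto tcp dport ssh ACCEPT;` give `saddr`/`daddr` no address, so `proto` would be read as the address operand; the comments are matched by plain `proto tcp dport ssh DROP;` and `proto tcp dport ssh ACCEPT;`. A file that fails to load leaves the host without these rules, so the wg0 ssh drop and ping rules may not be in effect at all. Note also that INPUT has no rule accepting ssh on any interface under `policy DROP;`, so remote administration depends on something outside this file — worth confirming that is intended.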