{#- vim: set sw=4 ts=4 sts=4 et : #}
# Forward-chain rules for the "inet" (IPv4 + IPv6) filter table.  Rendered by
# Jinja: dch_networks.*.router_iface, internet_iface and firemon_networks are
# substituted at template time, so the loaded ruleset contains literal names.
table inet filter {
    # Domain controllers reachable from the management network.
    # NOTE(review): the elements are hostnames, not addresses.  nft resolves
    # names once, when the ruleset is loaded; if DNS is unavailable at that
    # moment the load fails, and later address changes are not picked up until
    # the ruleset is reloaded.  Pinning literal IPv4 addresses here would remove
    # that DNS dependency from the firewall -- confirm whether that is acceptable.
    set domain_controllers {
        type ipv4_addr
        elements = {
            dc0.pyrocufflink.blue,
            dc1.pyrocufflink.blue,
        }
    }

    # IPv4 prefixes that belong to the VPN: one fixed /28 plus every prefix in
    # firemon_networks.  "flags interval" is what allows CIDR elements.
    set vpn_subnets {
        type ipv4_addr
        flags interval
        elements = {
            172.31.0.64/28,
            {% for prefix in firemon_networks %}
            {{ prefix }},
            {% endfor %}
        }
    }

    # NOTE(review): no "type filter hook forward priority ...; policy ...;" line
    # is present here, so this fragment is presumably merged into a base chain
    # declared elsewhere.  The rules below only accept specific internet-ingress
    # traffic and rely on the chain policy for everything else -- verify that
    # the base chain's policy is drop.
    chain forward {
        # Replies/related packets of already-accepted flows; placed first so the
        # drops below only affect new flows.
        ct state established,related accept

        # Guest isolation: new flows from the guest network may go only to the
        # internet, and nothing except the internet interface may reach guest.
        iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
        iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop

        # Management network may initiate only NTP and RADIUS (UDP) to the domain
        # controllers; every other new flow from mgmt -- internal or internet --
        # is dropped.
        iifname {{ dch_networks.mgmt.router_iface }} ip daddr @domain_controllers udp dport { ntp, radius } counter accept
        iifname {{ dch_networks.mgmt.router_iface }} counter drop

        # Any other traffic between internal interfaces is allowed.
        iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept

        # IPv4 arriving on the internet interface from a VPN prefix is forwarded.
        # NOTE(review): this trusts the source address as seen on the external
        # interface.  Unless an upstream device or rp_filter already rejects
        # forged sources in these ranges, a packet with a spoofed saddr inside
        # @vpn_subnets would be forwarded inward -- confirm that control exists.
        # "ip saddr" matches IPv4 only; IPv6 ingress falls through to policy.
        iif {{ internet_iface }} ip saddr @vpn_subnets counter accept

        # Internal hosts may initiate to VPN prefixes (relevant where those
        # prefixes are routed out via the internet interface; internal-to-
        # internal was already accepted above).
        iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept

        # Block direct SMTP (tcp/25) for any new flow that reached this point --
        # in practice outbound toward the internet, plus unmatched internet
        # ingress that would otherwise fall to policy.  Rejected with
        # host-unreachable (icmpx, so both families) rather than silently dropped.
        tcp dport smtp counter reject with icmpx type host-unreachable

        # Everything else bound for the internet is allowed.
        oif {{ internet_iface }} accept
    }
}