authorLars Wirzenius <liw@liw.fi>2016-09-06 16:28:59 +0300
committerLars Wirzenius <liw@liw.fi>2016-09-06 16:28:59 +0300
commit0fead051cec0716ee18c074b971d776cce53a5dd (patch)
treef16eb2df2d0985ded7536614db0a2044791e24cc
parent8fe447d46c56fb648bf2c1f34fedae47dbbaee2f (diff)
downloadminipc-router-0fead051cec0716ee18c074b971d776cce53a5dd.tar.gz
Some ferm messing up (not working)
-rw-r--r--ansible/roles/router/files/ferm.conf58
-rw-r--r--ansible/roles/router/tasks/main.yml18
2 files changed, 72 insertions, 4 deletions
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
new file mode 100644
index 0000000..c1bd652
--- /dev/null
+++ b/ansible/roles/router/files/ferm.conf
@@ -0,0 +1,58 @@
+# Firewall configuration for a router with a dynamic IP.
+#
+# Based on example by Max Kellermann <max@duempel.org>
+# <http://ferm.foo-projects.org/download/examples/dsl_router.ferm>
+
+# Interface towards the Internet.
+@def $DEV_WORLD = eth0;
+
+# Interfaces towards LAN.
+@def $DEV_PRIVATE = (eth1 eth2 eth3);
+
+# Address range for LAN.
+@def $NET_PRIVATE = 10.0.0.0/16;
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # allow SSH connections from the private network and all
+ # Internet hosts. We do not want to restrict ssh to only a
+ # small number of "well known" hosts, since there's often a
+ # need to connect from net cafes and customer sites.
+ proto tcp dport ssh ACCEPT;
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # connections from the internal net to the internet or to other
+ # internal nets are allowed
+ interface $DEV_PRIVATE ACCEPT;
+ }
+}
+
+table nat {
+ chain POSTROUTING {
+ # masquerade private IP addresses
+# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
+ MASQUERADE;
+ }
+}
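Review bot: The bare `MASQUERADE;` closing the POSTROUTING chain rewrites the source address of every new connection leaving the router on any interface, so forwarded LAN-to-LAN traffic and the router's own outbound traffic lose their real source addresses instead of only LAN traffic heading out $DEV_WORLD. The restricted form commented out on the line above, `saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;`, is what the $NET_PRIVATE and $DEV_WORLD definitions at the top of the file exist for; if it was disabled while debugging (the commit message says "not working"), a comment recording that and what failed would keep the unrestricted rule from being treated as final. Unrestricted masquerading also makes individual LAN hosts indistinguishable in the router's own logs, which hinders tracing a misbehaving host later.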
diff --git a/ansible/roles/router/tasks/main.yml b/ansible/roles/router/tasks/main.yml
index 6b76440..3c95278 100644
--- a/ansible/roles/router/tasks/main.yml
+++ b/ansible/roles/router/tasks/main.yml
@@ -1,8 +1,18 @@
-- name: add iptables masquerading rule
+- name: install ferm
+ apt: name=ferm
+
+- name: install ferm.conf
copy:
- src: setup-firewall
- dest: /usr/local/sbin/setup-firewall
- mode: 0755
+ src: ferm.conf
+ dest: /etc/ferm/ferm.conf
+ owner: root
+ group: root
+ mode: 0640
+
+- name: restart ferm
+ service:
+ name: ferm
+ state: restarted
- name: set up packet forwarding sysctl config
copy: