diff options
Diffstat (limited to 'ansible/roles/router/files/ferm.conf')
-rw-r--r-- | ansible/roles/router/files/ferm.conf | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf new file mode 100644 index 0000000..c1bd652 --- /dev/null +++ b/ansible/roles/router/files/ferm.conf @@ -0,0 +1,58 @@ +# Firewall configuration for a router with a dynamic IP. +# +# Based on example by Max Kellermann <max@duempel.org> +# <http://ferm.foo-projects.org/download/examples/dsl_router.ferm> + +# Interface towards the Internet. +@def $DEV_WORLD = eth0; + +# Interfaces towards LAN. +@def $DEV_PRIVATE = (eth1 eth2 eth3); + +# Address range for LAN. +@def $NET_PRIVATE = 10.0.0.0/16; + +table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local connections + interface lo ACCEPT; + + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + + # allow SSH connections from the private network and all + # Internet hosts. We do not want to restrict ssh to only a + # small number of "well known" hosts, since there's often a + # need to connect from net cafes and customer sites. + proto tcp dport ssh ACCEPT; + } + + # outgoing connections are not limited + chain OUTPUT policy ACCEPT; + + chain FORWARD { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # connections from the internal net to the internet or to other + # internal nets are allowed + interface $DEV_PRIVATE ACCEPT; + } +} + +table nat { + chain POSTROUTING { + # masquerade private IP addresses +# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; + MASQUERADE; + } +} |