path: root/ansible/roles/router/files/ferm.conf
Diffstat (limited to 'ansible/roles/router/files/ferm.conf')
-rw-r--r--ansible/roles/router/files/ferm.conf58
1 files changed, 58 insertions, 0 deletions
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
new file mode 100644
index 0000000..c1bd652
--- /dev/null
+++ b/ansible/roles/router/files/ferm.conf
@@ -0,0 +1,58 @@
+# Firewall configuration for a router with a dynamic IP.
+#
+# Based on example by Max Kellermann <max@duempel.org>
+# <http://ferm.foo-projects.org/download/examples/dsl_router.ferm>
+
+# Interface towards the Internet.
+@def $DEV_WORLD = eth0;
+
+# Interfaces towards LAN.
+@def $DEV_PRIVATE = (eth1 eth2 eth3);
+
+# Address range for LAN.
+@def $NET_PRIVATE = 10.0.0.0/16;
+
+table filter {
+ chain INPUT {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # allow local connections
+ interface lo ACCEPT;
+
+ # respond to ping
+ proto icmp icmp-type echo-request ACCEPT;
+
+ # allow SSH connections from the private network and all
+ # Internet hosts. We do not want to restrict ssh to only a
+ # small number of "well known" hosts, since there's often a
+ # need to connect from net cafes and customer sites.
+ proto tcp dport ssh ACCEPT;
+ }
+
+ # outgoing connections are not limited
+ chain OUTPUT policy ACCEPT;
+
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+
+ # connections from the internal net to the internet or to other
+ # internal nets are allowed
+ interface $DEV_PRIVATE ACCEPT;
+ }
+}
+
+table nat {
+ chain POSTROUTING {
+ # masquerade private IP addresses
+# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
+ MASQUERADE;
+ }
+}
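Review bot: The bare `MASQUERADE;` in nat/POSTROUTING applies to every packet leaving the router on any interface, so traffic forwarded between the LAN segments (eth1/eth2/eth3, which FORWARD accepts on the `interface $DEV_PRIVATE ACCEPT;` line) also gets its source rewritten to the router's own address, hiding the real origin from hosts and logs on the other segments and defeating any source-based filtering there. Only traffic going out towards the Internet needs NAT, so the rule should be scoped to the upstream interface and the private range, i.e. the line that is currently commented out: `saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;`. If that rule was disabled deliberately (for instance because some LAN addresses fall outside `$NET_PRIVATE`), the reason should be recorded in the comment rather than leaving the unrestricted rule unexplained. The FORWARD chain likewise accepts any source address arriving on the private interfaces; adding `saddr $NET_PRIVATE` to that rule would keep spoofed sources from the LAN from being forwarded.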