From a261ce1981a9d4700883fe2f6cd977661707dcc3 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Tue, 6 Sep 2016 16:41:22 +0300
Subject: Re-enable ferm with minimal NAT/MASQUERADE config
---
 ansible/roles/router/files/ferm.conf | 41 +++--------------------------------
 1 file changed, 3 insertions(+), 38 deletions(-)
(limited to 'ansible/roles/router/files/ferm.conf')
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
index c1bd652..1867e84 100644
--- a/ansible/roles/router/files/ferm.conf
+++ b/ansible/roles/router/files/ferm.conf
@@ -13,46 +13,11 @@
 @def $NET_PRIVATE = 10.0.0.0/16;
 
 table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local connections
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
-
- # allow SSH connections from the private network and all
- # Internet hosts. We do not want to restrict ssh to only a
- # small number of "well known" hosts, since there's often a
- # need to connect from net cafes and customer sites.
- proto tcp dport ssh ACCEPT;
- }
-
- # outgoing connections are not limited
+ chain INPUT policy ACCEPT;
 chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # connections from the internal net to the internet or to other
- # internal nets are allowed
- interface $DEV_PRIVATE ACCEPT;
- }
+ chain FORWARD policy ACCEPT;
 }
 
 table nat {
- chain POSTROUTING {
- # masquerade private IP addresses
-# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
- MASQUERADE;
- }
+ chain POSTROUTING MASQUERADE;
 }
-- 
cgit v1.2.1
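Review bot: The new `chain POSTROUTING MASQUERADE;` has no selector, so source NAT is applied to every packet leaving on every interface rather than only to private-net traffic going out the world interface; any traffic routed through this box between internal hosts would then appear to come from the router's own address, losing the real source on the peer side. The removed commented-out line already carried the intended selector and can be kept in the one-line form, `chain POSTROUTING saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;`, which also stops $NET_PRIVATE from becoming an unused @def. Combined with `chain FORWARD policy ACCEPT;` and no connection tracking, the router now forwards anything arriving on $DEV_WORLD toward the private net whenever a route exists, which is the opposite of what the old FORWARD chain expressed; `chain FORWARD { policy DROP; mod state state (ESTABLISHED RELATED) ACCEPT; interface $DEV_PRIVATE ACCEPT; }` keeps the one-way semantics in one line. If the "minimal" config in the subject is a deliberate interim step, a comment above the filter table saying so, and what is still to be restored, would help the next reader.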