From 0fead051cec0716ee18c074b971d776cce53a5dd Mon Sep 17 00:00:00 2001
From: Lars Wirzenius <liw@liw.fi>
Date: Tue, 6 Sep 2016 16:28:59 +0300
Subject: Some ferm messing up (not working)

---
 ansible/roles/router/files/ferm.conf | 58 ++++++++++++++++++++++++++++++++++++
 ansible/roles/router/tasks/main.yml  | 18 ++++++++---
 2 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 ansible/roles/router/files/ferm.conf

(limited to 'ansible')

diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
new file mode 100644
index 0000000..c1bd652
--- /dev/null
+++ b/ansible/roles/router/files/ferm.conf
@@ -0,0 +1,58 @@
+# Firewall configuration for a router with a dynamic IP.
+#
+# Based on example by Max Kellermann <max@duempel.org>
+# <http://ferm.foo-projects.org/download/examples/dsl_router.ferm>
+
+# Interface towards the Internet.
+@def $DEV_WORLD = eth0;
+
+# Interfaces towards LAN.
+@def $DEV_PRIVATE = (eth1 eth2 eth3);
+
+# Address range for LAN.
+@def $NET_PRIVATE = 10.0.0.0/16;
+
+table filter {
+    chain INPUT {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # allow local connections
+        interface lo ACCEPT;
+
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+
+        # allow SSH connections from the private network and all
+        # Internet hosts. We do not want to restrict ssh to only a
+        # small number of "well known" hosts, since there's often a
+        # need to connect from net cafes and customer sites.
+        proto tcp dport ssh ACCEPT;
+    }
+
+    # outgoing connections are not limited
+    chain OUTPUT policy ACCEPT;
+
+    chain FORWARD {
+        policy DROP;
+
+        # connection tracking
+        mod state state INVALID DROP;
+        mod state state (ESTABLISHED RELATED) ACCEPT;
+
+        # connections from the internal net to the internet or to other
+        # internal nets are allowed
+        interface $DEV_PRIVATE ACCEPT;
+    }
+}
+
+table nat {
+    chain POSTROUTING {
+        # masquerade private IP addresses
+#        saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
+        MASQUERADE;
+    }
+}
diff --git a/ansible/roles/router/tasks/main.yml b/ansible/roles/router/tasks/main.yml
index 6b76440..3c95278 100644
--- a/ansible/roles/router/tasks/main.yml
+++ b/ansible/roles/router/tasks/main.yml
@@ -1,8 +1,18 @@
-- name: add iptables masquerading rule
+- name: install ferm
+  apt: name=ferm
+
+- name: install ferm.conf
   copy:
-    src: setup-firewall
-    dest: /usr/local/sbin/setup-firewall
-    mode: 0755
+    src: ferm.conf
+    dest: /etc/ferm/ferm.conf
+    owner: root
+    group: root
+    mode: 0640
+
+- name: restart ferm
+  service:
+    name: ferm
+    state: restarted
 
 - name: set up packet forwarding sysctl config
   copy:
-- 
cgit v1.2.1