From a261ce1981a9d4700883fe2f6cd977661707dcc3 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Tue, 6 Sep 2016 16:41:22 +0300
Subject: Re-enable ferm with minimal NAT/MASQUERADE config
---
 ansible/roles/router/files/ferm.conf | 41 +++---------------------------------
 ansible/roles/router/tasks/main.yml | 26 +++++++++++------------
 2 files changed, 16 insertions(+), 51 deletions(-)
(limited to 'ansible')
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/files/ferm.conf
index c1bd652..1867e84 100644
--- a/ansible/roles/router/files/ferm.conf
+++ b/ansible/roles/router/files/ferm.conf
@@ -13,46 +13,11 @@
 @def $NET_PRIVATE = 10.0.0.0/16;
 
 table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local connections
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp icmp-type echo-request ACCEPT;
-
- # allow SSH connections from the private network and all
- # Internet hosts. We do not want to restrict ssh to only a
- # small number of "well known" hosts, since there's often a
- # need to connect from net cafes and customer sites.
- proto tcp dport ssh ACCEPT;
- }
-
- # outgoing connections are not limited
+ chain INPUT policy ACCEPT;
 chain OUTPUT policy ACCEPT;
-
- chain FORWARD {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # connections from the internal net to the internet or to other
- # internal nets are allowed
- interface $DEV_PRIVATE ACCEPT;
- }
+ chain FORWARD policy ACCEPT;
 }
 
 table nat {
- chain POSTROUTING {
- # masquerade private IP addresses
-# saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE;
- MASQUERADE;
- }
+ chain POSTROUTING MASQUERADE;
 }
diff --git a/ansible/roles/router/tasks/main.yml b/ansible/roles/router/tasks/main.yml
index aa0e6bc..3c95278 100644
--- a/ansible/roles/router/tasks/main.yml
+++ b/ansible/roles/router/tasks/main.yml
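Review bot: The new `chain POSTROUTING MASQUERADE;` carries no match, so it rewrites the source address of every packet leaving every interface, not only private-net traffic going out on the world interface; traffic forwarded back onto the private side or via any other interface is masqueraded too, and the original source address disappears from anything logging behind the router. The line the commit deletes as a comment already had the intended scope, and restoring it as `chain POSTROUTING { saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; }` keeps the config minimal while bounding NAT to the network `$NET_PRIVATE` is defined for (assuming `$DEV_WORLD` is still defined above the hunk next to `$NET_PRIVATE`). With FORWARD now `policy ACCEPT` and no state rule, anything on the world-side link that has a route to 10.0.0.0/16 is forwarded into the private net unsolicited; if that is a deliberate interim step, a comment above `table filter {` saying so would keep it from being mistaken for the final ruleset, otherwise keeping `mod state state (ESTABLISHED RELATED) ACCEPT;` and `interface $DEV_PRIVATE ACCEPT;` under `policy DROP;` still covers the forwarding this commit needs.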
@@ -1,18 +1,18 @@
-# - name: install ferm
-# apt: name=ferm
+- name: install ferm
+ apt: name=ferm
 
-# - name: install ferm.conf
-# copy:
-# src: ferm.conf
-# dest: /etc/ferm/ferm.conf
-# owner: root
-# group: root
-# mode: 0640
+- name: install ferm.conf
+ copy:
+ src: ferm.conf
+ dest: /etc/ferm/ferm.conf
+ owner: root
+ group: root
+ mode: 0640
 
-# - name: restart ferm
-# service:
-# name: ferm
-# state: restarted
+- name: restart ferm
+ service:
+ name: ferm
+ state: restarted
 
 - name: set up packet forwarding sysctl config
 copy:
-- cgit v1.2.1
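Review bot: The re-enabled `restart ferm` task uses `state: restarted` unconditionally, so every run of the role flushes and reloads the firewall even when neither the package nor ferm.conf changed, and the play is no longer idempotent. The usual shape is `notify: restart ferm` on the `install ferm.conf` copy task (and on the apt task), with the restart moved to a handler, and the task kept here reduced to `service: name=ferm state=started enabled=yes` so the ruleset is also guaranteed to come up after a reboot. A syntax error in ferm.conf is currently only noticed when the restart fails; if the installed ferm supports `--noexec`, adding `validate: 'ferm --noexec %s'` to the copy task rejects a broken file before it replaces the live one. The `set up packet forwarding sysctl config` task at the end of the hunk continues outside it.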