# DMZ filtering rules. Both chains below are regular chains (no
# "type filter hook ..." line), so they only see traffic that a base chain
# outside this file jumps/goes to them with; which hook that is cannot be
# told from here.
# NOTE(review): the table family is "inet", but every set is ipv4_addr-typed
# and every rule matches "ip daddr", so IPv6 traffic sent to to_dmz never
# matches a whitelist entry and ends at the final drop.
table inet firewall {

    # Web servers reachable on http/https only (see to_dmz). Adding a host
    # here exposes it on both ports; per-port exposure belongs in the
    # address . port sets below.
    set dmz_whitelist_web{
        # helper set to quickly add a web server to the whitelist
        type ipv4_addr
        elements = {
            193.54.193.11, # jarvis (librenms)
            193.54.193.23, # fafnir (passbolt)
            193.54.193.25, # thor (re2o)
            193.54.193.26, # urdarbrunn (wiki)
            193.54.193.27, # loki (access-point controller)
            193.54.193.31, # brokkr (gitlab)
            193.54.193.33, # verdandi (icinga)
        }
    }

    # Explicit (address, TCP port) pairs allowed into the DMZ.
    set dmz_whitelist_tcp {
        type ipv4_addr . inet_service
        elements = {
            193.54.193.20 . 1812, # frigg (radius)
            193.54.193.20 . 1813, # presumably RADIUS accounting — confirm with the frigg config
        }
    }

    # Explicit (address, UDP port) pairs allowed into the DMZ. Kept separate
    # from dmz_whitelist_tcp on purpose: the two sets are matched against
    # different transport headers in to_dmz.
    set dmz_whitelist_udp {
        type ipv4_addr . inet_service
        elements = {
            193.54.193.20 . 1812, # frigg (radius)
            193.54.193.20 . 1813, # presumably RADIUS accounting — confirm with the frigg config
        }
    }

    # Traffic towards the DMZ: allow only what the three whitelist sets
    # name, log and drop everything else. Nothing here handles
    # established/related state, so return traffic is expected to be dealt
    # with by the calling base chain — verify that before relying on it.
    chain to_dmz {
        # http/https resolve through the service database at ruleset load.
        ip daddr @dmz_whitelist_web tcp dport {http, https} accept
        ip daddr . tcp dport @dmz_whitelist_tcp accept
        ip daddr . udp dport @dmz_whitelist_udp accept
        # Default deny: count, send a copy to nflog group 1 (a userspace
        # listener must be attached to that group for the log to be kept),
        # then drop.
        counter log group 1 prefix "Invalid access to dmz:" drop
    }

    # Traffic leaving the DMZ is accepted unconditionally.
    # NOTE(review): this places no restriction on connections a DMZ host
    # initiates, so a compromised DMZ host is not contained by this chain;
    # any such restriction would have to live in the calling base chain.
    chain from_dmz {
        accept
    }

}