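# nftables: DMZ access policy for table "inet firewall".
# Only the two regular chains below are defined here. The base chains
# (hook, priority, default policy) that jump to to_dmz / from_dmz are not
# in this file, so the effective policy depends on how they are wired.

table inet firewall {

    # Hosts that may be reached from outside on HTTP/HTTPS only.
    # Helper set: adding an address here exposes ports 80/443 and nothing else.
    set dmz_whitelist_web {
        type ipv4_addr
        elements = {
            # jarvis (librenms)
            193.54.193.11,
            # fafnir (passbolt)
            193.54.193.23,
            # thor (re2o)
            193.54.193.25,
            # urdarbrunn (wiki)
            193.54.193.26,
            # loki (access point controller)
            193.54.193.27,
            # brokkr (gitlab)
            193.54.193.31,
            # verdandi (icinga)
            193.54.193.33,
        }
    }

    # Per-host TCP exceptions, keyed as (destination address . port).
    set dmz_whitelist_tcp {
        type ipv4_addr . inet_service
        elements = {
            # frigg (radius)
            # NOTE(review): RADIUS normally runs over UDP only; TCP 1812/1813
            # is only required for RADIUS/TCP (RFC 6613). Confirm the server
            # actually listens on TCP, otherwise drop these two entries.
            193.54.193.20 . 1812,
            193.54.193.20 . 1813,
        }
    }

    # Per-host UDP exceptions, keyed as (destination address . port).
    set dmz_whitelist_udp {
        type ipv4_addr . inet_service
        elements = {
            # frigg (radius): authentication (1812) and accounting (1813)
            193.54.193.20 . 1812,
            193.54.193.20 . 1813,
        }
    }

    # Traffic INTO the DMZ: allow-list by destination, everything else is
    # counted, logged and dropped. All sets are IPv4-only, so any IPv6
    # packet reaching this chain falls through to the drop (default deny).
    chain to_dmz {
        ip daddr @dmz_whitelist_web tcp dport { http, https } accept
        ip daddr . tcp dport @dmz_whitelist_tcp accept
        ip daddr . udp dport @dmz_whitelist_udp accept

        # Rate-limit the log so unsolicited traffic cannot flood syslog;
        # the counter and the drop themselves stay unconditional.
        # The trailing space in the prefix keeps it separated from the
        # kernel's "IN=... OUT=..." fields in the log line.
        limit rate 10/minute burst 20 packets log prefix "Invalid access to dmz: "
        counter drop
    }

    # Traffic OUT of the DMZ is accepted unconditionally.
    # NOTE(review): a compromised DMZ host can therefore open connections to
    # anything this chain is reached for (including inward, if the base chain
    # sends DMZ->LAN traffic here). Consider limiting this to
    # ct state established,related plus an explicit allow-list.
    chain from_dmz {
        accept
    }
}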