From f7269696c71cfab4ddf4f97effda7ffe78ebd6e2 Mon Sep 17 00:00:00 2001
From: Hugo LEVY-FALK
Date: Thu, 10 Jan 2019 00:17:02 +0100
Subject: [PATCH] Il ne faut pas accepter dans les chaines from
---
 zones/dmz.nft | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zones/dmz.nft b/zones/dmz.nft
index 5055085..fad7e9a 100644
--- a/zones/dmz.nft
+++ b/zones/dmz.nft
@@ -47,8 +47,8 @@ table inet firewall {
 }
 chain from_dmz {
- ip saddr . tcp dport @dmz_allowed_tcp_out accept;
- ip saddr . udp dport @dmz_allowed_udp_out accept;
+ not ip saddr . tcp dport @dmz_allowed_tcp_out drop;
+ not ip saddr . udp dport @dmz_allowed_udp_out drop;
 }
 }
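Review bot: In `from_dmz` the two new rules can only match IPv4 TCP and IPv4 UDP, so in this `inet` table IPv6, ICMP and every other protocol now leave the chain with no verdict. Before the change that unmatched traffic was simply not accepted here; whether it is still blocked depends on the calling chain and its policy, which are outside the hunk. If the fall-through is intended, say so in the chain with a comment such as `# only IPv4 TCP/UDP is filtered here; everything else is decided by the caller`. Separately, the prefix form `not ip saddr . tcp dport @dmz_allowed_tcp_out` should be confirmed with `nft -c -f zones/dmz.nft`, because the negated set lookup I know of is written `ip saddr . tcp dport != @dmz_allowed_tcp_out drop;`.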