Structure du filtrage dmz

7 years ago · 230d583110
2 changed files with 33 additions and 5 deletions
--- a/zones/adherent.nft
+++ b/zones/adherent.nft
@ -20,7 +20,7 @@ table inet firewall {
 		elements = {
 			$if_admin,
 			$if_supelec,
-			$if_adherent, # Utile ?
+			$if_adherent,
 		}
 	}

--- a/zones/dmz.nft
+++ b/zones/dmz.nft
@ -10,17 +10,45 @@ table inet firewall {
 		flags interval
 		elements = {
 			# Si l'on souhaite ajouter des ranges d'ip c'est ici
-			193.48.225.1-193.48.225.9,
+			193.48.225.224/27,
 		}
 	}

+	set dmz_allowed_tcp_in {
+		type ipv4_addr . inet_service
+		flags interval
+		elements = {
+		}
+	}
+	set dmz_allowed_tcp_out {
+		type ipv4_addr . inet_service
+		flags interval
+		elements = {
+		}
+	}
+	set dmz_allowed_udp_in {
+		type ipv4_addr . inet_service
+		flags interval
+		elements = {
+		}
+	}
+	set dmz_allowed_udp_out {
+		type ipv4_addr . inet_service
+		flags interval
+		elements = {
+		}
+	}
+
+
 	chain to_dmz {
-		# DMZ, tout le monde entre
-		accept;
+		ip daddr . tcp dport @dmz_allowed_tcp_in accept;
+		ip daddr . udp dport @dmz_allowed_udp_in accept;
+		drop;
 	}

 	chain from_dmz {
-		# DMZ, tout le monde sort
+		ip saddr . tcp dport @dmz_allowed_tcp_out accept;
+		ip saddr . udp dport @dmz_allowed_udp_out accept;
 	}

 }