dustin/configpolicy
1
1
Fork 0
Code Issues Releases Activity

dch-gw: Host Pyrocufflink VPN locally

Browse Source 
This commit adjusts the firewall and networking configuration on dc0 to
host the Pyrocufflink remote access IPsec VPN locally instead of
forwarding it to the internal VPN server.
This commit is contained in:
Dustin
2018-05-20 13:00:46 -05:00
parent 42b8d2e54f
commit f8641cb912
6 changed files with 19 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
roles/dch-gw/templates/forward.nft.j2
View File

@@ -1,9 +1,10 @@
{#- vim: set sw=4 ts=4 sts=4 et : #}
table inet filter {
set firemon {
set vpn_subnets {
type ipv4_addr
flags interval
elements = {
172.31.0.64/28,
{% for prefix in firemon_networks %}
{{ prefix }},
{% endfor %}
@@ -15,7 +16,8 @@ table inet filter {
iifname {{ dch_networks.guest.router_iface }} oif != {{ internet_iface }} drop
iif != {{ internet_iface }} oifname {{ dch_networks.guest.router_iface }} drop
iif != {{ internet_iface }} oif != {{ internet_iface }} counter accept
ip daddr @firemon counter accept
iif {{ internet_iface }} ip saddr @vpn_subnets counter accept
iif != {{ internet_iface }} ip daddr @vpn_subnets counter accept
tcp dport smtp counter reject with icmpx type host-unreachable
oif {{ internet_iface }} accept
}