This commit adjusts the firewall and networking configuration on dc0 to host the Pyrocufflink remote access IPsec VPN locally instead of forwarding it to the internal VPN server.
{#- vim: set sw=4 ts=4 sts=4 et : #}
|
|
table inet filter {
|
|
set allow_tcp_in {
|
|
type inet_service
|
|
flags interval
|
|
elements = {
|
|
{% for item in allow_incoming if item.protocol|d('tcp') == 'tcp' %}
|
|
{{ item.port }},
|
|
{% endfor %}
|
|
}
|
|
}
|
|
|
|
set allow_udp_in {
|
|
type inet_service
|
|
flags interval
|
|
elements = {
|
|
{% for item in allow_incoming if item.protocol|d('tcp') == 'udp' %}
|
|
{{ item.port }},
|
|
{% endfor %}
|
|
}
|
|
}
|
|
|
|
chain input {
|
|
ct state established,related accept
|
|
iif lo accept
|
|
ip6 nexthdr ipv6-icmp accept
|
|
ip protocol { icmp, esp } accept
|
|
udp sport dhcpv6-server counter accept
|
|
udp dport { isakmp, ipsec-nat-t } ct state new counter accept
|
|
iif != {{ internet_iface }} tcp dport @allow_tcp_in ct state new counter accept
|
|
iif != {{ internet_iface }} udp dport @allow_udp_in ct state new counter accept
|
|
iif {{ internet_iface }} drop
|
|
pkttype != host drop
|
|
}
|
|
}
|
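Review bot: The rule `udp sport dhcpv6-server counter accept` in chain input matches on source port alone, with no interface, destination-port or conntrack qualifier, so any UDP datagram arriving on {{ internet_iface }} with source port 547 is accepted ahead of the later `iif {{ internet_iface }} drop`; this is not something the VPN change needed to open. Tightening it to the actual DHCPv6 exchange keeps the client working on the uplink while closing the generic hole: `udp sport dhcpv6-server udp dport dhcpv6-client counter accept`. Separately, this chain declares no `type filter hook input priority …; policy …;` line, so the hook and default policy are presumably supplied by another file loaded before this one; if that base chain's policy is accept, unicast traffic on non-internet interfaces that misses @allow_tcp_in/@allow_udp_in falls through to accept and the sets only document rather than enforce, which is worth confirming or stating in a comment such as `{# base chain and policy drop are declared in <base file> #}`.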