This commit adjusts the firewall and networking configuration on dc0 to host the Pyrocufflink remote access IPsec VPN locally instead of forwarding it to the internal VPN server.
32 lines
792 B
Django/Jinja
{#- vim: set sw=4 ts=4 sts=4 et : #}
|
|
table inet filter {
|
|
set allow_tcp_out {
|
|
type inet_service
|
|
flags interval
|
|
elements = {
|
|
{% for item in allow_outgoing if item.protocol|d('tcp') == 'tcp' %}
|
|
{{ item.port }},
|
|
{% endfor %}
|
|
}
|
|
}
|
|
|
|
set allow_udp_out {
|
|
type inet_service
|
|
flags interval
|
|
elements = {
|
|
{% for item in allow_outgoing if item.protocol|d('tcp') == 'udp' %}
|
|
{{ item.port }},
|
|
{% endfor %}
|
|
}
|
|
}
|
|
|
|
chain output {
|
|
ct state established,related accept
|
|
oif lo accept
|
|
ip6 nexthdr ipv6-icmp accept
|
|
ip protocol { icmp, esp } accept
|
|
tcp dport @allow_tcp_out ct state new counter accept
|
|
udp dport @allow_udp_out ct state new counter accept
|
|
}
|
|
}
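Review bot: The `chain output` block declares no hook, so as written it is a regular chain and none of its rules apply to egress traffic unless a base chain jumps to it or the same chain is declared with a hook elsewhere (nft -f merges repeated `table inet filter`/`chain output` declarations, so that may be the intent, but it is not visible here); if this file is meant to stand alone, the chain needs a line such as `type filter hook output priority 0; policy drop;` as its first statement. Two smaller points: `ip protocol { icmp, esp } accept` only covers ESP over IPv4, so an IPv6 peer of the locally hosted IPsec VPN would have its outbound ESP dropped by a drop policy unless `ip6 nexthdr esp accept` is added next to the existing ipv6-icmp rule; and if `allow_outgoing` contains no entries for one protocol the loop renders `elements = { }` with nothing inside, which I believe nft rejects, so either guard the `elements =` block with an `{% if %}` around the loop or document that both protocols must always have at least one entry.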
|