ctucx.git: ansible-configs

My personal ansible roles and playbooks [deprecated in favor of nixos]

commit 1007732075405be83f03bee4abf2cba6778de15f
parent ada31f0eaad600d0391c367127026a37a9cc25d9
Author: Leah (ctucx) <leah@ctu.cx>
Date: Tue, 23 Feb 2021 19:26:36 +0100

delete ferm config
1 file changed, 0 insertions(+), 101 deletions(-)
D
config-files/ferm/lollo.conf
|
101
diff --git a/config-files/ferm/lollo.conf b/config-files/ferm/lollo.conf
@@ -1,100 +0,0 @@
-# -*- shell-script -*-
-# Firewall configuration for a router with a dynamic IP.
-
-@def $DEV_LAN = brlan;
-@def $DEV_WAN = enp2s0;
-
-@def $NET_LAN = 10.0.0.0/24;
-
-# globally accessible services
-@def $WAN_TCP = ( 22 53 80 443 22000 5201 );
-@def $WAN_UDP = ( 53 21027 5201 );
-# ( ssh dns http https syncthing iperf3 )
-# ( dns syncthing iperf3 )
-
-# locally accessible services
-# @def $LAN_TCP = ( 53 22 80 443 );
-# @def $LAN_UDP = ( 53 67 );
-# ( dns ssh http https )
-# ( dns dhcp )
-
-# generic input and forwarding rules for ipv4 and ipv6
-domain (ip ip6) {
-    table filter {
-        chain INPUT {
-            policy DROP;
-
-            # connection tracking
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # allow local connections
-            interface lo ACCEPT;
-            interface $DEV_LAN ACCEPT;
-
-            # respond to ping
-            proto icmp ACCEPT;
-
-#           # local services
-#           interface $DEV_LAN {
-#               proto tcp dport $LAN_TCP ACCEPT;
-#               proto udp mod multiport destination-ports $LAN_UDP ACCEPT;
-#           }
-
-            proto tcp dport $WAN_TCP ACCEPT;
-            proto udp dport $WAN_UDP ACCEPT;
-        }
-
-        # outgoing connections are not limited
-        chain OUTPUT policy ACCEPT;
-
-        chain FORWARD {
-            policy DROP;
-
-            # connection tracking
-            mod state state INVALID DROP;
-            mod state state (ESTABLISHED RELATED) ACCEPT;
-
-            # local clients can do whatever
-            interface $DEV_LAN ACCEPT;
-
-            #allow icmp
-            proto icmp ACCEPT;
-
-            #make public ips world accessible 
-            daddr 195.39.246.33/29 ACCEPT;
-            daddr 195.39.246.40/29 ACCEPT;
-
-            mod conntrack ctstate DNAT ACCEPT;
-            # the rest is dropped by the above policy
-        }
-    }
-}
-
-# nat only for ipv4
-domain ip {
-    table nat {
-        chain PREROUTING {
-            policy ACCEPT;
-
-            # port forwards, ala daddr $WAN_IP dport 65522 DNAT to 192.168.0.2:22;
-        }
-
-        chain POSTROUTING {
-            policy ACCEPT;
-
-            outerface $DEV_WAN MASQUERADE;
-            saddr $NET_LAN mod conntrack ctstate DNAT MASQUERADE; # needle point loopback
-        }
-    }
-}
-
-domain ip6 {
-    table filter {
-        chain INPUT {
-            proto ipv6-icmp icmpv6-type redirect DROP;
-            proto ipv6-icmp icmpv6-type 139 DROP;
-            proto ipv6-icmp ACCEPT;
-        }
-    }
-}-
\ No newline at end of file