commit b127c5f96cbeaf4f59a5ff34f296da5e982613ef
parent 9da7771a23ac4bce26dd7165223a1781f53b3651
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 25 Jan 2021 22:46:14 +0100
parent 9da7771a23ac4bce26dd7165223a1781f53b3651
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 25 Jan 2021 22:46:14 +0100
ferm/lollo: cleanup and fixes
1 file changed, 18 insertions(+), 23 deletions(-)
diff --git a/config-files/ferm/lollo.conf b/config-files/ferm/lollo.conf
@@ -1,11 +1,5 @@
 # -*- shell-script -*-
-#
-# Ferm example script
-#
 # Firewall configuration for a router with a dynamic IP.
-#
-# Author: Max Kellermann <max@duempel.org>
-#
 @def $DEV_LAN = brlan;
 @def $DEV_WAN = enp2s0;
@@ -13,16 +7,16 @@
 @def $NET_LAN = 10.0.0.0/24;
 # globally accessible services
-@def $WAN_TCP = ( 22 80 443 1234 22000 );
-@def $WAN_UDP = ( 1194 21027 );
-# ( ssh )
-# ( wireguard )
+@def $WAN_TCP = ( 22 80 443 22000 5201 );
+@def $WAN_UDP = ( 21027 5201 );
+# ( ssh http https syncthing iperf3 )
+# ( syncthing iperf3 )
 # locally accessible services
-@def $LAN_TCP = ( 53 22 80 443 );
-@def $LAN_UDP = ( 53 67 );
-# ( dns ssh )
-# ( dns dhcp tftp ntp )
+# @def $LAN_TCP = ( 53 22 80 443 );
+# @def $LAN_UDP = ( 53 67 );
+# ( dns ssh http https )
+# ( dns dhcp )
 # generic input and forwarding rules for ipv4 and ipv6
 domain (ip ip6) {
@@ -41,16 +35,14 @@ domain (ip ip6) {
 # respond to ping
 proto icmp ACCEPT;
- # local services
- interface $DEV_LAN {
- proto tcp dport $LAN_TCP ACCEPT;
- proto udp mod multiport destination-ports $LAN_UDP ACCEPT;
- }
+# # local services
+# interface $DEV_LAN {
+# proto tcp dport $LAN_TCP ACCEPT;
+# proto udp mod multiport destination-ports $LAN_UDP ACCEPT;
+# }
 proto tcp dport $WAN_TCP ACCEPT;
 proto udp dport $WAN_UDP ACCEPT;
- daddr 195.39.246.33/29 ACCEPT;
- daddr 195.39.246.40/29 ACCEPT;
 }
 # outgoing connections are not limited
@@ -66,11 +58,14 @@ domain (ip ip6) {
 # local clients can do whatever
 interface $DEV_LAN ACCEPT;
-
+ #allow icmp
 proto icmp ACCEPT;
- mod conntrack ctstate DNAT ACCEPT;
+ #make public ips world accessible
+ daddr 195.39.246.33/29 ACCEPT;
+ daddr 195.39.246.40/29 ACCEPT;
+ mod conntrack ctstate DNAT ACCEPT;
 # the rest is dropped by the above policy
 }
 }
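Review bot: Port 5201 is added to both `$WAN_TCP` and `$WAN_UDP`, so the iperf3 server on the router becomes reachable from the Internet with no authentication; an always-open throughput-test endpoint on a WAN interface invites unsolicited bandwidth consumption against the uplink. If Internet-side testing is needed, restrict the rule by source to the peer you test against (a `saddr` qualifier on a separate rule rather than an entry in the global set) or keep 5201 in a LAN-only set and open it only for the duration of a test. The `@def $LAN_TCP` / `@def $LAN_UDP` lines are turned into comments instead of being removed; since the rules that referenced them are commented out in the next hunk as well, this is consistent, but dead definitions kept as comments tend to drift from the live configuration and are better deleted.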
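Review bot: Commenting out the `interface $DEV_LAN { ... }` block removes the only rules in this chain that accepted DNS (53) and DHCP (67) from the LAN, and the `$WAN_TCP` / `$WAN_UDP` sets defined in the previous hunk do not contain either port; if this router still runs a resolver or DHCP server for brlan, LAN clients lose both once the chain's policy drops the remainder. If those services were intentionally moved off the router, delete the block rather than keeping `#`-prefixed copies whose variables are themselves commented out. The chain this block belongs to starts outside the hunk, so its policy cannot be confirmed from here.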
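Review bot: `daddr 195.39.246.33/29` and `daddr 195.39.246.40/29` are written with host bits set; netfilter masks them to 195.39.246.32/29 and 195.39.246.40/29, so the pair accepts forwarding to every address in 195.39.246.32–.47, which a reader cannot tell from the literals as written. Write the network address so the covered range is explicit — `daddr 195.39.246.32/29 ACCEPT;` and `daddr 195.39.246.40/29 ACCEPT;`, or a single `daddr 195.39.246.32/28 ACCEPT;` if both blocks are meant — or use /32 if only the two hosts named are intended. As placed, these accept every protocol and port toward those addresses, so any per-host port restriction has to live on the hosts themselves. Both lines sit inside `domain (ip ip6)`, so the IPv4 literals are also emitted for the ip6 domain; the same shape was already present in the input chain before this change, so presumably it loads, but it is worth confirming the generated ip6tables rules.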