firewall/zones/dmz.nft

#! /sbin/nft -f

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>

table inet firewall {

	set dns {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.248, 193.48.225.204, 193.48.225.213, 193.48.225.29 }
	}

	set www {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.32, 193.48.225.34, 193.48.225.225, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.63, 193.48.225.45, 193.48.225.20, 193.48.225.101}
	}

	set irc {
		type ipv4_addr
		flags interval
		elements = {193.48.225.244}
	}

	set znc {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.242 }
	}

	set smtp {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.207, 193.48.225.37 }
	}

	set letsencrypt {
		type ipv4_addr
		flags interval
		elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}
	}

	set federez {
		type ipv4_addr
		flags interval
		elements = {193.48.225.201}
	}

	set gitlab {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.243 }
	}

	set video {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.240 }
	}

	set ldap {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.246, 193.48.225.248 }
	}

	set ldap_clients {
		type ipv4_addr
		flags interval
		elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24, 193.54.193.103 }
	}

	set mysql {
		type ipv4_addr
		flags interval
		elements = {10.7.0.243}
	}

	set minecraft {
		type ipv4_addr
		flags interval
		elements = {193.48.225.202}
	}

	set latoilescoute {
		type ipv4_addr
		flags interval
		elements = {193.48.225.203}
	}

        set dns_rennais {
                type ipv4_addr
                flags interval
                elements = {193.48.225.205}

        }

	set wireguard {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.209 }
	}

	set radius {
		type ipv4_addr
		flags interval
		elements = { 193.48.225.20 }
	}

        set dns_recursif {
                type ipv4_addr
                flags interval
                elements = { 193.48.225.30 }
        }

	chain to_dmz {
		ip saddr 10.70.0.0/16 accept

		ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept
		ip daddr @dns tcp dport { 22, 53 } accept
		ip daddr @dns udp dport { 53 } accept
		ip daddr @dns_rennais tcp dport { 22, 53 } accept
		ip daddr @dns_rennais udp dport { 53 } accept
		ip daddr @www tcp dport { 21, 22, 80, 443, 3000 } accept
		ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
		ip daddr @federez udp dport { 53, 636 } accept
		ip daddr @znc tcp dport { 6667 } accept
		ip daddr @letsencrypt tcp dport { 80, 443 } accept
		ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept
		ip daddr @video tcp dport { 37700, 6754 } accept
		ip daddr @video udp dport { 37800 } accept
		ip daddr @video tcp dport { 5678 } accept
		ip daddr @wireguard udp dport { 51820 } accept
		ip saddr $monitoring udp dport { 161 } accept
		
		ip daddr @minecraft tcp dport { 22, 25565 } accept
		ip daddr @minecraft udp dport { 22, 25565 } accept
                ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept
		ip daddr @latoilescoute tcp dport { 22 } accept
		ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
		ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
		
		ip daddr @radius udp dport { 1812, 1814 } accept
		ip daddr @dns_recursif udp dport { 53, 853, 443 } accept
		ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept
		drop
	}

	chain from_dmz {
		ip daddr 10.0.0.0/8 accept
		ip daddr @mysql ip saddr != @www tcp dport 3306 drop
		ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
	}

}
Premier jet du firewall 2018-10-14 16:49:38 +00:00			`#! /sbin/nft -f`

License 2019-12-20 18:18:10 +00:00			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>`
Premier jet du firewall 2018-10-14 16:49:38 +00:00
			`table inet firewall {`

Chaîne filtrage 2019-03-30 13:36:03 +00:00			`set dns {`
			`type ipv4_addr`
			`flags interval`
Commit running configuration 2022-08-01 10:10:08 +00:00			`elements = { 193.48.225.248, 193.48.225.204, 193.48.225.213, 193.48.225.29 }`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`}`

			`set www {`
			`type ipv4_addr`
			`flags interval`
add new dmz ip 2023-01-06 09:50:47 +00:00			`elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.32, 193.48.225.34, 193.48.225.225, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.63, 193.48.225.45, 193.48.225.20, 193.48.225.101}`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`}`

			`set irc {`
			`type ipv4_addr`
			`flags interval`
			`elements = {193.48.225.244}`
			`}`

			`set znc {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 193.48.225.242 }`
			`}`

			`set smtp {`
			`type ipv4_addr`
			`flags interval`
Commit running configuration 2022-08-01 10:10:08 +00:00			`elements = { 193.48.225.207, 193.48.225.37 }`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`}`

			`set letsencrypt {`
			`type ipv4_addr`
			`flags interval`
Commit running configuration 2022-08-01 10:10:08 +00:00			`elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`}`

			`set federez {`
			`type ipv4_addr`
			`flags interval`
			`elements = {193.48.225.201}`
			`}`
Premier jet du firewall 2018-10-14 16:49:38 +00:00
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`set gitlab {`
SNAT 2019-02-09 09:23:05 +00:00			`type ipv4_addr`
Premier jet du firewall 2018-10-14 16:49:38 +00:00			`flags interval`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`elements = { 193.48.225.243 }`
Premier jet du firewall 2018-10-14 16:49:38 +00:00			`}`

Chaîne filtrage 2019-03-30 13:36:03 +00:00			`set video {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 193.48.225.240 }`
Structure du filtrage dmz 2019-01-09 23:04:58 +00:00			`}`
Chaîne filtrage 2019-03-30 13:36:03 +00:00
			`set ldap {`
			`type ipv4_addr`
			`flags interval`
Correct LDAP server 2019-05-06 21:01:29 +00:00			`elements = { 193.48.225.246, 193.48.225.248 }`
Structure du filtrage dmz 2019-01-09 23:04:58 +00:00			`}`
Chaîne filtrage 2019-03-30 13:36:03 +00:00
			`set ldap_clients {`
			`type ipv4_addr`
			`flags interval`
Add arawn to ldap clients 2020-11-11 15:28:15 +00:00			`elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24, 193.54.193.103 }`
Structure du filtrage dmz 2019-01-09 23:04:58 +00:00			`}`
Chaîne filtrage 2019-03-30 13:36:03 +00:00
			`set mysql {`
			`type ipv4_addr`
			`flags interval`
			`elements = {10.7.0.243}`
Structure du filtrage dmz 2019-01-09 23:04:58 +00:00			`}`

Open ports for minecraft. 2019-12-03 16:34:34 +00:00			`set minecraft {`
			`type ipv4_addr`
			`flags interval`
			`elements = {193.48.225.202}`
			`}`

Add latoilescout and dns 2020-04-30 23:40:39 +00:00			`set latoilescoute {`
			`type ipv4_addr`
			`flags interval`
			`elements = {193.48.225.203}`
			`}`

Ajout des droits pour la VM des rennais (DNS) 2020-06-11 20:19:23 +00:00			`set dns_rennais {`
			`type ipv4_addr`
			`flags interval`
			`elements = {193.48.225.205}`

			`}`

Commit running configuration 2022-08-01 10:10:08 +00:00			`set wireguard {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 193.48.225.209 }`
			`}`

			`set radius {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 193.48.225.20 }`
			`}`

			`set dns_recursif {`
			`type ipv4_addr`
			`flags interval`
			`elements = { 193.48.225.30 }`
			`}`

Premier jet du firewall 2018-10-14 16:49:38 +00:00			`chain to_dmz {`
Commit running configuration 2022-08-01 10:10:08 +00:00			`ip saddr 10.70.0.0/16 accept`
Fix nat and filtering 2019-04-29 22:12:26 +00:00
Add turms and gitea 2020-10-07 13:43:50 +00:00			`ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`ip daddr @dns tcp dport { 22, 53 } accept`
			`ip daddr @dns udp dport { 53 } accept`
Ajout des droits pour la VM des rennais (DNS) 2020-06-11 20:19:23 +00:00			`ip daddr @dns_rennais tcp dport { 22, 53 } accept`
			`ip daddr @dns_rennais udp dport { 53 } accept`
Add turms and gitea 2020-10-07 13:43:50 +00:00			`ip daddr @www tcp dport { 21, 22, 80, 443, 3000 } accept`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept`
			`ip daddr @federez udp dport { 53, 636 } accept`
			`ip daddr @znc tcp dport { 6667 } accept`
			`ip daddr @letsencrypt tcp dport { 80, 443 } accept`
			`ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept`
			`ip daddr @video tcp dport { 37700, 6754 } accept`
			`ip daddr @video udp dport { 37800 } accept`
			`ip daddr @video tcp dport { 5678 } accept`
Commit running configuration 2022-08-01 10:10:08 +00:00			`ip daddr @wireguard udp dport { 51820 } accept`
Port 161 de la DMZ ouvert pour eon 2019-09-17 21:24:58 +00:00			`ip saddr $monitoring udp dport { 161 } accept`
Commit running configuration 2022-08-01 10:10:08 +00:00
Add latoilescout and dns 2020-04-30 23:40:39 +00:00			`ip daddr @minecraft tcp dport { 22, 25565 } accept`
			`ip daddr @minecraft udp dport { 22, 25565 } accept`
add bigbluebutton port range 2020-11-01 20:01:45 +00:00			`ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept`
Add latoilescout and dns 2020-04-30 23:40:39 +00:00			`ip daddr @latoilescoute tcp dport { 22 } accept`
Fix nat and filtering 2019-04-29 22:12:26 +00:00			`ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept`
			`ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept`
Commit running configuration 2022-08-01 10:10:08 +00:00
			`ip daddr @radius udp dport { 1812, 1814 } accept`
			`ip daddr @dns_recursif udp dport { 53, 853, 443 } accept`
			`ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`drop`
Premier jet du firewall 2018-10-14 16:49:38 +00:00			`}`

			`chain from_dmz {`
Fix nat and filtering 2019-04-29 22:12:26 +00:00			`ip daddr 10.0.0.0/8 accept`
Chaîne filtrage 2019-03-30 13:36:03 +00:00			`ip daddr @mysql ip saddr != @www tcp dport 3306 drop`
			`ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop`
Premier jet du firewall 2018-10-14 16:49:38 +00:00			`}`

			`}`