2018-10-14 16:49:38 +00:00
|
|
|
#! /sbin/nft -f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
table inet firewall {
|
|
|
|
|
|
|
|
|
|
# Définition de la DMZ
|
|
|
|
|
|
|
|
|
|
set z_dmz {
|
|
|
|
|
type ipv4_addr;
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {
|
|
|
|
|
# Si l'on souhaite ajouter des ranges d'ip c'est ici
|
2019-01-09 23:04:58 +00:00
|
|
|
193.48.225.224/27,
|
2018-10-14 16:49:38 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-09 23:04:58 +00:00
|
|
|
set dmz_allowed_tcp_in {
|
|
|
|
|
type ipv4_addr . inet_service
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
set dmz_allowed_tcp_out {
|
|
|
|
|
type ipv4_addr . inet_service
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
set dmz_allowed_udp_in {
|
|
|
|
|
type ipv4_addr . inet_service
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
set dmz_allowed_udp_out {
|
|
|
|
|
type ipv4_addr . inet_service
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2018-10-14 16:49:38 +00:00
|
|
|
chain to_dmz {
|
2019-01-09 23:04:58 +00:00
|
|
|
ip daddr . tcp dport @dmz_allowed_tcp_in accept;
|
|
|
|
|
ip daddr . udp dport @dmz_allowed_udp_in accept;
|
|
|
|
|
drop;
|
2018-10-14 16:49:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
chain from_dmz {
|
2019-01-09 23:17:02 +00:00
|
|
|
not ip saddr . tcp dport @dmz_allowed_tcp_out drop;
|
|
|
|
|
not ip saddr . udp dport @dmz_allowed_udp_out drop;
|
2018-10-14 16:49:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
