Commit 5eb840ae authored by Gabriel Detraz's avatar Gabriel Detraz

Interdit l'accès au vlan switches depuis les routeurs

parent 790df726
......@@ -13,7 +13,7 @@ class firewall(base.firewall_routeur):
'log_all' : self.log_all,
'admin_vlan' : self.admin_vlan,
'admin_vlans' : self.admin_vlans,
'clamp_mss' : self.clamp_mss,
'ingress_filtering' : self.ingress_filtering,
'ssh_on_https' : self.ssh_on_https,
......@@ -109,7 +109,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-i lo -j ACCEPT')
self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True))
self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-j %s' % self.admin_vlan(table))
self.add(table, chain, '-j %s' % self.admin_vlans(table))
self.add(table, chain, '-j %s' % blacklist_soft_chain)
self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain))
......@@ -216,12 +216,12 @@ class firewall(base.firewall_routeur):
self.apply(table, chain)
return chain
def admin_vlan(self, table=None, apply=False):
chain = 'VLAN-ADM'
def admin_vlans(self, table=None, apply=False):
chain = 'VLAN-ADMINS'
if table == 'filter':
pretty_print(table, chain)
for net in base.config.NETs['adm']:
for net in base.config.NETs['adm'] + base.config.NETs['switches']:
self.add(table, chain, '-o %s -s %s -j ACCEPT' % (dev['tun-soyouz'], net))
self.add(table, chain, '-i %s -d %s -j ACCEPT' % (dev['tun-soyouz'], net))
self.add(table, chain, '-d %s -j REJECT' % net)
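Review bot: The new `-j admin_vlans` jump in the second hunk still sits below the `-p icmp -j ACCEPT` rule two lines above it, so ICMP from any source reaches the switches VLAN before the chain's `-d <net> -j REJECT` is ever evaluated; if the goal is to close that VLAN to the routers, the jump should precede the ICMP accept, i.e. move `self.add(table, chain, '-j %s' % self.admin_vlans(table))` above `self.add(table, chain, '-p icmp -j ACCEPT')`. The same ordering already applied to the adm networks, so it may be deliberate, but either way a comment such as `# ICMP is accepted before VLAN-ADMINS: ping to adm/switch nets stays open` should record the decision. `base.config.NETs['switches']` is read unguarded in the loop header; if any deployment's config lacks that key the whole firewall build fails with a KeyError instead of just omitting the switch rules — presumably the key exists everywhere, but worth confirming. Renaming the chain from `VLAN-ADM` to `VLAN-ADMINS` and the registry key from `'admin_vlan'` to `'admin_vlans'` can leave a stale `VLAN-ADM` chain on already-deployed hosts and breaks any caller that selects the chain by its old name; neither case is visible in this diff. The method that emits the jump starts outside the second hunk, and `admin_vlans` itself may continue past the last shown line.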
