Commit 5eb840ae authored by Gabriel Detraz's avatar Gabriel Detraz

Interdit l'accès au vlan switches depuis les routeurs

parent 790df726
...@@ -13,7 +13,7 @@ class firewall(base.firewall_routeur): ...@@ -13,7 +13,7 @@ class firewall(base.firewall_routeur):
self.reloadable.update({ self.reloadable.update({
'log_all' : self.log_all, 'log_all' : self.log_all,
'admin_vlan' : self.admin_vlan, 'admin_vlans' : self.admin_vlans,
'clamp_mss' : self.clamp_mss, 'clamp_mss' : self.clamp_mss,
'ingress_filtering' : self.ingress_filtering, 'ingress_filtering' : self.ingress_filtering,
'ssh_on_https' : self.ssh_on_https, 'ssh_on_https' : self.ssh_on_https,
...@@ -109,7 +109,7 @@ class firewall(base.firewall_routeur): ...@@ -109,7 +109,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-i lo -j ACCEPT') self.add(table, chain, '-i lo -j ACCEPT')
self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True)) self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True))
self.add(table, chain, '-p icmp -j ACCEPT') self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-j %s' % self.admin_vlan(table)) self.add(table, chain, '-j %s' % self.admin_vlans(table))
self.add(table, chain, '-j %s' % blacklist_soft_chain) self.add(table, chain, '-j %s' % blacklist_soft_chain)
self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain)) self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain)) self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain))
...@@ -216,12 +216,12 @@ class firewall(base.firewall_routeur): ...@@ -216,12 +216,12 @@ class firewall(base.firewall_routeur):
self.apply(table, chain) self.apply(table, chain)
return chain return chain
def admin_vlan(self, table=None, apply=False): def admin_vlans(self, table=None, apply=False):
chain = 'VLAN-ADM' chain = 'VLAN-ADMINS'
if table == 'filter': if table == 'filter':
pretty_print(table, chain) pretty_print(table, chain)
for net in base.config.NETs['adm']: for net in base.config.NETs['adm'] + base.config.NETs['switches']:
self.add(table, chain, '-o %s -s %s -j ACCEPT' % (dev['tun-soyouz'], net)) self.add(table, chain, '-o %s -s %s -j ACCEPT' % (dev['tun-soyouz'], net))
self.add(table, chain, '-i %s -d %s -j ACCEPT' % (dev['tun-soyouz'], net)) self.add(table, chain, '-i %s -d %s -j ACCEPT' % (dev['tun-soyouz'], net))
self.add(table, chain, '-d %s -j REJECT' % net) self.add(table, chain, '-d %s -j REJECT' % net)
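Review bot: In the second hunk the jump to the renamed `admin_vlans` chain is still placed after `self.add(table, chain, '-p icmp -j ACCEPT')`, so ICMP towards the newly added `NETs['switches']` ranges is accepted before the per-net `-d %s -j REJECT` in the third hunk is ever reached; if the intent of the commit is to block all traffic from the routers to the switches VLAN, the line `self.add(table, chain, '-j %s' % self.admin_vlans(table))` should move above the ICMP accept (unless `reseaux_non_routable` on the preceding line already covers it, which is not visible here), otherwise the exception deserves a comment such as `# ICMP to admin/switch VLANs is deliberately left reachable for monitoring`. Two further visible side effects are not addressed: the `reloadable` key changes from `'admin_vlan'` to `'admin_vlans'`, so any caller that reloads by that name silently stops matching, and the chain name changes from `VLAN-ADM` to `VLAN-ADMINS`, so a stale `VLAN-ADM` chain may remain on hosts already configured if the base class only flushes the chains it currently knows about. The body of `admin_vlans` continues past the end of the third hunk, so its `apply` handling could not be reviewed.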
......