From 949c9bbb13b93e36cba74b04f9048aaefcb4b1b2 Mon Sep 17 00:00:00 2001
From: VC
Date: Fri, 5 Jul 2024 11:53:07 +0200
Subject: [PATCH] =?UTF-8?q?Ajout=20des=20r=C3=A8gles=20pour=20le=20VLAN=20?=
 =?UTF-8?q?IoT=E2=80=AF(406)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 roles/firewall/templates/firewall.j2 | 70 ++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index a0acb32..e10f12c 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -440,6 +440,65 @@ config rule
  option target 'ACCEPT'
  option family 'ipv4'
 
+### IoT Rules
+## General Rules
+# ICMP
+config rule
+ option name 'Allow-ICMP'
+ option dest 'iot'
+ list proto 'icmp'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMP'
+ option src 'iot'
+ list proto 'icmp'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMP'
+ option src 'iot'
+ list proto 'icmp'
+ option dest '*'
+ option target 'ACCEPT'
+
+# DHCP rules
+config rule
+ option name 'Allow-DMZ-DHCP'
+ option dest 'iot'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest_port '67-68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-DMZ-DHCP'
+ option src 'iot'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest_port '67-68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+# DNS Resolution
+config rule
+ option name 'Allow-INPUT-DNS'
+ option src 'iot'
+ list proto 'tcp'
+ list proto 'udp'
+ option dest_port '53'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+# NTP
+config rule
+ option name 'Allow-OUTPUT-NTP'
+ option src 'iot'
+ list proto 'udp'
+ option dest_port '123'
+ option target 'ACCEPT'
+
 ## Default configuration
 config defaults
  option syn_flood '1'
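Review bot: The third 'Allow-ICMP' rule combines `option src 'iot'` with `option dest '*'`, which makes it a forwarding rule that accepts ICMP from the iot zone into every other zone, lan included, so it sidesteps the zone's REJECT forward policy and the deliberate absence of an iot→lan forwarding; if the intent is egress only, name the zone, e.g. `option dest 'wan'`, and if the intent is reaching the router, the second rule (src 'iot', no dest) already covers that and the third can be dropped. Three rules named 'Allow-ICMP' and two iot DHCP rules named 'Allow-DMZ-DHCP' look copied from the DMZ section and make rejected/accepted traffic hard to attribute in logs and rule listings; 'Allow-IoT-DHCP' etc. would be clearer. 'Allow-OUTPUT-NTP' has `option src 'iot'` and no dest, so it is an INPUT rule toward the router, not an OUTPUT rule, and the name should say so. DHCP runs over UDP only, so `list proto 'tcp'` on the two DHCP rules widens them for no benefit.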
@@ -462,6 +521,13 @@ config zone
  option forward 'REJECT'
  option network 'dmz'
 
+config zone
+ option name 'iot'
+ option input 'REJECT'
+ option output 'REJECT'
+ option forward 'REJECT'
+ option network 'iot'
+
 config zone
  option name 'wan'
  option input 'REJECT'
@@ -488,6 +554,10 @@ config forwarding
  option src 'lan'
  option dest 'dmz'
 
+config forwarding
+ option src 'lan'
+ option dest 'iot'
+
 config forwarding
  option src 'lan'
  option dest 'orig'
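Review bot: The new iot zone rejects input, output and forward but enables no logging, so attempts by IoT devices to reach the router or another zone are rejected silently; for a segment whose whole purpose is containment, adding `option log '1'` and `option log_limit '10/minute'` to this zone would surface those attempts in the kernel log for detection. `option output 'REJECT'` means router-originated traffic toward iot is limited to the explicit rules (ICMP and DHCP in the first hunk); the dmz zone's output policy is outside the hunk, so I cannot tell whether this matches the file's convention, and a one-line comment stating that the restriction is intentional would help the next reader.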
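Review bot: Only a lan→iot forwarding is added, with no iot→lan or iot→wan counterpart, so under the zone's forward REJECT policy IoT devices can initiate nothing beyond the router unless a forwarding exists outside this patch; if isolation is the intent it deserves a comment, e.g. `# lan may initiate to iot; no reverse forwarding keeps IoT devices off the LAN`, and if Internet egress is expected a `config forwarding` with `option src 'iot'` and `option dest 'wan'` is missing. Note that the 'Allow-ICMP' rule with `option dest '*'` in the first hunk already punches ICMP through this isolation in the iot→lan direction.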