Bascule de la messagerie

roles/firewall/templates/firewall.j2

@@ -61,16 +61,6 @@ config rule
 	option family 'ipv6'
 	option limit '1000/sec'
 
-## Deny IPv6 SMTP
-config rule
-	option name 'Deny-SMTP'
-	option src 'lan'
-	option proto 'tcp'
-	option dest 'wan'
-	option dest_port '25'
-	option target 'REJECT'
-	option family 'ipv6'
-
 ## SSH from VINCI rules
 config rule
 	option name 'Allow-Input-SSH-VINCI'
@@ -92,36 +82,6 @@ config rule
 	option family 'ipv6'
 
 ## Traffic for n0box2 server
-config rule
-	option name 'n0box2-SMTP+SMTPS+SUBMISSION'
-	option src 'wan'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option dest_port '25 465 587'
-	option target 'ACCEPT'
-	option family 'ipv6'
-
-config rule
-	option name 'n0box2-IMAP+IMAPS'
-	option src 'wan'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option dest_port '143 993'
-	option target 'ACCEPT'
-	option family 'ipv6'
-
-config rule
-	option name 'n0box2-HTTP+HTTPS'
-	option src 'wan'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option dest_port '80 443'
-	option target 'ACCEPT'
-	option family 'ipv6'
-
 #config rule
 #	option name 'n0box2-TS-com+com2'
 #	option src 'wan'
@@ -152,56 +112,6 @@ config rule
 #	option target 'ACCEPT'
 #	option family 'ipv6'
 
-config redirect
-	option name 'n0box2-SMTP'
-	option src 'wan'
-	option src_dport '25'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '25'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-SMTPS'
-	option src 'wan'
-	option src_dport '465'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '465'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-SUBMISSION'
-	option src 'wan'
-	option src_dport '587'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '587'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-IMAP'
-	option src 'wan'
-	option src_dport '143'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '143'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-IMAPS'
-	option src 'wan'
-	option src_dport '993'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '993'
-	option target 'DNAT'
-
 #config redirect
 #	option name 'n0box2-TS-com'
 #	option src 'wan'
@@ -318,6 +228,7 @@ config rule
 	option target 'ACCEPT'
 	option family 'ipv6'
 
+# a supprimer le prochain coup
 # Allow traffic to n0box2
 config rule
 	option name 'Allow-OUTPUT-to-n0box2'
@@ -426,17 +337,6 @@ config rule
 	option family 'ipv6'
 {% endfor %}
 
-# Allow SMTP traffic from mail
-config rule
-	option name 'Allow-OUTPUT-SMTP'
-	option src 'dmz'
-	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcp'
-	option dest 'wan'
-	option dst_port '25'
-	option target 'ACCEPT'
-	option family 'ipv4'
-
 # Allow XMPP traffic
 config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
@@ -509,6 +409,87 @@ config redirect
 	option dest_port '64738'
 	option target 'DNAT'
 
+# Allow mail traffic
+config rule
+	option name 'Allow-OUTPUT-SMTP'
+	option src 'dmz'
+	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option proto 'tcp'
+	option dest 'wan'
+	option dst_port '25'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
+	option src 'wan'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_port '25 465 587'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config rule
+	option name 'Allow-INPUT-IMAP+IMAPS'
+	option src 'wan'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_port '143 993'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config redirect
+	option name 'Allow-INPUT-SMTP'
+	option src 'wan'
+	option src_dport '25'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '25'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-SMTPS'
+	option src 'wan'
+	option src_dport '465'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '465'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-SUBMISSION'
+	option src 'wan'
+	option src_dport '587'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '587'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-IMAP'
+	option src 'wan'
+	option src_dport '143'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '143'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-IMAPS'
+	option src 'wan'
+	option src_dport '993'
+	option proto 'tcp'
+	option dest 'lan'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '993'
+	option target 'DNAT'
+
 ## Default configuration
 config defaults
 	option syn_flood '1'