diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py
index 68f66b2..6909b85 100644
--- a/roles/router/templates/firewall_config.py
+++ b/roles/router/templates/firewall_config.py
@@ -25,14 +25,13 @@
 ### Give me a role
 # previously: routeur4 = routeur IPv4
-role = ['routeur', 'portail']
+role = ['routeur']
 ### Specify each interface role
 interfaces_type = {
 'routable' : ['ens20', 'ens21', 'ens23'],
- 'routable-portail' : ['ens23'],
 'sortie' : ['ens19'],
 'admin' : ['ens18']
 }
@@ -67,24 +66,35 @@ nat = [
 'name': 'Accueil',
 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
 'extra_nat': {
- '10.{{ subnet_ids.users_accueil }}.0.0/16': '45.66.108.25{{ apartment_block_id }}'
+ '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{
+ apartment_block_id }}',
+ '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}'
 },
+ 'extra_nat_group': 'accueil_ens23_allowed',
 },
 ]
-portail = {
- "authorized_hosts": {
- "tcp": {
- "45.66.111.61": ["80", "443"],
- "92.222.211.195": ["80", "443"]
- },
- "udp": {}
- },
- "ip_redirect": {
- "0.0.0.0/0": {
+# ATTENTION: on doit avoir retry ≥ grace
+# ATTENTION: il faut que ip_redirect gère tous les ports
+# autorisés dans le profile re2o, sinon on laisse sortir
+# du trafic
+accueils = [
+ {
+ 'iface': 'ens23',
+ 'grace_period': 1800,
+ 'retry_period': 86400,
+ 'ip_sources': [
+ '10.{{ subnet_ids.users_accueil }}.1.0/24',
+ '10.{{ subnet_ids.users_accueil }}.2.0/24',
+ ],
+ 'ip_redirect': {
 "tcp": {
- "45.66.111.61": ["80", "443"]
+ "10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
 }
- }
+ },
+ 'triggers': [
+ ('4', 'tcp', '46.255.53.35', 443), # ComNPay
+ ('4', 'tcp', '46.255.53.35', 80),
+ ]
 }
-}
+]
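Review bot: The `triggers` entries in the new `accueils` block match on a bare destination (`46.255.53.35` tcp 443/80) with nothing tying them to a completed payment, so if a trigger is what starts `grace_period` for a source, any host in the .1.0/24 or .2.0/24 ranges can open its own 1800 s window just by completing a TCP handshake to that IP — please confirm how the generator consumes `triggers` and record it, e.g. `# triggers: a client that reaches one of these (family, proto, dst, port) tuples gets grace_period seconds of access; payment must still be verified out of band`. The hunk's own ATTENTION comment says `ip_redirect` must cover every port the re2o profile allows or traffic leaks, yet only tcp 80/443 are redirected here and there is no UDP entry, so a note naming the profile this was checked against would make that auditable. `extra_nat` was narrowed to .1.0/24 and .2.0/24 while this entry's `ip_sources` stays `/16`, so whether the other /24s still get a source NAT depends on how the generator treats `ip_sources` alone — worth a comment either way. Separately, `'45.66.108.25{{` / `apartment_block_id }}'` splits a Python string literal across two lines and only renders because the newline sits inside the Jinja expression, so keep it on one line: `'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}',`. The `accueils` definition is complete within the hunk, but the `nat` list it follows starts above it.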