--- firewall__zones: adm-legacy: addrs: - 2a09:6840:128::/64 - 10.128.0.0/16 ups: addrs: - 2a09:6840:201::/64 - 10.201.0.0/16 back: addrs: - 2a09:6840:203::/64 - 10.203.0.0/16 monit: addrs: - 2a09:6840:204::/64 - 10.204.0.0/16 wifi: addrs: - 2a09:6840:205::/64 - 10.205.0.0/16 int: addrs: - 2a09:6840:206::/64 - 10.206.0.0/16 sw: addrs: - 2a09:6840:207::/64 - 10.207.0.0/16 bmc: addrs: - 2a09:6840:208::/64 - 10.208.0.0/16 pve: addrs: - 2a09:6840:209::/64 - 10.209.0.0/16 isp: addrs: - 2a09:6840:210::/64 - 10.210.0.0/16 ext: addrs: - 2a09:6840:211::/64 - 10.211.0.0/16 pub: addrs: - 2a09:6840:215::/64 - 45.66.111.204/30 vpn-clients: addrs: - 2a09:6840:212::/64 - 10.212.0.0/16 vpn: addrs: - 2a09:6840:213::/64 - 10.213.0.0/16 infra: zones: - adm-legacy - ups - back - monit - wifi - int - sw - bmc - pve - isp - ext - pub - vpn internet: negate: true addrs: - 2a09:6840::/32 - 2a09:6841::/32 - 2a09:6842::/32 - 45.66.108.0/22 - 10.0.0.0/8 - 100.64.0.0/10 prometheus.int: addrs: - 2a09:6840:204::1:1 - 10.204.1.1 - 2a09:6840:204::1:2 - 10.204.1.2 grafana.adm: addrs: - 2a09:6840:128::98 - 10.128.0.98 nextcloud.adm: addrs: - 2a09:6840:128::58 - 10.128.0.58 dns.int: addrs: - 2a09:6840:206::1:1 - 10.206.1.1 - 2a09:6840:206::1:2 - 10.206.1.2 ntp.int: addrs: - 2a09:6840:206::1:5 - 10.206.1.5 - 2a09:6840:206::1:6 - 10.206.1.6 docker-ovh.adm: addrs: - 2a09:6840:128::150 - 10.128.0.150 mx.test: addrs: - 2a09:6840:211::1:5 - 45.66.111.205 - 10.128.1.5 proxy.pub: addrs: - 2a09:6840:215::1:1 - 45.66.111.206 firewall__input: - iif: - back0 # FIXME link-local - vpn0 verdict: accept - src: - back - vpn verdict: accept - src: monit protocols: tcp: dport: 9100 verdict: accept - src: monit protocols: tcp: dport: 9324 verdict: accept - protocols: icmp: true verdict: accept - protocols: tcp: dport: 22 verdict: accept - verdict: drop firewall__output: - verdict: accept firewall__forward: - src: back dst: infra verdict: accept - src: infra # FIXME: temporary dst: internet verdict: accept - src: monit dst: bmc protocols: icmp: true verdict: accept - dst: mx.test protocols: icmp: true verdict: accept - dst: mx.test protocols: tcp: dport: - 25 - 465 - 993 verdict: accept # SNMP - src: monit dst: - sw - ups protocols: udp: dport: 161 verdict: accept # Alertmanager - src: monit dst: docker-ovh.adm protocols: tcp: dport: 9093 verdict: accept - src: adm-legacy dst: bmc verdict: accept # Prometheus for Grafana - src: grafana.adm dst: prometheus.int protocols: tcp: dport: 9090 verdict: accept # Admin VPN clients - src: vpn-clients dst: infra verdict: accept # Prometheus node - src: monit dst: infra protocols: tcp: dport: 9100 verdict: accept # Prometheus bird - src: monit dst: back protocols: tcp: dport: 9324 verdict: accept # Prometheus kresd - src: monit dst: dns.int protocols: tcp: dport: 8453 verdict: accept # Allow DNS from infra to dns-{1,2} - src: infra dst: dns.int protocols: udp: dport: 53 verdict: accept - src: infra dst: dns.int protocols: tcp: dport: 53 verdict: accept # Allow NTP from infra to ntp-{1,2} - src: infra dst: ntp.int protocols: udp: dport: 123 verdict: accept # Admin Wireguard - dst: - 2a09:6840:211::1:1 - 45.66.111.204 - 10.211.1.1 protocols: udp: dport: 5121 verdict: accept # Proxy web - dst: proxy.pub protocols: tcp: dport: - 80 - 443 verdict: accept - src: proxy.pub dst: grafana.adm protocols: tcp: dport: 3000 verdict: accept - src: proxy.pub dst: nextcloud.adm protocols: tcp: dport: 8080 - src: proxy.pub dst: adm-legacy protocols: tcp: dport: - 80 - 443 verdict: accept # ICMP to public vlan - dst: pub protocols: icmp: true verdict: accept firewall__nat: - src: 10.0.0.0/8 dst: internet protocols: null snat: addr: 45.66.111.200/32 #- src: monit # dst: adm-legacy # protocols: null # snat: # addr: 10.203.1.3/32 ...