################################
#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define SSH_PORT = 22
define WS_PORTS = { 80, 443 }
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
counter accept comment "Webserver access"
+add rule ip ifg_filter forward \
+ ct state new, established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $SSH_PORT \
+ counter accept comment "Webserver SSH access"
+
add rule ip ifg_filter forward \
ct state new \
ip protocol udp \
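Review bot: The added "Webserver SSH access" rule accepts port 22 from all of `$INTERNAL_IPV4_NETS`, which is broader than administrative access to a perimeter host normally requires; if only some hosts manage the webserver, narrow the source, for example `iifname $INTERNAL_IF ip saddr $ADMIN_IPV4_HOSTS tcp sport 1024-65535 \` (`$ADMIN_IPV4_HOSTS` is a placeholder, no such define is on this page). The rule also matches `ct state new, established` while the rule after it uses `ct state new` alone, so established traffic is presumably accepted elsewhere in the chain and `ct state new \` would keep the two consistent. With the match limited to new connections, `log prefix "ws-ssh " counter accept comment "Webserver SSH access"` would leave one log record per SSH session for later review. The neighbouring rules begin and end outside the hunk, so the point about established traffic is inferred from the one visible `ct state new` line.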