Updated ifg.in (added netlock and slycpx rules).

diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config
index 0399e0efd78f18ef5c4ee0137c2f511b97a6d51a..f75f2f5bc1b2339c150ae732f4911052876d8dd8 100644 (file)
--- a/sources/ifg.in/c3d/firstboot/data/nftables.config
+++ b/sources/ifg.in/c3d/firstboot/data/nftables.config
@@ -30,7 +30,7 @@ define PUBLIC_NS_IPV4        = 213.253.216.164
 define PUBLIC_STORE_IPV4     = 213.253.216.165
 define PUBLIC_VPN_IPV4       = 213.253.216.166
 define PUBLIC_WS_IPV4        = 213.253.216.167
-define PUBLIC_IPV4_168       = 213.253.216.168
+define PUBLIC_NETLOCK_IPV4   = 213.253.216.168
 define PUBLIC_IPV4_169       = 213.253.216.169
 define PUBLIC_IPV4_170       = 213.253.216.170
 define PUBLIC_IPV4_171       = 213.253.216.171
@@ -101,6 +101,10 @@ define MINICRM_INTERNAL_IPV4 = 10.228.109.133
 define FDC_INTERNAL_IPV4 = 10.228.109.131
 define FDC_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d83
 
+# slycrm proxy address (internal network)
+define SLYCPX_INTERNAL_IPV4 = 10.228.109.44
+define SLYCPX_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d2c
+
 # source name server address (internal network)
 define SNS_INTERNAL_IPV4 = 10.228.109.11
 define SNS_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6d0b
@@ -112,6 +116,9 @@ define NS2_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:5c9f
 # dvredmine address (internal network)
 define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
 
+# netlock server address (internal network)
+define NETLOCK_INTERNAL_IPV4 = 10.228.32.197
+
 # worksheet address (internal network)
 define WORKSHEET_SR_IPV4 = 192.168.42.248
 
@@ -309,6 +316,12 @@ add rule ip ifg-filter forward \
     oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORT \
     counter accept comment "Incoming VPN traffic"
 
+add rule ip ifg-filter forward \
+    ip protocol tcp \
+    iifname $PERIMETER_IF ip saddr != $PERIMETER_NET tcp sport 1024-65535 \
+    oifname $INTERNAL_IF ip daddr $NETLOCK_INTERNAL_IPV4 tcp dport ssh \
+    counter accept comment "Incoming netlock traffic"
+
 add rule ip ifg-filter forward \
     ip protocol tcp \
     iifname $PERIMETER_IF ip saddr != $PERIMETER_NET tcp sport 1024-65535 \
@@ -325,15 +338,17 @@ add rule ip ifg-filter forward \
     iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
     oifname $INTERNAL_IF ip daddr { $DVREDMINE_INTERNAL_IPV4, \
                                     $FDC_INTERNAL_IPV4, \
+                                    $SLYCPX_INTERNAL_IPV4, \
                                     $STORE_INTERNAL_IPV4, \
                                     $WIKI_INTERNAL_IPV4 } tcp dport http \
-    counter accept comment "Fdc, redmine, store and wiki requests"
+    counter accept comment "Fdc, redmine, slycpx, store and wiki requests"
 add rule ip6 ifg-filter forward \
     iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
     oifname $INTERNAL_IF ip6 daddr { $FDC_INTERNAL_IPV6, \
+                                     $SLYCPX_INTERNAL_IPV6, \
                                      $STORE_INTERNAL_IPV6, \
                                      $WIKI_INTERNAL_IPV6 } tcp dport http \
-    counter accept comment "Fdc, store and wiki requests"
+    counter accept comment "Fdc, slycpx, store and wiki requests"
 
 add rule ip ifg-filter forward \
     ct state established \