define IFG_SR_IPV4 = 192.168.42.254
define IFG_IN_IPV4 = 192.168.43.254
-# dvredmine address (internal network)
-define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
-
-# minicrm address (internal network)
-define MINICRM_INTERNAL_IPV4 = 10.228.109.133
+# service address (internal network)
+define SVC_INTERNAL_IPV4 = 10.228.109.253
+define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
# store address (internal network)
define STORE_INTERNAL_IPV4 = 10.228.109.250
define STORE_INTERNAL_IPV6 = 2a02:d400:0000:f268:da9d:67ff:fe63:dc68
-# service address (internal network)
-define SVC_INTERNAL_IPV4 = 10.228.109.253
-define SVC_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dfd
+# wiki server address (internal network)
+define WIKI_INTERNAL_IPV4 = 10.228.109.239
+define WIKI_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6def
# vpn address (internal network)
define VPN_INTERNAL_IPV4 = 10.228.109.236
# primary name server address (internal network)
define PNS_INTERNAL_IPV4 = 10.228.109.174
+# minicrm address (internal network)
+define MINICRM_INTERNAL_IPV4 = 10.228.109.133
+
# internal name server address (internal network)
define INS_INTERNAL_IPV4 = 10.228.109.104
define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
+# dvredmine address (internal network)
+define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
+
# worksheet address (internal network)
define WORKSHEET_SR_IPV4 = 192.168.42.248
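Review bot: The added `WIKI_INTERNAL_IPV6` appears to be a MAC-derived (EUI-64/SLAAC) address, judging by the `ff:fe` in the middle of its interface identifier, and nothing next to the define records that. If the wiki host's interface or VM is ever replaced, the address would change, and the forward rules that reference this define would keep allowing port-80 traffic to an address the wiki no longer holds. I would either give the host a statically assigned address or add a comment above the define, such as `# MAC-derived (EUI-64) address: update when the wiki host's NIC changes`. The same pattern shows in `SVC_INTERNAL_IPV6` and `INS_INTERNAL_IPV6`, so one comment covering the group may be enough.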
iifname $INTERNAL_IF ip saddr $STORE_INTERNAL_IPV4 tcp sport 80 \
oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
counter accept comment "Store replies"
-#add rule ip6 ifg_filter forward \
-# ct state established \
-# iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
-# oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
-# counter accept comment "Store replies"
+add rule ip6 ifg_filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $STORE_INTERNAL_IPV6 tcp sport 80 \
+ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+ counter accept comment "Store replies"
+
+add rule ip ifg_filter forward \
+ ip protocol tcp \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip daddr $WIKI_INTERNAL_IPV4 tcp dport 80 \
+ counter accept comment "Wiki requests"
+add rule ip6 ifg_filter forward \
+ iifname $PERIMETER_IF ip6 saddr $WS_PERIMETER_IPV6 tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $WIKI_INTERNAL_IPV6 tcp dport 80 \
+ counter accept comment "Wiki requests"
+
+add rule ip ifg_filter forward \
+ ct state established \
+ ip protocol tcp \
+ iifname $INTERNAL_IF ip saddr $WIKI_INTERNAL_IPV4 tcp sport 80 \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
+ counter accept comment "Wiki replies"
+add rule ip6 ifg_filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $WIKI_INTERNAL_IPV6 tcp sport 80 \
+ oifname $PERIMETER_IF ip6 daddr $WS_PERIMETER_IPV6 tcp dport 1024-65535 \
+ counter accept comment "Wiki replies"
add rule ip ifg_filter forward \
ip protocol tcp \