<?xml version="1.0" encoding="UTF-8" ?>
<firewall name="/usr/share/era/modeles/7zones27-CD34v3.xml" netbios="1" qos="0" version="2.42">
<zones>
<!-- One zone per interface of this 7-zone model. Levels rise from 10
     (exterieur, eth0) to 100 (bastion, the firewall host itself on lo);
     the "%%..." values are Creole variables resolved when the model is
     instantiated. NOTE(review): a higher level presumably denotes a more
     trusted zone - confirm against the ERA documentation. -->
<zone name="exterieur" level="10" ip="%%adresse_ip_eth0" network="%%adresse_network_eth0" netmask="%%adresse_netmask_eth0" interface="%%nom_zone_eth0"/>
<!-- The three VLAN zones (invite, wifipeda, management) share eth4: the
     index in vlan_id_eth4[n] fixes which VLAN becomes management (0),
     wifipeda (1) and invite (2), and the interface is expected to be named
     "vlan" followed by the VLAN id. -->
<zone name="invite" level="20" ip="%%vlan_id_eth4[2].vlan_ip_eth4" network="%%vlan_id_eth4[2].vlan_network_eth4" netmask="%%vlan_id_eth4[2].vlan_netmask_eth4" interface="vlan%%vlan_id_eth4[2]"/>
<zone name="dmz" level="30" ip="%%adresse_ip_eth3" network="%%adresse_network_eth3" netmask="%%adresse_netmask_eth3" interface="%%nom_zone_eth3"/>
<zone name="wifipeda" level="35" ip="%%vlan_id_eth4[1].vlan_ip_eth4" network="%%vlan_id_eth4[1].vlan_network_eth4" netmask="%%vlan_id_eth4[1].vlan_netmask_eth4" interface="vlan%%vlan_id_eth4[1]"/>
<zone name="pedago" level="40" ip="%%adresse_ip_eth2" network="%%adresse_network_eth2" netmask="%%adresse_netmask_eth2" interface="%%nom_zone_eth2"/>
<zone name="admin" level="50" ip="%%adresse_ip_eth1" network="%%adresse_network_eth1" netmask="%%adresse_netmask_eth1" interface="%%nom_zone_eth1"/>
<zone name="management" level="60" ip="%%vlan_id_eth4[0].vlan_ip_eth4" network="%%vlan_id_eth4[0].vlan_network_eth4" netmask="%%vlan_id_eth4[0].vlan_netmask_eth4" interface="vlan%%vlan_id_eth4[0]"/>
<!-- bastion: the firewall host itself, reached over loopback.
     NOTE(review): network 0.0.0.0 with a 255.255.255.255 netmask appears to
     be the model's way of denoting "this host only" - confirm. -->
<zone name="bastion" level="100" ip="127.0.0.1" network="0.0.0.0" netmask="255.255.255.255" interface="lo"/>
</zones>
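<include>
## INCLUSIONS_STATIQUES_GENERALES
## Static iptables rules appended to the 7-zone ERA model used on the CD34
## sites. Conventions visible in this block:
##   - %%nom_zone_ethN is the interface bound to zone N (eth0 exterieur,
##     eth1 admin, eth2 pedago, eth3 dmz); the VLAN zones hang off eth4.
##   - A published service is a PREROUTING DNAT, an ACCEPT in the matching
##     ext-ZONE filter chain for the translated destination, and a
##     POSTROUTING SNAT so that outbound traffic from the server leaves with
##     the external address of the firewall.
##   - "-t nat -I PREROUTING ... -j ACCEPT" rules are exceptions to the
##     transparent HTTP/HTTPS proxy redirection: matching flows bypass it.
## EXT-DMZ: forwarding of the allowed ports to the DMZ servers
## PUBLIC IP 1: WWW server
%if %%nb_ip_pub in ('1','2','3','4','5','6','7','8') and %%ip_pub1 != ''
## NOTE(review): the published port list includes LDAP (389/636), PPTP (1723)
## and nuauth (4129); confirm each is meant to be reachable from the Internet.
## The same list is reused for public IPs 2, 5 and 6 below.
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub1/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web1
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub1/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web1
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web1/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web1/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
## The ext-dmz ACCEPT above matches any TCP SYN to the server: the port
## restriction is carried only by the DNAT lists (same pattern for every
## public IP below).
%end if
## PUBLIC IP 2: NOTES server
%if %%nb_ip_pub in ('2','3','4','5','6','7','8') and %%ip_pub2 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub2/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web2
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub2/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web2
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web2/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web2/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
## PUBLIC IP 3: MAIL server (adds SMTP/POP/IMAP and their TLS ports)
%if %%nb_ip_pub in ('3','4','5','6','7','8') and %%ip_pub3 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub3/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,25,80,81,110,143,389,443,585,636,995,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web3
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub3/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web3
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web3/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web3/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
## PUBLIC IP 4: DISPO server
## Full 1:1 forwarding: every TCP and UDP port is translated and accepted,
## there is no port list for this address (same for public IP 8).
%if %%nb_ip_pub in ('4','5','6','7','8') and %%ip_pub4 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub4/32 -i %%nom_zone_eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web4
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub4/32 -i %%nom_zone_eth0 -p udp -m udp -j DNAT --to-destination %%ip_serveur_web4
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web4/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web4/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p udp -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web4/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
## PUBLIC IP 5:
%if %%nb_ip_pub in ('5','6','7','8') and %%ip_pub5 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub5/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web5
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub5/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web5
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web5/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web5/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
## PUBLIC IP 6:
%if %%nb_ip_pub in ('6','7','8') and %%ip_pub6 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub6/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web6
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub6/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web6
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web6/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web6/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
## PUBLIC IP 7: (mail port list, as for public IP 3)
%if %%nb_ip_pub in ('7','8') and %%ip_pub7 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub7/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,25,80,81,110,143,389,443,585,636,995,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web7
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub7/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web7
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web7/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web7/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
## PUBLIC IP 8:
## Note that ('8') is a plain string, not a tuple, so this "in" is a
## substring test; it still behaves as intended for the single value '8'.
%if %%nb_ip_pub in ('8') and %%ip_pub8 != ''
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub8/32 -i %%nom_zone_eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web8
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub8/32 -i %%nom_zone_eth0 -p udp -m udp -j DNAT --to-destination %%ip_serveur_web8
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web8/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web8/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p udp -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web8/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if

## MAIL FOR THE PRONOTE SERVER
## SNAT only (no filter rule): outbound traffic from the PRONOTE server is
## translated to the external address. The condition is a plain truth test
## on the variable, i.e. "set and non-empty".
%if %%serveur_pronote
/sbin/iptables -t nat -I POSTROUTING -s %%serveur_pronote/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if

## EXCEPTIONS TO THE HTTP AND HTTPS PROXY
## ADMIN: OTP VPN (api.ac-montpellier.fr), HORIZON (172.31.0.0)
## NOTE(review): a hostname in an iptables rule is resolved once, when the
## rule is inserted; if DNS is unavailable at that moment the insertion fails
## and the exception is absent (also applies to the PEDA rule below).
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth1 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d api.ac-montpellier.fr -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth1 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 172.31.0.0/16 -j ACCEPT
## PEDA: OTP VPN (195.83.226.53), GLPI server (195.83.225.232) and thin clients
## NOTE(review): the two rules below match api.ac-montpellier.fr and
## 172.23.0.0/16, not the addresses named in this label; confirm which is current.
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth2 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d api.ac-montpellier.fr -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth2 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 172.23.0.0/16 -j ACCEPT
## DMZ: no proxy for the ac-montpellier domain (PRONOTE ENT SSO)
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth3 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 195.83.225.0/24 -j ACCEPT

###########################################
## Additional rules not specific to CD34 ##
###########################################
## EXT-BAS: access to the pedago server from the rectorat network
/sbin/iptables -t nat -I PREROUTING -s 195.83.225.0/24 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 195.83.225.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

## for NTOP (port 3000 on the firewall, from admin, pedago and the rectorat)
## Fixed: the admin rule paired the admin network with the pedago netmask
## (adresse_netmask_eth2), so the source match was wrong whenever the two
## zones differ in size; it now uses adresse_netmask_eth1.
/sbin/iptables -t filter -I adm-bas -m state --state NEW -p tcp --dport 3000 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth1 -s %%adresse_network_eth1/%%adresse_netmask_eth1 -j ACCEPT
## NOTE(review): the pedago rule limits the source to a /30 of the pedago
## network (its first four addresses) instead of adresse_netmask_eth2 -
## confirm this narrowing is intended.
/sbin/iptables -t filter -I ped-bas -m state --state NEW -p tcp --dport 3000 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth2 -s %%adresse_network_eth2/30 -j ACCEPT
/sbin/iptables -t filter -I ext-bas -m state --state NEW -p tcp --dport 3000 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth0 -s 195.83.225.0/255.255.255.0 -j ACCEPT

## For shinken (check_mk agent port 6556 on the firewall, from the rectorat)
/sbin/iptables -t filter -I ext-bas -m state --state NEW -p tcp --dport 6556 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth0 -s 195.83.225.0/255.255.255.0 -j ACCEPT

## Time slots for the LORDI WiFi
%if %%plage_wifi == 'oui' and %%plage_wifi_debut != '' and %%plage_wifi_fin != '' and %%nom_zone_eth4 != '' and %%vlan_id_eth4[0] != ''
## Drops traffic addressed to the firewall itself (INPUT only; FORWARD is
## untouched) outside the plage_wifi_debut..plage_wifi_fin window: the
## start/stop values are swapped relative to their names, so the time match
## covers the period outside the slot (presumably intended).
## NOTE(review): the interface is built as nom_zone_eth4.ID here, whereas the
## zone table names the VLAN interfaces vlanID, and index 0 is the management
## VLAN in that table rather than the WiFi one - confirm both.
/sbin/iptables -I INPUT -i %%nom_zone_eth4.%%vlan_id_eth4[0] -m time --timestop %%plage_wifi_debut --timestart %%plage_wifi_fin --kerneltz -j DROP
%end if

############################################
## Additional rules for the local authorities ##
############################################

## REGION ##
%if %%nom_domaine_local.startswith("lyc-") or %%nom_domaine_local.startswith("erea-")
## SNAT to the eth2 address for the extended pedago zone when the destination
## is the thin-client zone (REGION GLPI inventory), ports 80 and 62354
/sbin/iptables -t filter -I ped-ext -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p tcp -m tcp --dport 62354 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -o %%nom_zone_eth0 -p tcp -m tcp --dport 62354 --tcp-flags SYN,RST,ACK SYN -j SNAT --to-source %%adresse_ip_eth2
/sbin/iptables -t filter -I ped-ext -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -o %%nom_zone_eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j SNAT --to-source %%adresse_ip_eth2
## access to the pedago server from the Region network (as for the DANE)
/sbin/iptables -t nat -I PREROUTING -s 194.214.141.0/24 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 194.214.141.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
%end if

## CD11 ##
%if %%numero_etab.startswith("011") and %%nom_domaine_local.startswith("clg-")
## RDP access on port 44123 to the PEDA server
## NOTE(review): this DNAT carries no -i or -s match, so any packet reaching
## the admin address on 44123 is translated; the two ext-ped rules below are
## what restrict the accepted sources to 192.168.225.0/24 and 10.11.200.0/24.
/sbin/iptables -t nat -I PREROUTING -d %%adresse_ip_eth1/32 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 192.168.225.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t filter -I ext-ped -s 10.11.200.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## SNAT for the TCP and UDP flows to AMON-COGITIS sent up through the ADMIN tunnel
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 10.11.200.0/24 -j SNAT --to-source %%adresse_ip_eth1
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth3/%%adresse_netmask_eth3 -d 10.11.200.0/24 -j SNAT --to-source %%adresse_ip_eth1
## allowed TCP ports towards COGITIS
/sbin/iptables -t filter -I ped-adm -m state --state NEW -p tcp --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,161,162,443 -d 10.11.200.0/24 -j ACCEPT
## allowed UDP ports towards COGITIS
/sbin/iptables -t filter -I ped-adm -p udp -m udp -m multiport --dports 135,161,162,445,514,24158 -d 10.11.200.0/24 -j ACCEPT
/sbin/iptables -t filter -I dmz-adm -p udp -m udp -m multiport --dports 135,161,162,445,514,24158 -d 10.11.200.0/24 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -d %%adresse_ip_eth1/32 -p udp -m udp --dport 24158 -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 10.11.200.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p udp -m state --state NEW -m udp --dport 24158 -j ACCEPT
## Inventory upload (HTTPS) to the COGITIS network through the ADMIN tunnel
## proxy exception for the upload to the COGITIS network (no -i: from every zone)
/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 10.11.200.0/24 -j ACCEPT
%end if

## CD30 ##
%if %%numero_etab.startswith("030") and %%nom_domaine_local.startswith("clg-")
## EDUTICE
## the edutice servers may go out for remote maintenance to the outside
## (OpenVPN, UDP 1194, to a single fixed address)
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_pedago2/32 -d 91.121.175.129/32 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j SNAT --to-source %%adresse_ip_eth0
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_antivirus/32 -d 91.121.175.129/32 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j SNAT --to-source %%adresse_ip_eth0
/sbin/iptables -t filter -I ped-ext -s %%ip_serveur_antivirus/32 -d 91.121.175.129/32 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j ACCEPT
/sbin/iptables -t filter -I ped-ext -s %%ip_serveur_pedago2/32 -d 91.121.175.129/32 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j ACCEPT
## allow the outside to reach port 8099 on the eth0 address and forward it to the pedago server
## NOTE(review): the DNAT sends the flow to ip_serveur_pedago2:8080, so it is
## then forwarded (ext-ped) rather than delivered locally, and the ext-bas
## ACCEPT on 8099 below does not match it. Every other DNAT in this file pairs
## the PREROUTING rule with an ext-ZONE ACCEPT for the translated destination
## and port - confirm whether this one was meant to do the same.
/sbin/iptables -t nat -I PREROUTING -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 8099 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago2:8080
/sbin/iptables -t filter -I ext-bas -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 8099 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## added for AMON 2.3 for NGINX owncloud access
## NOTE(review): opens 443 on the firewall itself to any source on eth0.
/sbin/iptables -t filter -I ext-bas -m state --state NEW -p tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth0 -j ACCEPT
%end if

## CD34 ##
%if %%numero_etab in ('0340109j','0340955d','0341366a','0342326u')
## CD34 access to the tablet MDM through the PEDA server
/sbin/iptables -t nat -I PREROUTING -s 212.51.190.239/32 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 212.51.190.239/32 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
%end if


###########################################
## Additional rules specific to schools  ##
###########################################

## Specific to 0340042L - Lyc Mermoz MPL - several subnets
## Uses -A (append) rather than -I, so these come after the generic SNAT rules.
%if %%numero_etab == '0340042l'
/sbin/iptables -t nat -A POSTROUTING -s 10.134.0.0/16 -o %%nom_zone_eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SNAT --to-source %%adresse_ip_eth0
/sbin/iptables -t nat -A POSTROUTING -s 10.134.0.0/16 -o %%nom_zone_eth0 -p udp -m udp -j SNAT --to-source %%adresse_ip_eth0
%end if

## Specific to 0340076Y - Lyc Curie Sete - port 14000 used by the PRONOTE client
## (the ext-dmz ACCEPT for public IP 2 above already admits any TCP port)
%if %%numero_etab == '0340076y'
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub2/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 14000 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web2
%end if

## Specific to 0300052U - Cite Scolaire Chamson Le Vigan - extra WiFi rules
%if %%numero_etab == '0300052u'
## ALCASAR administration access filtering (reserved to the rectorat networks)
## SSH on 10022 is translated to port 22 of the ALCASAR host in the DMZ.
/sbin/iptables -t nat -I PREROUTING -s 194.214.141.0/24,195.83.225.0/24,194.254.31.192/29,194.254.31.200/29 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 10022 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination 10.230.27.50:22
/sbin/iptables -t filter -I ext-dmz -s 194.214.141.0/24,195.83.225.0/24,194.254.31.192/29,194.254.31.200/29 -d 10.230.27.50/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## proxy exception so that ALCASAR reaches the Internet without the PROXY
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth3 -s 10.230.27.50/32 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## Fixed: the SNAT used the hard-coded output interface "ens160"; it now uses
## nom_zone_eth0 like every other rule in this file, so the translation does
## not silently stop matching when the external interface has another name.
/sbin/iptables -t nat -A POSTROUTING -s 10.230.27.50 -p tcp -m tcp -m multiport --dports 80,443 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if

###################################################################################
## GSIC PROJECT for CD34 ##
###################################################################################

## proxy exception for uploads to the CD34 Management network and CodeRNE-PYTHEAS
## NOTE(review): neither rule carries -i or -s, so the bypass applies from
## every zone, including invite and wifipeda.
/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -d 172.19.34.0/24 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -d %%ip_serveur_pytheas/32 -j ACCEPT

## Filter rules allowing the Admin/Pedag/WifiPedag networks to reach the local
## WSUS server (to be narrowed later to the WSUS server addresses)
/sbin/iptables -t filter -I adm-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 8530 -d %%ip_serveur_mgmt/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 8530 -d %%ip_serveur_mgmt/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 8530 -d %%ip_serveur_mgmt/32 -j ACCEPT

## Filter rules allowing the Admin/Pedag/WifiPedag networks to reach CodeRNE-PYTHEAS
## (SMB 139/445, TFTP/NetBIOS over UDP, and HTTP/HTTPS)
/sbin/iptables -t filter -I adm-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 139,445 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 139,445 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 139,445 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I adm-man -p udp -m udp -m multiport --dports 69,137,138,139 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p udp -m udp -m multiport --dports 69,137,138,139 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p udp -m udp -m multiport --dports 69,137,138,139 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I adm-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -d %%ip_serveur_pytheas/32 -j ACCEPT

## Filter rules allowing every flow (TCP, UDP, ICMP echo) from the Wifipedag
## network to the CodeRNE-SRVPEDAG server
/sbin/iptables -t filter -I wif-ped -d %%ip_serveur_pedago -m state --state NEW -p tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t filter -I wif-ped -d %%ip_serveur_pedago -m udp -p udp -j ACCEPT
/sbin/iptables -t filter -I wif-ped -d %%ip_serveur_pedago -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT

## Filter rules for administering the AMON from the Management network
## (all ICMP, plus SSH 22, EAD 4200 and gen_config 7000)
/sbin/iptables -I man-bas -p icmp -j ACCEPT
/sbin/iptables -t filter -I man-bas -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 22,4200,7000 -j ACCEPT

## NAT added so the Management network can reach the Internet
/sbin/iptables -t nat -I POSTROUTING -s %%vlan_id_eth4[0].vlan_network_eth4/%%vlan_id_eth4[0].vlan_netmask_eth4 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
</include>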
<services>
<service name="8500" protocol="tcp" ports="8500" id="11" libelle="service 8500" tcpwrapper=""/>
<service name="rsyslog_TCP" protocol="tcp" ports="10514" id="65" libelle="protocole TCP pour rsyslog" tcpwrapper=""/>
<service name="xmpp" protocol="tcp" ports="5222" id="63" libelle="Serveur jabber (XMPP)" tcpwrapper=""/>
<service name="imap4-ssl" protocol="tcp" ports="993" id="23" libelle="service imap4-ssl" tcpwrapper=""/>
<service name="ldm" protocol="tcp" ports="9571" id="86" libelle="Connexion management for LTSP" tcpwrapper=""/>
<service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
<service name="ftps" protocol="tcp" ports="989-990" id="29" libelle="service ftps" tcpwrapper=""/>
<service name="pop" protocol="tcp" ports="110" id="20" libelle="service pop" tcpwrapper=""/>
<service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
<service name="echo-reply" protocol="ICMP" ports="0" id="echo-reply" libelle="règle icmp echo-reply" tcpwrapper=""/>
<service name="cups" protocol="tcp" ports="631" id="76" libelle="Interface CUPS" tcpwrapper=""/>
<service name="lockd" protocol="tcp" ports="4005" id="61" libelle="" tcpwrapper=""/>
<service name="ead-server" protocol="tcp" ports="4201" id="83" libelle="ead-server" tcpwrapper=""/>
<service name="tftpd-hpa" protocol="udp" ports="69" id="75" libelle="Accès aux serveurs TFTP" tcpwrapper="in.tftpd"/>
<service name="ldaps" protocol="tcp" ports="636" id="24" libelle="service ldaps" tcpwrapper="slapd"/>
<service name="echo-request" protocol="ICMP" ports="0" id="echo-request" libelle="règle icmp echo-request" tcpwrapper=""/>
<service name="https" protocol="tcp" ports="443" id="5" libelle="serveur web sécurisé" tcpwrapper=""/>
<service name="ldap" protocol="tcp" ports="389" id="22" libelle="service d'annuaire" tcpwrapper="slapd"/>
<service name="lightsquid" protocol="tcp" ports="%%lightsquid_port" id="54" libelle="port d'accès à l'application lightsquid" tcpwrapper=""/>
<service name="ltspfsd" protocol="tcp" ports="9220" id="72" libelle="ltspfsd" tcpwrapper=""/>
<service name="udp" protocol="udp" ports="0-65535" id="34" libelle="tous les ports en udp" tcpwrapper=""/>
<service name="proxy2" protocol="tcp" ports="%%proxy2_port" id="55" libelle="port 2eme instance de squid" tcpwrapper=""/>
<service name="ead" protocol="tcp" ports="4200" id="36" libelle="ead" tcpwrapper=""/>
<service name="portmap" protocol="tcp" ports="111" id="60" libelle="" tcpwrapper=""/>
<service name="eole-sso" protocol="tcp" ports="%%eolesso_port" id="45" libelle="Service Eole SSO" tcpwrapper=""/>
<service name="dns-udp" protocol="udp" ports="53" id="7" libelle="serveur de noms" tcpwrapper=""/>
<service name="radius-acct" protocol="udp" ports="1813" id="74" libelle="" tcpwrapper=""/>
<service name="tcp" protocol="tcp" ports="0-65535" id="33" libelle="tous les ports en tcp" tcpwrapper=""/>
<service name="agents_zephir" protocol="tcp" ports="8090" id="46" libelle="Acces web aux agents Zéphir" tcpwrapper=""/>
<service name="ircu" protocol="tcp" ports="6665-6669" id="13" libelle="service ircu" tcpwrapper=""/>
<service name="imap" protocol="tcp" ports="143" id="21" libelle="service imap" tcpwrapper=""/>
<service name="nntps" protocol="tcp" ports="563" id="31" libelle="service nntps" tcpwrapper=""/>
<service name="ircs" protocol="tcp" ports="994" id="16" libelle="service ircs" tcpwrapper=""/>
<service name="msnp" protocol="tcp" ports="1863" id="17" libelle="service msnp" tcpwrapper=""/>
<service name="serveur_nfs" protocol="tcp" ports="2049" id="59" libelle="Serveur NFS" tcpwrapper=""/>
<service name="mountd" protocol="tcp" ports="4003" id="62" libelle="" tcpwrapper=""/>
<service name="webmin" protocol="tcp" ports="10000" id="9" libelle="application web d'administration" tcpwrapper=""/>
<service name="xmpp-ssl" protocol="tcp" ports="5223" id="81" libelle="Serveur jabber SSL (XMPP)" tcpwrapper=""/>
<service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
<service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
<service name="nbd-client" protocol="tcp" ports="2000" id="71" libelle="nbd-client" tcpwrapper=""/>
<service name="radius" protocol="udp" ports="1812" id="70" libelle="" tcpwrapper=""/>
<service name="scribe-service" protocol="tcp" ports="8788" id="36" libelle="service scribe sur les clients" tcpwrapper=""/>
<service name="pop3s" protocol="tcp" ports="995" id="25" libelle="service pop3s" tcpwrapper=""/>
<service name="smtp" protocol="tcp" ports="25" id="19" libelle="service mail" tcpwrapper=""/>
<service name="raw" protocol="tcp" ports="9100" id="82" libelle="Service d'impression Raw" tcpwrapper=""/>
<service name="sympa-restreint" protocol="tcp" ports="8888" id="57" libelle="sympa domaine restreint" tcpwrapper=""/>
<service name="gen_config" protocol="tcp" ports="7000" id="68" libelle="Accès à gen_config depuis l'extérieur en https" tcpwrapper=""/>
<service name="rsyslog_RELP" protocol="tcp" ports="20514" id="64" libelle="protocole RELP pour rsyslog" tcpwrapper=""/>
<service name="isakmp_500" protocol="udp" ports="500" id="52" libelle="protocole pour ipsec" tcpwrapper=""/>
<service name="ftp" protocol="tcp" ports="21" id="78" libelle="transfert de fichiers sur le port 21" tcpwrapper=""/>
<service name="nbd-server" protocol="tcp" ports="10809" id="85" libelle="Server NBD for Eclair" tcpwrapper=""/>
<service name="esp" protocol="esp" ports="0" id="51" libelle="protocole pour ipsec" tcpwrapper=""/>
<service name="nuauth" protocol="tcp" ports="4129" id="43" libelle="Serveur d'authentification NuFw" tcpwrapper=""/>
<service name="dns-tcp" protocol="tcp" ports="53" id="6" libelle="serveur de noms" tcpwrapper=""/>
<service name="posh-admin" protocol="tcp" ports="7070" id="48" libelle="administration posh" tcpwrapper=""/>
<service name="irc" protocol="tcp" ports="194" id="15" libelle="service irc" tcpwrapper=""/>
<service name="nntp" protocol="tcp" ports="119" id="30" libelle="service nntp" tcpwrapper=""/>
<service name="mdqs" protocol="tcp" ports="666" id="15" libelle="service mdqs" tcpwrapper=""/>
<service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
<service name="cntlm" protocol="tcp" ports="%%cntlm_port" id="67" libelle="Proxy Cntlm" tcpwrapper=""/>
<service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
<service name="ntp" protocol="udp" ports="123" id="56" libelle="serveur de temps" tcpwrapper=""/>
<service name="sympa-internet" protocol="tcp" ports="8787" id="58" libelle="serveur sympa internet" tcpwrapper=""/>
<service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
<service name="ead-fichier" protocol="tcp" ports="4202" id="84" libelle="ead-fichier" tcpwrapper=""/>
<service name="news" protocol="tcp" ports="2009" id="32" libelle="nouvelles" tcpwrapper=""/>
<service name="ftp-tcp" protocol="tcp" ports="20-21" id="26" libelle="transfert de fichiers" tcpwrapper=""/>
<service name="scribe-controlevnc" protocol="tcp" ports="8789-8790" id="45" libelle="" tcpwrapper=""/>
<service name="gaspacho" protocol="tcp" ports="8080" id="80" libelle="Accès à l'outil Gaspacho" tcpwrapper=""/>
<service name="revprox-sso" protocol="tcp" ports="8443" id="79" libelle="Redirection du service EoleSSO" tcpwrapper=""/>
<service name="pulseaudio" protocol="tcp" ports="16001" id="70" libelle="pulseaudio" tcpwrapper=""/>
<service name="smtps" protocol="tcp" ports="465" id="77" libelle="Service SMTP SSL" tcpwrapper=""/>
<service name="sftp" protocol="tcp" ports="115" id="27" libelle="service sftp" tcpwrapper=""/>
<service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
<service name="tous" protocol="TOUT" ports="0" id="tout" libelle="tous les services" tcpwrapper=""/>
|
309
|
<service name="talk" protocol="tcp" ports="517-518" id="18" libelle="service talk" tcpwrapper=""/>
|
310
|
<service name="pftp" protocol="tcp" ports="662" id="28" libelle="service pftp" tcpwrapper=""/>
|
311
|
<service name="isakmp_4500" protocol="udp" ports="4500" id="53" libelle="protocole pour ipsec" tcpwrapper=""/>
|
312
|
<service name="ead-scribe" protocol="tcp" ports="%%revprox_ead_port" id="73" libelle="port EAD du Scribe avec reverse proxy" tcpwrapper=""/>
|
313
|
<service name="rsyslog_UDP" protocol="udp" ports="514" id="66" libelle="protocole UDP pour rsyslog" tcpwrapper=""/>
|
314
|
<service name="ssh" protocol="tcp" ports="22" id="8" libelle="shell sécurisé" tcpwrapper="sshd"/>
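<!-- Service groups. A directive that names a group opens every member at once, so a group
     that mixes a public service with an administrative one widens exposure to whatever
     source endpoint the directive allows (see scribe-posh below). -->

<!-- Scribe (DMZ) towards the pedagogical network. VNC 5800/5900, CUPS 631 and raw 9100 are
     cleartext protocols; acceptable only because the path stays DMZ <-> pedago. -->
<groupe id="scribe-dmz-pedago" libelle="service Scribe DMZ vers pedago">
  <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
  <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
  <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
  <service name="scribe-service" protocol="tcp" ports="8788" id="36" libelle="service scribe sur les clients" tcpwrapper=""/>
  <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
  <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
  <service name="cups" protocol="tcp" ports="631" id="76" libelle="Interface CUPS" tcpwrapper=""/>
  <service name="raw" protocol="tcp" ports="9100" id="82" libelle="Service d'impression Raw" tcpwrapper=""/>
</groupe>

<!-- VNC carries credentials and screen content unencrypted; never expose this group to
     "exterieur"-wide endpoints. -->
<groupe id="vnc" libelle="vnc">
  <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
  <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
</groupe>

<!-- EAD backend: only ever used with *_backend_ead endpoints in the flux sections. -->
<groupe id="ead_server" libelle="Ports autorises pour l'administration distante d'Amon (backend ead)">
  <service name="ead-server" protocol="tcp" ports="4201" id="83" libelle="ead-server" tcpwrapper=""/>
  <service name="ead-fichier" protocol="tcp" ports="4202" id="84" libelle="ead-fichier" tcpwrapper=""/>
</groupe>

<!-- LTSP. NOTE(review): "ssh" here has tcpwrapper="" and a misspelt label, whereas the
     top-level "ssh" (same id="8") has tcpwrapper="sshd"; the two copies of one service
     should agree. Left as-is because the tcpwrapper value may drive generated host-access
     rules — confirm before aligning. -->
<groupe id="amonecole-eclair" libelle="LTSP services">
  <service name="ldm" protocol="tcp" ports="9571" id="86" libelle="Connexion management for LTSP" tcpwrapper=""/>
  <service name="nbd-server" protocol="tcp" ports="10809" id="85" libelle="Server NBD for Eclair" tcpwrapper=""/>
  <service name="ssh" protocol="tcp" ports="22" id="8" libelle="shell sécrurisé" tcpwrapper=""/>
</groupe>

<groupe id="gr_redirection_http" libelle="Protocoles http a rediriger vers le proxy">
  <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
  <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
  <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
</groupe>

<!-- Remote administration of Amon. Includes ICMP echo-request, so hosts matching the
     *_admin endpoints can also ping the bastion. -->
<groupe id="admin_amon" libelle="Port autorise pour l'administration distante d'Amon (ssh, ead, agents zephir)">
  <service name="agents_zephir" protocol="tcp" ports="8090" id="46" libelle="Acces web aux agents Zéphir" tcpwrapper=""/>
  <service name="ead" protocol="tcp" ports="8501" id="10" libelle="Eole Admin" tcpwrapper=""/>
  <service name="lightsquid" protocol="tcp" ports="%%lightsquid_port" id="54" libelle="port d'accès à l'application lightsquid" tcpwrapper=""/>
  <service name="echo-request" protocol="ICMP" ports="0" id="echo-request" libelle="règle icmp echo-request" tcpwrapper=""/>
</groupe>

<groupe id="gr_redirection_https" libelle="Https a redifiger vers le proxy">
  <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
</groupe>

<groupe id="gr_pop" libelle="pop3 et pop3s">
  <service name="pop" protocol="tcp" ports="110" id="20" libelle="service pop" tcpwrapper=""/>
  <service name="pop3s" protocol="tcp" ports="995" id="25" libelle="service pop3s" tcpwrapper=""/>
</groupe>

<!-- Superset of gr_redirection_http plus https. -->
<groupe id="gr_redirection" libelle="Protocoles a rediriger vers le proxy">
  <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
  <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
  <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
  <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
</groupe>

<!-- NOTE(review): 585/tcp is the long-deprecated "imap4-ssl" assignment; IMAP over TLS
     as deployed today uses 993 (imaps). Rules built on this group will not match modern
     IMAPS clients — verify whether that is the intent. -->
<groupe id="gr_imap" libelle="imap et imap-ssl">
  <service name="imap" protocol="tcp" ports="143" id="21" libelle="service imap" tcpwrapper=""/>
  <service name="imap4-ssl" protocol="tcp" ports="585" id="23" libelle="service imap4-ssl" tcpwrapper=""/>
</groupe>

<!-- IKE (500/udp), NAT-T (4500/udp) and ESP. -->
<groupe id="ipsec" libelle="Services utilises pas ipsec">
  <service name="esp" protocol="esp" ports="0" id="51" libelle="protocole pour ipsec" tcpwrapper=""/>
  <service name="isakmp_4500" protocol="udp" ports="4500" id="53" libelle="protocole pour ipsec" tcpwrapper=""/>
  <service name="isakmp_500" protocol="udp" ports="500" id="52" libelle="protocol pour ipsec" tcpwrapper=""/>
</groupe>

<!-- Instant-messaging / IRC ports, used for blocking. NOTE(review): "irc" carries id="15",
     the same id as "mdqs" (also in this group and at top level). -->
<groupe id="gr_irc" libelle="interdire l'utilisation des dialogues en direct (icq)">
  <service name="talk" protocol="tcp" ports="517-518" id="18" libelle="service talk" tcpwrapper=""/>
  <service name="msnp" protocol="tcp" ports="1863" id="17" libelle="service msnp" tcpwrapper=""/>
  <service name="mdqs" protocol="tcp" ports="666" id="15" libelle="service mdqs" tcpwrapper=""/>
  <service name="ircs" protocol="tcp" ports="994" id="16" libelle="service ircs" tcpwrapper=""/>
  <service name="irc" protocol="tcp" ports="194" id="15" libelle="service irc" tcpwrapper=""/>
  <service name="ircu" protocol="tcp" ports="6665-6669" id="13" libelle="service ircu" tcpwrapper=""/>
</groupe>

<groupe id="sympa" libelle="serveur sympa">
  <service name="sympa-internet" protocol="tcp" ports="8787" id="58" libelle="serveur sympa internet" tcpwrapper=""/>
  <service name="sympa-restreint" protocol="tcp" ports="8888" id="57" libelle="sympa domaine restreint" tcpwrapper=""/>
</groupe>

<!-- Plain FTP (20-21) sends credentials in cleartext; "sftp" here is RFC 913, not SSH. -->
<groupe id="gr_ftp" libelle="">
  <service name="ftp-tcp" protocol="tcp" ports="20-21" id="26" libelle="transfert de fichiers" tcpwrapper=""/>
  <service name="ftps" protocol="tcp" ports="989-990" id="29" libelle="service ftps" tcpwrapper=""/>
  <service name="pftp" protocol="tcp" ports="662" id="28" libelle="service pftp" tcpwrapper=""/>
  <service name="sftp" protocol="tcp" ports="115" id="27" libelle="service sftp" tcpwrapper=""/>
</groupe>

<groupe id="samba" libelle="samba proto">
  <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
  <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
  <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
</groupe>

<!-- Mail and directory ports. The label previously read "interdire l'utilisation des
     dialogues en direct (icq)", copied from gr_irc, which misdescribes the group to an
     operator choosing it in the UI; it now names the actual content. -->
<groupe id="gr_messagerie" libelle="services de messagerie et d'annuaire (imap, ldap, pop, smtp)">
  <service name="imap" protocol="tcp" ports="143" id="21" libelle="service imap" tcpwrapper=""/>
  <service name="imap4-ssl" protocol="tcp" ports="585" id="23" libelle="service imap4-ssl" tcpwrapper=""/>
  <service name="ldap" protocol="tcp" ports="389" id="22" libelle="service d'annuaire" tcpwrapper=""/>
  <service name="ldaps" protocol="tcp" ports="636" id="24" libelle="service ldaps" tcpwrapper=""/>
  <service name="pop" protocol="tcp" ports="110" id="20" libelle="service pop" tcpwrapper=""/>
  <service name="pop3s" protocol="tcp" ports="995" id="25" libelle="service pop3s" tcpwrapper=""/>
  <service name="smtp" protocol="tcp" ports="25" id="19" libelle="service mail" tcpwrapper=""/>
  <service name="smtps" protocol="tcp" ports="465" id="77" libelle="Service SMTP SSL" tcpwrapper=""/>
</groupe>

<groupe id="gr_forum" libelle="interdire l'utilisation des forums">
  <service name="nntp" protocol="tcp" ports="119" id="30" libelle="service nntp" tcpwrapper=""/>
  <service name="nntps" protocol="tcp" ports="563" id="31" libelle="service nntps" tcpwrapper=""/>
  <service name="news" protocol="tcp" ports="2009" id="32" libelle="nouvelles" tcpwrapper=""/>
</groupe>

<!-- Only the explicit proxy ports; plain 80/443 are handled by separate directives. -->
<groupe id="gr_redirection_proxy" libelle="Protocoles proxy a rediriger vers le proxy">
  <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
  <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
</groupe>

<groupe id="eclair-dmz" libelle="Eclair en DMZ">
  <service name="ltspfsd" protocol="tcp" ports="9220" id="72" libelle="ltspfsd" tcpwrapper=""/>
  <service name="nbd-client" protocol="tcp" ports="2000" id="71" libelle="nbd-client" tcpwrapper=""/>
  <service name="pulseaudio" protocol="tcp" ports="16001" id="70" libelle="pulseaudio" tcpwrapper=""/>
  <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
</groupe>

<groupe id="gr_smtp" libelle="smtp et smtps">
  <service name="smtp" protocol="tcp" ports="25" id="19" libelle="service mail" tcpwrapper=""/>
  <service name="smtps" protocol="tcp" ports="465" id="77" libelle="Service SMTP SSL" tcpwrapper=""/>
</groupe>

<!-- Whole TCP and UDP port space; intended as the "block everything" service for
     restricted zones (web still reaches the proxy through the redirection rules). -->
<groupe id="gr_restreint" libelle="on ferme tout sauf l'utilisation du web par le proxy">
  <service name="tcp" protocol="tcp" ports="0-65535" id="33" libelle="tous les ports en tcp" tcpwrapper=""/>
  <service name="udp" protocol="udp" ports="0-65535" id="34" libelle="tous les ports en udp" tcpwrapper=""/>
</groupe>

<!-- Extranet exposure of Scribe. NOTE(review): this pairs cleartext FTP with HTTPS; if the
     group is opened from an external endpoint, FTP credentials cross the internet in clear. -->
<groupe id="scribe_ext" libelle="services extranet scribe ">
  <service name="ftp-tcp" protocol="tcp" ports="20-21" id="26" libelle="transfert de fichiers" tcpwrapper=""/>
  <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
</groupe>

<groupe id="scribe-pedago-dmz" libelle="client scribe vers la DMZ">
  <service name="ldap" protocol="tcp" ports="389" id="22" libelle="service d'annuaire" tcpwrapper=""/>
  <service name="ldaps" protocol="tcp" ports="636" id="24" libelle="service ldaps" tcpwrapper=""/>
  <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
  <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
  <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
  <service name="scribe-controlevnc" protocol="tcp" ports="8789-8790" id="45" libelle="" tcpwrapper=""/>
  <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
  <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
</groupe>

<!-- NFS with lockd/mountd pinned to fixed ports. TCP only: there are no UDP counterparts
     here, so clients or daemons that use UDP (portmap 111/udp in particular) are not
     covered — presumably the NFS server is configured TCP-only; confirm. -->
<groupe id="nfs" libelle="Serveur NFS + portmap">
  <service name="portmap" protocol="tcp" ports="111" id="60" libelle="" tcpwrapper=""/>
  <service name="lockd" protocol="tcp" ports="4005" id="61" libelle="" tcpwrapper=""/>
  <service name="mountd" protocol="tcp" ports="4003" id="62" libelle="" tcpwrapper=""/>
  <service name="serveur_nfs" protocol="tcp" ports="2049" id="59" libelle="Serveur NFS" tcpwrapper=""/>
</groupe>

<groupe id="dns" libelle="dns tcp et udp">
  <service name="dns-udp" protocol="udp" ports="53" id="7" libelle="serveur de noms" tcpwrapper=""/>
  <service name="dns-tcp" protocol="tcp" ports="53" id="6" libelle="serveur de noms" tcpwrapper=""/>
</groupe>

<!-- NOTE(review): "radius" id="70" duplicates the id of "pulseaudio". -->
<groupe id="gr_radius" libelle="Serveur radius (UDP)">
  <service name="radius" protocol="udp" ports="1812" id="70" libelle="" tcpwrapper=""/>
  <service name="radius-acct" protocol="udp" ports="1813" id="74" libelle="" tcpwrapper=""/>
</groupe>

<!-- NOTE(review): this group bundles the Posh administration port (7070) with the public
     http/https ports. It is referenced by the ActiverNGINX directive in the bastion/exterieur
     flux with the whole "exterieur" endpoint as source, so enabling that option also exposes
     7070 to every external address. Splitting posh-admin into its own group, opened only
     from exterieur_admin, keeps the public ports public and the admin port restricted. -->
<groupe id="scribe-posh" libelle="Ouverture des ports pour l'utilisation de nginx pour Posh">
  <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
  <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
  <service name="posh-admin" protocol="tcp" ports="7070" id="48" libelle="administration posh" tcpwrapper=""/>
</groupe>

<!-- TFTP has no authentication; source endpoints using this group should be limited to
     the LTSP client network. -->
<groupe id="amonecole-eclair-partage" libelle="Services in partage container for Eclair">
  <service name="tftpd-hpa" protocol="udp" ports="69" id="75" libelle="Accès aux serveurs TFTP" tcpwrapper="in.tftpd"/>
</groupe>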
</services>
<qosclasses upload="" download="">
</qosclasses>
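<!-- Endpoints ("extremites") referenced by the flux directives. Conventions visible here:
     - subnet="1" with a netmask variable: a whole network (the "Zone entière" and
       "*_restreint" entries cover the entire zone).
     - subnet="0" with 255.255.255.255: a single host.
     Security-relevant: the *_ssh, *_admin and *_backend_ead endpoints are the ONLY thing
     that limits management access (ssh, EAD, Zephir agents, lightsquid) to the bastion.
     Their reach is entirely decided by the %%ip_*/%%netmask_* template values; a value of
     0.0.0.0/0.0.0.0 on the eth0 variants would expose those services to all of "exterieur".
     Keep them as narrow as operations allow. -->
<extremites>
  <!-- admin zone -->
  <extremite zone="admin" name="admin_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth1" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_network_eth1"/>
  </extremite>
  <extremite zone="admin" name="admin_admin" libelle="reseau autorise a administrer depuis le reseau administratif" netmask="%%netmask_admin_eth1" subnet="1" type="" interface="" container="">
    <ip address="%%ip_admin_eth1"/>
  </extremite>
  <extremite zone="admin" name="admin_ssh" libelle="reseau autorise a se connecter a ssh depuis le reseau administratif" netmask="%%netmask_ssh_eth1" subnet="1" type="" interface="" container="">
    <ip address="%%ip_ssh_eth1"/>
  </extremite>
  <extremite zone="admin" name="admin_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis le reseau administratif" netmask="%%netmask_frontend_ead_distant_eth1" subnet="1" type="" interface="" container="">
    <ip address="%%ip_frontend_ead_distant_eth1"/>
  </extremite>
  <extremite zone="admin" name="admin" libelle="Zone entière" netmask="%%adresse_netmask_eth1" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_ip_eth1"/>
  </extremite>

  <!-- exterieur zone. NOTE(review): pedago_bastion and admin_bastion are declared in zone
       "exterieur" although they carry the bastion's eth2/eth1 addresses; presumably deliberate
       (NAT targets) — confirm, as a zone mismatch here would silently mis-scope any directive
       that uses them. -->
  <extremite zone="exterieur" name="pedago_bastion" libelle="" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
    <ip address="%%adresse_ip_eth2"/>
  </extremite>
  <extremite zone="exterieur" name="exterieur_admin" libelle="reseau autorise a administrer depuis l'exterieur" netmask="%%netmask_admin_eth0" subnet="1" type="" interface="" container="">
    <ip address="%%ip_admin_eth0"/>
  </extremite>
  <extremite zone="exterieur" name="exterieur_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis l'exterieur" netmask="%%netmask_frontend_ead_distant_eth0" subnet="1" type="" interface="" container="">
    <ip address="%%ip_frontend_ead_distant_eth0"/>
  </extremite>
  <extremite zone="exterieur" name="admin_bastion" libelle="adresse du bastion sur le reseau admin" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
    <ip address="%%adresse_ip_eth1"/>
  </extremite>
  <extremite zone="exterieur" name="exterieur_bastion" libelle="IP de bastion sur la zone exterieur" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
    <ip address="%%adresse_ip_eth0"/>
  </extremite>
  <extremite zone="exterieur" name="exterieur" libelle="Zone entière" netmask="%%adresse_netmask_eth0" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_ip_eth0"/>
  </extremite>
  <extremite zone="exterieur" name="exterieur_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth0" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_network_eth0"/>
  </extremite>
  <extremite zone="exterieur" name="exterieur_ssh" libelle="reseau autorise a se connecter a ssh" netmask="%%netmask_ssh_eth0" subnet="1" type="" interface="" container="">
    <ip address="%%ip_ssh_eth0"/>
  </extremite>
  <!-- Log-aggregator clients. These are subnet="0" (host entries) yet carry a netmask
       variable; whether the generator honours that mask for host entries is not visible
       here — if it does not, only the listed addresses match, which is the safer outcome.
       The UDP variant feeds an unauthenticated, spoofable service (rsyslog_UDP). -->
  <extremite zone="exterieur" name="clients_relp_rsyslog" libelle="clients de l'agrégateur de logs en relp" netmask="%%netmask_client_logs_relp" subnet="0" type="" interface="" container="">
    <ip address="%%adresses_ip_clients_logs_relp"/>
  </extremite>
  <extremite zone="exterieur" name="clients_udp_rsyslog" libelle="clients de l'agrégateur de logs en udp" netmask="%%netmask_client_logs_udp" subnet="0" type="" interface="" container="">
    <ip address="%%adresses_ip_clients_logs_udp"/>
  </extremite>
  <extremite zone="exterieur" name="clients_tcp_rsyslog" libelle="clients de l'agrégateur de logs en tcp" netmask="%%netmask_client_logs_tcp" subnet="0" type="" interface="" container="">
    <ip address="%%adresses_ip_clients_logs_tcp"/>
  </extremite>

  <!-- dmz zone -->
  <extremite zone="dmz" name="dmz_admin" libelle="reseau autorise a administrer depuis la dmz" netmask="%%netmask_admin_eth3" subnet="1" type="" interface="" container="">
    <ip address="%%ip_admin_eth3"/>
  </extremite>
  <extremite zone="dmz" name="dmz_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth3" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_network_eth3"/>
  </extremite>
  <extremite zone="dmz" name="dmz_ssh" libelle="reseau autorise a se connecter a ssh depuis la dmz" netmask="%%netmask_ssh_eth3" subnet="1" type="" interface="" container="">
    <ip address="%%ip_ssh_eth3"/>
  </extremite>
  <extremite zone="dmz" name="dmz_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis la dmz" netmask="%%netmask_frontend_ead_distant_eth3" subnet="1" type="" interface="" container="">
    <ip address="%%ip_frontend_ead_distant_eth3"/>
  </extremite>
  <extremite zone="dmz" name="dmz" libelle="Zone entière" netmask="%%adresse_netmask_eth3" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_ip_eth3"/>
  </extremite>
  <extremite zone="dmz" name="serveur_scribe_dmz" libelle="serveur scribe sur DMZ" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
    <ip address="%%ip_serveur_scribe_dmz"/>
  </extremite>

  <!-- bastion zone: the firewall itself plus the "internet" container's legs. -->
  <extremite zone="bastion" name="bastion_exterieur" libelle="Bastion sur la zone exterieur" netmask="255.255.255.255" subnet="0" type="normal" interface="eth0" container="">
    <ip address="%%adresse_ip_eth0"/>
  </extremite>
  <extremite zone="bastion" name="internet_eth2" libelle="eth2 dans le conteneur internet" netmask="255.255.255.255" subnet="0" type="conteneur" interface="eth2" container="internet">
    <ip address="%%adresse_ip_eth2_proxy_link"/>
  </extremite>
  <extremite zone="bastion" name="bastion" libelle="Zone entière" netmask="255.255.255.255" subnet="1" type="" interface="" container="">
    <ip address="127.0.0.1"/>
  </extremite>
  <extremite zone="bastion" name="internet" libelle="conteneur internet" netmask="255.255.255.255" subnet="0" type="conteneur" interface="containers" container="internet">
    <ip address="%%container_ip_internet"/>
  </extremite>
  <extremite zone="bastion" name="internet_eth1" libelle="eth1 dans le conteneur internet" netmask="255.255.255.255" subnet="0" type="conteneur" interface="eth1" container="internet">
    <ip address="%%adresse_ip_eth1_proxy_link"/>
  </extremite>

  <!-- management VLAN -->
  <extremite zone="management" name="management" libelle="Zone entière" netmask="%%vlan_id_eth4[0].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
    <ip address="%%vlan_id_eth4[0].vlan_ip_eth4"/>
  </extremite>
  <extremite zone="management" name="management_restreint" libelle="zone restreinte" netmask="%%vlan_id_eth4[0].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
    <ip address="%%vlan_id_eth4[0].vlan_network_eth4"/>
  </extremite>

  <!-- pedago zone -->
  <extremite zone="pedago" name="pedago_ssh" libelle="reseau autorise a se connecter a ssh depuis le reseau pedagogique" netmask="%%netmask_ssh_eth2" subnet="1" type="" interface="" container="">
    <ip address="%%ip_ssh_eth2"/>
  </extremite>
  <extremite zone="pedago" name="pedago" libelle="Zone entière" netmask="%%adresse_netmask_eth2" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_ip_eth2"/>
  </extremite>
  <extremite zone="pedago" name="pedago_admin" libelle="reseau autorise a administrer depuis le reseau pedagogique" netmask="%%netmask_admin_eth2" subnet="1" type="" interface="" container="">
    <ip address="%%ip_admin_eth2"/>
  </extremite>
  <extremite zone="pedago" name="pedago_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth2" subnet="1" type="" interface="" container="">
    <ip address="%%adresse_network_eth2"/>
  </extremite>
  <extremite zone="pedago" name="pedago_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis le reseau pedagogique" netmask="%%netmask_frontend_ead_distant_eth2" subnet="1" type="" interface="" container="">
    <ip address="%%ip_frontend_ead_distant_eth2"/>
  </extremite>

  <!-- guest VLAN -->
  <extremite zone="invite" name="invite" libelle="Zone entière" netmask="%%vlan_id_eth4[2].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
    <ip address="%%vlan_id_eth4[2].vlan_ip_eth4"/>
  </extremite>
  <extremite zone="invite" name="invite_restreint" libelle="zone restreinte" netmask="%%vlan_id_eth4[2].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
    <ip address="%%vlan_id_eth4[2].vlan_network_eth4"/>
  </extremite>

  <!-- pedagogical wifi VLAN -->
  <extremite zone="wifipeda" name="wifipeda" libelle="Zone entière" netmask="%%vlan_id_eth4[1].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
    <ip address="%%vlan_id_eth4[1].vlan_ip_eth4"/>
  </extremite>
  <extremite zone="wifipeda" name="wifipeda_restreint" libelle="zone restreinte" netmask="%%vlan_id_eth4[1].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
    <ip address="%%vlan_id_eth4[1].vlan_network_eth4"/>
  </extremite>
</extremites>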
<ranges>
</ranges>
<user_groups>
</user_groups>
<applications>
</applications>
<flux-list>
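<!-- Internet-facing surface of the bastion itself.
     montantes (exterieur -> bastion): default deny; each directive below is an explicit
     opening, most gated by a configuration tag. descendantes (bastion -> exterieur):
     default allow, i.e. the firewall may initiate any outbound connection. -->
<flux zoneA="bastion" zoneB="exterieur">
  <montantes default_policy="0">
    <!-- REVIEW: scribe-posh contains posh-admin (7070/tcp) alongside http/https, and the
         source here is the whole "exterieur" endpoint. With ActiverNGINX set, the Posh
         administration port is therefore reachable from every external address. The fix is
         to reference 7070 from a separate group whose source is exterieur_admin. -->
    <directive tag="ActiverNGINX" service="scribe-posh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ouverture de posh a travers de nginx" ipsec="0" accept="0">
      <source name="exterieur"/>
      <destination name="bastion"/>
    </directive>
    <!-- Scribe EAD published through the reverse proxy; open to all of exterieur by design
         (the EAD port is %%revprox_ead_port). -->
    <directive tag="ead_scribe" service="ead-scribe" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ouverture de l'EAD Scribe a travers de nginx" ipsec="0" accept="0">
      <source name="exterieur"/>
      <destination name="bastion"/>
    </directive>
    <!-- Management access is scoped by the exterieur_ssh / exterieur_admin /
         exterieur_backend_ead endpoints; their template values decide real exposure. -->
    <directive tag="SSHDepuisEth0" service="ssh" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh exterieur vers Amon" ipsec="0" accept="0">
      <source name="exterieur_ssh"/>
      <destination name="bastion"/>
    </directive>
    <directive tag="AdminDepuisEth0" service="admin_amon" priority="4" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration exterieure vers Amon" ipsec="0" accept="0">
      <source name="exterieur_admin"/>
      <destination name="bastion"/>
    </directive>
    <directive tag="BackendEADDepuisEth0" service="ead_server" priority="5" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD exterieure vers Amon" ipsec="0" accept="0">
      <source name="exterieur_backend_ead"/>
      <destination name="bastion"/>
    </directive>
    <!-- NOTE(review): redundant — "lightsquid" is already a member of admin_amon, opened from
         the same exterieur_admin endpoint at priority 4. Harmless, but one rule to forget
         when tightening. -->
    <directive tag="lightsquid0" service="lightsquid" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration exterieure vers Amon" ipsec="0" accept="0">
      <source name="exterieur_admin"/>
      <destination name="bastion"/>
    </directive>
    <!-- SSO endpoints are public by nature; the "eole-sso" service is defined earlier in
         the catalogue (outside this chunk). -->
    <directive tag="eole_sso" service="eole-sso" priority="7" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
      <source name="exterieur"/>
      <destination name="bastion"/>
    </directive>
    <directive tag="revprox_sso" service="revprox-sso" priority="8" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="redirection du service EoleSSO par le proxy inverse" ipsec="0" accept="0">
      <source name="exterieur"/>
      <destination name="bastion"/>
    </directive>
    <!-- Untagged, so always active: IKE/NAT-T/ESP from anywhere, which IPsec peers need. -->
    <directive service="ipsec" priority="9" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ipsec" ipsec="0" accept="0">
      <source name="exterieur"/>
      <destination name="bastion"/>
    </directive>
    <!-- Shares the SSH tag and the SSH endpoint, so gen_config is never reachable from a
         wider set of hosts than ssh itself. -->
    <directive tag="SSHDepuisEth0" service="gen_config" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config exterieur vers Amon" ipsec="0" accept="0">
      <source name="exterieur_ssh"/>
      <destination name="bastion"/>
    </directive>
    <!-- Log aggregation. RELP and TCP give a connection; the UDP rule accepts unauthenticated
         datagrams whose source address can be forged, so the clients_udp_rsyslog endpoint
         must stay a short explicit host list (and spoofed entries may still pollute logs). -->
    <directive tag="ClientRsyslogRELP" service="rsyslog_RELP" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
      <source name="clients_relp_rsyslog"/>
      <destination name="bastion"/>
    </directive>
    <directive tag="ClientRsyslogTCP" service="rsyslog_TCP" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
      <source name="clients_tcp_rsyslog"/>
      <destination name="bastion"/>
    </directive>
    <directive tag="ClientRsyslogUDP" service="rsyslog_UDP" priority="13" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
      <source name="clients_udp_rsyslog"/>
      <destination name="bastion"/>
    </directive>
  </montantes>
  <!-- Outbound from the bastion: everything allowed. -->
  <descendantes default_policy="1">
  </descendantes>
</flux>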
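<!-- exterieur <-> admin.
     montantes (exterieur -> admin): default deny, no exceptions — nothing from the internet
     reaches the administrative network.
     descendantes (admin -> exterieur): default ALLOW. The directives below only NAT the
     traffic and steer web ports to the proxy (or to the bastion's error pages on 81/82);
     they do not restrict what else leaves the zone. Ports not listed in gr_redirection_proxy,
     http or gr_redirection_https (e.g. 8443, 8000) therefore pass straight out, which defeats
     proxy-based filtering for anyone who can pick a port — the gr_restreint group exists for
     the "block all but the proxy" posture but is not applied here. Confirm that is intended
     for the admin zone.
     ProxyBypass1 and ForceProxy1 are configuration tags; the two rule sets differ only in
     whether destination-network exceptions (proxy_bypass_network_eth1) are honoured. -->
<flux zoneA="exterieur" zoneB="admin">
  <montantes default_policy="0">
  </montantes>
  <descendantes default_policy="1">
    <!-- Source NAT of the whole admin network behind the bastion's external address. -->
    <directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
      <source name="admin_restreint"/>
      <destination name="exterieur"/>
    </directive>

    <!-- ProxyBypass1: explicit proxy ports (3128, 8080) redirected to the local proxy,
         except for the bypass source network, the bypass destination network and the
         bypass domain list. -->
    <directive tag="ProxyBypass1" service="gr_redirection_proxy" priority="2" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
      <source name="admin"/>
      <destination name="exterieur"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" src="0" dest="1"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
    </directive>
    <!-- Direct HTTP (80) to any destination other than the bastion (dest_inv="1") lands on
         the bastion's error page on port 81. -->
    <directive tag="ProxyBypass1" service="http" priority="3" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
      <source name="admin"/>
      <destination name="exterieur_bastion"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" src="0" dest="1"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
    </directive>
    <!-- Direct HTTPS (443) redirected to the error page on 82. Browsers will see a
         certificate/protocol error rather than the page; that is the expected effect. -->
    <directive tag="ProxyBypass1" service="gr_redirection_https" priority="4" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
      <source name="admin"/>
      <destination name="exterieur"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" src="0" dest="1"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
    </directive>

    <!-- ForceProxy1: same three redirections, but only the source-network and domain
         exceptions apply (no destination-network bypass). -->
    <directive tag="ForceProxy1" service="gr_redirection_proxy" priority="5" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
      <source name="admin"/>
      <destination name="exterieur"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
    </directive>
    <directive tag="ForceProxy1" service="http" priority="6" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
      <source name="admin"/>
      <destination name="exterieur_bastion"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
    </directive>
    <directive tag="ForceProxy1" service="gr_redirection_https" priority="7" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
      <source name="admin"/>
      <destination name="exterieur"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
      <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
    </directive>
  </descendantes>
</flux>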
<flux zoneA="bastion" zoneB="admin">
<montantes default_policy="0">
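<!-- admin -> bastion openings (the enclosing <montantes default_policy="0"> of the
     bastion/admin flux opens above and continues past this chunk).
     Management services (ssh, admin_amon, ead_server) are scoped to the admin_ssh /
     admin_admin / admin_backend_ead endpoints; infrastructure services (DNS, proxies,
     nuauth, SSO) are open to the entire admin zone, which is the usual posture for the
     administrative LAN. -->
<directive tag="SSHDepuisEth1" service="ssh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh admin vers Amon" ipsec="0" accept="0">
  <source name="admin_ssh"/>
  <destination name="bastion"/>
</directive>
<directive tag="AdminDepuisEth1" service="admin_amon" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration admin vers Amon" ipsec="0" accept="0">
  <source name="admin_admin"/>
  <destination name="bastion"/>
</directive>
<directive tag="BackendEADDepuisEth1" service="ead_server" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD admin vers Amon" ipsec="0" accept="0">
  <source name="admin_backend_ead"/>
  <destination name="bastion"/>
</directive>
<!-- Untagged (always active): DNS resolution via the "internet" container's admin-side leg. -->
<directive service="dns-tcp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="internet_eth1"/>
</directive>
<directive service="dns-udp" priority="5" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="internet_eth1"/>
</directive>
<!-- User authentication for the NuFW filter; the "nuauth" service is defined outside this chunk. -->
<directive tag="auth_nufw" service="nuauth" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser l'acces a Nuauth" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="bastion"/>
</directive>
<directive tag="eole_sso" service="eole-sso" priority="7" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="bastion"/>
</directive>
<!-- Explicit proxy access: squid (always), the optional second squid and the Cntlm
     NTLM relay (port %%cntlm_port) when their tags are set. -->
<directive service="proxy" priority="8" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="internet_eth1"/>
</directive>
<directive tag="Activer squid2" service="proxy2" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="internet_eth1"/>
</directive>
<directive tag="cntlm" service="cntlm" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
  <source name="admin"/>
  <destination name="internet_eth1"/>
</directive>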
|
738
|
<directive tag="SSHDepuisEth1" service="gen_config" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config admin vers Amon" ipsec="0" accept="0">
|
739
|
<source name="admin_ssh"/>
|
740
|
<destination name="bastion"/>
|
741
|
</directive>
|
742
|
<directive tag="ActiverRadiuseth1" service="gr_radius" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="raduis admin vers Amon" ipsec="0" accept="0">
|
743
|
<source name="admin"/>
|
744
|
<destination name="bastion"/>
|
745
|
</directive>
|
746
|
<directive service="http" priority="13" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
|
747
|
<source name="admin"/>
|
748
|
<destination name="bastion_exterieur"/>
|
749
|
</directive>
|
750
|
<directive service="ntp" priority="14" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ntp depuis admin" ipsec="0" accept="0">
|
751
|
<source name="admin"/>
|
752
|
<destination name="bastion"/>
|
753
|
</directive>
|
754
|
</montantes>
|
755
|
<descendantes default_policy="1">
|
756
|
</descendantes>
|
757
|
</flux>
<!-- Flow exterieur <-> pedago. exterieur is the eth0 zone (level 10), pedago the eth2 zone
     (level 40). Nothing is listed in "montantes" (exterieur -> pedago), so that direction is
     governed by default_policy="0" alone. "descendantes" (pedago -> exterieur) carries, in
     priority order: one action="16" rule with nat_extr (looks like source NAT for the
     pedago_restreint object, TODO confirm the action code), five tag-gated action="1" rules
     whose labels all read "interdire" (block lists for forums, FTP, IRC, mail protocols and
     the "Internet restreint" catch-all), then six action="4" redirections (nat_port 3128 / 81 /
     82) in two groups, ProxyBypass2 and ForceProxy2. The block rules are evaluated before the
     redirections. All exception eolvars reference the eth2 proxy_bypass_* variables, which
     matches pedago being the eth2 zone. -->
<flux zoneA="exterieur" zoneB="pedago">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
<directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago_restreint"/>
<destination name="exterieur"/>
</directive>
<!-- Tag-gated block rules (action="1", attrs="1") applied to the whole pedago zone. -->
<directive tag="Interdiction des forums" service="gr_forum" priority="2" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : interdire les protocoles de news, forums ..." ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdire les connexions FTP" service="gr_ftp" priority="3" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="Interdire les connexions FTP" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdire l'utilisation des dialogues en direct" service="gr_irc" priority="4" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : interdire les protocoles de discussion en ligne (irc ...)" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdiction des protocoles de messagerie" service="gr_messagerie" priority="5" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : interdire les protocoles de messagerie (pop, imap ...)" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
</directive>
<directive tag="Internet restreint" service="gr_restreint" priority="6" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : tout interdire (sauf le web via le proxy)" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
</directive>
<!-- ProxyBypass2 group: three exceptions each (a source network, a destination network and a
     destination domain list). The http rule has dest_inv="1", i.e. it applies to destinations
     other than exterieur_bastion. -->
<directive tag="ProxyBypass2" service="gr_redirection_proxy" priority="7" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass2" service="http" priority="8" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass2" service="gr_redirection_https" priority="9" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<!-- ForceProxy2 group: same services and ports, but only two exceptions (no destination
     network exception), so fewer destinations escape the redirection. -->
<directive tag="ForceProxy2" service="gr_redirection_proxy" priority="10" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="http" priority="11" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="gr_redirection_https" priority="12" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
</descendantes>
</flux>
<!-- Flow admin <-> pedago: no directives in either direction, so traffic between the admin
     (eth1) and pedago (eth2) zones is governed purely by the two default_policy values. -->
<flux zoneA="admin" zoneB="pedago">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
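<!-- Flow bastion <-> pedago (eth2 zone, level 40). Same shape as the bastion/admin flow:
     "montantes" is pedago -> bastion, "descendantes" (bastion -> pedago) has no directives.
     Management services (ssh, admin_amon, lightsquid, ead_server, gen_config) are restricted to
     the pedago_ssh / pedago_admin / pedago_backend_ead source objects; DNS, proxy, proxy2 and
     cntlm are open to the whole pedago zone towards internet_eth2. The priority order differs
     from the admin flow (ead_server is 12 here versus 3 there), which only matters if two rules
     overlap. -->
<flux zoneA="bastion" zoneB="pedago">
<montantes default_policy="0">
<directive tag="SSHDepuisEth2" service="ssh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh pedago vers Amon" ipsec="0" accept="0">
<source name="pedago_ssh"/>
<destination name="bastion"/>
</directive>
<directive tag="AdminDepuisEth2" service="admin_amon" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration pedago vers Amon" ipsec="0" accept="0">
<source name="pedago_admin"/>
<destination name="bastion"/>
</directive>
<!-- lightsquid reuses the pedago_admin source object and the admin_amon label. -->
<directive tag="lightsquid2" service="lightsquid" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration pedago vers Amon" ipsec="0" accept="0">
<source name="pedago_admin"/>
<destination name="bastion"/>
</directive>
<!-- Zone-wide services (whole pedago zone as source). -->
<directive service="dns-tcp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="internet_eth2"/>
</directive>
<directive service="dns-udp" priority="5" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="internet_eth2"/>
</directive>
<directive tag="auth_nufw" service="nuauth" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser l'acces a Nuauth" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="bastion"/>
</directive>
<directive tag="eole_sso" service="eole-sso" priority="7" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="bastion"/>
</directive>
<directive service="proxy" priority="8" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="internet_eth2"/>
</directive>
<directive tag="Activer squid2" service="proxy2" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="internet_eth2"/>
</directive>
<directive tag="cntlm" service="cntlm" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="internet_eth2"/>
</directive>
<!-- gen_config is gated by the same tag as the ssh rule (SSHDepuisEth2) and uses the same
     restricted source object. -->
<directive tag="SSHDepuisEth2" service="gen_config" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config pedago vers Amon" ipsec="0" accept="0">
<source name="pedago_ssh"/>
<destination name="bastion"/>
</directive>
<directive tag="BackendEADDepuisEth2" service="ead_server" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD pedago vers Amon" ipsec="0" accept="0">
<source name="pedago_backend_ead"/>
<destination name="bastion"/>
</directive>
<!-- libelle corrected from "raduis admin vers Amon" (a copy of the eth1 flow's label) to
     match the other labels of this flow; the rule itself is unchanged. -->
<directive tag="ActiverRadiuseth2" service="gr_radius" priority="13" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="radius pedago vers Amon" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="bastion"/>
</directive>
<directive service="http" priority="14" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="bastion_exterieur"/>
</directive>
<directive service="ntp" priority="15" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ntp depuis pedago" ipsec="0" accept="0">
<source name="pedago"/>
<destination name="bastion"/>
</directive>
</montantes>
<!-- bastion -> pedago: no explicit directives, governed by default_policy only. -->
<descendantes default_policy="1">
</descendantes>
</flux>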
<!-- Flow exterieur <-> dmz (eth3 zone, level 30). "montantes" (exterieur -> dmz) lists nothing
     here; the port forwards for the DMZ servers are handled by the iptables lines in the
     <include> section at the top of the file. "descendantes" (dmz -> exterieur) holds the
     ProxyBypass3 / ForceProxy3 redirections (eth3 proxy_bypass_* variables, matching the zone's
     interface) followed by one action="16" rule with nat_extr for the Scribe server only.
     Unlike the pedago / invite / wifipeda flows there are no "interdire" block rules and no
     zone-wide *_restreint NAT rule: only serveur_scribe_dmz gets the nat_extr treatment. -->
<flux zoneA="exterieur" zoneB="dmz">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
<!-- ProxyBypass3 group: three exceptions each (source network, destination network, domain). -->
<directive tag="ProxyBypass3" service="gr_redirection_proxy" priority="1" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth3/%%calc_classe(%%proxy_bypass_netmask_eth3)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass3" service="http" priority="2" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth3/%%calc_classe(%%proxy_bypass_netmask_eth3)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass3" service="gr_redirection_https" priority="3" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth3/%%calc_classe(%%proxy_bypass_netmask_eth3)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
</directive>
<!-- ForceProxy3 group: two exceptions each (no destination network exception). -->
<directive tag="ForceProxy3" service="gr_redirection_proxy" priority="4" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy3" service="http" priority="5" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy3" service="gr_redirection_https" priority="6" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
</directive>
<!-- Scribe server outbound: service="tous", placed after the redirections (priority 7),
     whereas the equivalent *_restreint rule in the pedago flow is priority 1. -->
<directive tag="ScribeDMZ" service="tous" priority="7" action="16" attrs="17" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser scribe a sortir sur Internet" ipsec="0" accept="0">
<source name="serveur_scribe_dmz"/>
<destination name="exterieur"/>
</directive>
</descendantes>
</flux>
<!-- Flow admin <-> dmz: no directives in either direction, governed purely by the two
     default_policy values. -->
<flux zoneA="admin" zoneB="dmz">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<!-- Flow bastion <-> dmz (eth3 zone, level 30). "montantes" is dmz -> bastion, "descendantes"
     (bastion -> dmz) has no directives. Management services (ssh, admin_amon, ead_server,
     lightsquid, gen_config) are restricted to dmz_ssh / dmz_admin / dmz_backend_ead.
     Differences from the admin and pedago flows: the zone-wide DNS / proxy / proxy2 / cntlm
     rules target the object "internet" rather than an interface-specific internet_eth3
     object (presumably an alias, TODO confirm), and there is no nuauth or gr_radius rule
     for the DMZ. -->
<flux zoneA="bastion" zoneB="dmz">
<montantes default_policy="0">
<directive service="http" priority="1" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="bastion_exterieur"/>
</directive>
<!-- Management services, restricted source objects. -->
<directive tag="SSHDepuisEth3" service="ssh" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh dmz vers Amon" ipsec="0" accept="0">
<source name="dmz_ssh"/>
<destination name="bastion"/>
</directive>
<directive tag="AdminDepuisEth3" service="admin_amon" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration dmz vers Amon" ipsec="0" accept="0">
<source name="dmz_admin"/>
<destination name="bastion"/>
</directive>
<directive tag="BackendEADDepuisEth3" service="ead_server" priority="4" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD dmz vers Amon" ipsec="0" accept="0">
<source name="dmz_backend_ead"/>
<destination name="bastion"/>
</directive>
<directive tag="lightsquid3" service="lightsquid" priority="5" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration dmz vers Amon" ipsec="0" accept="0">
<source name="dmz_admin"/>
<destination name="bastion"/>
</directive>
<!-- Zone-wide services (whole dmz zone as source). -->
<directive service="dns-tcp" priority="6" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="internet"/>
</directive>
<directive service="dns-udp" priority="7" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="internet"/>
</directive>
<directive tag="eole_sso" service="eole-sso" priority="8" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="bastion"/>
</directive>
<directive service="proxy" priority="9" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="internet"/>
</directive>
<directive tag="Activer squid2" service="proxy2" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="internet"/>
</directive>
<directive tag="cntlm" service="cntlm" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="internet"/>
</directive>
<!-- gen_config is gated by the same tag as the ssh rule (SSHDepuisEth3). -->
<directive tag="SSHDepuisEth3" service="gen_config" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config dmz vers Amon" ipsec="0" accept="0">
<source name="dmz_ssh"/>
<destination name="bastion"/>
</directive>
<directive service="ntp" priority="13" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ntp depuis dmz" ipsec="0" accept="0">
<source name="dmz"/>
<destination name="bastion"/>
</directive>
</montantes>
<!-- bastion -> dmz: no explicit directives, governed by default_policy only. -->
<descendantes default_policy="1">
</descendantes>
</flux>
<!-- Flow pedago <-> dmz. The only directive is in "montantes" (dmz -> pedago, since pedago has
     the higher level): the Scribe server object alone may reach the pedago zone on the
     scribe-dmz-pedago service group, gated by the ScribeDMZ tag. The rest of the DMZ gets
     default_policy="0" towards pedago; the reverse direction has no directives. -->
<flux zoneA="pedago" zoneB="dmz">
<montantes default_policy="0">
<directive tag="ScribeDMZ" service="scribe-dmz-pedago" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser scribe a se connecter au reseau pedago" ipsec="0" accept="0">
<source name="serveur_scribe_dmz"/>
<destination name="pedago"/>
</directive>
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<!-- Flow exterieur <-> invite. invite is the guest VLAN on eth4 (vlan_id_eth4[2], level 20).
     This flow is a copy of the exterieur/pedago flow with the source objects swapped
     (invite / invite_restreint): one action="16" nat_extr rule, five tag-gated "interdire"
     block rules, then the ProxyBypass2 / ForceProxy2 redirections.
     NOTE(review): every exception eolvar references the eth2 proxy_bypass_* variables, i.e.
     the pedago interface's bypass settings, although this zone lives on eth4. Presumably the
     guest VLAN is meant to share pedago's proxy exceptions; confirm that this is intended and
     not a leftover of the copy, since those variables widen what escapes the redirection. -->
<flux zoneA="exterieur" zoneB="invite">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
<directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="invite_restreint"/>
<destination name="exterieur"/>
</directive>
<!-- Tag-gated block rules (action="1", attrs="1") applied to the whole invite zone. -->
<directive tag="Interdiction des forums" service="gr_forum" priority="2" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : interdire les protocoles de news, forums ..." ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdire les connexions FTP" service="gr_ftp" priority="3" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="Interdire les connexions FTP" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdire l'utilisation des dialogues en direct" service="gr_irc" priority="4" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : interdire les protocoles de discussion en ligne (irc ...)" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdiction des protocoles de messagerie" service="gr_messagerie" priority="5" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : interdire les protocoles de messagerie (pop, imap ...)" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
</directive>
<directive tag="Internet restreint" service="gr_restreint" priority="6" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : tout interdire (sauf le web via le proxy)" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
</directive>
<!-- ProxyBypass2 group (three exceptions each, eth2 variables). -->
<directive tag="ProxyBypass2" service="gr_redirection_proxy" priority="7" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass2" service="http" priority="8" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass2" service="gr_redirection_https" priority="9" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<!-- ForceProxy2 group (two exceptions each, no destination network exception). -->
<directive tag="ForceProxy2" service="gr_redirection_proxy" priority="10" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="http" priority="11" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="gr_redirection_https" priority="12" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="invite"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
</descendantes>
</flux>
<!-- Flow dmz <-> invite: no directives in either direction, governed purely by the two
     default_policy values. -->
<flux zoneA="dmz" zoneB="invite">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<!-- Flow pedago <-> invite: no directives in either direction, governed purely by the two
     default_policy values. -->
<flux zoneA="pedago" zoneB="invite">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<!-- Flow admin <-> invite: no directives in either direction, governed purely by the two
     default_policy values. -->
<flux zoneA="admin" zoneB="invite">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<!-- Flow bastion <-> invite (guest VLAN on eth4, level 20). "montantes" is invite -> bastion.
     Compared with the bastion/pedago flow, only the zone-wide DNS / proxy / proxy2 / cntlm /
     http rules are kept; there is no ssh, admin_amon, ead_server, gen_config, nuauth,
     eole-sso, gr_radius or ntp rule, so the guest zone gets no management access to the
     firewall host. The priorities (4, 5, 8, 9, 10, 13) are the ones the copied rules had in the
     pedago flow and are left non-contiguous; harmless as long as ERA only uses them for
     ordering. As in the exterieur/invite flow the destinations are the eth2 objects
     (internet_eth2), presumably by design, TODO confirm. -->
<flux zoneA="bastion" zoneB="invite">
<montantes default_policy="0">
<directive service="dns-tcp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="invite"/>
<destination name="internet_eth2"/>
</directive>
<directive service="dns-udp" priority="5" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="invite"/>
<destination name="internet_eth2"/>
</directive>
<directive service="proxy" priority="8" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="invite"/>
<destination name="internet_eth2"/>
</directive>
<directive tag="Activer squid2" service="proxy2" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="invite"/>
<destination name="internet_eth2"/>
</directive>
<directive tag="cntlm" service="cntlm" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="invite"/>
<destination name="internet_eth2"/>
</directive>
<directive service="http" priority="13" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
<source name="invite"/>
<destination name="bastion_exterieur"/>
</directive>
</montantes>
<!-- bastion -> invite: no explicit directives, governed by default_policy only. -->
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="exterieur" zoneB="wifipeda">
|
1140
|
<montantes default_policy="0">
|
1141
|
</montantes>
|
1142
|
<descendantes default_policy="1">
|
1143
|
<directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
|
1144
|
<source name="wifipeda_restreint"/>
|
1145
|
<destination name="exterieur"/>
|
1146
|
</directive>
|
1147
|
<directive tag="Interdiction des forums" service="gr_forum" priority="2" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : interdire les protocoles de news, forums ..." ipsec="0" accept="0">
|
1148
|
<source name="wifipeda"/>
|
1149
|
<destination name="exterieur"/>
|
1150
|
</directive>
|
1151
|
<directive tag="Interdire les connexions FTP" service="gr_ftp" priority="3" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="Interdire les connexions FTP" ipsec="0" accept="0">
|
1152
|
<source name="wifipeda"/>
|
1153
|
<destination name="exterieur"/>
|
1154
|
</directive>
|
1155
|
<directive tag="Interdire l'utilisation des dialogues en direct" service="gr_irc" priority="4" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : interdire les protocoles de discussion en ligne (irc ...)" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
</directive>
<directive tag="Interdiction des protocoles de messagerie" service="gr_messagerie" priority="5" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : interdire les protocoles de messagerie (pop, imap ...)" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
</directive>
<directive tag="Internet restreint" service="gr_restreint" priority="6" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : tout interdire (sauf le web via le proxy)" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
</directive>
<directive tag="ProxyBypass2" service="gr_redirection_proxy" priority="7" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass2" service="http" priority="8" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ProxyBypass2" service="gr_redirection_https" priority="9" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="gr_redirection_proxy" priority="10" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="http" priority="11" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur_bastion"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
<directive tag="ForceProxy2" service="gr_redirection_https" priority="12" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
<source name="wifipeda"/>
<destination name="exterieur"/>
<exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
<exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
</directive>
</descendantes>
</flux>
<flux zoneA="invite" zoneB="wifipeda">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="dmz" zoneB="wifipeda">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="pedago" zoneB="wifipeda">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="admin" zoneB="wifipeda">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="bastion" zoneB="wifipeda">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="exterieur" zoneB="management">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="invite" zoneB="management">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="dmz" zoneB="management">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="wifipeda" zoneB="management">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="pedago" zoneB="management">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="admin" zoneB="management">
<montantes default_policy="0">
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
<flux zoneA="bastion" zoneB="management">
<montantes default_policy="0">
<directive tag="SSHDepuisManagement" service="ssh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh management vers Amon" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive tag="AdminDepuisManagement" service="admin_amon" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration management vers Amon" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive service="dns-tcp" priority="3" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive service="dns-udp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive tag="auth_nufw" service="nuauth" priority="5" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser l'acces a Nuauth" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive tag="eole_sso" service="eole-sso" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive service="proxy" priority="7" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive tag="Activer squid2" service="proxy2" priority="8" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive tag="cntlm" service="cntlm" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive tag="ActiverRadiusmgt" service="gr_radius" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="radius mgt vers Amon" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion"/>
</directive>
<directive service="http" priority="12" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
<source name="management"/>
<destination name="bastion_exterieur"/>
</directive>
</montantes>
<descendantes default_policy="1">
</descendantes>
</flux>
</flux-list>
</firewall>