<?xml version="1.0" encoding="UTF-8" ?>
<firewall name="/usr/share/era/modeles/7zones27-CD34v3.xml" netbios="1" qos="0" version="2.42">
    <zones>
        <!-- Network zones of the 7-zone Amon model. "level" rises from the
             Internet side (10) to the firewall host itself (100); ERA presumably
             uses it as the trust ordering when it derives the inter-zone chains
             (ext-dmz, ped-ext, man-bas, ...) into which the rules of the
             <include> section below are inserted. Physical interfaces: eth0
             external, eth1 admin, eth2 pedago, eth3 DMZ; eth4 carries three
             tagged VLANs whose ids come from vlan_id_eth4[0..2]. -->
        <zone name="exterieur" level="10" ip="%%adresse_ip_eth0" network="%%adresse_network_eth0" netmask="%%adresse_netmask_eth0" interface="%%nom_zone_eth0"/>
        <!-- Guest VLAN: third VLAN id on eth4 (index 2). -->
        <zone name="invite" level="20" ip="%%vlan_id_eth4[2].vlan_ip_eth4" network="%%vlan_id_eth4[2].vlan_network_eth4" netmask="%%vlan_id_eth4[2].vlan_netmask_eth4" interface="vlan%%vlan_id_eth4[2]"/>
        <zone name="dmz" level="30" ip="%%adresse_ip_eth3" network="%%adresse_network_eth3" netmask="%%adresse_netmask_eth3" interface="%%nom_zone_eth3"/>
        <!-- Pedagogical wifi VLAN: second VLAN id on eth4 (index 1). -->
        <zone name="wifipeda" level="35" ip="%%vlan_id_eth4[1].vlan_ip_eth4" network="%%vlan_id_eth4[1].vlan_network_eth4" netmask="%%vlan_id_eth4[1].vlan_netmask_eth4" interface="vlan%%vlan_id_eth4[1]"/>
        <zone name="pedago" level="40" ip="%%adresse_ip_eth2" network="%%adresse_network_eth2" netmask="%%adresse_netmask_eth2" interface="%%nom_zone_eth2"/>
        <zone name="admin" level="50" ip="%%adresse_ip_eth1" network="%%adresse_network_eth1" netmask="%%adresse_netmask_eth1" interface="%%nom_zone_eth1"/>
        <!-- Management VLAN: first VLAN id on eth4 (index 0). -->
        <zone name="management" level="60" ip="%%vlan_id_eth4[0].vlan_ip_eth4" network="%%vlan_id_eth4[0].vlan_network_eth4" netmask="%%vlan_id_eth4[0].vlan_netmask_eth4" interface="vlan%%vlan_id_eth4[0]"/>
        <!-- The firewall host itself (loopback). -->
        <zone name="bastion" level="100" ip="127.0.0.1" network="0.0.0.0" netmask="255.255.255.255" interface="lo"/>
        <!-- NOTE(review): the VLAN zones name their device "vlan<id>", while the
             wifi time-window rule in <include> addresses "<eth4 name>.<id>";
             only one of the two forms can match the kernel device, confirm on a
             deployed host. Also, the root element's name attribute refers to
             7zones27-CD34v3.xml although this upload is the v2 file. -->
    </zones>
    <include>
## INCLUSIONS_STATIQUES_GENERALES
##  EXT-DMZ: port forwarding of the authorised ports to the DMZ servers
##
##  Pattern repeated for each public address n (1..8), guarded by nb_ip_pub
##  and by ip_pubN being non-empty (an empty value would render "-d /32"):
##    - two nat/PREROUTING DNAT rules on the external interface steer the
##      listed TCP ports of ip_pubN to the private DMZ address ip_serveur_webN;
##      the "--tcp-flags SYN,RST,ACK SYN" test limits the match to connection
##      openings, which is all conntrack needs to NAT the whole flow;
##    - one ext-dmz ACCEPT lets the forwarded flow into the DMZ. It matches ANY
##      TCP SYN addressed to the server, so the list of reachable ports is
##      enforced solely by the DNAT port lists, not by the filter table;
##    - one nat/POSTROUTING SNAT masks the server's outbound traffic (all
##      protocols) with the firewall's primary external address adresse_ip_eth0,
##      i.e. NOT with ip_pubN.
##  NOTE(review): the common port list exposes 20:22 (FTP and SSH), 389 (plain
##  LDAP), 636 (LDAPS), 1723 (PPTP), 4129 (NuFW auth) and 4200 (EAD) from the
##  Internet to each DMZ server; confirm every one of these is still required.
##  IP PUB 1 : WWW server
%if %%nb_ip_pub in ('1','2','3','4','5','6','7','8') and %%ip_pub1 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub1/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web1
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub1/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web1
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web1/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web1/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 2 : NOTES server (same port set as IP PUB 1)
%if %%nb_ip_pub in ('2','3','4','5','6','7','8') and %%ip_pub2 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub2/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web2
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub2/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web2
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web2/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web2/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 3 : MAIL server (common set plus 25 SMTP, 110 POP3, 143 IMAP, 585, 995 POP3S)
%if %%nb_ip_pub in ('3','4','5','6','7','8') and %%ip_pub3 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub3/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,25,80,81,110,143,389,443,585,636,995,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web3
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub3/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web3
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web3/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web3/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 4 : DISPO server
##  NOTE(review): unlike IP PUB 1-3 there is no port list here. Every TCP
##  connection opening and every UDP datagram sent to ip_pub4 is DNATed to
##  ip_serveur_web4, and the two ext-dmz rules accept all TCP SYNs and all UDP
##  to that host: it is fully exposed to the Internet on every port, with no
##  stateful limitation on the UDP side. Confirm this is intended and restrict
##  it to the required ports where possible.
%if %%nb_ip_pub in ('4','5','6','7','8') and %%ip_pub4 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub4/32 -i %%nom_zone_eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web4
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub4/32 -i %%nom_zone_eth0 -p udp -m udp -j DNAT --to-destination %%ip_serveur_web4
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web4/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web4/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p udp -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web4/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 5 : (unassigned label) same port set as IP PUB 1
%if %%nb_ip_pub in ('5','6','7','8') and %%ip_pub5 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub5/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web5
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub5/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web5
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web5/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web5/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 6 : (unassigned label) same port set as IP PUB 1
%if %%nb_ip_pub in ('6','7','8') and %%ip_pub6 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub6/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,80,81,389,443,636,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web6
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub6/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web6
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web6/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web6/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 7 : (unassigned label) same port set as IP PUB 3, i.e. the mail ports are included
%if %%nb_ip_pub in ('7','8') and %%ip_pub7 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub7/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 20:22,25,80,81,110,143,389,443,585,636,995,1723,4129,4200 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web7
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub7/32 -i %%nom_zone_eth0 -p tcp -m tcp -m multiport --dports 7070,8008,8090,8443,20100,44123,49300,49400,49500 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web7
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web7/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web7/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
##  IP PUB 8 : (unassigned label) same fully-open scheme as IP PUB 4
##  NOTE(review): all TCP connection openings and all UDP to ip_pub8 are
##  forwarded to ip_serveur_web8 and accepted without any port restriction;
##  the host is fully reachable from the Internet. Confirm and narrow.
%if %%nb_ip_pub in ('8') and %%ip_pub8 != ''
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub8/32 -i %%nom_zone_eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web8
   /sbin/iptables -t nat -I PREROUTING -d %%ip_pub8/32 -i %%nom_zone_eth0 -p udp -m udp -j DNAT --to-destination %%ip_serveur_web8
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web8/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
   /sbin/iptables -t filter -I ext-dmz -d %%ip_serveur_web8/32 -i %%nom_zone_eth0 -o %%nom_zone_eth3 -p udp -j ACCEPT
   /sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_web8/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if

## MAIL FOR THE PRONOTE SERVER
## Outbound SNAT only: when serveur_pronote is set, everything that host sends
## through the external interface (no port or protocol restriction, despite the
## "MAIL" label) is rewritten to adresse_ip_eth0. No filter permission is added
## here; presumably ERA's generated rules already allow the flow, confirm.
%if %%serveur_pronote
/sbin/iptables -t nat -I POSTROUTING -s %%serveur_pronote/32 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if

## EXCEPTIONS TO THE HTTP AND HTTPS TRANSPARENT PROXY
## An ACCEPT in nat/PREROUTING ends nat processing for the packet, so it is not
## caught by the proxy redirection rules presumably inserted after these; the
## destination is reached directly on 80/443.
## ADMIN (eth1): VPN OTP (api.ac-montpellier.fr), HORIZON (172.31.0.0/16)
## NOTE(review): a hostname in -d is resolved once, when the rule set is loaded.
## If DNS is unavailable at that moment the rule fails to load, and a later
## address change is only picked up at the next reload. Prefer a fixed address
## (the PEDA comment below quotes 195.83.226.53 for this very service).
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth1 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d api.ac-montpellier.fr -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth1 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 172.31.0.0/16 -j ACCEPT
## PEDA (eth2): VPN OTP via api.ac-montpellier.fr, and the 172.23.0.0/16 range.
## NOTE(review): the original comment cited "VPN OTP (195.83.226.53), GLPI
## server (195.83.225.232) and thin clients"; the rules below actually match
## the hostname and 172.23.0.0/16, not 195.83.225.232. Re-check the intent.
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth2 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d api.ac-montpellier.fr -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth2 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 172.23.0.0/16 -j ACCEPT
## DMZ (eth3): no proxy towards the ac-montpellier 195.83.225.0/24 range (Pronote / ENT SSO)
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth3 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 195.83.225.0/24 -j ACCEPT

###########################################
## Additional rules outside the CD34 scope ##
###########################################
## Access to the pedago server from the rectorat network.
## TCP 44123 on the external address is DNATed to ip_serveur_pedago; the
## ext-ped rule then matches the post-DNAT destination (what the filter table
## sees) and only for new connections from 195.83.225.0/24.
## NOTE(review): the original heading said "EXT-BAS" but the flow is a
## forward into the pedago zone (ext-ped), not traffic to the firewall itself.
/sbin/iptables -t nat -I PREROUTING -s 195.83.225.0/24 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 195.83.225.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

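## NTOP (TCP 3000 on the firewall host itself)
## Reachable from the admin network, from part of the pedago network and from
## the rectorat range; "--state NEW" plus the SYN test admit connection
## openings only, replies are handled by ERA's established/related rules.
## Fix: the admin rule used to combine adresse_network_eth1 with
## adresse_netmask_eth2 (copy/paste from the eth2 line below), which yields a
## wrong source prefix whenever the two zones have different mask lengths;
## it now uses the eth1 mask like the zone definition does.
/sbin/iptables -t filter -I adm-bas -m state --state NEW -p tcp --dport 3000 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth1 -s %%adresse_network_eth1/%%adresse_netmask_eth1 -j ACCEPT
## NOTE(review): the pedago source is a /30 of the eth2 network (only the four
## lowest addresses of the subnet); confirm this is deliberate rather than a
## typo for adresse_netmask_eth2.
/sbin/iptables -t filter -I ped-bas -m state --state NEW -p tcp --dport 3000 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth2 -s %%adresse_network_eth2/30 -j ACCEPT
/sbin/iptables -t filter -I ext-bas -m state --state NEW -p tcp --dport 3000 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth0 -s 195.83.225.0/255.255.255.0 -j ACCEPT
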
## Shinken monitoring: TCP 6556 on the firewall host, new connections only,
## from the rectorat range 195.83.225.0/24 on the external interface.
/sbin/iptables -t filter -I ext-bas -m state --state NEW -p tcp --dport 6556 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth0 -s 195.83.225.0/255.255.255.0 -j ACCEPT

## TIME WINDOW FOR THE "LORDI" WIFI
## When plage_wifi is enabled, packets from the VLAN are dropped between
## plage_wifi_fin and plage_wifi_debut, i.e. outside the allowed window (hence
## the deliberately swapped --timestart/--timestop); --kerneltz evaluates the
## times in the kernel's timezone rather than UTC.
## NOTE(review): only the INPUT chain is touched, so this blocks traffic
## addressed to the firewall itself; FORWARDed flows from the VLAN are not
## covered by this rule.
## NOTE(review): vlan_id_eth4[0] is the "management" zone in the <zones>
## section above, while the wifi zone "wifipeda" is vlan_id_eth4[1]. Confirm
## which index was intended. The device is also written "<eth4 name>.<id>"
## here but "vlan<id>" in <zones>; only one form matches the kernel device.
%if %%plage_wifi == 'oui' and %%plage_wifi_debut != '' and %%plage_wifi_fin != '' and %%nom_zone_eth4 != '' and %%vlan_id_eth4[0] != ''
   /sbin/iptables -I INPUT -i %%nom_zone_eth4.%%vlan_id_eth4[0] -m time --timestop %%plage_wifi_debut --timestart %%plage_wifi_fin --kerneltz -j DROP
%end if

############################################
## Additional rules for the local authorities ##
############################################

## REGION ##
## Applies to lycees and EREA, selected by the local domain name prefix.
%if %%nom_domaine_local.startswith("lyc-") or %%nom_domaine_local.startswith("erea-")
## Pedago network to the Region thin-client range 172.23.0.0/18 on TCP 80 and
## 62354 (GLPI inventory): a ped-ext ACCEPT plus a SNAT that rewrites the source
## to the firewall's pedago-side address adresse_ip_eth2 even though the packet
## leaves through the external interface.
## NOTE(review): SNATing to an internal interface address on eth0 egress only
## works if the Region side routes 172.23.0.0/18 replies back to that address
## (a tunnel or static route not visible here); confirm.
/sbin/iptables -t filter -I ped-ext -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p tcp -m tcp --dport 62354 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -o %%nom_zone_eth0 -p tcp -m tcp --dport 62354 --tcp-flags SYN,RST,ACK SYN -j SNAT --to-source %%adresse_ip_eth2
/sbin/iptables -t filter -I ped-ext -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 172.23.0.0/18 -o %%nom_zone_eth0 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j SNAT --to-source %%adresse_ip_eth2
## Access to the pedago server (TCP 44123) from the Region network
## 194.214.141.0/24, same DNAT + ext-ped pattern as the rectorat rule above.
/sbin/iptables -t nat -I PREROUTING -s 194.214.141.0/24 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 194.214.141.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
%end if

## CD11 ##
## Colleges of departement 11, selected by the establishment number prefix and
## the local domain prefix.
%if %%numero_etab.startswith("011") and %%nom_domaine_local.startswith("clg-")
## RDP-style access, TCP 44123, to the pedago server.
## The DNAT matches the admin-side address adresse_ip_eth1 on ANY ingress
## interface; the two ext-ped rules only accept the forwarded flow when it
## entered through the external interface from 192.168.225.0/24 or
## 10.11.200.0/24 (COGITIS). NOTE(review): this is consistent only if the
## tunnel traffic shows up on eth0 after decapsulation; confirm on a host.
/sbin/iptables -t nat -I PREROUTING -d %%adresse_ip_eth1/32 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 192.168.225.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t filter -I ext-ped -s 10.11.200.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## SNAT of the pedago and DMZ networks towards AMON-COGITIS (10.11.200.0/24)
## through the ADMIN tunnel: the source becomes the admin address adresse_ip_eth1.
## No -o restriction, so the rewrite applies whichever interface the packet leaves by.
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth2/%%adresse_netmask_eth2 -d 10.11.200.0/24 -j SNAT --to-source %%adresse_ip_eth1
/sbin/iptables -t nat -I POSTROUTING -s %%adresse_network_eth3/%%adresse_netmask_eth3 -d 10.11.200.0/24 -j SNAT --to-source %%adresse_ip_eth1
## TCP ports allowed from pedago to COGITIS (80, 161, 162, 443), new connections only
/sbin/iptables -t filter -I ped-adm -m state --state NEW -p tcp --tcp-flags SYN,RST,ACK SYN  -m multiport --dports 80,161,162,443 -d 10.11.200.0/24 -j ACCEPT
## UDP ports allowed from pedago and DMZ to COGITIS (135, 161, 162, 445, 514, 24158), stateless
/sbin/iptables -t filter -I ped-adm -p udp -m udp -m multiport --dports 135,161,162,445,514,24158 -d 10.11.200.0/24 -j ACCEPT
/sbin/iptables -t filter -I dmz-adm -p udp -m udp -m multiport --dports 135,161,162,445,514,24158 -d 10.11.200.0/24 -j ACCEPT
## Inbound UDP 24158 on the admin address, from COGITIS, forwarded to the pedago server
/sbin/iptables -t nat -I PREROUTING -d %%adresse_ip_eth1/32 -p udp -m udp --dport 24158 -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 10.11.200.0/24 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p udp -m state --state NEW -m udp --dport 24158 -j ACCEPT
## Inventory upload (HTTPS) to the COGITIS network through the ADMIN tunnel:
## proxy exception on 80/443 for that destination, from every interface.
/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -d 10.11.200.0/24 -j ACCEPT
%end if

## CD30 ##
## Colleges of departement 30.
%if %%numero_etab.startswith("030") and %%nom_domaine_local.startswith("clg-")
## EDUTICE
## The EDUTICE servers (pedago2 and the antivirus server) may open an OpenVPN
## session, UDP 1194, to the vendor address 91.121.175.129 for remote support:
## SNAT to the external address plus the matching ped-ext ACCEPT for each host.
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_pedago2/32 -d 91.121.175.129/32 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j SNAT --to-source %%adresse_ip_eth0
/sbin/iptables -t nat -I POSTROUTING -s %%ip_serveur_antivirus/32 -d 91.121.175.129/32 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j SNAT --to-source %%adresse_ip_eth0
/sbin/iptables -t filter -I ped-ext -s %%ip_serveur_antivirus/32 -d 91.121.175.129/32 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j ACCEPT
/sbin/iptables -t filter -I ped-ext -s %%ip_serveur_pedago2/32 -d 91.121.175.129/32 -i %%nom_zone_eth2 -o %%nom_zone_eth0 -p udp -m udp --dport 1194 -j ACCEPT
## Allow the outside to reach TCP 8099 on the external address, forwarded to
## pedago2 port 8080. No source restriction: anyone on the Internet.
## NOTE(review): the ext-bas rule below matches the PRE-NAT destination and
## port (adresse_ip_eth0:8099). After the DNAT the packet is forwarded, not
## delivered locally, so it never traverses the INPUT-side ext-bas chain and
## this rule cannot match. The forwarded flow needs an ext-ped ACCEPT for
## ip_serveur_pedago2 port 8080 (see the 44123 rules above for the pattern),
## unless ERA's own generated rules already permit it; verify on a host.
/sbin/iptables -t nat -I PREROUTING -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 8099 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago2:8080
/sbin/iptables -t filter -I ext-bas -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 8099 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## Added for Amon 2.3: access to the NGINX front of owncloud on the firewall.
## NOTE(review): this opens TCP 443 of the firewall host to every source on
## the external interface. Keep it only while that reverse proxy is in
## service, and restrict the source if the clients are known.
/sbin/iptables -t filter -I ext-bas -m state --state NEW -p tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -i %%nom_zone_eth0  -j ACCEPT
%end if

## CD34 ##
## Four named establishments only (explicit list of numero_etab values).
%if %%numero_etab in ('0340109j','0340955d','0341366a','0342326u')
## CD34 access to the tablet MDM hosted on the pedago server: TCP 44123 from
## the single address 212.51.190.239, DNATed to ip_serveur_pedago and accepted
## by ext-ped on the post-NAT destination, new connections only.
/sbin/iptables -t nat -I PREROUTING -s 212.51.190.239/32 -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_pedago
/sbin/iptables -t filter -I ext-ped -s 212.51.190.239/32 -d %%ip_serveur_pedago/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 44123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
%end if

###########################################
## Establishment-specific rules (EPLE)    ##
###########################################

## Specific to 0340042L - Lyc Mermoz MPL - several internal subnets
## Outbound SNAT for the whole 10.134.0.0/16 behind the external address.
## Unlike the other rules these are appended (-A), so they sit after every
## POSTROUTING rule inserted earlier. Only TCP connection openings and UDP are
## rewritten; ICMP and other protocols from that range are not SNATed.
%if %%numero_etab == '0340042l'
/sbin/iptables -t nat -A POSTROUTING -s 10.134.0.0/16 -o %%nom_zone_eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SNAT --to-source %%adresse_ip_eth0
/sbin/iptables -t nat -A POSTROUTING -s 10.134.0.0/16 -o %%nom_zone_eth0 -p udp  -m udp -j SNAT --to-source %%adresse_ip_eth0
%end if

## Specific to 0340076Y - Lyc Curie Sete - TCP 14000 used by the PRONOTE client
## Extra DNAT on public address 2 towards the NOTES server. No filter rule is
## added: the ext-dmz ACCEPT of the IP PUB 2 block already admits any TCP SYN
## to ip_serveur_web2.
## NOTE(review): this rule is not guarded by the nb_ip_pub / ip_pub2 test the
## IP PUB 2 block uses; with an empty ip_pub2 it renders as "-d /32" and the
## rule set fails to load.
%if %%numero_etab == '0340076y'
/sbin/iptables -t nat -I PREROUTING -d %%ip_pub2/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 14000 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination %%ip_serveur_web2
%end if

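## Specific to 0300052U - Cite Scolaire Chamson Le Vigan - extra rules for the ALCASAR wifi portal
%if %%numero_etab == '0300052u'
## ALCASAR administration over SSH, reserved to the rectorat / Region ranges:
## TCP 10022 on the external address is DNATed to 10.230.27.50:22 (DMZ), and the
## ext-dmz rule accepts the forwarded flow on the post-NAT destination and port.
/sbin/iptables -t nat -I PREROUTING -s 194.214.141.0/24,195.83.225.0/24,194.254.31.192/29,194.254.31.200/29  -d %%adresse_ip_eth0/32 -i %%nom_zone_eth0 -p tcp -m tcp --dport 10022 --tcp-flags SYN,RST,ACK SYN -j DNAT --to-destination 10.230.27.50:22
/sbin/iptables -t filter -I ext-dmz -s 194.214.141.0/24,195.83.225.0/24,194.254.31.192/29,194.254.31.200/29 -d 10.230.27.50/32 -i %%nom_zone_eth0 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
## Proxy exception so ALCASAR reaches the Internet directly on 80/443, with the
## matching outbound SNAT.
## Fix: the SNAT previously named the physical device "ens160" outright; it
## now uses nom_zone_eth0 like every other rule in this template, so it keeps
## matching if the external interface is named differently on the host.
/sbin/iptables -t nat -I PREROUTING -i %%nom_zone_eth3 -s 10.230.27.50/32 -p tcp -m tcp -m multiport --dports 80,443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -s 10.230.27.50 -p tcp -m tcp -m multiport --dports 80,443 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
%end if
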
###################################################################################
##                                GSIC PROJECT for CD34                          ##
###################################################################################

## Proxy exceptions for uploads to the CD34 Management network and to
## CodeRNE-PYTHEAS: every TCP connection opening (no port list) to
## 172.19.34.0/24 or to ip_serveur_pytheas, from any interface, skips the proxy.
/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -d 172.19.34.0/24 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -d %%ip_serveur_pytheas/32 -j ACCEPT

## Filter rules allowing the Admin / Pedago / WifiPedago networks to reach the
## local WSUS server: TCP 8530 to ip_serveur_mgmt only, new connections only.
## (The original comment planned to "filter later on the WSUS server IPs"; the
## rules are already restricted to ip_serveur_mgmt.)
/sbin/iptables -t filter -I adm-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 8530 -d %%ip_serveur_mgmt/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 8530 -d %%ip_serveur_mgmt/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 8530 -d %%ip_serveur_mgmt/32 -j ACCEPT

## Filter rules allowing the Admin / Pedago / WifiPedago networks to reach
## CodeRNE-PYTHEAS (ip_serveur_pytheas): SMB (TCP 139, 445), TFTP and NetBIOS
## (UDP 69, 137, 138, 139) and HTTP/HTTPS (TCP 80, 443). The TCP rules admit
## new connections only; the UDP rules are stateless.
## NOTE(review): the wif-man rules expose SMB and TFTP to the wifi clients; if
## only the installation/inventory path needs them, consider restricting the
## wifi sources.
/sbin/iptables -t filter -I adm-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 139,445 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 139,445 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 139,445 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I adm-man -p udp -m udp -m multiport --dports 69,137,138,139 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p udp -m udp -m multiport --dports 69,137,138,139 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p udp -m udp -m multiport --dports 69,137,138,139 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I adm-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I ped-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -d %%ip_serveur_pytheas/32 -j ACCEPT
/sbin/iptables -t filter -I wif-man -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -d %%ip_serveur_pytheas/32 -j ACCEPT

## Filter rules allowing ALL flows from the Wifipedago network to the
## CodeRNE-SRVPEDAG server (ip_serveur_pedago): every TCP connection opening,
## every UDP datagram (stateless) and ICMP echo requests (type 8). No port list.
/sbin/iptables -t filter -I wif-ped -d %%ip_serveur_pedago -m state --state NEW -p tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
/sbin/iptables -t filter -I wif-ped -d %%ip_serveur_pedago -m udp -p udp -j ACCEPT
/sbin/iptables -t filter -I wif-ped -d %%ip_serveur_pedago -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT

## Filter rules for administering the Amon from the Management network.
## All ICMP types (not only echo) and new TCP connections to 22 (SSH),
## 4200 (EAD) and 7000 (gen_config) on the firewall host, from any source in
## the management zone. The first rule relies on the default filter table.
/sbin/iptables -I man-bas -p icmp -j ACCEPT
/sbin/iptables -t filter -I man-bas -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN -m multiport --dports 22,4200,7000 -j ACCEPT

## NAT so that the Management network (first VLAN on eth4) reaches the Internet:
## its whole subnet is SNATed to the external address on egress through eth0.
## The matching man-ext filter permission, if any, is not part of this template.
/sbin/iptables -t nat -I POSTROUTING -s %%vlan_id_eth4[0].vlan_network_eth4/%%vlan_id_eth4[0].vlan_netmask_eth4 -o %%nom_zone_eth0 -j SNAT --to-source %%adresse_ip_eth0
    </include>
    <services>
233
        <service name="8500" protocol="tcp" ports="8500" id="11" libelle="service 8500" tcpwrapper=""/>
234
        <service name="rsyslog_TCP" protocol="tcp" ports="10514" id="65" libelle="protocole TCP pour rsyslog" tcpwrapper=""/>
235
        <service name="xmpp" protocol="tcp" ports="5222" id="63" libelle="Serveur jabber (XMPP)" tcpwrapper=""/>
236
        <service name="imap4-ssl" protocol="tcp" ports="993" id="23" libelle="service imap4-ssl" tcpwrapper=""/>
237
        <service name="ldm" protocol="tcp" ports="9571" id="86" libelle="Connexion management for LTSP" tcpwrapper=""/>
238
        <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
239
        <service name="ftps" protocol="tcp" ports="989-990" id="29" libelle="service ftps" tcpwrapper=""/>
240
        <service name="pop" protocol="tcp" ports="110" id="20" libelle="service pop" tcpwrapper=""/>
241
        <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
242
        <service name="echo-reply" protocol="ICMP" ports="0" id="echo-reply" libelle="règle icmp echo-reply" tcpwrapper=""/>
243
        <service name="cups" protocol="tcp" ports="631" id="76" libelle="Interface CUPS" tcpwrapper=""/>
244
        <service name="lockd" protocol="tcp" ports="4005" id="61" libelle="" tcpwrapper=""/>
245
        <service name="ead-server" protocol="tcp" ports="4201" id="83" libelle="ead-server" tcpwrapper=""/>
246
        <service name="tftpd-hpa" protocol="udp" ports="69" id="75" libelle="Accès aux serveurs TFTP" tcpwrapper="in.tftpd"/>
247
        <service name="ldaps" protocol="tcp" ports="636" id="24" libelle="service ldaps" tcpwrapper="slapd"/>
248
        <service name="echo-request" protocol="ICMP" ports="0" id="echo-request" libelle="règle icmp echo-request" tcpwrapper=""/>
249
        <service name="https" protocol="tcp" ports="443" id="5" libelle="serveur web sécurisé" tcpwrapper=""/>
250
        <service name="ldap" protocol="tcp" ports="389" id="22" libelle="service d'annuaire" tcpwrapper="slapd"/>
251
        <service name="lightsquid" protocol="tcp" ports="%%lightsquid_port" id="54" libelle="port d'accès à l'application lightsquid" tcpwrapper=""/>
252
        <service name="ltspfsd" protocol="tcp" ports="9220" id="72" libelle="ltspfsd" tcpwrapper=""/>
253
        <service name="udp" protocol="udp" ports="0-65535" id="34" libelle="tous les ports en udp" tcpwrapper=""/>
254
        <service name="proxy2" protocol="tcp" ports="%%proxy2_port" id="55" libelle="port 2eme instance de squid" tcpwrapper=""/>
255
        <service name="ead" protocol="tcp" ports="4200" id="36" libelle="ead" tcpwrapper=""/>
256
        <service name="portmap" protocol="tcp" ports="111" id="60" libelle="" tcpwrapper=""/>
257
        <service name="eole-sso" protocol="tcp" ports="%%eolesso_port" id="45" libelle="Service Eole SSO" tcpwrapper=""/>
258
        <service name="dns-udp" protocol="udp" ports="53" id="7" libelle="serveur de noms" tcpwrapper=""/>
259
        <service name="radius-acct" protocol="udp" ports="1813" id="74" libelle="" tcpwrapper=""/>
260
        <service name="tcp" protocol="tcp" ports="0-65535" id="33" libelle="tous les ports en tcp" tcpwrapper=""/>
261
        <service name="agents_zephir" protocol="tcp" ports="8090" id="46" libelle="Acces web aux agents Zéphir" tcpwrapper=""/>
262
        <service name="ircu" protocol="tcp" ports="6665-6669" id="13" libelle="service ircu" tcpwrapper=""/>
263
        <service name="imap" protocol="tcp" ports="143" id="21" libelle="service imap" tcpwrapper=""/>
264
        <service name="nntps" protocol="tcp" ports="563" id="31" libelle="service nntps" tcpwrapper=""/>
265
        <service name="ircs" protocol="tcp" ports="994" id="16" libelle="service ircs" tcpwrapper=""/>
266
        <service name="msnp" protocol="tcp" ports="1863" id="17" libelle="service msnp" tcpwrapper=""/>
267
        <service name="serveur_nfs" protocol="tcp" ports="2049" id="59" libelle="Serveur NFS" tcpwrapper=""/>
268
        <service name="mountd" protocol="tcp" ports="4003" id="62" libelle="" tcpwrapper=""/>
269
        <service name="webmin" protocol="tcp" ports="10000" id="9" libelle="appliquation web d'administration" tcpwrapper=""/>
270
        <service name="xmpp-ssl" protocol="tcp" ports="5223" id="81" libelle="Serveur jabber SSL (XMPP)" tcpwrapper=""/>
271
        <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
272
        <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
273
        <service name="nbd-client" protocol="tcp" ports="2000" id="71" libelle="nbd-client" tcpwrapper=""/>
274
        <service name="radius" protocol="udp" ports="1812" id="70" libelle="" tcpwrapper=""/>
275
        <service name="scribe-service" protocol="tcp" ports="8788" id="36" libelle="service scribe sur les clients" tcpwrapper=""/>
276
        <service name="pop3s" protocol="tcp" ports="995" id="25" libelle="service pop3s" tcpwrapper=""/>
277
        <service name="smtp" protocol="tcp" ports="25" id="19" libelle="service mail" tcpwrapper=""/>
278
        <service name="raw" protocol="tcp" ports="9100" id="82" libelle="Service d'impression Raw" tcpwrapper=""/>
279
        <service name="sympa-restreint" protocol="tcp" ports="8888" id="57" libelle="sympa domaine restreint" tcpwrapper=""/>
280
        <service name="gen_config" protocol="tcp" ports="7000" id="68" libelle="Accès à gen_config depuis l'extérieur en https" tcpwrapper=""/>
281
        <service name="rsyslog_RELP" protocol="tcp" ports="20514" id="64" libelle="protocole RELP pour rsyslog" tcpwrapper=""/>
282
        <service name="isakmp_500" protocol="udp" ports="500" id="52" libelle="protocol pour ipsec" tcpwrapper=""/>
283
        <service name="ftp" protocol="tcp" ports="21" id="78" libelle="transfert de fichiers sur le port 21" tcpwrapper=""/>
284
        <service name="nbd-server" protocol="tcp" ports="10809" id="85" libelle="Server NBD for Eclair" tcpwrapper=""/>
285
        <service name="esp" protocol="esp" ports="0" id="51" libelle="protocole pour ipsec" tcpwrapper=""/>
286
        <service name="nuauth" protocol="tcp" ports="4129" id="43" libelle="Serveur d'authentification NuFw" tcpwrapper=""/>
287
        <service name="dns-tcp" protocol="tcp" ports="53" id="6" libelle="serveur de noms" tcpwrapper=""/>
288
        <service name="posh-admin" protocol="tcp" ports="7070" id="48" libelle="administration posh" tcpwrapper=""/>
289
        <service name="irc" protocol="tcp" ports="194" id="15" libelle="service irc" tcpwrapper=""/>
290
        <service name="nntp" protocol="tcp" ports="119" id="30" libelle="service nntp" tcpwrapper=""/>
291
        <service name="mdqs" protocol="tcp" ports="666" id="15" libelle="service mdqs" tcpwrapper=""/>
292
        <!-- Tail of the flat service catalogue (its <services> opening tag lies above this
             excerpt). Each entry is a (name, protocol, ports, id) tuple; the <groupe> elements
             below carry verbatim copies of these entries and rules refer to services by id,
             so every id should map to exactly one definition. Port values written as %%var
             are Creole variables filled in at generation time.
             NOTE(review): id="70" is assigned to pulseaudio here and to radius in gr_radius
             further down; only one of them can be the catalogue id, confirm and renumber the other.
             tcpwrapper is set only on ssh ("sshd") and, further down, on tftpd-hpa ("in.tftpd");
             presumably it names the daemon for tcp_wrappers entries, verify against the generator. -->
        <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
        <service name="cntlm" protocol="tcp" ports="%%cntlm_port" id="67" libelle="Proxy Cntlm" tcpwrapper=""/>
        <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
        <service name="ntp" protocol="udp" ports="123" id="56" libelle="serveur de temps" tcpwrapper=""/>
        <service name="sympa-internet" protocol="tcp" ports="8787" id="58" libelle="serveur sympa internet" tcpwrapper=""/>
        <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
        <service name="ead-fichier" protocol="tcp" ports="4202" id="84" libelle="ead-fichier" tcpwrapper=""/>
        <service name="news" protocol="tcp" ports="2009" id="32" libelle="nouvelles" tcpwrapper=""/>
        <service name="ftp-tcp" protocol="tcp" ports="20-21" id="26" libelle="transfert de fichiers" tcpwrapper=""/>
        <service name="scribe-controlevnc" protocol="tcp" ports="8789-8790" id="45" libelle="" tcpwrapper=""/>
        <service name="gaspacho" protocol="tcp" ports="8080" id="80" libelle="Accès à l'outil Gaspacho" tcpwrapper=""/>
        <service name="revprox-sso" protocol="tcp" ports="8443" id="79" libelle="Redirection du service EoleSSO" tcpwrapper=""/>
        <service name="pulseaudio" protocol="tcp" ports="16001" id="70" libelle="pulseaudio" tcpwrapper=""/>
        <service name="smtps" protocol="tcp" ports="465" id="77" libelle="Service SMTP SSL" tcpwrapper=""/>
        <service name="sftp" protocol="tcp" ports="115" id="27" libelle="service sftp" tcpwrapper=""/>
        <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
        <!-- Wildcard entry: protocol "TOUT" / ports "0" / id "tout" is the "any service" marker used by rules. -->
        <service name="tous" protocol="TOUT" ports="0" id="tout" libelle="tous les services" tcpwrapper=""/>
        <service name="talk" protocol="tcp" ports="517-518" id="18" libelle="service talk" tcpwrapper=""/>
        <service name="pftp" protocol="tcp" ports="662" id="28" libelle="service pftp" tcpwrapper=""/>
        <service name="isakmp_4500" protocol="udp" ports="4500" id="53" libelle="protocole pour ipsec" tcpwrapper=""/>
        <service name="ead-scribe" protocol="tcp" ports="%%revprox_ead_port" id="73" libelle="port EAD du Scribe avec reverse proxy" tcpwrapper=""/>
        <service name="rsyslog_UDP" protocol="udp" ports="514" id="66" libelle="protocole UDP pour rsyslog" tcpwrapper=""/>
        <service name="ssh" protocol="tcp" ports="22" id="8" libelle="shell sécurisé" tcpwrapper="sshd"/>
        <groupe id="scribe-dmz-pedago" libelle="service Scribe DMZ vers pedago">
            <!-- Scribe (in the DMZ) toward pedago clients: SMB/CIFS (137-139, 445), the scribe
                 client service (8788), VNC (5800/5900) and printing (CUPS 631, raw 9100). -->
            <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
            <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
            <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
            <service name="scribe-service" protocol="tcp" ports="8788" id="36" libelle="service scribe sur les clients" tcpwrapper=""/>
            <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
            <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
            <service name="cups" protocol="tcp" ports="631" id="76" libelle="Interface CUPS" tcpwrapper=""/>
            <service name="raw" protocol="tcp" ports="9100" id="82" libelle="Service d'impression Raw" tcpwrapper=""/>
        </groupe>
        <groupe id="vnc" libelle="vnc">
            <!-- VNC only (web 5800 and native 5900), catalogue ids 40 and 41. -->
            <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
            <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
        </groupe>
        <groupe id="ead_server" libelle="Ports autorises pour l'administration distante d'Amon (backend ead)">
            <!-- EAD backend (4201) and file service (4202). Exposed only to the *_backend_ead
                 endpoints in the flux rules below, keep it that way: this is an admin surface. -->
            <service name="ead-server" protocol="tcp" ports="4201" id="83" libelle="ead-server" tcpwrapper=""/>
            <service name="ead-fichier" protocol="tcp" ports="4202" id="84" libelle="ead-fichier" tcpwrapper=""/>
        </groupe>
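        <groupe id="amonecole-eclair" libelle="LTSP services">
            <!-- LTSP thin-client services: LDM display manager (9571), NBD image export (10809) and ssh.
                 The ssh entry is a copy of catalogue id="8"; its label is aligned with the catalogue
                 ("shell sécurisé", the former "sécrurisé" was a typo). It still carries tcpwrapper=""
                 where the catalogue entry says "sshd".
                 NOTE(review): confirm whether the group copy or the catalogue entry is used when
                 tcp_wrappers entries are generated, and align the two. -->
            <service name="ldm" protocol="tcp" ports="9571" id="86" libelle="Connexion management for LTSP" tcpwrapper=""/>
            <service name="nbd-server" protocol="tcp" ports="10809" id="85" libelle="Server NBD for Eclair" tcpwrapper=""/>
            <service name="ssh" protocol="tcp" ports="22" id="8" libelle="shell sécurisé" tcpwrapper=""/>
        </groupe>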
        <groupe id="gr_redirection_http" libelle="Protocoles http a rediriger vers le proxy">
            <!-- Plain-HTTP flows (80, 3128, 8080) that proxy-redirect rules send to the local proxy. -->
            <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
            <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
            <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
        </groupe>
        <groupe id="admin_amon" libelle="Port autorise pour l'administration distante d'Amon (ssh, ead, agents zephir)">
            <!-- Remote-administration bundle: Zéphir agents web UI (8090), EAD (8501), lightsquid
                 (port from %%lightsquid_port) and ICMP echo-request. The ICMP entry uses the same
                 ports="0" convention as the "tous" wildcard with id set to the ICMP type name.
                 In the bastion/exterieur flux this group is granted only to the exterieur_admin endpoint. -->
            <service name="agents_zephir" protocol="tcp" ports="8090" id="46" libelle="Acces web aux agents Zéphir" tcpwrapper=""/>
            <service name="ead" protocol="tcp" ports="8501" id="10" libelle="Eole Admin" tcpwrapper=""/>
            <service name="lightsquid" protocol="tcp" ports="%%lightsquid_port" id="54" libelle="port d'accès à l'application lightsquid" tcpwrapper=""/>
            <service name="echo-request" protocol="ICMP" ports="0" id="echo-request" libelle="règle icmp echo-request" tcpwrapper=""/>
        </groupe>
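        <groupe id="gr_redirection_https" libelle="Https a rediriger vers le proxy">
            <!-- HTTPS only (443). Label typo fixed ("redifiger" to "rediriger"); the ProxyBypass/ForceProxy
                 rules apply this group with nat_port="82" to send unproxied https to an error page. -->
            <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
        </groupe>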
        <groupe id="gr_pop" libelle="pop3 et pop3s">
            <!-- POP3 clear (110) and over TLS (995). -->
            <service name="pop" protocol="tcp" ports="110" id="20" libelle="service pop" tcpwrapper=""/>
            <service name="pop3s" protocol="tcp" ports="995" id="25" libelle="service pop3s" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_redirection" libelle="Protocoles a rediriger vers le proxy">
            <!-- Union of gr_redirection_http (80, 3128, 8080) and gr_redirection_https (443). -->
            <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
            <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
            <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
            <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_imap" libelle="imap et imap-ssl">
            <!-- IMAP (143) and the legacy imap4-ssl port (585); note this group does not include imaps/993. -->
            <service name="imap" protocol="tcp" ports="143" id="21" libelle="service imap" tcpwrapper=""/>
            <service name="imap4-ssl" protocol="tcp" ports="585" id="23" libelle="service imap4-ssl" tcpwrapper=""/>
        </groupe>
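        <groupe id="ipsec" libelle="Services utilises par ipsec">
            <!-- IPsec: ESP plus IKE on udp/500 and NAT-T on udp/4500.
                 Label typos fixed: "pas" to "par" on the group, "protocol" to "protocole" on
                 isakmp_500 so all three entries read the same. -->
            <service name="esp" protocol="esp" ports="0" id="51" libelle="protocole pour ipsec" tcpwrapper=""/>
            <service name="isakmp_4500" protocol="udp" ports="4500" id="53" libelle="protocole pour ipsec" tcpwrapper=""/>
            <service name="isakmp_500" protocol="udp" ports="500" id="52" libelle="protocole pour ipsec" tcpwrapper=""/>
        </groupe>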
        <groupe id="gr_irc" libelle="interdire l'utilisation des dialogues en direct (icq)">
            <!-- Chat protocols to be blocked: talk, MSNP, mdqs, IRC (plain, TLS, ircu range).
                 NOTE(review): mdqs and irc both carry id="15"; since rules and group copies are
                 matched by id, one of the two should get its own catalogue id. -->
            <service name="talk" protocol="tcp" ports="517-518" id="18" libelle="service talk" tcpwrapper=""/>
            <service name="msnp" protocol="tcp" ports="1863" id="17" libelle="service msnp" tcpwrapper=""/>
            <service name="mdqs" protocol="tcp" ports="666" id="15" libelle="service mdqs" tcpwrapper=""/>
            <service name="ircs" protocol="tcp" ports="994" id="16" libelle="service ircs" tcpwrapper=""/>
            <service name="irc" protocol="tcp" ports="194" id="15" libelle="service irc" tcpwrapper=""/>
            <service name="ircu" protocol="tcp" ports="6665-6669" id="13" libelle="service ircu" tcpwrapper=""/>
        </groupe>
        <groupe id="sympa" libelle="serveur sympa">
            <!-- Sympa mailing-list web front-ends: internet-facing (8787) and restricted domain (8888). -->
            <service name="sympa-internet" protocol="tcp" ports="8787" id="58" libelle="serveur sympa internet" tcpwrapper=""/>
            <service name="sympa-restreint" protocol="tcp" ports="8888" id="57" libelle="sympa domaine restreint" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_ftp" libelle="">
            <!-- File-transfer family: FTP (20-21), FTPS (989-990), pftp (662) and sftp on 115
                 (the Simple File Transfer Protocol port, not SSH sftp). No libelle set on the group. -->
            <service name="ftp-tcp" protocol="tcp" ports="20-21" id="26" libelle="transfert de fichiers" tcpwrapper=""/>
            <service name="ftps" protocol="tcp" ports="989-990" id="29" libelle="service ftps" tcpwrapper=""/>
            <service name="pftp" protocol="tcp" ports="662" id="28" libelle="service pftp" tcpwrapper=""/>
            <service name="sftp" protocol="tcp" ports="115" id="27" libelle="service sftp" tcpwrapper=""/>
        </groupe>
        <groupe id="samba" libelle="samba proto">
            <!-- NetBIOS over udp/tcp 137-139 plus direct SMB on tcp/445. -->
            <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
            <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
            <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
        </groupe>
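        <groupe id="gr_messagerie" libelle="services de messagerie et d'annuaire (imap, ldap, pop, smtp)">
            <!-- Mail and directory services: IMAP/imap4-ssl, LDAP/LDAPS, POP3/POP3S, SMTP/SMTPS.
                 The previous libelle ("interdire l'utilisation des dialogues en direct (icq)") was a
                 copy of the gr_irc label and did not describe this group; replaced with a label
                 derived from the group id and its members. -->
            <service name="imap" protocol="tcp" ports="143" id="21" libelle="service imap" tcpwrapper=""/>
            <service name="imap4-ssl" protocol="tcp" ports="585" id="23" libelle="service imap4-ssl" tcpwrapper=""/>
            <service name="ldap" protocol="tcp" ports="389" id="22" libelle="service d'annuaire" tcpwrapper=""/>
            <service name="ldaps" protocol="tcp" ports="636" id="24" libelle="service ldaps" tcpwrapper=""/>
            <service name="pop" protocol="tcp" ports="110" id="20" libelle="service pop" tcpwrapper=""/>
            <service name="pop3s" protocol="tcp" ports="995" id="25" libelle="service pop3s" tcpwrapper=""/>
            <service name="smtp" protocol="tcp" ports="25" id="19" libelle="service mail" tcpwrapper=""/>
            <service name="smtps" protocol="tcp" ports="465" id="77" libelle="Service SMTP SSL" tcpwrapper=""/>
        </groupe>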
        <groupe id="gr_forum" libelle="interdire l'utilisation des forums">
            <!-- Usenet/news protocols to be blocked: NNTP (119), NNTPS (563), news (2009). -->
            <service name="nntp" protocol="tcp" ports="119" id="30" libelle="service nntp" tcpwrapper=""/>
            <service name="nntps" protocol="tcp" ports="563" id="31" libelle="service nntps" tcpwrapper=""/>
            <service name="news" protocol="tcp" ports="2009" id="32" libelle="nouvelles" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_redirection_proxy" libelle="Protocoles proxy a rediriger vers le proxy">
            <!-- Proxy ports only (3128, 8080); the ProxyBypass/ForceProxy rules redirect them to nat_port 3128. -->
            <service name="proxy" protocol="tcp" ports="3128" id="4" libelle="service proxy" tcpwrapper=""/>
            <service name="proxy-8080" protocol="tcp" ports="8080" id="12" libelle="proxy" tcpwrapper=""/>
        </groupe>
        <groupe id="eclair-dmz" libelle="Eclair en DMZ">
            <!-- Eclair (LTSP) server in the DMZ toward its clients: ltspfsd (9220), nbd-client (2000),
                 pulseaudio (16001) and VNC (5900). pulseaudio here is the catalogue id="70" copy. -->
            <service name="ltspfsd" protocol="tcp" ports="9220" id="72" libelle="ltspfsd" tcpwrapper=""/>
            <service name="nbd-client" protocol="tcp" ports="2000" id="71" libelle="nbd-client" tcpwrapper=""/>
            <service name="pulseaudio" protocol="tcp" ports="16001" id="70" libelle="pulseaudio" tcpwrapper=""/>
            <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_smtp" libelle="smtp et smtps">
            <!-- SMTP (25) and SMTP over TLS (465); submission/587 is not part of this group. -->
            <service name="smtp" protocol="tcp" ports="25" id="19" libelle="service mail" tcpwrapper=""/>
            <service name="smtps" protocol="tcp" ports="465" id="77" libelle="Service SMTP SSL" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_restreint" libelle="on ferme tout sauf l'utilisation du web par le proxy">
            <!-- Catch-all: every tcp and udp port (0-65535). Used to close a zone down so that
                 only the proxy-redirected web flows remain; ICMP and other IP protocols are not
                 covered by this pair. -->
            <service name="tcp" protocol="tcp" ports="0-65535" id="33" libelle="tous les ports en tcp" tcpwrapper=""/>
            <service name="udp" protocol="udp" ports="0-65535" id="34" libelle="tous les ports en udp" tcpwrapper=""/>
        </groupe>
        <groupe id="scribe_ext" libelle="services extranet scribe ">
            <!-- Scribe services reachable from outside: FTP (20-21) and HTTPS (443). -->
            <service name="ftp-tcp" protocol="tcp" ports="20-21" id="26" libelle="transfert de fichiers" tcpwrapper=""/>
            <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
        </groupe>
        <groupe id="scribe-pedago-dmz" libelle="client scribe vers la DMZ">
            <!-- Pedago clients toward Scribe in the DMZ: LDAP/LDAPS, SMB/CIFS, the VNC control
                 channel (8789-8790) and VNC (5800/5900). Mirror of scribe-dmz-pedago for the
                 opposite direction, minus the scribe client service and printing. -->
            <service name="ldap" protocol="tcp" ports="389" id="22" libelle="service d'annuaire" tcpwrapper=""/>
            <service name="ldaps" protocol="tcp" ports="636" id="24" libelle="service ldaps" tcpwrapper=""/>
            <service name="samba-tcp" protocol="tcp" ports="137-139" id="38" libelle="samba tcp" tcpwrapper=""/>
            <service name="samba-udp" protocol="udp" ports="137-139" id="37" libelle="samba" tcpwrapper=""/>
            <service name="samba3" protocol="tcp" ports="445" id="39" libelle="samba3" tcpwrapper=""/>
            <service name="scribe-controlevnc" protocol="tcp" ports="8789-8790" id="45" libelle="" tcpwrapper=""/>
            <service name="scribe_vnc1" protocol="tcp" ports="5800" id="40" libelle="vnc 5800" tcpwrapper=""/>
            <service name="scribe_vnc2" protocol="tcp" ports="5900" id="41" libelle="vnc 5900" tcpwrapper=""/>
        </groupe>
        <groupe id="nfs" libelle="Serveur NFS + portmap">
            <!-- NFS server side: portmap (111), lockd pinned to 4005, mountd pinned to 4003, nfsd (2049).
                 All entries are tcp only; the udp counterparts are not listed in this group. -->
            <service name="portmap" protocol="tcp" ports="111" id="60" libelle="" tcpwrapper=""/>
            <service name="lockd" protocol="tcp" ports="4005" id="61" libelle="" tcpwrapper=""/>
            <service name="mountd" protocol="tcp" ports="4003" id="62" libelle="" tcpwrapper=""/>
            <service name="serveur_nfs" protocol="tcp" ports="2049" id="59" libelle="Serveur NFS" tcpwrapper=""/>
        </groupe>
        <groupe id="dns" libelle="dns tcp et udp">
            <!-- DNS on udp/53 and tcp/53. -->
            <service name="dns-udp" protocol="udp" ports="53" id="7" libelle="serveur de noms" tcpwrapper=""/>
            <service name="dns-tcp" protocol="tcp" ports="53" id="6" libelle="serveur de noms" tcpwrapper=""/>
        </groupe>
        <groupe id="gr_radius" libelle="Serveur radius (UDP)">
            <!-- RADIUS authentication (udp/1812) and accounting (udp/1813).
                 NOTE(review): radius carries id="70", the same id as pulseaudio in the catalogue
                 above and in eclair-dmz; one of them needs its own id. -->
            <service name="radius" protocol="udp" ports="1812" id="70" libelle="" tcpwrapper=""/>
            <service name="radius-acct" protocol="udp" ports="1813" id="74" libelle="" tcpwrapper=""/>
        </groupe>
        <groupe id="scribe-posh" libelle="Ouverture des ports pour l'utilisation de nginx pour Posh">
            <!-- nginx front for Posh: HTTP (80), HTTPS (443) and the posh-admin port (7070).
                 NOTE(review): the ActiverNGINX rule in the bastion/exterieur flux applies this whole
                 group with source "exterieur" (the entire zone), so 7070 is exposed exactly like 80/443
                 rather than being limited to the exterieur_admin endpoint used for the other admin
                 ports; confirm that is intended or split posh-admin into its own rule. -->
            <service name="http" protocol="tcp" ports="80" id="3" libelle="serveur web" tcpwrapper=""/>
            <service name="https" protocol="tcp" ports="443" id="5" libelle="web sécurisé" tcpwrapper=""/>
            <service name="posh-admin" protocol="tcp" ports="7070" id="48" libelle="administration posh" tcpwrapper=""/>
        </groupe>
        <groupe id="amonecole-eclair-partage" libelle="Services in partage container for Eclair">
            <!-- TFTP (udp/69) served from the "partage" container for Eclair PXE boot; the only
                 entry besides ssh that names a tcpwrapper daemon ("in.tftpd"). -->
            <service name="tftpd-hpa" protocol="udp" ports="69" id="75" libelle="Accès aux serveurs TFTP" tcpwrapper="in.tftpd"/>
        </groupe>
    </services>
    <!-- No QoS classes in this model; upload/download caps left empty. -->
    <qosclasses upload="" download="">
    </qosclasses>
    <extremites>
        <!-- Endpoints referenced by rules as <source>/<destination>/nat_extr. Entries with
             subnet="1" appear to be networks (address plus netmask), subnet="0" single hosts or
             host lists with a /32 or a dedicated netmask variable; confirm against ERA.
             Naming scheme per zone: "<zone>" is the whole zone, "<zone>_restreint" the zone's
             network address, and "<zone>_admin" / "<zone>_ssh" / "<zone>_backend_ead" the
             sub-ranges allowed to reach the EAD, ssh and the EAD backend, taken from the
             %%ip_*_ethN / %%netmask_*_ethN variables. Those three families are what bounds
             remote administration in the flux rules, so their values deserve the narrowest
             ranges the site can live with.
             pedago_bastion and admin_bastion hold the bastion's eth2/eth1 addresses but are
             declared in zone "exterieur", like exterieur_bastion; presumably NAT anchors
             (nat_extr), confirm before moving them.
             type="conteneur" entries describe interfaces of the "internet" container. -->
        <extremite zone="admin" name="admin_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth1" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_network_eth1"/>
        </extremite>
        <extremite zone="exterieur" name="pedago_bastion" libelle="" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
            <ip address="%%adresse_ip_eth2"/>
        </extremite>
        <extremite zone="exterieur" name="exterieur_admin" libelle="reseau autorise a administrer depuis l'exterieur" netmask="%%netmask_admin_eth0" subnet="1" type="" interface="" container="">
            <ip address="%%ip_admin_eth0"/>
        </extremite>
        <extremite zone="admin" name="admin_admin" libelle="reseau autorise a administrer depuis le reseau administratif" netmask="%%netmask_admin_eth1" subnet="1" type="" interface="" container="">
            <ip address="%%ip_admin_eth1"/>
        </extremite>
        <extremite zone="dmz" name="dmz_admin" libelle="reseau autorise a administrer depuis la dmz" netmask="%%netmask_admin_eth3" subnet="1" type="" interface="" container="">
            <ip address="%%ip_admin_eth3"/>
        </extremite>
        <extremite zone="dmz" name="dmz_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth3" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_network_eth3"/>
        </extremite>
        <extremite zone="bastion" name="bastion_exterieur" libelle="Bastion sur la zone exterieur" netmask="255.255.255.255" subnet="0" type="normal" interface="eth0" container="">
            <ip address="%%adresse_ip_eth0"/>
        </extremite>
        <extremite zone="exterieur" name="exterieur_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis l'exterieur" netmask="%%netmask_frontend_ead_distant_eth0" subnet="1" type="" interface="" container="">
            <ip address="%%ip_frontend_ead_distant_eth0"/>
        </extremite>
        <extremite zone="exterieur" name="admin_bastion" libelle="adresse du bastion sur le reseau admin" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
            <ip address="%%adresse_ip_eth1"/>
        </extremite>
        <extremite zone="bastion" name="internet_eth2" libelle="eth2 dans le conteneur internet" netmask="255.255.255.255" subnet="0" type="conteneur" interface="eth2" container="internet">
            <ip address="%%adresse_ip_eth2_proxy_link"/>
        </extremite>
        <extremite zone="management" name="management" libelle="Zone entière" netmask="%%vlan_id_eth4[0].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
            <ip address="%%vlan_id_eth4[0].vlan_ip_eth4"/>
        </extremite>
        <extremite zone="admin" name="admin_ssh" libelle="reseau autorise a se connecter a ssh depuis le reseau administratif" netmask="%%netmask_ssh_eth1" subnet="1" type="" interface="" container="">
            <ip address="%%ip_ssh_eth1"/>
        </extremite>
        <extremite zone="management" name="management_restreint" libelle="zone restreinte" netmask="%%vlan_id_eth4[0].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
            <ip address="%%vlan_id_eth4[0].vlan_network_eth4"/>
        </extremite>
        <extremite zone="pedago" name="pedago_ssh" libelle="reseau autorise a se connecter a ssh depuis le reseau pedagogique" netmask="%%netmask_ssh_eth2" subnet="1" type="" interface="" container="">
            <ip address="%%ip_ssh_eth2"/>
        </extremite>
        <extremite zone="pedago" name="pedago" libelle="Zone entière" netmask="%%adresse_netmask_eth2" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_ip_eth2"/>
        </extremite>
        <extremite zone="bastion" name="bastion" libelle="Zone entière" netmask="255.255.255.255" subnet="1" type="" interface="" container="">
            <ip address="127.0.0.1"/>
        </extremite>
        <extremite zone="bastion" name="internet" libelle="conteneur internet" netmask="255.255.255.255" subnet="0" type="conteneur" interface="containers" container="internet">
            <ip address="%%container_ip_internet"/>
        </extremite>
        <extremite zone="exterieur" name="exterieur_bastion" libelle="IP de bastion sur la zone exterieur" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
            <ip address="%%adresse_ip_eth0"/>
        </extremite>
        <extremite zone="invite" name="invite" libelle="Zone entière" netmask="%%vlan_id_eth4[2].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
            <ip address="%%vlan_id_eth4[2].vlan_ip_eth4"/>
        </extremite>
        <extremite zone="exterieur" name="exterieur" libelle="Zone entière" netmask="%%adresse_netmask_eth0" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_ip_eth0"/>
        </extremite>
        <extremite zone="bastion" name="internet_eth1" libelle="eth1 dans le conteneur internet" netmask="255.255.255.255" subnet="0" type="conteneur" interface="eth1" container="internet">
            <ip address="%%adresse_ip_eth1_proxy_link"/>
        </extremite>
        <extremite zone="exterieur" name="exterieur_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth0" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_network_eth0"/>
        </extremite>
        <extremite zone="admin" name="admin_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis le reseau administratif" netmask="%%netmask_frontend_ead_distant_eth1" subnet="1" type="" interface="" container="">
            <ip address="%%ip_frontend_ead_distant_eth1"/>
        </extremite>
        <!-- Log-collection clients: host lists (plural %%adresses_ip_clients_logs_*) with their own netmask variable. -->
        <extremite zone="exterieur" name="clients_relp_rsyslog" libelle="clients de l'agrégateur de logs en relp" netmask="%%netmask_client_logs_relp" subnet="0" type="" interface="" container="">
            <ip address="%%adresses_ip_clients_logs_relp"/>
        </extremite>
        <extremite zone="dmz" name="dmz_ssh" libelle="reseau autorise a se connecter a ssh depuis la dmz" netmask="%%netmask_ssh_eth3" subnet="1" type="" interface="" container="">
            <ip address="%%ip_ssh_eth3"/>
        </extremite>
        <extremite zone="exterieur" name="clients_udp_rsyslog" libelle="clients de l'agrégateur de logs en udp" netmask="%%netmask_client_logs_udp" subnet="0" type="" interface="" container="">
            <ip address="%%adresses_ip_clients_logs_udp"/>
        </extremite>
        <extremite zone="invite" name="invite_restreint" libelle="zone restreinte" netmask="%%vlan_id_eth4[2].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
            <ip address="%%vlan_id_eth4[2].vlan_network_eth4"/>
        </extremite>
        <extremite zone="dmz" name="dmz_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis la dmz" netmask="%%netmask_frontend_ead_distant_eth3" subnet="1" type="" interface="" container="">
            <ip address="%%ip_frontend_ead_distant_eth3"/>
        </extremite>
        <extremite zone="pedago" name="pedago_admin" libelle="reseau autorise a administrer depuis le reseau pedagogique" netmask="%%netmask_admin_eth2" subnet="1" type="" interface="" container="">
            <ip address="%%ip_admin_eth2"/>
        </extremite>
        <extremite zone="wifipeda" name="wifipeda" libelle="Zone entière" netmask="%%vlan_id_eth4[1].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
            <ip address="%%vlan_id_eth4[1].vlan_ip_eth4"/>
        </extremite>
        <extremite zone="wifipeda" name="wifipeda_restreint" libelle="zone restreinte" netmask="%%vlan_id_eth4[1].vlan_netmask_eth4" subnet="1" type="normal" interface="" container="">
            <ip address="%%vlan_id_eth4[1].vlan_network_eth4"/>
        </extremite>
        <extremite zone="exterieur" name="clients_tcp_rsyslog" libelle="clients de l'agrégateur de logs en tcp" netmask="%%netmask_client_logs_tcp" subnet="0" type="" interface="" container="">
            <ip address="%%adresses_ip_clients_logs_tcp"/>
        </extremite>
        <extremite zone="admin" name="admin" libelle="Zone entière" netmask="%%adresse_netmask_eth1" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_ip_eth1"/>
        </extremite>
        <extremite zone="pedago" name="pedago_restreint" libelle="zone restreinte" netmask="%%adresse_netmask_eth2" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_network_eth2"/>
        </extremite>
        <extremite zone="exterieur" name="exterieur_ssh" libelle="reseau autorise a se connecter a ssh" netmask="%%netmask_ssh_eth0" subnet="1" type="" interface="" container="">
            <ip address="%%ip_ssh_eth0"/>
        </extremite>
        <extremite zone="pedago" name="pedago_backend_ead" libelle="reseau autorise a acceder au backend EAD depuis le reseau pedagogique" netmask="%%netmask_frontend_ead_distant_eth2" subnet="1" type="" interface="" container="">
            <ip address="%%ip_frontend_ead_distant_eth2"/>
        </extremite>
        <extremite zone="dmz" name="dmz" libelle="Zone entière" netmask="%%adresse_netmask_eth3" subnet="1" type="" interface="" container="">
            <ip address="%%adresse_ip_eth3"/>
        </extremite>
        <extremite zone="dmz" name="serveur_scribe_dmz" libelle="serveur scribe sur DMZ" netmask="255.255.255.255" subnet="0" type="" interface="" container="">
            <ip address="%%ip_serveur_scribe_dmz"/>
        </extremite>
    </extremites>
    <!-- No port ranges defined in this model. -->
    <ranges>
    </ranges>
    <!-- No user groups defined in this model. -->
    <user_groups>
    </user_groups>
    <!-- No application definitions in this model. -->
    <applications>
    </applications>
    <flux-list>
        <flux zoneA="bastion" zoneB="exterieur">
            <!-- Traffic between the bastion (the Amon host itself) and the exterieur zone.
                 montantes = exterieur toward bastion: default_policy="0" plus an explicit allow list.
                 descendantes = bastion toward exterieur: default_policy="1" and no rule at all.
                 (0/1 presumably mean drop/accept; confirm against the ERA documentation.)
                 Every rule below uses action="2" and ipsec="0"/accept="0"; the tag attribute
                 appears to bind a rule to a configuration switch (ActiverNGINX, SSHDepuisEth0, ...). -->
            <montantes default_policy="0">
                <!-- Source scoping: rules 1, 2, 7 and 8 open scribe-posh (80/443/7070), ead-scribe,
                     eole-sso and revprox-sso to the whole "exterieur" endpoint, whereas ssh, admin_amon,
                     ead_server, lightsquid and gen_config are restricted to exterieur_ssh /
                     exterieur_admin / exterieur_backend_ead.
                     NOTE(review): posh-admin (7070) is a member of scribe-posh and so inherits the
                     zone-wide source of rule 1; confirm that is intended. -->
                <directive tag="ActiverNGINX" service="scribe-posh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ouverture de posh a travers de nginx" ipsec="0" accept="0">
                    <source name="exterieur"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="ead_scribe" service="ead-scribe" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ouverture de l'EAD Scribe a travers de nginx" ipsec="0" accept="0">
                    <source name="exterieur"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="SSHDepuisEth0" service="ssh" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh exterieur vers Amon" ipsec="0" accept="0">
                    <source name="exterieur_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="AdminDepuisEth0" service="admin_amon" priority="4" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration exterieure vers Amon" ipsec="0" accept="0">
                    <source name="exterieur_admin"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="BackendEADDepuisEth0" service="ead_server" priority="5" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD exterieure vers Amon" ipsec="0" accept="0">
                    <source name="exterieur_backend_ead"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="lightsquid0" service="lightsquid" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration exterieure vers Amon" ipsec="0" accept="0">
                    <source name="exterieur_admin"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="eole_sso" service="eole-sso" priority="7" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="exterieur"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="revprox_sso" service="revprox-sso" priority="8" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="redirection du service EoleSSO par le proxy inverse" ipsec="0" accept="0">
                    <source name="exterieur"/>
                    <destination name="bastion"/>
                </directive>
                <!-- No tag on this rule, unlike its siblings, and attrs="0" rather than "17";
                     confirm it is meant to be unconditional (always generated). -->
                <directive service="ipsec" priority="9" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ipsec" ipsec="0" accept="0">
                    <source name="exterieur"/>
                    <destination name="bastion"/>
                </directive>
                <!-- Reuses tag "SSHDepuisEth0" (same switch as rule 3), presumably so gen_config
                     follows the ssh exposure setting; confirm. -->
                <directive tag="SSHDepuisEth0" service="gen_config" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config exterieur vers Amon" ipsec="0" accept="0">
                    <source name="exterieur_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <!-- Log aggregation: sources are the clients_*_rsyslog host lists, one rule per transport. -->
                <directive tag="ClientRsyslogRELP" service="rsyslog_RELP" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="clients_relp_rsyslog"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="ClientRsyslogTCP" service="rsyslog_TCP" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="clients_tcp_rsyslog"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="ClientRsyslogUDP" service="rsyslog_UDP" priority="13" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="clients_udp_rsyslog"/>
                    <destination name="bastion"/>
                </directive>
            </montantes>
            <!-- Outbound from the bastion: no rule, everything falls to default_policy="1". -->
            <descendantes default_policy="1">
            </descendantes>
        </flux>
        <flux zoneA="exterieur" zoneB="admin">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
                <directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin_restreint"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="ProxyBypass1" service="gr_redirection_proxy" priority="2" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass1" service="http" priority="3" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass1" service="gr_redirection_https" priority="4" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" src="0" dest="1"/>
674
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
675
                </directive>
                <!-- ForceProxy1 / gr_redirection_proxy (priority 5): transparent redirection of that service group from admin
                     to nat_port="3128". Compared with the ProxyBypass1 rules, only the bypass source network and the bypass
                     domain exceptions are kept; the proxy_bypass_network_eth1 destination exception is absent, so a whole
                     destination network cannot be exempted under this tag. If that asymmetry is what "force" is meant to
                     convey, it is worth stating in the libelle, which is identical to the ProxyBypass1 one. -->
                <directive tag="ForceProxy1" service="gr_redirection_proxy" priority="5" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
                </directive>
                <!-- ForceProxy1 / http (priority 6): HTTP not going to the exterieur_bastion group (dest_inv="1", presumably
                     a negated destination) is sent to the error page on nat_port="81". Only two exceptions, as for the other
                     ForceProxy1 rules: bypass source network and bypass domains; no destination-network exemption. -->
                <directive tag="ForceProxy1" service="http" priority="6" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
                </directive>
                <!-- ForceProxy1 / https (priority 7): HTTPS from admin redirected to the https error page on nat_port="82",
                     with the same two exceptions as the other ForceProxy1 rules (bypass source network, bypass domains). -->
                <directive tag="ForceProxy1" service="gr_redirection_https" priority="7" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth1" src="0" dest="1"/>
                </directive>
            </descendantes>
        </flux>
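        <flux zoneA="bastion" zoneB="admin">
            <!-- Flows between the admin zone and the bastion (the Amon itself). montantes carries default_policy="0" and
                 lists explicit action="2" ("autoriser") directives; descendantes carries default_policy="1" and nothing
                 else. The file does not define the 0/1 values; the convention used throughout it reads as 0 = deny by
                 default, 1 = allow by default. Confirm in ERA before relying on that reading. -->
            <montantes default_policy="0">
                <!-- Administrative access (ssh, admin_amon, ead_server, gen_config below) is scoped to dedicated groups
                     (admin_ssh, admin_admin, admin_backend_ead) rather than the whole admin zone. Those groups are defined
                     outside this section; their membership is what actually limits who reaches the Amon's management ports. -->
                <directive tag="SSHDepuisEth1" service="ssh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh admin vers Amon" ipsec="0" accept="0">
                    <source name="admin_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="AdminDepuisEth1" service="admin_amon" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration admin vers Amon" ipsec="0" accept="0">
                    <source name="admin_admin"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="BackendEADDepuisEth1" service="ead_server" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD admin vers Amon" ipsec="0" accept="0">
                    <source name="admin_backend_ead"/>
                    <destination name="bastion"/>
                </directive>
                <!-- From here on the source is the entire admin zone. internet_eth1 is a group defined elsewhere in the
                     model (presumably the Amon's own eth1 address, given the services routed to it: dns, proxy, proxy2, cntlm). -->
                <directive service="dns-tcp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="internet_eth1"/>
                </directive>
                <directive service="dns-udp" priority="5" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="internet_eth1"/>
                </directive>
                <directive tag="auth_nufw" service="nuauth" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser l'acces a Nuauth" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="eole_sso" service="eole-sso" priority="7" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="bastion"/>
                </directive>
                <directive service="proxy" priority="8" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="internet_eth1"/>
                </directive>
                <directive tag="Activer squid2" service="proxy2" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="internet_eth1"/>
                </directive>
                <directive tag="cntlm" service="cntlm" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="internet_eth1"/>
                </directive>
                <!-- gen_config shares the SSHDepuisEth1 tag and the admin_ssh source group with the ssh rule above. -->
                <directive tag="SSHDepuisEth1" service="gen_config" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config admin vers Amon" ipsec="0" accept="0">
                    <source name="admin_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <!-- libelle corrected ("raduis" -> "radius"); this rule is open to the whole admin zone, not to a
                     dedicated group, under the ActiverRadiuseth1 tag. -->
                <directive tag="ActiverRadiuseth1" service="gr_radius" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="radius admin vers Amon" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="bastion"/>
                </directive>
                <!-- Plain HTTP from the whole admin zone to the bastion_exterieur group (defined elsewhere); per the
                     libelle this serves the reverse proxy and WPAD. Untagged, so it is not switchable like the rules above. -->
                <directive service="http" priority="13" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="bastion_exterieur"/>
                </directive>
                <directive service="ntp" priority="14" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ntp depuis admin" ipsec="0" accept="0">
                    <source name="admin"/>
                    <destination name="bastion"/>
                </directive>
            </montantes>
            <!-- Nothing explicit from the bastion towards admin; the default alone applies. -->
            <descendantes default_policy="1">
            </descendantes>
        </flux>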
        <flux zoneA="exterieur" zoneB="pedago">
            <!-- pedago <-> exterieur. Inbound from exterieur towards pedago (montantes, default_policy="0") has no allow.
                 Outbound pedago -> exterieur (descendantes, default_policy="1") is open by default and shaped by the
                 directives below. The 0/1 policy values are not defined in this file; the convention used throughout it
                 reads as 0 = deny, 1 = allow. -->
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
                <!-- Priority 1: every service ("tous") from the pedago_restreint group to exterieur is allowed with NAT
                     (action="16" plus nat_extr="exterieur_bastion", the same pair that is labelled "autoriser scribe a
                     sortir sur Internet" in the dmz flux of this file). If ERA emits directives in priority order, this
                     rule matches before the protocol denies (priorities 2 to 6) and the proxy redirections (7 to 12), so
                     members of pedago_restreint bypass both the restrictions and the forced proxy. The group name suggests
                     "restricted", which is the opposite of what the rule grants: verify the group definition (outside this
                     section) and that the blanket exemption is intended. The libelle is still "pas de description". -->
                <directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago_restreint"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- Tagged deny rules (action="1", attrs="1"), each matching the whole pedago zone towards exterieur.
                     The service groups (gr_forum, gr_ftp, gr_irc, gr_messagerie, gr_restreint) are defined elsewhere;
                     gr_restreint is described as "tout interdire (sauf le web via le proxy)". -->
                <directive tag="Interdiction des forums" service="gr_forum" priority="2" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : interdire les protocoles de news, forums ..." ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Interdire les connexions FTP" service="gr_ftp" priority="3" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="Interdire les connexions FTP" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Interdire l'utilisation des dialogues en direct" service="gr_irc" priority="4" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : interdire les protocoles de discussion en ligne (irc ...)" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Interdiction des protocoles de messagerie" service="gr_messagerie" priority="5" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : interdire les protocoles de messagerie (pop, imap ...)" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Internet restreint" service="gr_restreint" priority="6" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="pedago -> exterieur : tout interdire (sauf le web via le proxy)" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- ProxyBypass2: transparent redirections (action="4") to 3128, 81 (http error page) and 82 (https error
                     page). The exceptions use the eth2 variables, consistent with pedago being the eth2 zone in this
                     model: bypass source network (src="1"), bypass destination network and bypass domains (dest="1").
                     dest_inv="1" on the http rule is read as a negated destination (HTTP to anything but exterieur_bastion). -->
                <directive tag="ProxyBypass2" service="gr_redirection_proxy" priority="7" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass2" service="http" priority="8" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass2" service="gr_redirection_https" priority="9" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <!-- ForceProxy2: same three redirections, but the proxy_bypass_network_eth2 destination exception is
                     dropped, so only the bypass source network and the bypass domains are exempt under this tag. -->
                <directive tag="ForceProxy2" service="gr_redirection_proxy" priority="10" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="http" priority="11" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="gr_redirection_https" priority="12" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
            </descendantes>
        </flux>
        <flux zoneA="admin" zoneB="pedago">
            <!-- No directive in either direction. Following the pattern of the other fluxes in this file, montantes is
                 the lower-level zone (pedago) towards the higher one (admin) and carries default_policy="0" with no
                 allow; descendantes (admin towards pedago) carries default_policy="1" and is governed by the default
                 alone. The numeric policy values are not defined here; the file's convention reads as 0 = deny, 1 = allow. -->
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
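        <flux zoneA="bastion" zoneB="pedago">
            <!-- Flows between the pedago zone and the bastion (the Amon itself). Same layout as the admin flux: explicit
                 action="2" allows under montantes (default_policy="0"), nothing under descendantes (default_policy="1").
                 The 0/1 values are not defined in this file; the convention used throughout it reads as 0 = deny, 1 = allow. -->
            <montantes default_policy="0">
                <!-- Management access is scoped to the pedago_ssh / pedago_admin / pedago_backend_ead groups (defined
                     outside this section), not to the whole pedago zone. -->
                <directive tag="SSHDepuisEth2" service="ssh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh pedago vers Amon" ipsec="0" accept="0">
                    <source name="pedago_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="AdminDepuisEth2" service="admin_amon" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration pedago vers Amon" ipsec="0" accept="0">
                    <source name="pedago_admin"/>
                    <destination name="bastion"/>
                </directive>
                <!-- libelle was a copy of the admin_amon rule's; it now names the lightsquid service it actually opens. -->
                <directive tag="lightsquid2" service="lightsquid" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="lightsquid pedago vers Amon" ipsec="0" accept="0">
                    <source name="pedago_admin"/>
                    <destination name="bastion"/>
                </directive>
                <!-- From here on the source is the entire pedago zone. internet_eth2 is a group defined elsewhere in the
                     model (presumably the Amon's own eth2 address, given the services routed to it). -->
                <directive service="dns-tcp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive service="dns-udp" priority="5" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive tag="auth_nufw" service="nuauth" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser l'acces a Nuauth" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="eole_sso" service="eole-sso" priority="7" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="bastion"/>
                </directive>
                <directive service="proxy" priority="8" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive tag="Activer squid2" service="proxy2" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive tag="cntlm" service="cntlm" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive tag="SSHDepuisEth2" service="gen_config" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config pedago vers Amon" ipsec="0" accept="0">
                    <source name="pedago_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="BackendEADDepuisEth2" service="ead_server" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD pedago vers Amon" ipsec="0" accept="0">
                    <source name="pedago_backend_ead"/>
                    <destination name="bastion"/>
                </directive>
                <!-- libelle corrected: it read "raduis admin vers Amon" (typo and wrong zone, copied from the admin flux)
                     while the rule is tagged ActiverRadiuseth2 and sourced from the whole pedago zone. -->
                <directive tag="ActiverRadiuseth2" service="gr_radius" priority="13" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="radius pedago vers Amon" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="bastion"/>
                </directive>
                <!-- Plain HTTP from the whole pedago zone to the bastion_exterieur group (defined elsewhere); per the
                     libelle this serves the reverse proxy and WPAD. Untagged, so not switchable. -->
                <directive service="http" priority="14" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="bastion_exterieur"/>
                </directive>
                <directive service="ntp" priority="15" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ntp depuis pedago" ipsec="0" accept="0">
                    <source name="pedago"/>
                    <destination name="bastion"/>
                </directive>
            </montantes>
            <!-- Nothing explicit from the bastion towards pedago; the default alone applies. -->
            <descendantes default_policy="1">
            </descendantes>
        </flux>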
        <flux zoneA="exterieur" zoneB="dmz">
            <!-- dmz <-> exterieur. Nothing allowed inbound from exterieur (montantes, default_policy="0"); the DMZ's
                 outbound traffic (descendantes, default_policy="1") is shaped only by the redirections below. Unlike the
                 pedago and invite fluxes there are no protocol deny rules (gr_forum, gr_ftp, ...) for the DMZ. The 0/1
                 policy values are not defined in this file; its convention reads as 0 = deny, 1 = allow. -->
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
                <!-- ProxyBypass3: redirections to 3128, 81 (http error page) and 82 (https error page) with the eth3
                     bypass variables, consistent with dmz being the eth3 zone in this model. Exceptions: bypass source
                     network (src="1"), bypass destination network and bypass domains (dest="1"). dest_inv="1" on the
                     http rule is read as a negated destination (HTTP to anything but exterieur_bastion). -->
                <directive tag="ProxyBypass3" service="gr_redirection_proxy" priority="1" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth3/%%calc_classe(%%proxy_bypass_netmask_eth3)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass3" service="http" priority="2" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth3/%%calc_classe(%%proxy_bypass_netmask_eth3)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass3" service="gr_redirection_https" priority="3" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth3/%%calc_classe(%%proxy_bypass_netmask_eth3)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
                </directive>
                <!-- ForceProxy3: same redirections without the proxy_bypass_network_eth3 destination exception. -->
                <directive tag="ForceProxy3" service="gr_redirection_proxy" priority="4" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy3" service="http" priority="5" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy3" service="gr_redirection_https" priority="6" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth3/%%calc_classe(%%proxy_bypass_src_netmask_eth3)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth3" src="0" dest="1"/>
                </directive>
                <!-- ScribeDMZ: the serveur_scribe_dmz group (defined elsewhere) gets every service ("tous") to exterieur
                     with NAT (action="16", nat_extr="exterieur_bastion"). It sits at priority 7, i.e. after the six
                     redirections: if directives apply in priority order, Scribe's HTTP/HTTPS is still captured by whichever
                     ProxyBypass3 / ForceProxy3 tag is active unless its address is in the eth3 bypass source network.
                     Contrast with the pedago and invite fluxes, where the equivalent blanket NAT allow is at priority 1
                     and precedes every restriction. -->
                <directive tag="ScribeDMZ" service="tous" priority="7" action="16" attrs="17" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser scribe a sortir sur Internet" ipsec="0" accept="0">
                    <source name="serveur_scribe_dmz"/>
                    <destination name="exterieur"/>
                </directive>
            </descendantes>
        </flux>
        <flux zoneA="admin" zoneB="dmz">
            <!-- No directive in either direction: dmz towards admin (montantes, default_policy="0") has no allow, admin
                 towards dmz (descendantes, default_policy="1") is governed by the default alone. The numeric policy values
                 are not defined here; the file's convention reads as 0 = deny, 1 = allow. -->
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
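        <flux zoneA="bastion" zoneB="dmz">
            <!-- Flows between the dmz zone and the bastion (the Amon itself). Explicit action="2" allows under montantes
                 (default_policy="0"), nothing under descendantes (default_policy="1"). The 0/1 values are not defined in
                 this file; the convention used throughout it reads as 0 = deny, 1 = allow. -->
            <montantes default_policy="0">
                <!-- Plain HTTP from the whole dmz zone to the bastion_exterieur group (defined elsewhere); per the libelle
                     this serves the reverse proxy and WPAD. Untagged, so not switchable. -->
                <directive service="http" priority="1" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="bastion_exterieur"/>
                </directive>
                <!-- Management access is scoped to the dmz_ssh / dmz_admin / dmz_backend_ead groups (defined outside
                     this section), not to the whole dmz zone. -->
                <directive tag="SSHDepuisEth3" service="ssh" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh dmz vers Amon" ipsec="0" accept="0">
                    <source name="dmz_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="AdminDepuisEth3" service="admin_amon" priority="3" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration dmz vers Amon" ipsec="0" accept="0">
                    <source name="dmz_admin"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="BackendEADDepuisEth3" service="ead_server" priority="4" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="Acces backend EAD dmz vers Amon" ipsec="0" accept="0">
                    <source name="dmz_backend_ead"/>
                    <destination name="bastion"/>
                </directive>
                <!-- libelle was a copy of the admin_amon rule's; it now names the lightsquid service it actually opens. -->
                <directive tag="lightsquid3" service="lightsquid" priority="5" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="lightsquid dmz vers Amon" ipsec="0" accept="0">
                    <source name="dmz_admin"/>
                    <destination name="bastion"/>
                </directive>
                <!-- From here on the source is the entire dmz zone. The dns / proxy / proxy2 / cntlm destination is the
                     group "internet", whereas the admin and pedago fluxes use the per-interface internet_eth1 and
                     internet_eth2 groups. Both are defined elsewhere; check that "internet" does not resolve to a wider
                     set of Amon addresses than the dmz-facing one, or rename to an internet_eth3 group for symmetry. -->
                <directive service="dns-tcp" priority="6" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="internet"/>
                </directive>
                <directive service="dns-udp" priority="7" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="internet"/>
                </directive>
                <directive tag="eole_sso" service="eole-sso" priority="8" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="bastion"/>
                </directive>
                <directive service="proxy" priority="9" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="internet"/>
                </directive>
                <directive tag="Activer squid2" service="proxy2" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="internet"/>
                </directive>
                <directive tag="cntlm" service="cntlm" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="internet"/>
                </directive>
                <directive tag="SSHDepuisEth3" service="gen_config" priority="12" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="gen_config dmz vers Amon" ipsec="0" accept="0">
                    <source name="dmz_ssh"/>
                    <destination name="bastion"/>
                </directive>
                <directive service="ntp" priority="13" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autoriser ntp depuis dmz" ipsec="0" accept="0">
                    <source name="dmz"/>
                    <destination name="bastion"/>
                </directive>
            </montantes>
            <!-- Nothing explicit from the bastion towards dmz; the default alone applies. -->
            <descendantes default_policy="1">
            </descendantes>
        </flux>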
        <flux zoneA="pedago" zoneB="dmz">
            <!-- dmz <-> pedago. The single upward allow lets the serveur_scribe_dmz group (defined elsewhere) open the
                 scribe-dmz-pedago service group towards the entire pedago zone, i.e. a DMZ host initiating connections
                 into the more trusted zone. A compromised Scribe therefore has that reach into all of pedago; if the
                 service only needs specific pedago hosts, narrow the destination to a group. The ScribeDMZ tag is shared
                 with the NAT allow in the exterieur/dmz flux. Downward (pedago towards dmz, default_policy="1") relies on
                 the default alone; the 0/1 values follow the file's convention (0 = deny, 1 = allow). -->
            <montantes default_policy="0">
                <directive tag="ScribeDMZ" service="scribe-dmz-pedago" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser scribe a se connecter au reseau pedago" ipsec="0" accept="0">
                    <source name="serveur_scribe_dmz"/>
                    <destination name="pedago"/>
                </directive>
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
        <flux zoneA="exterieur" zoneB="invite">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
                <!-- Priority 1: all services ("tous") from the invite_restreint group to exterieur, allowed with NAT
                     (action="16", nat_extr="exterieur_bastion", the pair labelled "autoriser scribe a sortir sur
                     Internet" in the dmz flux of this file). Mirrors the pedago flux: if directives apply in priority
                     order, members of this group escape the deny rules and proxy redirections that follow. The group is
                     defined outside this section; verify its membership and replace the "pas de description" libelle
                     with the actual intent, since the name suggests a restricted group and the rule grants the opposite. -->
                <directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="invite_restreint"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- Tagged deny (action="1") of the gr_forum service group for the whole invite zone; same rule as pedago. -->
                <directive tag="Interdiction des forums" service="gr_forum" priority="2" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : interdire les protocoles de news, forums ..." ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- Tagged deny (action="1") of the gr_ftp service group for the whole invite zone. -->
                <directive tag="Interdire les connexions FTP" service="gr_ftp" priority="3" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="Interdire les connexions FTP" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- Tagged deny (action="1") of the gr_irc service group for the whole invite zone. -->
                <directive tag="Interdire l'utilisation des dialogues en direct" service="gr_irc" priority="4" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : interdire les protocoles de discussion en ligne (irc ...)" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- Tagged deny (action="1") of the gr_messagerie service group (pop, imap ... per the libelle) for the whole invite zone. -->
                <directive tag="Interdiction des protocoles de messagerie" service="gr_messagerie" priority="5" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : interdire les protocoles de messagerie (pop, imap ...)" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Internet restreint" service="gr_restreint" priority="6" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="invite -> exterieur : tout interdire (sauf le web via le proxy)" ipsec="0" accept="0">
1047
                    <source name="invite"/>
1048
                    <destination name="exterieur"/>
                </directive>
                <directive tag="ProxyBypass2" service="gr_redirection_proxy" priority="7" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass2" service="http" priority="8" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass2" service="gr_redirection_https" priority="9" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="gr_redirection_proxy" priority="10" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="http" priority="11" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="gr_redirection_https" priority="12" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
            </descendantes>
        </flux>
        <!-- dmz <-> invite: no explicit directive in either direction; traffic between
             these two zones is governed only by the two default_policy values below. -->
        <flux zoneA="dmz" zoneB="invite">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1097
        <!-- pedago <-> invite: no explicit directive in either direction; only the
             default_policy values apply (guest zone kept apart from the pedagogical LAN). -->
        <flux zoneA="pedago" zoneB="invite">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1103
        <!-- admin <-> invite: no explicit directive in either direction; only the
             default_policy values apply (guest zone kept apart from the administrative LAN). -->
        <flux zoneA="admin" zoneB="invite">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1109
        <!-- bastion <-> invite.
             montantes: every directive below has source invite; all are action="2".
             Elsewhere in this file action="2" goes with libelle "Autorisation" / "autoriser",
             so these are presumably allow rules layered on default_policy="0" (confirm in ERA).
             Only name resolution (dns-tcp, dns-udp), the proxy ports (proxy, proxy2, cntlm)
             and http to bastion_exterieur are opened. There is no ssh or admin_amon directive
             here, unlike the bastion/management flux further down, so guest clients get no
             administrative reach to the bastion; keep it that way when editing this list.
             NOTE(review): the destination group is named internet_eth2 although this flux
             concerns the invite zone; verify it resolves to the listener addresses guests are
             meant to reach. Directives whose libelle is "pas de description" should be given
             a real description so the intent survives the next review. -->
        <flux zoneA="bastion" zoneB="invite">
            <montantes default_policy="0">
                <!-- DNS towards the internet_eth2 group, tcp then udp -->
                <directive service="dns-tcp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive service="dns-udp" priority="5" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="internet_eth2"/>
                </directive>
                <!-- main proxy port -->
                <directive service="proxy" priority="8" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="internet_eth2"/>
                </directive>
                <!-- tagged directives (tag attribute, attrs="17" where untagged ones use attrs="0");
                     presumably optional rules toggled from the configuration, confirm in ERA -->
                <directive tag="Activer squid2" service="proxy2" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="internet_eth2"/>
                </directive>
                <directive tag="cntlm" service="cntlm" priority="10" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="internet_eth2"/>
                </directive>
                <!-- plain http to the bastion's external side: reverse proxy and WPAD (per libelle) -->
                <directive service="http" priority="13" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
                    <source name="invite"/>
                    <destination name="bastion_exterieur"/>
                </directive>
            </montantes>
            <!-- no directive in the reverse direction: default_policy="1" alone applies -->
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1139
        <!-- exterieur <-> wifipeda.
             montantes: no directive, default_policy="0" only.
             descendantes: every directive has source wifipeda (or wifipeda_restreint) and
             destination exterieur / exterieur_bastion, i.e. Wi-Fi clients going out.
             The list is a copy of the one in the flux ending just above (whose directives
             have source invite): a priority-1 catch-all for wifipeda_restreint, tagged
             action="1" blocks (libelle "interdire") for forums, ftp, irc, messaging and
             "Internet restreint", then the ProxyBypass2 / ForceProxy2 action="4" redirections
             (http to nat_port 3128 or 81, https to 82).
             NOTE(review): the bypass exceptions reference the proxy_bypass_*_eth2 variables,
             the same ones the invite flux uses, so widening the eth2 bypass lists appears to
             widen them for the Wi-Fi zone as well; confirm that sharing is intended, or give
             this zone its own variables. -->
        <flux zoneA="exterieur" zoneB="wifipeda">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
                <!-- NOTE(review): catch-all (service="tous") at top priority for the
                     wifipeda_restreint group, action="16" with nat_extr="exterieur_bastion" and
                     nat_port="0". The action code is not explained anywhere in view and the
                     libelle is "pas de description": document what this does to restricted
                     clients' traffic, since it precedes every other rule of this section. -->
                <directive service="tous" priority="1" action="16" attrs="0" nat_extr="exterieur_bastion" nat_port="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="wifipeda_restreint"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- tagged deny blocks (action="1", libelle "interdire"); each carries a tag,
                     presumably an optional rule toggled from the configuration -->
                <directive tag="Interdiction des forums" service="gr_forum" priority="2" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : interdire les protocoles de news, forums ..." ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Interdire les connexions FTP" service="gr_ftp" priority="3" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="Interdire les connexions FTP" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Interdire l'utilisation des dialogues en direct" service="gr_irc" priority="4" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : interdire les protocoles de discussion en ligne (irc ...)" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                </directive>
                <directive tag="Interdiction des protocoles de messagerie" service="gr_messagerie" priority="5" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : interdire les protocoles de messagerie (pop, imap ...)" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- "Internet restreint": blocks everything in gr_restreint, leaving only the web
                     via the proxy (per libelle) -->
                <directive tag="Internet restreint" service="gr_restreint" priority="6" action="1" attrs="1" src_inv="0" dest_inv="0" serv_inv="0" libelle="wifipeda -> exterieur : tout interdire (sauf le web via le proxy)" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                </directive>
                <!-- ProxyBypass2 set: redirect web traffic to the proxy (nat_port 3128) or to the
                     bastion's port 81 / 82 pages, with three exceptions: source network,
                     destination network and destination domains (all eth2 variables). -->
                <directive tag="ProxyBypass2" service="gr_redirection_proxy" priority="7" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <!-- dest_inv="1" with destination exterieur_bastion: presumably matches http that is
                     NOT aimed at the bastion itself and sends it to port 81 (confirm in ERA) -->
                <directive tag="ProxyBypass2" service="http" priority="8" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ProxyBypass2" service="gr_redirection_https" priority="9" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" src="0" dest="1"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <!-- ForceProxy2 set: same redirections, but only the source-network and domain
                     exceptions; there is deliberately no destination-network exception here
                     (same shape as the invite flux above). -->
                <directive tag="ForceProxy2" service="gr_redirection_proxy" priority="10" action="4" attrs="17" nat_port="3128" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux http avec proxy alternatif" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="http" priority="11" action="4" attrs="17" nat_port="81" src_inv="0" dest_inv="1" serv_inv="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur_bastion"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
                <directive tag="ForceProxy2" service="gr_redirection_https" priority="12" action="4" attrs="17" nat_port="82" src_inv="0" dest_inv="0" serv_inv="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" ipsec="0" accept="0">
                    <source name="wifipeda"/>
                    <destination name="exterieur"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" src="1" dest="0"/>
                    <exception name="" ip="" eolvar="%%proxy_bypass_domain_eth2" src="0" dest="1"/>
                </directive>
            </descendantes>
        </flux>
1208
        <!-- invite <-> wifipeda: no explicit directive between the two guest-facing zones;
             only the default_policy values apply. -->
        <flux zoneA="invite" zoneB="wifipeda">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1214
        <!-- dmz <-> wifipeda: no explicit directive; only the default_policy values apply. -->
        <flux zoneA="dmz" zoneB="wifipeda">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1220
        <!-- pedago <-> wifipeda: no explicit directive; only the default_policy values apply
             (Wi-Fi clients are not granted anything on the pedagogical LAN here). -->
        <flux zoneA="pedago" zoneB="wifipeda">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1226
        <!-- admin <-> wifipeda: no explicit directive; only the default_policy values apply
             (Wi-Fi clients are not granted anything on the administrative LAN here). -->
        <flux zoneA="admin" zoneB="wifipeda">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1232
        <!-- bastion <-> wifipeda: no explicit directive; only the default_policy values apply.
             NOTE(review): unlike the bastion/invite flux, the Wi-Fi zone gets no dns / proxy /
             http directive towards the bastion here; confirm that is intended, since the
             exterieur/wifipeda section above redirects Wi-Fi web traffic to the proxy ports. -->
        <flux zoneA="bastion" zoneB="wifipeda">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1238
        <!-- exterieur <-> management: no explicit directive; only the default_policy values
             apply (the management zone is not opened to or from the outside here). -->
        <flux zoneA="exterieur" zoneB="management">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1244
        <!-- invite <-> management: no explicit directive; only the default_policy values apply. -->
        <flux zoneA="invite" zoneB="management">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1250
        <!-- dmz <-> management: no explicit directive; only the default_policy values apply. -->
        <flux zoneA="dmz" zoneB="management">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1256
        <!-- wifipeda <-> management: no explicit directive; only the default_policy values apply. -->
        <flux zoneA="wifipeda" zoneB="management">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1262
        <!-- pedago <-> management: no explicit directive; only the default_policy values apply. -->
        <flux zoneA="pedago" zoneB="management">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1268
        <!-- admin <-> management: no explicit directive; only the default_policy values apply. -->
        <flux zoneA="admin" zoneB="management">
            <montantes default_policy="0">
            </montantes>
            <descendantes default_policy="1">
            </descendantes>
        </flux>
1274
        <!-- bastion <-> management.
             montantes: every directive has source management and destination bastion (or
             bastion_exterieur for the last one); all are action="2", presumably allow rules
             (see libelle "autoriser" / "Autorisation" on the same action code).
             This is the only flux in this part of the file that opens ssh and admin_amon
             towards the bastion (tags SSHDepuisManagement / AdminDepuisManagement), plus dns,
             nuauth, eole-sso, the proxy ports, gr_radius and http. Administrative reach to the
             bastion is therefore bound to membership of the management zone; any host placed
             there inherits it, so that zone's membership is the control to watch.
             Priority 10 is unused (9 then 11): harmless, but worth tidying if this list is
             edited. Several directives still carry libelle "pas de description". -->
        <flux zoneA="bastion" zoneB="management">
            <montantes default_policy="0">
                <!-- administrative access: ssh, then the admin_amon service group -->
                <directive tag="SSHDepuisManagement" service="ssh" priority="1" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="ssh management vers Amon" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="AdminDepuisManagement" service="admin_amon" priority="2" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="administration management vers Amon" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <!-- DNS, tcp then udp -->
                <directive service="dns-tcp" priority="3" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <directive service="dns-udp" priority="4" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <!-- authentication services: nuauth (tag auth_nufw) and eole-sso (tag eole_sso) -->
                <directive tag="auth_nufw" service="nuauth" priority="5" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="autoriser l'acces a Nuauth" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="eole_sso" service="eole-sso" priority="6" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <!-- proxy ports: proxy, then the tagged proxy2 and cntlm -->
                <directive service="proxy" priority="7" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="Activer squid2" service="proxy2" priority="8" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <directive tag="cntlm" service="cntlm" priority="9" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <!-- RADIUS from the management zone (tag ActiverRadiusmgt); note priority jumps from 9 to 11 -->
                <directive tag="ActiverRadiusmgt" service="gr_radius" priority="11" action="2" attrs="17" src_inv="0" dest_inv="0" serv_inv="0" libelle="radius mgt vers Amon" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion"/>
                </directive>
                <!-- plain http to the bastion's external side: reverse proxy and WPAD (per libelle) -->
                <directive service="http" priority="12" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="Autorisation reverse proxy + WPAD" ipsec="0" accept="0">
                    <source name="management"/>
                    <destination name="bastion_exterieur"/>
                </directive>
            </montantes>
            <!-- no directive in the reverse direction: default_policy="1" alone applies -->
            <descendantes default_policy="1">
            </descendantes>
        </flux>
    </flux-list>
</firewall>