From 866b4ac69bca08d8b1fd0f1970933ce6e240d29b Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Wed, 5 Sep 2018 16:43:10 +0300
Subject: setup-dmvpn: configure spoke firewall if active
---
dmvpn.awall | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 dmvpn.awall
(limited to 'dmvpn.awall')
diff --git a/dmvpn.awall b/dmvpn.awall
new file mode 100644
index 0000000..339e571
--- /dev/null
+++ b/dmvpn.awall
@@ -0,0 +1,24 @@
+{
+ "description": "DMVPN router",
+ "zone": {
+ "dmvpn-ipsec": { "addr": "0.0.0.0/0" },
+ "dmvpn-gre": { "addr": "0.0.0.0/0", "ipsec": true },
+ "dmvpn-bgp": {
+ "iface": "$dmvpn_gre_iface", "addr": "0.0.0.0/0"
+ },
+ "dmvpn": { "iface": "$dmvpn_gre_iface", "route-back": true }
+ },
+ "filter": [
+ {
+ "in": "_fw",
+ "service": [ "dns", "http", "https", "ldap", "ldaps" ]
+ },
+ { "in": "dmvpn-ipsec", "out": "_fw", "service": "ipsec" },
+ { "in": "_fw", "out": "dmvpn-ipsec", "service": "ipsec" },
+ { "in": "dmvpn-gre", "out": "_fw", "service": "gre" },
+ { "in": "_fw", "out": "dmvpn-gre", "service": "gre" },
+ { "in": "dmvpn-bgp", "out": "_fw", "service": "bgp" },
+ { "in": "_fw", "out": "dmvpn-bgp", "service": "bgp" },
+ { "in": "dmvpn", "out": "dmvpn" }
+ ]
+}
--
cgit v1.2.3
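Review bot: The last filter rule, `{ "in": "dmvpn", "out": "dmvpn" }`, names no `service`, so together with `"route-back": true` on the `dmvpn` zone it appears to accept every protocol that arrives on `$dmvpn_gre_iface` and is routed back out of it, and the `dmvpn-bgp` zone's `"addr": "0.0.0.0/0"` lets any IPv4 address on the tunnel reach BGP on the router itself. For a spoke, which is what the commit subject describes, that looks wider than needed. If transit through this node is not intended, restrict or drop the hairpin rule. If BGP is only spoken with the hubs, narrow the zone, e.g. `"dmvpn-bgp": { "iface": "$dmvpn_gre_iface", "addr": "$HUB_ADDRS" }` (`$HUB_ADDRS` is a placeholder name; `$dmvpn_gre_iface` itself is defined outside this file). The first rule also has no `out`, so the host's own cleartext `ldap` and `http` lookups are allowed toward any zone, which is worth confirming as deliberate. Since the policy cannot carry comments, the reasons for the any-address zones belong in `description` or the commit message.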