From 4818e80c41a8c2794cd69c44364a6a752f88af79 Mon Sep 17 00:00:00 2001
From: Raphael Cauderlier
Date: Fri, 1 Jun 2012 19:03:54 +0200
Subject: [PATCH] [firewall6] corrections sur le firewall IPv6 de zamok
Ignore-this: fd14c1fed392ba1365ca2bba1dded80e
darcs-hash:20120601170354-dd9a4-c025054653b274e47766da05abf90a2da321e2b9.gz
---
 gestion/gen_confs/firewall6.py | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index e966cf09..b2eb9d1e 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@@ -26,7 +26,7 @@ sys.path.append('/usr/scripts/gestion')
 from ldap_crans import hostname
 from config import conf_fw, mid, prefix, role, file_pickle, open_ports
-from config import authorized_icmpv6, mac_wifi, adm_only
+from config import authorized_icmpv6, mac_wifi, adm_only, adm_users
 from ipt import *
 # On invoque Ip6tables
@@ -239,9 +239,9 @@ def adherents_server():
 dev_adm = iface6('adm')
 # On fait attention à ce qui sort
- ip6tables.filter.output('-i lo -j ACCEPT')
+ ip6tables.filter.output('-o lo -j ACCEPT')
 ip6tables.filter.output('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
- ip6tables.filter.output('-i %s -j SRV_OUT_ADM', dev_adm)
+ ip6tables.filter.output('-o %s -j SRV_OUT_ADM' % dev_adm)
 # Chaîne SRV_OUT_ADM
 # Seul certains users ont le droit de communiquer sur le vlan adm
@@ -249,7 +249,8 @@ def adherents_server():
 try:
 u_uid = pwd.getpwnam(user)[2]
 except KeyError:
- raise UnknowUserError(user)
+# raise UnknowUserError(user)
+ continue
 ip6tables.filter.srv_out_adm('-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
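Review bot: The switch from `-i` to `-o` on the two OUTPUT rules is the right fix but deserves a comment, because a later reader may "correct" it back: the OUTPUT chain has no ingress interface, so ip6tables refuses `-i` there, and a refused rule means no jump into SRV_OUT_ADM at all. I would add above the first rule `# OUTPUT has no ingress interface: match the egress interface with -o, never -i`. The `'-o %s -j SRV_OUT_ADM' % dev_adm` line also repairs what looks like a stray second argument in the old call, so the commit message should presumably say that before this change the adm-VLAN egress restriction was never installed. adherents_server starts before the hunk.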
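Review bot: Replacing the raise with a bare `continue` makes a misspelt or deleted entry in the list this loop iterates (presumably adm_users, imported in the first hunk) silently drop that account's permission to reach the adm VLAN, with no trace anywhere; fail-closed is the right direction, but the operator needs to see it. `sys` is already in scope (`sys.path.append('/usr/scripts/gestion')` is visible in the first hunk), so I would write `sys.stderr.write('firewall6: unknown user %r, skipped\n' % user)` before the `continue`. The following line should also reuse the value looked up in the try block, `ip6tables.filter.srv_out_adm('-m owner --uid-owner %d -j ACCEPT' % u_uid)`, instead of calling pwd.getpwnam a second time, and the commented-out `raise` line should be deleted rather than kept. adherents_server continues outside the hunk on both sides.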
@@ -258,12 +259,13 @@ def adherents_server():
 ip6tables.filter.srv_out_adm('-p tcp --dport domain -j ACCEPT')
 ip6tables.filter.srv_out_adm('-p udp --dport domain -j ACCEPT')
 # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
- ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -m owner ! \
---uid-owner 0 -j REJECT --reject-with icmp-net-prohibited')
- ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -j ACCEPT')
+# ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -m owner ! \
+#--uid-owner 0 -j REJECT --reject-with icmp6-adm-prohibited')
+# ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -j ACCEPT')
+ ## A corriger, le nfs a pas l'air de faire de l'ipv6 de toute façon.
 # On arrête tout
- ip6tables.filter.srv_out_adm('-j REJECT --reject-with icmp-net-prohibited')
+ ip6tables.filter.srv_out_adm('-j REJECT --reject-with icmp6-adm-prohibited')
 def start():
 ''' Démarre le firewall sur la machine considérée '''
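Review bot: The NFS exception is commented out rather than removed, and the `## A corriger` marker does not say what now happens: with those rules gone, any IPv6 packet to nfs.adm.crans.org that matches no earlier ACCEPT in SRV_OUT_ADM falls through to the final `-j REJECT --reject-with icmp6-adm-prohibited`, so the change is fail-closed for NFS over IPv6. Delete the three commented lines (history keeps them) and replace the marker with a TODO that states this, e.g. `# TODO: NFS packets carry no owner and are currently rejected over IPv6; re-add an explicit rule if nfs.adm.crans.org ever serves IPv6.` The `icmp-net-prohibited` to `icmp6-adm-prohibited` switch is correct, since the ip6tables REJECT target does not accept the IPv4 reject types, so the old final rule would have been refused at load time. adherents_server starts before the hunk, and the body of start() runs past it.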