diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index 5dc48eac..98586a3b 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -933,10 +933,7 @@ class firewall_zamok(firewall_base):
 chain='ADMIN-VLAN'
 if table == 'filter':
- for user in adm_users:
- try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
- except KeyError: print "Utilisateur %s inconnu" % user
-
+ pretty_print(table, chain)
 # ldap et dns toujours joinable
 self.add(table, chain, '-p tcp --dport ldap -j ACCEPT')
 self.add(table, chain, '-p tcp --dport domain -j ACCEPT')
@@ -945,8 +942,16 @@ class firewall_zamok(firewall_base):
 # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
 self.add(table, chain, '-d daath.adm.crans.org -j ACCEPT')
+ for user in adm_users:
+ try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
+ except KeyError: print "Utilisateur %s inconnu" % user
+
+ for nounou in conn.search("droits=%s" % lc_ldap.attributs.nounou):
+ self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
+
 # Rien d'autre ne passe
 self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited')
+ print OK
 if apply:
 self.apply(table, chain)
@@ -963,12 +968,14 @@ class firewall_zamok(firewall_base):
 chain='BLACKLIST-OUTPUT'
 if table == 'filter':
- self.add(table, chain, '-d 127.0.0.1/8 -j ACCEPT')
+ pretty_print(table, chain)
+ self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
 for net in NETs['all']:
- self.add(table, chain, '-d %s -j ACCEPT' % net)
+ self.add(table, chain, '-d %s -j RETURN' % net)
 for adh in self.blacklisted_adherents():
 if 'uidNumber' in adh.attrs.keys():
 self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
+ print OK
 if apply:
 self.apply(table, chain)
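Review bot: In the second hunk the new nounou loop indexes `nounou['uidNumber'][0]` unguarded and formats it with `%s`, while the adm_users loop right above it uses `%d` (a guaranteed numeric token) and the blacklist loop in the third hunk first checks `'uidNumber' in adh.attrs.keys()`; one LDAP entry without a uidNumber would raise and abort generation of the whole ADMIN-VLAN chain, and a non-numeric value would land verbatim in an iptables argument. Assuming conn.search() returns the same entry type as blacklisted_adherents(), the loop body should read `if 'uidNumber' not in nounou.attrs.keys(): continue` followed by `self.add(table, chain, '-m owner --uid-owner %d -j RETURN' % int(nounou['uidNumber'][0]))`, so the rule is only emitted for a valid numeric uid. A one-line comment above the loop would also help the next reader, since RETURN here means a nounou escapes the final REJECT and the decision goes back to the calling chain, e.g. `# nounous: RETURN to the calling chain instead of hitting the final REJECT`. `print OK` relies on a module-level `OK` that is not visible in the hunk, and the enclosing method starts outside it.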
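Review bot: In the third hunk the switch from `-j ACCEPT` to `-j RETURN` for 127.0.0.1/8 and every net in NETs['all'] changes what BLACKLIST-OUTPUT means for that traffic and is undocumented: it is no longer accepted on the spot but handed back to the calling chain, so whether it is ultimately allowed now depends on the rules that follow the jump there, which are outside this hunk. Without a comment the next maintainer may read RETURN as a typo for ACCEPT and revert it; suggest adding above the loopback rule `# RETURN, not ACCEPT: local destinations are only exempt from the blacklist, the calling chain decides what happens to them`. The enclosing method starts outside the hunk.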