diff --git a/eole/era/2zones-amonecole-cuques.xml b/eole/era/3zones-amonecole-cuques.xml
similarity index 58%
rename from eole/era/2zones-amonecole-cuques.xml
rename to eole/era/3zones-amonecole-cuques.xml
index af58f434d03ab43fb84056e3c608589be5673360..7d11f36e077e7324f91af8d9d9467c270e39afd3 100644
--- a/eole/era/2zones-amonecole-cuques.xml
+++ b/eole/era/3zones-amonecole-cuques.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 
-<firewall name="/usr/share/era/modeles/2zones-amonecole-cuques.xml" model="/usr/share/era/modeles/2zones-amonecole.xml" version="2.42">
+<firewall name="/usr/share/era/modeles/3zones-amonecole-cuques.xml" model="/usr/share/era/modeles/3zones-amonecole.xml" version="2.42">
     <zones>
     </zones>
     <include>
@@ -54,10 +54,41 @@
             </descendantes>
         </flux>
 
-        <flux zoneA="bastion" zoneB="pedago">
+        <flux zoneA="bastion" zoneB="admin">
             <montantes default_policy="0">
                 <directive service="apt-cacher-ng" priority="40" action="2" attrs="0" mark_operator="None" mark_value="" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
-                    <source name="pedago"/>
+                    <source name="admin"/>
+                    <destination name="bastion"/>
+                </directive>
+            </montantes>
+            <descendantes default_policy="1">
+            </descendantes>
+        </flux>
+        <flux zoneA="bastion" zoneB="admin">
+            <montantes default_policy="0">
+                 <directive service="registry" priority="41" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
+                    <source name="admin"/>
+                    <destination name="partage_eth2"/>
+                </directive>
+            </montantes>
+            <descendantes default_policy="1">
+            </descendantes>
+        </flux>
+        <flux zoneA="bastion" zoneB="admin">
+            <montantes default_policy="0">
+                 <directive service="cups" priority="42" action="2" attrs="0" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
+                    <source name="admin"/>
+                    <destination name="partage_eth2"/>
+                </directive>
+            </montantes>
+            <descendantes default_policy="1">
+            </descendantes>
+        </flux>
+
+        <flux zoneA="bastion" zoneB="admin">
+            <montantes default_policy="0">
+                <directive service="apt-cacher-ng" priority="40" action="2" attrs="0" mark_operator="None" mark_value="" src_inv="0" dest_inv="0" serv_inv="0" libelle="pas de description" ipsec="0" accept="0">
+                    <source name="admin"/>
                     <destination name="bastion"/>
                 </directive>
             </montantes>
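Review bot: The last `<flux zoneA="bastion" zoneB="admin">` in this hunk repeats the first one exactly (same `apt-cacher-ng` directive, `priority="40"`, source `admin`, destination `bastion`), and the `pedago` flux that stood here is gone. If the second copy was meant to stay `<flux zoneA="bastion" zoneB="pedago">` with `<source name="pedago"/>`, the pedago zone has lost this rule in the 3-zone model, unless it is defined in a part of the file outside this hunk; if not, the duplicate should be dropped so the rule set stays auditable. The `registry` and `cups` directives each sit in their own `<flux>` for the same zone pair, so `default_policy` is declared four times; a single `<flux>` holding the three directives would state it once, though how era merges repeated fluxes is not visible from this page. Those two directives also omit `mark_operator="None" mark_value=""` and keep `libelle="pas de description"`, where a label such as `libelle="admin vers registry (partage_eth2)"` would document why the port is open. The final flux continues past the end of the hunk.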
diff --git a/eole/era/3zones-amonecole.xml b/eole/era/3zones-amonecole.xml
new file mode 100644
index 0000000000000000000000000000000000000000..513093d6b6b4c8bacdd4b2aba752c16c6bf12376
--- /dev/null
+++ b/eole/era/3zones-amonecole.xml
@@ -0,0 +1,902 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<firewall name="Concatenated_Do_Not_Edit" netbios="1" qos="0" version="2.42">
+    <zones>
+        <zone interface="%%nom_zone_eth0" ip="%%adresse_ip_eth0" level="10" name="exterieur" netmask="%%adresse_netmask_eth0" network="%%adresse_network_eth0" />
+        <zone interface="lo" ip="127.0.0.1" level="100" name="bastion" netmask="255.255.255.255" network="0.0.0.0" />
+    <zone interface="%%nom_zone_eth1" ip="%%adresse_ip_eth1" level="40" name="pedago" netmask="%%adresse_netmask_eth1" network="%%adresse_network_eth1" />
+    <zone interface="%%nom_zone_eth2" ip="%%adresse_ip_eth2" level="40" name="admin" netmask="%%adresse_netmask_eth2" network="%%adresse_network_eth2" />
+    </zones><include>
+
+    </include><services>
+        <service id="11" libelle="service 8500" name="8500" ports="8500" protocol="tcp" tcpwrapper="" />
+        <service id="46" libelle="Acces web aux agents Zéphir" name="agents_zephir" ports="8090" protocol="tcp" tcpwrapper="" />
+        <service id="6" libelle="serveur de noms" name="dns-tcp" ports="53" protocol="tcp" tcpwrapper="" />
+        <service id="7" libelle="serveur de noms" name="dns-udp" ports="53" protocol="udp" tcpwrapper="" />
+        <service id="36" libelle="ead" name="ead" ports="4200" protocol="tcp" tcpwrapper="" />
+        <service id="83" libelle="ead-server" name="ead-server" ports="4201" protocol="tcp" tcpwrapper="" />
+        <service id="84" libelle="ead-fichier" name="ead-fichier" ports="4202" protocol="tcp" tcpwrapper="" />
+        <service id="73" libelle="port EAD du Scribe avec reverse proxy" name="ead-scribe" ports="%%revprox_ead_port" protocol="tcp" tcpwrapper="" />
+        <service id="echo-reply" libelle="règle icmp echo-reply" name="echo-reply" ports="0" protocol="ICMP" tcpwrapper="" />
+        <service id="echo-request" libelle="règle icmp echo-request" name="echo-request" ports="0" protocol="ICMP" tcpwrapper="" />
+        <service id="45" libelle="Service Eole SSO" name="eole-sso" ports="%%eolesso_port" protocol="tcp" tcpwrapper="" />
+        <service id="79" libelle="Redirection du service EoleSSO" name="revprox-sso" ports="8443" protocol="tcp" tcpwrapper="" />
+        <service id="51" libelle="protocole pour ipsec" name="esp" ports="0" protocol="esp" tcpwrapper="" />
+        <service id="78" libelle="transfert de fichiers sur le port 21" name="ftp" ports="21" protocol="tcp" tcpwrapper="" />
+        <service id="26" libelle="transfert de fichiers" name="ftp-tcp" ports="20-21" protocol="tcp" tcpwrapper="" />
+        <service id="29" libelle="service ftps" name="ftps" ports="989-990" protocol="tcp" tcpwrapper="" />
+        <service id="3" libelle="serveur web" name="http" ports="80" protocol="tcp" tcpwrapper="" />
+        <service id="5" libelle="serveur web sécurisé" name="https" ports="443" protocol="tcp" tcpwrapper="" />
+        <service id="21" libelle="service imap" name="imap" ports="143" protocol="tcp" tcpwrapper="" />
+        <service id="23" libelle="service imap4-ssl" name="imap4-ssl" ports="993" protocol="tcp" tcpwrapper="" />
+        <service id="15" libelle="service irc" name="irc" ports="194" protocol="tcp" tcpwrapper="" />
+        <service id="16" libelle="service ircs" name="ircs" ports="994" protocol="tcp" tcpwrapper="" />
+        <service id="13" libelle="service ircu" name="ircu" ports="6665-6669" protocol="tcp" tcpwrapper="" />
+        <service id="53" libelle="protocole pour ipsec" name="isakmp_4500" ports="4500" protocol="udp" tcpwrapper="" />
+        <service id="52" libelle="protocol pour ipsec" name="isakmp_500" ports="500" protocol="udp" tcpwrapper="" />
+        <service id="22" libelle="service d'annuaire" name="ldap" ports="389" protocol="tcp" tcpwrapper="slapd" />
+        <service id="24" libelle="service ldaps" name="ldaps" ports="636" protocol="tcp" tcpwrapper="slapd" />
+        <service id="86" libelle="Connexion management for LTSP" name="ldm" ports="9571" protocol="tcp" tcpwrapper="" />
+        <service id="54" libelle="port d'accès &#224; l'application lightsquid" name="lightsquid" ports="%%lightsquid_port" protocol="tcp" tcpwrapper="" />
+        <service id="72" libelle="ltspfsd" name="ltspfsd" ports="9220" protocol="tcp" tcpwrapper="" />
+        <service id="15" libelle="service mdqs" name="mdqs" ports="666" protocol="tcp" tcpwrapper="" />
+        <service id="17" libelle="service msnp" name="msnp" ports="1863" protocol="tcp" tcpwrapper="" />
+        <service id="71" libelle="nbd-client" name="nbd-client" ports="2000" protocol="tcp" tcpwrapper="" />
+        <service id="85" libelle="Server NBD for Eclair" name="nbd-server" ports="10809" protocol="tcp" tcpwrapper="" />
+        <service id="32" libelle="nouvelles" name="news" ports="2009" protocol="tcp" tcpwrapper="" />
+        <service id="30" libelle="service nntp" name="nntp" ports="119" protocol="tcp" tcpwrapper="" />
+        <service id="31" libelle="service nntps" name="nntps" ports="563" protocol="tcp" tcpwrapper="" />
+        <service id="43" libelle="Serveur d'authentification NuFw" name="nuauth" ports="4129" protocol="tcp" tcpwrapper="" />
+        <service id="28" libelle="service pftp" name="pftp" ports="662" protocol="tcp" tcpwrapper="" />
+        <service id="20" libelle="service pop" name="pop" ports="110" protocol="tcp" tcpwrapper="" />
+        <service id="25" libelle="service pop3s" name="pop3s" ports="995" protocol="tcp" tcpwrapper="" />
+        <service id="60" libelle="" name="portmap" ports="111" protocol="tcp" tcpwrapper="" />
+        <service id="61" libelle="" name="lockd" ports="4005" protocol="tcp" tcpwrapper="" />
+        <service id="62" libelle="" name="mountd" ports="4003" protocol="tcp" tcpwrapper="" />
+        <service id="48" libelle="administration posh" name="posh-admin" ports="7070" protocol="tcp" tcpwrapper="" />
+        <service id="4" libelle="service proxy" name="proxy" ports="3128" protocol="tcp" tcpwrapper="" />
+        <service id="12" libelle="proxy" name="proxy-8080" ports="8080" protocol="tcp" tcpwrapper="" />
+        <service id="70" libelle="pulseaudio" name="pulseaudio" ports="16001" protocol="tcp" tcpwrapper="" />
+        <service id="64" libelle="protocole RELP pour rsyslog" name="rsyslog_RELP" ports="20514" protocol="tcp" tcpwrapper="" />
+        <service id="65" libelle="protocole TCP pour rsyslog" name="rsyslog_TCP" ports="10514" protocol="tcp" tcpwrapper="" />
+        <service id="66" libelle="protocole UDP pour rsyslog" name="rsyslog_UDP" ports="514" protocol="udp" tcpwrapper="" />
+        <service id="38" libelle="samba tcp" name="samba-tcp" ports="137-139" protocol="tcp" tcpwrapper="" />
+        <service id="37" libelle="samba" name="samba-udp" ports="137-139" protocol="udp" tcpwrapper="" />
+        <service id="39" libelle="samba3" name="samba3" ports="445" protocol="tcp" tcpwrapper="" />
+        <service id="45" libelle="" name="scribe-controlevnc" ports="8789-8790" protocol="tcp" tcpwrapper="" />
+        <service id="36" libelle="service scribe sur les clients" name="scribe-service" ports="8788" protocol="tcp" tcpwrapper="" />
+        <service id="40" libelle="vnc 5800" name="scribe_vnc1" ports="5800" protocol="tcp" tcpwrapper="" />
+        <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+        <service id="59" libelle="Serveur NFS" name="serveur_nfs" ports="2049" protocol="tcp" tcpwrapper="" />
+        <service id="27" libelle="service sftp" name="sftp" ports="115" protocol="tcp" tcpwrapper="" />
+        <service id="19" libelle="service mail" name="smtp" ports="25" protocol="tcp" tcpwrapper="" />
+        <service id="77" libelle="Service SMTP SSL" name="smtps" ports="465" protocol="tcp" tcpwrapper="" />
+        <service id="8" libelle="shell sécurisé" name="ssh" ports="22" protocol="tcp" tcpwrapper="sshd" />
+        <service id="58" libelle="serveur sympa internet" name="sympa-internet" ports="8787" protocol="tcp" tcpwrapper="" />
+        <service id="57" libelle="sympa domaine restreint" name="sympa-restreint" ports="8888" protocol="tcp" tcpwrapper="" />
+        <service id="18" libelle="service talk" name="talk" ports="517-518" protocol="tcp" tcpwrapper="" />
+        <service id="33" libelle="tous les ports en tcp" name="tcp" ports="0-65535" protocol="tcp" tcpwrapper="" />
+        <service id="tout" libelle="tous les services" name="tous" ports="0" protocol="TOUT" tcpwrapper="" />
+        <service id="34" libelle="tous les ports en udp" name="udp" ports="0-65535" protocol="udp" tcpwrapper="" />
+        <service id="9" libelle="appliquation web d'administration" name="webmin" ports="10000" protocol="tcp" tcpwrapper="" />
+        <service id="55" libelle="port 2eme instance de squid" name="proxy2" ports="%%proxy2_port" protocol="tcp" tcpwrapper="" />
+        <service id="56" libelle="serveur de temps" name="ntp" ports="123" protocol="udp" tcpwrapper="" />
+        <service id="63" libelle="Serveur jabber (XMPP)" name="xmpp" ports="5222" protocol="tcp" tcpwrapper="" />
+        <service id="81" libelle="Serveur jabber SSL (XMPP)" name="xmpp-ssl" ports="5223" protocol="tcp" tcpwrapper="" />
+        <service id="67" libelle="Proxy Cntlm" name="cntlm" ports="%%cntlm_port" protocol="tcp" tcpwrapper="" />
+        <service id="68" libelle="Accès &#224; gen_config depuis l'extérieur en https" name="gen_config" ports="7000" protocol="tcp" tcpwrapper="" />
+        <service id="70" libelle="" name="radius" ports="1812" protocol="udp" tcpwrapper="" />
+        <service id="74" libelle="" name="radius-acct" ports="1813" protocol="udp" tcpwrapper="" />
+        <service id="75" libelle="Accès aux serveurs TFTP" name="tftpd-hpa" ports="69" protocol="udp" tcpwrapper="in.tftpd" />
+        <service id="76" libelle="Interface CUPS" name="cups" ports="631" protocol="tcp" tcpwrapper="" />
+        <service id="82" libelle="Service d'impression Raw" name="raw" ports="9100" protocol="tcp" tcpwrapper="" />
+        <service id="80" libelle="Accès &#224; l'outil Gaspacho" name="gaspacho" ports="8080" protocol="tcp" tcpwrapper="" />
+        <groupe id="admin_amon" libelle="Port autorise pour l'administration distante d'Amon (ssh, ead, agents zephir)">
+            <service id="46" libelle="Acces web aux agents Zéphir" name="agents_zephir" ports="8090" protocol="tcp" tcpwrapper="" />
+            <service id="36" libelle="ead" name="ead" ports="4200" protocol="tcp" tcpwrapper="" />
+            <service id="54" libelle="port d'accès &#224; l'application lightsquid" name="lightsquid" ports="%%lightsquid_port" protocol="tcp" tcpwrapper="" />
+            <service id="echo-request" libelle="règle icmp echo-request" name="echo-request" ports="0" protocol="ICMP" tcpwrapper="" />
+        </groupe>
+        <groupe id="ead_server" libelle="Ports autorises pour l'administration distante d'Amon (backend ead)">
+            <service id="83" libelle="ead-server" name="ead-server" ports="4201" protocol="tcp" tcpwrapper="" />
+            <service id="84" libelle="ead-fichier" name="ead-fichier" ports="4202" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="dns" libelle="dns tcp et udp">
+            <service id="7" libelle="serveur de noms" name="dns-udp" ports="53" protocol="udp" tcpwrapper="" />
+            <service id="6" libelle="serveur de noms" name="dns-tcp" ports="53" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="eclair-dmz" libelle="Eclair en DMZ">
+            <service id="72" libelle="ltspfsd" name="ltspfsd" ports="9220" protocol="tcp" tcpwrapper="" />
+            <service id="71" libelle="nbd-client" name="nbd-client" ports="2000" protocol="tcp" tcpwrapper="" />
+            <service id="70" libelle="pulseaudio" name="pulseaudio" ports="16001" protocol="tcp" tcpwrapper="" />
+            <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_forum" libelle="interdire l'utilisation des forums">
+            <service id="30" libelle="service nntp" name="nntp" ports="119" protocol="tcp" tcpwrapper="" />
+            <service id="31" libelle="service nntps" name="nntps" ports="563" protocol="tcp" tcpwrapper="" />
+            <service id="32" libelle="nouvelles" name="news" ports="2009" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_ftp" libelle="">
+            <service id="26" libelle="transfert de fichiers" name="ftp-tcp" ports="20-21" protocol="tcp" tcpwrapper="" />
+            <service id="29" libelle="service ftps" name="ftps" ports="989-990" protocol="tcp" tcpwrapper="" />
+            <service id="28" libelle="service pftp" name="pftp" ports="662" protocol="tcp" tcpwrapper="" />
+            <service id="27" libelle="service sftp" name="sftp" ports="115" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_irc" libelle="interdire l'utilisation des dialogues en direct (icq)">
+            <service id="18" libelle="service talk" name="talk" ports="517-518" protocol="tcp" tcpwrapper="" />
+            <service id="17" libelle="service msnp" name="msnp" ports="1863" protocol="tcp" tcpwrapper="" />
+            <service id="15" libelle="service mdqs" name="mdqs" ports="666" protocol="tcp" tcpwrapper="" />
+            <service id="16" libelle="service ircs" name="ircs" ports="994" protocol="tcp" tcpwrapper="" />
+            <service id="15" libelle="service irc" name="irc" ports="194" protocol="tcp" tcpwrapper="" />
+            <service id="13" libelle="service ircu" name="ircu" ports="6665-6669" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_messagerie" libelle="interdire l'utilisation des dialogues en direct (icq)">
+            <service id="21" libelle="service imap" name="imap" ports="143" protocol="tcp" tcpwrapper="" />
+            <service id="23" libelle="service imap4-ssl" name="imap4-ssl" ports="993" protocol="tcp" tcpwrapper="" />
+            <service id="22" libelle="service d'annuaire" name="ldap" ports="389" protocol="tcp" tcpwrapper="slapd" />
+            <service id="24" libelle="service ldaps" name="ldaps" ports="636" protocol="tcp" tcpwrapper="slapd" />
+            <service id="20" libelle="service pop" name="pop" ports="110" protocol="tcp" tcpwrapper="" />
+            <service id="25" libelle="service pop3s" name="pop3s" ports="995" protocol="tcp" tcpwrapper="" />
+            <service id="19" libelle="service mail" name="smtp" ports="25" protocol="tcp" tcpwrapper="" />
+            <service id="77" libelle="Service SMTP SSL" name="smtps" ports="465" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_smtp" libelle="smtp et smtps">
+            <service id="19" libelle="service mail" name="smtp" ports="25" protocol="tcp" tcpwrapper="" />
+            <service id="77" libelle="Service SMTP SSL" name="smtps" ports="465" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_pop" libelle="pop3 et pop3s">
+            <service id="20" libelle="service pop" name="pop" ports="110" protocol="tcp" tcpwrapper="" />
+            <service id="25" libelle="service pop3s" name="pop3s" ports="995" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_imap" libelle="imap et imap-ssl">
+            <service id="21" libelle="service imap" name="imap" ports="143" protocol="tcp" tcpwrapper="" />
+            <service id="23" libelle="service imap4-ssl" name="imap4-ssl" ports="993" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_redirection" libelle="Protocoles a rediriger vers le proxy">
+            <service id="3" libelle="serveur web" name="http" ports="80" protocol="tcp" tcpwrapper="" />
+            <service id="4" libelle="service proxy" name="proxy" ports="3128" protocol="tcp" tcpwrapper="" />
+            <service id="12" libelle="proxy" name="proxy-8080" ports="8080" protocol="tcp" tcpwrapper="" />
+            <service id="5" libelle="serveur web sécurisé" name="https" ports="443" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_redirection_proxy" libelle="Protocoles proxy a rediriger vers le proxy">
+            <service id="4" libelle="service proxy" name="proxy" ports="3128" protocol="tcp" tcpwrapper="" />
+            <service id="12" libelle="proxy" name="proxy-8080" ports="8080" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_redirection_http" libelle="Protocoles http a rediriger vers le proxy">
+            <service id="3" libelle="serveur web" name="http" ports="80" protocol="tcp" tcpwrapper="" />
+            <service id="4" libelle="service proxy" name="proxy" ports="3128" protocol="tcp" tcpwrapper="" />
+            <service id="12" libelle="proxy" name="proxy-8080" ports="8080" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_redirection_https" libelle="Https a redifiger vers le proxy">
+            <service id="5" libelle="serveur web sécurisé" name="https" ports="443" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_restreint" libelle="on ferme tout sauf l'utilisation du web par le proxy">
+            <service id="33" libelle="tous les ports en tcp" name="tcp" ports="0-65535" protocol="tcp" tcpwrapper="" />
+            <service id="34" libelle="tous les ports en udp" name="udp" ports="0-65535" protocol="udp" tcpwrapper="" />
+        </groupe>
+        <groupe id="ipsec" libelle="Services utilises pas ipsec">
+            <service id="51" libelle="protocole pour ipsec" name="esp" ports="0" protocol="esp" tcpwrapper="" />
+            <service id="53" libelle="protocole pour ipsec" name="isakmp_4500" ports="4500" protocol="udp" tcpwrapper="" />
+            <service id="52" libelle="protocol pour ipsec" name="isakmp_500" ports="500" protocol="udp" tcpwrapper="" />
+        </groupe>
+        <groupe id="nfs" libelle="Serveur NFS + portmap">
+            <service id="60" libelle="" name="portmap" ports="111" protocol="tcp" tcpwrapper="" />
+            <service id="61" libelle="" name="lockd" ports="4005" protocol="tcp" tcpwrapper="" />
+            <service id="62" libelle="" name="mountd" ports="4003" protocol="tcp" tcpwrapper="" />
+            <service id="59" libelle="Serveur NFS" name="serveur_nfs" ports="2049" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="samba" libelle="samba proto">
+            <service id="37" libelle="samba" name="samba-udp" ports="137-139" protocol="udp" tcpwrapper="" />
+            <service id="38" libelle="samba tcp" name="samba-tcp" ports="137-139" protocol="tcp" tcpwrapper="" />
+            <service id="39" libelle="samba3" name="samba3" ports="445" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="scribe-dmz-pedago" libelle="service Scribe DMZ vers pedago">
+            <service id="38" libelle="samba tcp" name="samba-tcp" ports="137-139" protocol="tcp" tcpwrapper="" />
+            <service id="37" libelle="samba" name="samba-udp" ports="137-139" protocol="udp" tcpwrapper="" />
+            <service id="39" libelle="samba3" name="samba3" ports="445" protocol="tcp" tcpwrapper="" />
+            <service id="36" libelle="service scribe sur les clients" name="scribe-service" ports="8788" protocol="tcp" tcpwrapper="" />
+            <service id="40" libelle="vnc 5800" name="scribe_vnc1" ports="5800" protocol="tcp" tcpwrapper="" />
+            <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+            <service id="76" libelle="Interface CUPS" name="cups" ports="631" protocol="tcp" tcpwrapper="" />
+            <service id="82" libelle="Service d'impression Raw" name="raw" ports="9100" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="scribe-pedago-dmz" libelle="client scribe vers la DMZ">
+            <service id="22" libelle="service d'annuaire" name="ldap" ports="389" protocol="tcp" tcpwrapper="slapd" />
+            <service id="24" libelle="service ldaps" name="ldaps" ports="636" protocol="tcp" tcpwrapper="slapd" />
+            <service id="38" libelle="samba tcp" name="samba-tcp" ports="137-139" protocol="tcp" tcpwrapper="" />
+            <service id="37" libelle="samba" name="samba-udp" ports="137-139" protocol="udp" tcpwrapper="" />
+            <service id="39" libelle="samba3" name="samba3" ports="445" protocol="tcp" tcpwrapper="" />
+            <service id="45" libelle="" name="scribe-controlevnc" ports="8789-8790" protocol="tcp" tcpwrapper="" />
+            <service id="40" libelle="vnc 5800" name="scribe_vnc1" ports="5800" protocol="tcp" tcpwrapper="" />
+            <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="scribe-dmz-admin" libelle="service Scribe DMZ vers admin">
+            <service id="38" libelle="samba tcp" name="samba-tcp" ports="137-139" protocol="tcp" tcpwrapper="" />
+            <service id="37" libelle="samba" name="samba-udp" ports="137-139" protocol="udp" tcpwrapper="" />
+            <service id="39" libelle="samba3" name="samba3" ports="445" protocol="tcp" tcpwrapper="" />
+            <service id="36" libelle="service scribe sur les clients" name="scribe-service" ports="8788" protocol="tcp" tcpwrapper="" />
+            <service id="40" libelle="vnc 5800" name="scribe_vnc1" ports="5800" protocol="tcp" tcpwrapper="" />
+            <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+            <service id="76" libelle="Interface CUPS" name="cups" ports="631" protocol="tcp" tcpwrapper="" />
+            <service id="82" libelle="Service d'impression Raw" name="raw" ports="9100" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="scribe-admin-dmz" libelle="client scribe vers la DMZ">
+            <service id="22" libelle="service d'annuaire" name="ldap" ports="389" protocol="tcp" tcpwrapper="slapd" />
+            <service id="24" libelle="service ldaps" name="ldaps" ports="636" protocol="tcp" tcpwrapper="slapd" />
+            <service id="38" libelle="samba tcp" name="samba-tcp" ports="137-139" protocol="tcp" tcpwrapper="" />
+            <service id="37" libelle="samba" name="samba-udp" ports="137-139" protocol="udp" tcpwrapper="" />
+            <service id="39" libelle="samba3" name="samba3" ports="445" protocol="tcp" tcpwrapper="" />
+            <service id="45" libelle="" name="scribe-controlevnc" ports="8789-8790" protocol="tcp" tcpwrapper="" />
+            <service id="40" libelle="vnc 5800" name="scribe_vnc1" ports="5800" protocol="tcp" tcpwrapper="" />
+            <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="scribe-posh" libelle="Ouverture des ports pour l'utilisation de nginx pour Posh">
+            <service id="3" libelle="serveur web" name="http" ports="80" protocol="tcp" tcpwrapper="" />
+            <service id="5" libelle="serveur web sécurisé" name="https" ports="443" protocol="tcp" tcpwrapper="" />
+            <service id="48" libelle="administration posh" name="posh-admin" ports="7070" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="scribe_ext" libelle="services extranet scribe ">
+            <service id="26" libelle="transfert de fichiers" name="ftp-tcp" ports="20-21" protocol="tcp" tcpwrapper="" />
+            <service id="5" libelle="serveur web sécurisé" name="https" ports="443" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="sympa" libelle="serveur sympa">
+            <service id="58" libelle="serveur sympa internet" name="sympa-internet" ports="8787" protocol="tcp" tcpwrapper="" />
+            <service id="57" libelle="sympa domaine restreint" name="sympa-restreint" ports="8888" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="vnc" libelle="vnc">
+            <service id="40" libelle="vnc 5800" name="scribe_vnc1" ports="5800" protocol="tcp" tcpwrapper="" />
+            <service id="41" libelle="vnc 5900" name="scribe_vnc2" ports="5900" protocol="tcp" tcpwrapper="" />
+        </groupe>
+        <groupe id="gr_radius" libelle="Serveur radius (UDP)">
+            <service id="70" libelle="" name="radius" ports="1812" protocol="udp" tcpwrapper="" />
+            <service id="74" libelle="" name="radius-acct" ports="1813" protocol="udp" tcpwrapper="" />
+        </groupe>
+        <groupe id="amonecole-eclair" libelle="LTSP services">
+            <service id="86" libelle="Connexion management for LTSP" name="ldm" ports="9571" protocol="tcp" tcpwrapper="" />
+            <service id="85" libelle="Server NBD for Eclair" name="nbd-server" ports="10809" protocol="tcp" tcpwrapper="" />
+            <service id="8" libelle="shell sécurisé" name="ssh" ports="22" protocol="tcp" tcpwrapper="sshd" />
+        </groupe>
+        <groupe id="amonecole-eclair-partage" libelle="Services in partage container for Eclair">
+            <service id="75" libelle="Accès aux serveurs TFTP" name="tftpd-hpa" ports="69" protocol="udp" tcpwrapper="in.tftpd" />
+        </groupe>
+    </services><extremites>
+        <extremite container="" interface="" libelle="Zone entière" name="exterieur" netmask="%%adresse_netmask_eth0" subnet="1" type="" zone="exterieur">
+            <ip address="%%adresse_ip_eth0" />
+        </extremite>
+        <extremite container="" interface="" libelle="zone restreinte" name="exterieur_restreint" netmask="%%adresse_netmask_eth0" subnet="1" type="" zone="exterieur">
+            <ip address="%%adresse_network_eth0" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a se connecter a ssh" name="exterieur_ssh" netmask="%%netmask_ssh_eth0" subnet="1" type="" zone="exterieur">
+            <ip address="%%ip_ssh_eth0" />
+        </extremite>
+        <extremite container="" interface="" libelle="Zone entière" name="bastion" netmask="255.255.255.255" subnet="1" type="" zone="bastion">
+            <ip address="127.0.0.1" />
+        </extremite>
+        <extremite container="" interface="eth0" libelle="Bastion sur la zone exterieur" name="bastion_exterieur" netmask="255.255.255.255" subnet="0" type="normal" zone="bastion">
+            <ip address="%%adresse_ip_eth0" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a administrer depuis l'exterieur" name="exterieur_admin" netmask="%%netmask_admin_eth0" subnet="1" type="" zone="exterieur">
+            <ip address="%%ip_admin_eth0" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a acceder au backend EAD depuis l'exterieur" name="exterieur_backend_ead" netmask="%%netmask_frontend_ead_distant_eth0" subnet="1" type="" zone="exterieur">
+            <ip address="%%ip_frontend_ead_distant_eth0" />
+        </extremite>
+        <extremite container="" interface="" libelle="IP de bastion sur la zone exterieur" name="exterieur_bastion" netmask="255.255.255.255" subnet="0" type="" zone="exterieur">
+            <ip address="%%adresse_ip_eth0" />
+        </extremite>
+        <extremite container="internet" interface="containers" libelle="conteneur internet" name="internet" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%container_ip_internet" />
+        </extremite>
+    <extremite container="" interface="" libelle="reseau autorise a se connecter a ssh depuis le reseau pedagogique" name="pedago_ssh" netmask="%%netmask_ssh_eth1" subnet="1" type="" zone="pedago">
+            <ip address="%%ip_ssh_eth1" />
+        </extremite>
+        <extremite container="" interface="" libelle="" name="pedago_bastion" netmask="255.255.255.255" subnet="0" type="" zone="exterieur">
+            <ip address="%%adresse_ip_eth1" />
+        </extremite>
+        <extremite container="" interface="" libelle="zone restreinte" name="pedago_restreint" netmask="%%adresse_netmask_eth1" subnet="1" type="" zone="pedago">
+            <ip address="%%adresse_network_eth1" />
+        </extremite>
+        <extremite container="" interface="" libelle="Zone entière" name="pedago" netmask="%%adresse_netmask_eth1" subnet="1" type="" zone="pedago">
+            <ip address="%%adresse_ip_eth1" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a administrer depuis le reseau pedagogique" name="pedago_admin" netmask="%%netmask_admin_eth1" subnet="1" type="" zone="pedago">
+            <ip address="%%ip_admin_eth1" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a acceder au backend EAD depuis le reseau pedagogique" name="pedago_backend_ead" netmask="%%netmask_frontend_ead_distant_eth1" subnet="1" type="" zone="pedago">
+            <ip address="%%ip_frontend_ead_distant_eth1" />
+        </extremite>
+        <extremite container="internet" interface="eth1" libelle="eth1 dans le conteneur internet" name="internet_eth1" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%adresse_ip_eth1_proxy_link" />
+        </extremite>
+
+        <extremite container="" interface="" libelle="reseau autorise a se connecter a ssh depuis le reseau administratif" name="admin_ssh" netmask="%%netmask_ssh_eth2" subnet="1" type="" zone="admin">
+            <ip address="%%ip_ssh_eth2" />
+        </extremite>
+        <extremite container="" interface="" libelle="" name="admin_bastion" netmask="255.255.255.255" subnet="0" type="" zone="exterieur">
+            <ip address="%%adresse_ip_eth2" />
+        </extremite>
+        <extremite container="" interface="" libelle="zone restreinte" name="admin_restreint" netmask="%%adresse_netmask_eth2" subnet="1" type="" zone="admin">
+            <ip address="%%adresse_network_eth2" />
+        </extremite>
+        <extremite container="" interface="" libelle="Zone entière" name="admin" netmask="%%adresse_netmask_eth2" subnet="1" type="" zone="admin">
+            <ip address="%%adresse_ip_eth2" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a administrer depuis le reseau administratif" name="admin_admin" netmask="%%netmask_admin_eth2" subnet="1" type="" zone="admin">
+            <ip address="%%ip_admin_eth2" />
+        </extremite>
+        <extremite container="" interface="" libelle="reseau autorise a acceder au backend EAD depuis le reseau administratif" name="admin_backend_ead" netmask="%%netmask_frontend_ead_distant_eth2" subnet="1" type="" zone="admin">
+            <ip address="%%ip_frontend_ead_distant_eth2" />
+        </extremite>
+        <extremite container="internet" interface="eth2" libelle="eth2 dans le conteneur internet" name="internet_eth2" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%adresse_ip_eth2_proxy_link" />
+        </extremite>
+
+    <extremite container="" interface="" libelle="clients de l'agrégateur de logs en udp" name="clients_udp_rsyslog" netmask="%%netmask_client_logs_udp" subnet="0" type="" zone="exterieur">
+            <ip address="%%adresses_ip_clients_logs_udp" />
+        </extremite>
+        <extremite container="" interface="" libelle="clients de l'agrégateur de logs en tcp" name="clients_tcp_rsyslog" netmask="%%netmask_client_logs_tcp" subnet="0" type="" zone="exterieur">
+            <ip address="%%adresses_ip_clients_logs_tcp" />
+        </extremite>
+        <extremite container="" interface="" libelle="clients de l'agrégateur de logs en relp" name="clients_relp_rsyslog" netmask="%%netmask_client_logs_relp" subnet="0" type="" zone="exterieur">
+            <ip address="%%adresses_ip_clients_logs_relp" />
+        </extremite>
+    <extremite container="partage" interface="eth1" libelle="eth1 dans le conteneur partage" name="partage_eth1" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%adresse_ip_fichier_link" />
+        </extremite>
+        <extremite container="partage" interface="eth1" libelle="broadcast eth1 dans le conteneur partage" name="partage_eth1_broadcast" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%adresse_bcast_eth1_proxy_link" />
+        </extremite>
+        <extremite container="" interface="" libelle="Client NFS" name="client_nfs" netmask="255.255.255.255" subnet="0" type="normal" zone="pedago">
+            <ip address="%%adresses_ip_clients_nfs" />
+        </extremite>
+        <extremite container="partage" interface="containers" libelle="conteneur partage" name="partage" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%container_ip_partage" />
+        </extremite>
+        <extremite container="reseau" interface="containers" libelle="conteneur reseau" name="reseau" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%container_ip_reseau" />
+        </extremite>
+        <extremite container="bdd" interface="containers" libelle="conteneur bdd" name="bdd" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%container_ip_bdd" />
+        </extremite>
+        <extremite container="ltspserver" interface="containers" libelle="LTSP on internal bridge" name="ltspserver" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%container_ip_ltspserver" />
+        </extremite>
+        <extremite container="ltspserver" interface="eth0" libelle="LTSP server" name="ltspserver_eth0" netmask="255.255.255.255" subnet="0" type="conteneur" zone="bastion">
+            <ip address="%%adresse_ip_eclair_link" />
+        </extremite>
+    </extremites><ranges>
+        </ranges><user_groups>
+        </user_groups><applications>
+        </applications><qosclasses download="" upload="">
+        </qosclasses><flux-list>
+        <flux zoneA="bastion" zoneB="exterieur">
+            <montantes default_policy="0">
+            <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="ouverture de posh a travers de nginx" priority="1" serv_inv="0" service="scribe-posh" src_inv="0" tag="ActiverNGINX">
+                    <source name="exterieur" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="ouverture de l'EAD Scribe a travers de nginx" priority="2" serv_inv="0" service="ead-scribe" src_inv="0" tag="ead_scribe">
+                    <source name="exterieur" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="ssh exterieur vers Amon" priority="3" serv_inv="0" service="ssh" src_inv="0" tag="SSHDepuisEth0">
+                    <source name="exterieur_ssh" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="administration exterieure vers Amon" priority="4" serv_inv="0" service="admin_amon" src_inv="0" tag="AdminDepuisEth0">
+                    <source name="exterieur_admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Acces backend EAD exterieure vers Amon" priority="5" serv_inv="0" service="ead_server" src_inv="0" tag="BackendEADDepuisEth0">
+                    <source name="exterieur_backend_ead" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="administration exterieure vers Amon" priority="6" serv_inv="0" service="lightsquid" src_inv="0" tag="lightsquid0">
+                    <source name="exterieur_admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="7" serv_inv="0" service="eole-sso" src_inv="0" tag="eole_sso">
+                    <source name="exterieur" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="redirection du service EoleSSO par le proxy inverse" priority="8" serv_inv="0" service="revprox-sso" src_inv="0" tag="revprox_sso">
+                    <source name="exterieur" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autoriser ipsec" priority="9" serv_inv="0" service="ipsec" src_inv="0">
+                    <source name="exterieur" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="gen_config exterieur vers Amon" priority="10" serv_inv="0" service="gen_config" src_inv="0" tag="SSHDepuisEth0">
+                    <source name="exterieur_ssh" />
+                    <destination name="bastion" />
+                </directive>
+            <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="11" serv_inv="0" service="rsyslog_RELP" src_inv="0" tag="ClientRsyslogRELP">
+                    <source name="clients_relp_rsyslog" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="12" serv_inv="0" service="rsyslog_TCP" src_inv="0" tag="ClientRsyslogTCP">
+                    <source name="clients_tcp_rsyslog" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="13" serv_inv="0" service="rsyslog_UDP" src_inv="0" tag="ClientRsyslogUDP">
+                    <source name="clients_udp_rsyslog" />
+                    <destination name="bastion" />
+                </directive>
+            <directive accept="0" action="2" attrs="1" dest_inv="0" ipsec="0" libelle="autoriser la reception des mails depuis exterieur" priority="14" serv_inv="0" service="smtp" src_inv="0" tag="autoriser la reception des mails depuis exterieur">
+                    <source name="exterieur" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="interface web sympa" priority="15" serv_inv="0" service="sympa-internet" src_inv="0" tag="AdminDepuisEth0">
+                    <source name="exterieur_admin" />
+                    <destination name="reseau" />
+                </directive>
+            </montantes>
+            <descendantes default_policy="1">
+            </descendantes>
+        </flux>
+    <flux zoneA="exterieur" zoneB="pedago">
+            <montantes default_policy="0">
+            </montantes>
+            <descendantes default_policy="1">
+                <directive accept="0" action="16" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" nat_extr="exterieur_bastion" nat_port="0" priority="1" serv_inv="0" service="tous" src_inv="0">
+                    <source name="pedago_restreint" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="pedago -&gt; exterieur : interdire les protocoles de news, forums ..." priority="2" serv_inv="0" service="gr_forum" src_inv="0" tag="Interdiction des forums">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="Interdire les connexions FTP" priority="3" serv_inv="0" service="gr_ftp" src_inv="0" tag="Interdire les connexions FTP">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="pedago -&gt; exterieur : interdire les protocoles de discussion en ligne (irc ...)" priority="4" serv_inv="0" service="gr_irc" src_inv="0" tag="Interdire l'utilisation des dialogues en direct">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="pedago -&gt; exterieur : interdire les protocoles de messagerie (pop, imap ...)" priority="5" serv_inv="0" service="gr_messagerie" src_inv="0" tag="Interdiction des protocoles de messagerie">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="pedago -&gt; exterieur : tout interdire (sauf le web via le proxy)" priority="6" serv_inv="0" service="gr_restreint" src_inv="0" tag="Internet restreint">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux http avec proxy alternatif" nat_port="3128" priority="7" serv_inv="0" service="gr_redirection_proxy" src_inv="0" tag="ProxyBypass1">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" ip="" name="" src="0" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth1" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="1" ipsec="0" libelle="Redirection des flux http sans proxy" nat_port="81" priority="8" serv_inv="0" service="http" src_inv="0" tag="ProxyBypass1">
+                    <source name="pedago" />
+                    <destination name="exterieur_bastion" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" ip="" name="" src="0" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth1" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" nat_port="82" priority="9" serv_inv="0" service="gr_redirection_https" src_inv="0" tag="ProxyBypass1">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_network_eth1/%%calc_classe(%%proxy_bypass_netmask_eth1)" ip="" name="" src="0" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth1" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux http avec proxy alternatif" nat_port="3128" priority="10" serv_inv="0" service="gr_redirection_proxy" src_inv="0" tag="ForceProxy1">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth1" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="1" ipsec="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" nat_port="81" priority="11" serv_inv="0" service="http" src_inv="0" tag="ForceProxy1">
+                    <source name="pedago" />
+                    <destination name="exterieur_bastion" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth1" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" nat_port="82" priority="12" serv_inv="0" service="gr_redirection_https" src_inv="0" tag="ForceProxy1">
+                    <source name="pedago" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth1/%%calc_classe(%%proxy_bypass_src_netmask_eth1)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth1" ip="" name="" src="0" />
+                </directive>
+            </descendantes>
+        </flux>
+        <flux zoneA="bastion" zoneB="pedago">
+            <montantes default_policy="0">
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="ssh pedago vers Amon" priority="1" serv_inv="0" service="ssh" src_inv="0" tag="SSHDepuisEth1">
+                    <source name="pedago_ssh" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="administration pedago vers Amon" priority="2" serv_inv="0" service="admin_amon" src_inv="0" tag="AdminDepuisEth1">
+                    <source name="pedago_admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="administration pedago vers Amon" priority="3" serv_inv="0" service="lightsquid" src_inv="0" tag="lightsquid1">
+                    <source name="pedago_admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="4" serv_inv="0" service="dns-tcp" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="internet_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="5" serv_inv="0" service="dns-udp" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="internet_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="autoriser l'acces a Nuauth" priority="6" serv_inv="0" service="nuauth" src_inv="0" tag="auth_nufw">
+                    <source name="pedago" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="7" serv_inv="0" service="eole-sso" src_inv="0" tag="eole_sso">
+                    <source name="pedago" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="8" serv_inv="0" service="proxy" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="internet_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="9" serv_inv="0" service="proxy2" src_inv="0" tag="Activer squid2">
+                    <source name="pedago" />
+                    <destination name="internet_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="10" serv_inv="0" service="cntlm" src_inv="0" tag="cntlm">
+                    <source name="pedago" />
+                    <destination name="internet_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="gen_config pedago vers Amon" priority="11" serv_inv="0" service="gen_config" src_inv="0" tag="SSHDepuisEth1">
+                    <source name="pedago_ssh" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Acces backend EAD pedago vers Amon" priority="12" serv_inv="0" service="ead_server" src_inv="0" tag="BackendEADDepuisEth1">
+                    <source name="pedago_backend_ead" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="raduis admin vers Amon" priority="13" serv_inv="0" service="gr_radius" src_inv="0" tag="ActiverRadiuseth1">
+                    <source name="pedago" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autorisation reverse proxy + WPAD" priority="14" serv_inv="0" service="http" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="bastion_exterieur" />
+                </directive>
+				<directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autoriser ntp depuis pedago" priority="15" serv_inv="0" service="ntp" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="bastion" />
+                </directive>
+            <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="16" serv_inv="0" service="ldap" src_inv="0" tag="activer_ldap">
+                    <source name="pedago" />
+                    <destination name="bdd" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="17" serv_inv="0" service="ldaps" src_inv="0" tag="activer_ldaps">
+                    <source name="pedago" />
+                    <destination name="bdd" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="interface web sympa" priority="18" serv_inv="0" service="sympa-internet" src_inv="0" tag="AdminDepuisEth1">
+                    <source name="pedago_admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="interface web sympa" priority="19" serv_inv="0" service="sympa-restreint" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Activer NFS depuis les clients" priority="20" serv_inv="0" service="nfs" src_inv="0" tag="activer_nfs">
+                    <source name="client_nfs" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="21" serv_inv="0" service="imap" src_inv="0" tag="activer_courrier_imap">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="22" serv_inv="0" service="imap4-ssl" src_inv="0" tag="activer_courrier_imap">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="23" serv_inv="0" service="pop" src_inv="0" tag="activer_courrier_pop">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="24" serv_inv="0" service="pop3s" src_inv="0" tag="activer_courrier_pop">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="25" serv_inv="0" service="smtp" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="26" serv_inv="0" service="smtps" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="27" serv_inv="0" service="xmpp" src_inv="0" tag="activer_xmpp">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="28" serv_inv="0" service="xmpp-ssl" src_inv="0" tag="activer_xmpp">
+                    <source name="pedago" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="29" serv_inv="0" service="tftpd-hpa" src_inv="0" tag="activer_tftp">
+                    <source name="pedago" />
+                    <destination name="bdd" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="interface web CUPS" priority="30" serv_inv="0" service="cups" src_inv="0" tag="activer_cups1">
+                    <source name="pedago_admin" />
+                    <destination name="partage_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="31" serv_inv="0" service="scribe-controlevnc" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="partage_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="32" serv_inv="0" service="ftp" src_inv="0" tag="activer_proftpd">
+                    <source name="pedago" />
+                    <destination name="partage_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="33" serv_inv="0" service="samba" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="partage_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="34" serv_inv="0" service="samba" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="partage_eth1_broadcast" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autorise le ping vers le conteneur" priority="35" serv_inv="0" service="echo-request" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="partage_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autorise le ping vers le conteneur" priority="36" serv_inv="0" service="echo-request" src_inv="0">
+                    <source name="pedago" />
+                    <destination name="internet_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Autoriser l'accès &#224; Gaspacho" priority="37" serv_inv="0" service="gaspacho" src_inv="0" tag="GaspachoEth1">
+                    <source name="pedago" />
+                    <destination name="partage_eth1" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Open Eclair ports on AmonEcole" priority="38" serv_inv="0" service="amonecole-eclair" src_inv="0" tag="activer_eclair_amonecole">
+                    <source name="pedago" />
+                    <destination name="ltspserver_eth0" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Open Gaspacho and TFTPD for Eclair on AmonEcole" priority="39" serv_inv="0" service="amonecole-eclair-partage" src_inv="0" tag="activer_eclair_amonecole">
+                    <source name="pedago" />
+                    <destination name="partage_eth1" />
+                </directive>
+            </montantes>
+            <descendantes default_policy="1">
+            </descendantes>
+        </flux>
+
+        <flux zoneA="exterieur" zoneB="admin">
+            <montantes default_policy="0">
+            </montantes>
+            <descendantes default_policy="1">
+                <directive accept="0" action="16" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" nat_extr="exterieur_bastion" nat_port="0" priority="1" serv_inv="0" service="tous" src_inv="0">
+                    <source name="admin_restreint" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="admin -&gt; exterieur : interdire les protocoles de news, forums ..." priority="2" serv_inv="0" service="gr_forum" src_inv="0" tag="Interdiction des forums">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="Interdire les connexions FTP" priority="3" serv_inv="0" service="gr_ftp" src_inv="0" tag="Interdire les connexions FTP">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="admin -&gt; exterieur : interdire les protocoles de discussion en ligne (irc ...)" priority="4" serv_inv="0" service="gr_irc" src_inv="0" tag="Interdire l'utilisation des dialogues en direct">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="admin -&gt; exterieur : interdire les protocoles de messagerie (pop, imap ...)" priority="5" serv_inv="0" service="gr_messagerie" src_inv="0" tag="Interdiction des protocoles de messagerie">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                </directive>
+                <!--
+                <directive accept="0" action="1" attrs="1" dest_inv="0" ipsec="0" libelle="admin -&gt; exterieur : tout interdire (sauf le web via le proxy)" priority="6" serv_inv="0" service="gr_restreint" src_inv="0" tag="Internet restreint">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux http avec proxy alternatif" nat_port="3128" priority="7" serv_inv="0" service="gr_redirection_proxy" src_inv="0" tag="ProxyBypass1">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" ip="" name="" src="0" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth2" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="1" ipsec="0" libelle="Redirection des flux http sans proxy" nat_port="81" priority="8" serv_inv="0" service="http" src_inv="0" tag="ProxyBypass1">
+                    <source name="admin" />
+                    <destination name="exterieur_bastion" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" ip="" name="" src="0" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth2" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" nat_port="82" priority="9" serv_inv="0" service="gr_redirection_https" src_inv="0" tag="ProxyBypass1">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_network_eth2/%%calc_classe(%%proxy_bypass_netmask_eth2)" ip="" name="" src="0" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth2" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux http avec proxy alternatif" nat_port="3128" priority="10" serv_inv="0" service="gr_redirection_proxy" src_inv="0" tag="ForceProxy1">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth2" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="1" ipsec="0" libelle="Redirection des flux http sans proxy vers une page d'erreur" nat_port="81" priority="11" serv_inv="0" service="http" src_inv="0" tag="ForceProxy1">
+                    <source name="admin" />
+                    <destination name="exterieur_bastion" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth2" ip="" name="" src="0" />
+                </directive>
+                <directive accept="0" action="4" attrs="17" dest_inv="0" ipsec="0" libelle="Redirection des flux https sans proxy vers une page d'erreur" nat_port="82" priority="12" serv_inv="0" service="gr_redirection_https" src_inv="0" tag="ForceProxy1">
+                    <source name="admin" />
+                    <destination name="exterieur" />
+                    <exception dest="0" eolvar="%%proxy_bypass_src_network_eth2/%%calc_classe(%%proxy_bypass_src_netmask_eth2)" ip="" name="" src="1" />
+                    <exception dest="1" eolvar="%%proxy_bypass_domain_eth2" ip="" name="" src="0" />
+                </directive>
+                -->
+            </descendantes>
+        </flux>
+        <flux zoneA="bastion" zoneB="admin">
+            <montantes default_policy="0">
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="ssh admin vers Amon" priority="1" serv_inv="0" service="ssh" src_inv="0" tag="SSHDepuiseth2">
+                    <source name="admin_ssh" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="administration admin vers Amon" priority="2" serv_inv="0" service="admin_amon" src_inv="0" tag="AdminDepuiseth2">
+                    <source name="admin_admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="administration admin vers Amon" priority="3" serv_inv="0" service="lightsquid" src_inv="0" tag="lightsquid1">
+                    <source name="admin_admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="4" serv_inv="0" service="dns-tcp" src_inv="0">
+                    <source name="admin" />
+                    <destination name="internet_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="5" serv_inv="0" service="dns-udp" src_inv="0">
+                    <source name="admin" />
+                    <destination name="internet_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="autoriser l'acces a Nuauth" priority="6" serv_inv="0" service="nuauth" src_inv="0" tag="auth_nufw">
+                    <source name="admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="7" serv_inv="0" service="eole-sso" src_inv="0" tag="eole_sso">
+                    <source name="admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="8" serv_inv="0" service="proxy" src_inv="0">
+                    <source name="admin" />
+                    <destination name="internet_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="9" serv_inv="0" service="proxy2" src_inv="0" tag="Activer squid2">
+                    <source name="admin" />
+                    <destination name="internet_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="10" serv_inv="0" service="cntlm" src_inv="0" tag="cntlm">
+                    <source name="admin" />
+                    <destination name="internet_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="gen_config admin vers Amon" priority="11" serv_inv="0" service="gen_config" src_inv="0" tag="SSHDepuiseth2">
+                    <source name="admin_ssh" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Acces backend EAD admin vers Amon" priority="12" serv_inv="0" service="ead_server" src_inv="0" tag="BackendEADDepuiseth2">
+                    <source name="admin_backend_ead" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="raduis admin vers Amon" priority="13" serv_inv="0" service="gr_radius" src_inv="0" tag="ActiverRadiuseth2">
+                    <source name="admin" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autorisation reverse proxy + WPAD" priority="14" serv_inv="0" service="http" src_inv="0">
+                    <source name="admin" />
+                    <destination name="bastion_exterieur" />
+                </directive>
+				<directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autoriser ntp depuis admin" priority="15" serv_inv="0" service="ntp" src_inv="0">
+                    <source name="admin" />
+                    <destination name="bastion" />
+                </directive>
+            <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="16" serv_inv="0" service="ldap" src_inv="0" tag="activer_ldap">
+                    <source name="admin" />
+                    <destination name="bdd" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="17" serv_inv="0" service="ldaps" src_inv="0" tag="activer_ldaps">
+                    <source name="admin" />
+                    <destination name="bdd" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="interface web sympa" priority="18" serv_inv="0" service="sympa-internet" src_inv="0" tag="AdminDepuiseth2">
+                    <source name="admin_admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="interface web sympa" priority="19" serv_inv="0" service="sympa-restreint" src_inv="0">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Activer NFS depuis les clients" priority="20" serv_inv="0" service="nfs" src_inv="0" tag="activer_nfs">
+                    <source name="client_nfs" />
+                    <destination name="bastion" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="21" serv_inv="0" service="imap" src_inv="0" tag="activer_courrier_imap">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="22" serv_inv="0" service="imap4-ssl" src_inv="0" tag="activer_courrier_imap">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="23" serv_inv="0" service="pop" src_inv="0" tag="activer_courrier_pop">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="24" serv_inv="0" service="pop3s" src_inv="0" tag="activer_courrier_pop">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="25" serv_inv="0" service="smtp" src_inv="0">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="pas de description" priority="26" serv_inv="0" service="smtps" src_inv="0">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="27" serv_inv="0" service="xmpp" src_inv="0" tag="activer_xmpp">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="28" serv_inv="0" service="xmpp-ssl" src_inv="0" tag="activer_xmpp">
+                    <source name="admin" />
+                    <destination name="reseau" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="pas de description" priority="29" serv_inv="0" service="tftpd-hpa" src_inv="0" tag="activer_tftp">
+                    <source name="admin" />
+                    <destination name="bdd" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="interface web CUPS" priority="30" serv_inv="0" service="cups" src_inv="0" tag="activer_cups1">
+                    <source name="admin_admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="31" serv_inv="0" service="scribe-controlevnc" src_inv="0">
+                    <source name="admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="32" serv_inv="0" service="ftp" src_inv="0" tag="activer_proftpd">
+                    <source name="admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="33" serv_inv="0" service="samba" src_inv="0">
+                    <source name="admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Controle VNC" priority="34" serv_inv="0" service="samba" src_inv="0">
+                    <source name="admin" />
+                    <destination name="partage_eth2_broadcast" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autorise le ping vers le conteneur" priority="35" serv_inv="0" service="echo-request" src_inv="0">
+                    <source name="admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="0" dest_inv="0" ipsec="0" libelle="Autorise le ping vers le conteneur" priority="36" serv_inv="0" service="echo-request" src_inv="0">
+                    <source name="admin" />
+                    <destination name="internet_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Autoriser l'accès &#224; Gaspacho" priority="37" serv_inv="0" service="gaspacho" src_inv="0" tag="Gaspachoeth2">
+                    <source name="admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Open Eclair ports on AmonEcole" priority="38" serv_inv="0" service="amonecole-eclair" src_inv="0" tag="activer_eclair_amonecole">
+                    <source name="admin" />
+                    <destination name="ltspserver_eth0" />
+                </directive>
+                <directive accept="0" action="2" attrs="17" dest_inv="0" ipsec="0" libelle="Open Gaspacho and TFTPD for Eclair on AmonEcole" priority="39" serv_inv="0" service="amonecole-eclair-partage" src_inv="0" tag="activer_eclair_amonecole">
+                    <source name="admin" />
+                    <destination name="partage_eth2" />
+                </directive>
+            </montantes>
+            <descendantes default_policy="1">
+            </descendantes>
+        </flux>
+    </flux-list></firewall>