Allow to unblock smb and netbios in config.cfg (#1558)

config.cfg

@@ -108,6 +108,12 @@ unattended_reboot:
 # Block traffic between connected clients
 BetweenClients_DROP: true
 
+# Block SMB/CIFS traffic
+block_smb: true
+
+# Block NETBIOS traffic
+block_netbios: true
+
 congrats:
   common: |
     "#                          Congratulations!                            #"

roles/common/templates/rules.v4.j2

@@ -88,10 +88,10 @@ COMMIT
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop SMB/CIFS traffic that requests to be forwarded
--A FORWARD -p tcp --dport 445 -j DROP
+-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
 # Drop NETBIOS trafic that requests to be forwarded
--A FORWARD -p udp -m multiport --ports 137,138 -j DROP
+-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
--A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
+-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
 
 {% if ipsec_enabled %}
 # Forward any IPSEC traffic from the VPN network

roles/common/templates/rules.v6.j2

@@ -91,9 +91,10 @@ COMMIT
 -A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 
 -A FORWARD -j ICMPV6-CHECK
--A FORWARD -p tcp --dport 445 -j DROP
+-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
--A FORWARD -p udp -m multiport --ports 137,138 -j DROP
+-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
--A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
+-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
+
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 {% if ipsec_enabled %}
 -A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT