Adding local connections for zebra/frr to the individual services. I can't believe I have not noticed this yet. It seems that frr reload is, however, relying on this.

This commit is contained in:
toby 2019-05-01 04:37:44 +00:00
parent 05bc412860
commit 313ea1085f
2 changed files with 5 additions and 1 deletions

debian/postinst vendored

@ -418,7 +418,7 @@ case "$1" in
systemctl enable strongswan || true ## in case we kick-start or done have it enabled for some reason systemctl enable strongswan || true ## in case we kick-start or done have it enabled for some reason
systemctl enable firewall systemctl enable firewall
systemctl restart firewall systemctl restart firewall
systemctl reload frr ## systemctl reload frr ## still too dangerous? failed heavy on last attempt
## END services section ## END services section
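Review bot: `systemctl reload frr` on the changed line has no `|| true`, unlike `systemctl enable strongswan || true` three lines above, so a failed reload — which the comment text itself records as having "failed heavy on last attempt" — makes the postinst exit non-zero (if the script runs under `set -e`, which is outside this hunk) and leaves the package unconfigured in dpkg. The old/new side of the changed line is not recoverable on this rendered page, so I cannot tell whether the trailing comment was added or removed, but the reload call is present on both sides. Either make it non-fatal to match its neighbours, `systemctl reload frr || true`, or at least surface the failure, `systemctl reload frr || echo "frr reload failed" >&2`. The enclosing `case "$1" in` arm starts and ends outside the hunk. Separately, the two loopback rules added in the other file under `## frr local service connections` for ports 2600:2618 carry the comment `local ceph osd traffic`, which looks copy-pasted from the ceph rules below and should read `local frr vty traffic` so an `iptables -L` audit is not misleading.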


@ -23,6 +23,10 @@ case $1 in
iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec" iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow pings" iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow pings"
## frr local service connections
iptables -A INPUT -i lo -m multiport -p tcp --sports 2600:2618 -j ACCEPT -m comment --comment "local ceph osd traffic"
iptables -A INPUT -i lo -m multiport -p tcp --dports 2600:2618 -j ACCEPT -m comment --comment "local ceph osd traffic"
## local ceph osd services ## local ceph osd services
iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic" iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic" iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"