firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping

2019-02-09 19:48:51 -08:00 · 2019-02-09 19:48:51 -08:00 · 5363feff09
parent 90e3484f5c
commit 5363feff09
2 changed files with 11 additions and 10 deletions
--- a/files/firewall
+++ b/files/firewall
@ -114,9 +114,10 @@ case $1 in
        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --sports  6800:7300                 -j ACCEPT   # ceph osd traffic

       ## traffic we want to see encrypted over the VPN
-        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --dport    22                       -j ACCEPT   # ssh if coming over the VPN
-        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport    53                       -j ACCEPT   # dns replies from anything over the VPN
-        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport   123                       -j ACCEPT   # ntp if coming over the VPN
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --dport     22                      -j ACCEPT   # ssh if coming over the VPN
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport     53                      -j ACCEPT   # dns replies from anything over the VPN
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport    123                      -j ACCEPT   # ntp if coming over the VPN
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --sport   2379                      -j ACCEPT   # etcd replies from stackapi
        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --dports 49152:49215                -j ACCEPT   # libvirt live migration
        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --sports 49152:49215                -j ACCEPT   # libvirt live migration

--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@ -33,13 +33,6 @@ conn local4
    type = passthrough


-conn loopback4
-    left = LOOPBACKv4
-    leftsubnet = LOOPBACKv4
-    right = IPSEC_IPV4_SUBNETS
-    rightsubnet = IPSEC_IPV4_SUBNETS
-
-
 conn local6
    left = LOOPBACKv6
    leftsubnet = LOOPBACKv6
@ -49,6 +42,13 @@ conn local6
    type = passthrough


+conn loopback4
+    left = LOOPBACKv4
+    leftsubnet = LOOPBACKv4
+    right = IPSEC_IPV4_SUBNETS
+    rightsubnet = IPSEC_IPV4_SUBNETS
+
+
 conn loopback6
    left = LOOPBACKv6
    leftsubnet = LOOPBACKv6