From 5363feff09d7d21f38d8fc90acab7cb04fe9030e Mon Sep 17 00:00:00 2001
From: toby
Date: Sat, 9 Feb 2019 19:48:51 -0800
Subject: [PATCH] firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping
---
 files/firewall | 7 ++++---
 files/ipsec.conf.wit | 14 +++++++-------
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/files/firewall b/files/firewall
index 88f3a17..e651d2e 100755
--- a/files/firewall
+++ b/files/firewall
@@ -114,9 +114,10 @@ case $1 in
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
 ## traffic we want to see encrypted over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 2379 -j ACCEPT # etcd replies from stackapi
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
diff --git a/files/ipsec.conf.wit b/files/ipsec.conf.wit
index c7ca729..52c16a2 100644
--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
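Review bot: The new `--sport 2379` rule accepts any inbound TCP segment whose source port is 2379 with no connection-tracking state, so it is not limited to replies to connections this host opened: a peer on the ipsec policy that chooses 2379 as its client source port reaches every local TCP port through it. The same source-port-only pattern is on the re-indented `--sport 53` and `--sport 123` lines and the `--sports 49152:49215` context line, so the weakness predates this commit but the new line widens it to TCP. Reply traffic is normally admitted by state rather than by port, e.g. `ip6tables -A INPUT -m policy --pol ipsec --dir in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` placed ahead of these rules, after which the `--sport` accepts become unnecessary; if such a rule already exists earlier in the `case` block (not visible in the hunk) these lines are redundant rather than risky, and that is worth stating in a comment. At minimum the new rule should be pinned to the intended peer with `-s <STACKAPI_ADDR>` (placeholder) and its comment changed to `# etcd replies from stackapi (source port is not authentication; prefer conntrack)`. The enclosing `case $1 in` block starts and ends outside the hunk.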
@@ -33,13 +33,6 @@ conn local4
 type = passthrough
-conn loopback4
- left = LOOPBACKv4
- leftsubnet = LOOPBACKv4
- right = IPSEC_IPV4_SUBNETS
- rightsubnet = IPSEC_IPV4_SUBNETS
-
-
 conn local6
 left = LOOPBACKv6
 leftsubnet = LOOPBACKv6
@@ -49,6 +42,13 @@ conn local6
 type = passthrough
+conn loopback4
+ left = LOOPBACKv4
+ leftsubnet = LOOPBACKv4
+ right = IPSEC_IPV4_SUBNETS
+ rightsubnet = IPSEC_IPV4_SUBNETS
+
+
 conn loopback6
 left = LOOPBACKv6
 leftsubnet = LOOPBACKv6