jcarr
/
wit-network-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

firewall: removing upstream NTP and adding bgp rules for edge ibgp links

This commit is contained in:
toby 2018-12-07 23:27:09 +01:00
parent e3fe47275c
commit 7fb7552c90
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
files/firewall
View File

@ -101,8 +101,6 @@ case $1 in
ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns replies from bastion
ip6tables -A INPUT -s 2604:bbc0:0:113::b -p tcp --dport 22 -j ACCEPT # ssh from bastion2
ip6tables -A INPUT -s 2604:bbc0:0:113::b -p udp --sport 53 -j ACCEPT # dns replies from bastion2
ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
## traffic we want to see encrypted over the VPN
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
@ -113,6 +111,8 @@ case $1 in
## rules for edge nodes, these should be more specific but for now, it'll do
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer