From 7fb7552c90e0b6cc66709f832978a41fee9c312d Mon Sep 17 00:00:00 2001
From: toby
Date: Fri, 7 Dec 2018 23:27:09 +0100
Subject: [PATCH] firewall: removing upstream NTP and adding bgp rules for edge ibgp links
---
 files/firewall | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/firewall b/files/firewall
index a66e5db..c63479d 100755
--- a/files/firewall
+++ b/files/firewall
@@ -101,8 +101,6 @@ case $1 in
  ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns replies from bastion
  ip6tables -A INPUT -s 2604:bbc0:0:113::b -p tcp --dport 22 -j ACCEPT # ssh from bastion2
  ip6tables -A INPUT -s 2604:bbc0:0:113::b -p udp --sport 53 -j ACCEPT # dns replies from bastion2
- ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
- ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
  ## traffic we want to see encrypted over the VPN
  ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
@@ -113,6 +111,8 @@ case $1 in
  ## rules for edge nodes, these should be more specific but for now, it'll do
  ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
  ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i ibgp+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
  ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
  ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer