firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them

2019-04-09 22:47:57 +00:00 · 2019-04-09 22:47:57 +00:00 · a000b9e2de
parent 47b2e0b3e6
commit a000b9e2de
1 changed files with 1 additions and 3 deletions
--- a/files/firewall
+++ b/files/firewall
@ -35,7 +35,6 @@ case $1 in
        iptables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --dport   4789                                  -j ACCEPT   -m comment --comment "vxlan traffic"
        iptables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport    123                                  -j ACCEPT   -m comment --comment "ntp replies for bastion"
        iptables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport     53                                  -j ACCEPT   -m comment --comment "dns replies for bastion"
-        iptables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --sport     80                                  -j ACCEPT   -m comment --comment "http replies for bastion"
        iptables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --dport     22                                  -j ACCEPT   -m comment --comment "ssh if coming over the VPN"

       ## external services we depend upon
@ -104,9 +103,8 @@ case $1 in
       ## traffic we want to see encrypted over the VPN
        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --dport     22                      -j ACCEPT   -m comment --comment "ssh if coming over the VPN"
        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport     53                      -j ACCEPT   -m comment --comment "dns replies from anything over the VPN"
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --sport     80                      -j ACCEPT   -m comment --comment "http replies for bastion"
        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport    123                      -j ACCEPT   -m comment --comment "ntp if coming over the VPN"
-        #ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --sport   2379                      -j ACCEPT   -m comment --comment "etcd replies from stackapi"
-        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --sport   4000                      -j ACCEPT   -m comment --comment "stackapi replies"
        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --dports 49152:49215                -j ACCEPT   -m comment --comment "libvirt live migration"
        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --sports 49152:49215                -j ACCEPT   -m comment --comment "libvirt live migration"