From a000b9e2de4fcbacfc5b6887c757cf2656163900 Mon Sep 17 00:00:00 2001
From: toby
Date: Tue, 9 Apr 2019 22:47:57 +0000
Subject: [PATCH] firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them
---
 files/firewall | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/files/firewall b/files/firewall
index fc5b054..5383b0a 100755
--- a/files/firewall
+++ b/files/firewall
@@ -35,7 +35,6 @@ case $1 in
 iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT -m comment --comment "vxlan traffic"
 iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT -m comment --comment "ntp replies for bastion"
 iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT -m comment --comment "dns replies for bastion"
- iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 80 -j ACCEPT -m comment --comment "http replies for bastion"
 iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh if coming over the VPN"
 ## external services we depend upon
@@ -104,9 +103,8 @@ case $1 in
 ## traffic we want to see encrypted over the VPN
 ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh if coming over the VPN"
 ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT -m comment --comment "dns replies from anything over the VPN"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 80 -j ACCEPT -m comment --comment "http replies for bastion"
 ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT -m comment --comment "ntp if coming over the VPN"
- #ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 2379 -j ACCEPT -m comment --comment "etcd replies from stackapi"
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 4000 -j ACCEPT -m comment --comment "stackapi replies"
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT -m comment --comment "libvirt live migration"
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT -m comment --comment "libvirt live migration"
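Review bot: The added ip6tables line accepts every inbound TCP segment over the IPsec policy whose source port is 80, not only replies to connections the bastion opened, so any VPN peer that binds a local port 80 can reach arbitrary ports on this host; the comment "http replies for bastion" promises a narrower match than the rule enforces. Unless an ESTABLISHED,RELATED rule already precedes this block (not visible in the hunk), a state match closes the gap: `ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "http replies for bastion"`. The neighbouring `--sport 53` and `--sport 123` context lines share the same pattern, but they are pre-existing and outside this change. The enclosing `case $1 in` block starts and ends outside the hunk.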