diff --git a/files/firewall b/files/firewall
index e651d2e..e71ea3c 100755
--- a/files/firewall
+++ b/files/firewall
@@ -39,7 +39,6 @@ case $1 in
 ## external services we depend upon
 iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi
- iptables -A INPUT -s 170.199.216.13 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
 iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host
 ## rules for edge nodes, these should be more specific but for now, it'll do
@@ -102,6 +101,7 @@ case $1 in
 ## external services we depend upon
 ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
 ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9103 -j ACCEPT # prometheus collectd-exporter
+ ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
 ## ceph
 ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
@@ -121,7 +121,7 @@ case $1 in
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
 ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
- ## rules for edge nodes, these should be more specific but for now, it'll do
+ ## rules for edge nodes, shouldn't ever end up matching on "normal nodes"
 ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
 ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
 ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
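Review bot: The added ip6tables rule for mirrors.wit.com (second hunk) replaces the IPv4 rule removed in the first hunk, so if mirrors.wit.com still publishes an A record and a node resolves or routes to it over IPv4 (no default v6 route, v4-preferred resolver), reply traffic from 170.199.216.13:443 now falls through to whatever follows in INPUT; this is presumably intended, but the commit does not say the v4 path is gone. Like the surrounding rules, the new line accepts on source address and `--sport 443` alone rather than on connection state, which admits any packet that host chooses to send from port 443 to any local port; if conntrack is available on these nodes, `ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT # mirrors.wit.com` limits it to replies. A comment recording that the v4 address was deliberately dropped, e.g. `# mirrors.wit.com (v6 only; v4 rule for 170.199.216.13 removed)`, would keep the two hunks legible together. The enclosing case arm starts and ends outside the hunk.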
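Review bot: The reworded comment in the third hunk states that the edge-node rules "shouldn't ever end up matching on normal nodes" without saying why, and the rules themselves accept from all of fe80::/10 on any interface matching `gre+` or `ibgp+`, so the only thing preventing a match on a normal node is the absence of such interfaces. Stating that assumption makes the comment checkable, e.g. `## rules for edge nodes; only interfaces named gre*/ibgp* match, which normal nodes are not expected to have`. The case arm these lines belong to continues outside the hunk.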