jcarr
/
wit-network-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
320 Commits 1 Branch 0 Tags 268 KiB
Commit Graph

54 Commits

Author SHA1 Message Date
toby 78a2a7b13f better comments on firewall rules 2019-05-01 05:04:29 +00:00
toby 313ea1085f adding local connections for zebra/frr to the individual services. I can't believe I have not yet noticed this. seems like-frr reload is however relying on this 2019-05-01 04:37:44 +00:00
toby b37d2b5c74 adding new 3300 port for ceph msgr2 protocol 2019-04-29 07:06:51 +00:00
toby a000b9e2de firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them 2019-04-09 22:47:57 +00:00
toby 47b2e0b3e6 adding firewall http over VPN rule for bastion cert exchange and possibly more in the future 2019-04-09 21:27:28 +00:00
toby b8e6a8a418 doh, ipv6 we want not ipv4 ;) 2019-04-05 00:17:39 +00:00
toby 30eecc7f51 allowing stackapi traffic over the VPN 2019-04-04 23:35:07 +00:00
toby d2a7099392 pulling out all the bastion related rules and moving them to tha bastion ansible... this may break shit... 2019-03-29 22:40:03 +00:00
toby 9fa840a956 fixing typo in firewall rules 2019-03-13 01:32:01 +00:00
toby 73b2389f08 adding iptables comments to all rules 2019-03-13 00:14:17 +00:00
toby 0c2e02c1b8 removing old prometheus rules that were once hosted in aws 2019-03-11 21:51:06 +00:00
toby c760ae7c2c firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6 2019-03-11 21:48:58 +00:00
toby 5363feff09 firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping 2019-02-09 19:48:51 -08:00
toby 90e3484f5c firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules 2019-02-05 20:42:36 -08:00
toby b9d53909b8 starting to use ceph on ipv6 as well .... 2019-02-05 20:23:44 -08:00
toby c3df5d6f12 just some comments and to test the new signing machinery ... 2019-01-23 14:50:54 -08:00
toby a1d5439422 firewall: allowing ipmi calles to be routed so that VPN clients and other boxes can make calls to ipmi 2019-01-11 18:09:37 +01:00
toby e88b13e51d adding customer interface bgp firewall fules 2019-01-02 22:29:23 +01:00
toby 2a4150aa41 firewall cleanup and organization 2018-12-21 17:41:04 +01:00
toby 83332a7f74 just formatting 2018-12-20 15:28:27 +01:00
Tim Sogard dfa58f6089 Allow hosts to communicate with prometheus exporters 2018-12-20 02:27:37 -05:00
toby 7fb7552c90 firewall: removing upstream NTP and adding bgp rules for edge ibgp links 2018-12-07 23:27:09 +01:00
toby 83e0ccc728 adding firewall restart to postinst script. firewall is now restarted on upgrade, may break kickstart, need to test 2018-11-28 18:14:08 +01:00
toby fcaa400452 removing ceph rgw 8080 for now since it's not in use 2018-11-26 19:17:31 +01:00
toby 2ff6566d2e firewall house-keeping 2018-11-26 18:39:18 +01:00
toby e5b6e96c2e adding bastion2 to firewalls for potential failover 2018-11-19 00:32:12 +01:00
toby e3fba4ecad prepping to flip back bastion to a loopback ip. setting firewall rule accordingly 2018-11-18 02:22:04 +01:00
toby 9028be6de6 fixing live migration iptables rules 2018-11-17 02:06:37 +01:00
toby a0d2d87355 adding ceph rgw rules to firewall 2018-11-16 18:26:57 +01:00
toby 26f34e482f adding smarthost to the firewall 2018-11-13 20:41:41 +01:00
toby 045736616f fixng small console error so that systemd actually thinks firewall started successfully 2018-11-12 21:08:25 +01:00
toby 1855169a42 adding bastion firewall rules to all firewalls. this is precausion so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible but since if ansible gets forgotton or other things happen this will make sure the most critical things are there 2018-11-04 21:13:13 +01:00
toby 7aabd41def simplifying and adding flexibility to the NOTRACK rules 2018-11-04 19:19:09 +00:00
toby f925ad46a0 updated IP for new mirrors in usw2 2018-10-24 23:07:54 +02:00
toby d67b225792 cleanup firewall rules and making unnumbered bgp rules a tad more restrictive 2018-10-21 23:08:58 +02:00
toby c7d116d1c1 adding firewall rules for edge boxes 2018-10-20 18:55:45 +02:00
toby a343ade9c4 adding new firewall rule for stackapi 2018-10-05 22:27:10 +00:00
toby b5860daf1d typo in firewall rule 2018-10-01 18:25:50 +02:00
toby 7a948a6fbf adding ipv6 ssh support from bastion (in theory we should actually only need that, but keep ipv4 for now ... just in case) 2018-10-01 15:04:23 +02:00
toby 1c50cecdb5 adding direct ssh access on default for bastion, and migrating to admin domain instead of 3 different zones 2018-10-01 10:39:17 +02:00
toby b18d2c03c8 adding mirrors.wit.com to the firewall 2018-09-26 23:47:01 +02:00
Adam Frank 6a01e4988b adding local ceph traffic rules 2018-09-22 04:57:07 +00:00
toby c8195a9cf8 adding first estimated rules for ceph 2018-09-20 16:40:25 +02:00
toby 37c69ab507 adding ipv6 tunnel to strongswan and matching firewall rules 2018-09-17 21:28:02 +02:00
toby 002d2e0221 fixing firewall scirpt and rolling back to hardcoded IP till I get the systemd unit file 2018-09-13 23:41:28 +02:00
toby 2e95eb7bad orginizing the firewall a little bit, no changes in theory 2018-09-13 12:08:40 +02:00
toby 8bdbba3016 orginizing the firewall a little bit, no changes in theory 2018-09-13 01:17:40 +02:00
toby dc6a02d0d4 fixing ipv6 mgmt firewall rules (again) and setting mgmt1 interface to be dhcp as well (not just auto) 2018-09-10 21:03:57 +02:00
toby 7d30951603 fixing DHCP6 offer packets on firewall to come through 2018-09-09 23:37:24 +02:00
toby d96371752d adding DHCP6 offer packets on firewall to come through 2018-09-09 23:20:30 +02:00