Commit Graph

83 Commits

Author SHA1 Message Date
toby adefd694e4 enabling debug post-script again and removing hardcoded domain name in post-script for subnets lookups 2018-12-01 18:30:10 +01:00
toby bfbd9068e4 minor adjustments to swanctl config template after making all these upgrades to ipsec.conf. ipsec.conf is still the one active, swanctl not cut over yet 2018-12-01 18:29:29 +01:00
toby 91e34ea5e1 ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2 2018-11-30 18:27:18 +01:00
toby 83e0ccc728 adding firewall restart to postinst script. firewall is now restarted on upgrade, may break kickstart, need to test 2018-11-28 18:14:08 +01:00
toby fcaa400452 removing ceph rgw 8080 for now since it's not in use 2018-11-26 19:17:31 +01:00
toby 2ff6566d2e firewall house-keeping 2018-11-26 18:39:18 +01:00
toby c65529f6ad adding support for bastions public lo ipv4 2018-11-19 18:35:11 +01:00
toby e5b6e96c2e adding bastion2 to firewalls for potential failover 2018-11-19 00:32:12 +01:00
toby b2b902672b raising dpdtimeout to be 5x the delay, it's much more agressive than defaults but at least its the same multiplier than default 2018-11-18 23:18:29 +01:00
toby 9d11caf8f9 changed my mind about closeaction, we should maybe have that, but trying to use hold instead 2018-11-18 22:14:26 +01:00
toby 86d5c80bbb ipsec changes: IKEv2, and more ipsec changes to hopefully inclrease stability 2018-11-18 22:06:53 +01:00
toby e3fba4ecad prepping to flip back bastion to a loopback ip. setting firewall rule accordingly 2018-11-18 02:22:04 +01:00
toby 9028be6de6 fixing live migration iptables rules 2018-11-17 02:06:37 +01:00
toby a0d2d87355 adding ceph rgw rules to firewall 2018-11-16 18:26:57 +01:00
toby 052aeec779 we obviously wanna remove our private ASNs on IPv6 as well 2018-11-15 21:05:45 +01:00
toby 26f34e482f adding smarthost to the firewall 2018-11-13 20:41:41 +01:00
toby 346f3516d4 more/better bastion support 2018-11-13 17:22:42 +01:00
toby 045736616f fixng small console error so that systemd actually thinks firewall started successfully 2018-11-12 21:08:25 +01:00
toby 039b56b15d fixing issue showing IPs 2018-11-07 17:07:47 +01:00
toby 1855169a42 adding bastion firewall rules to all firewalls. this is precausion so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible but since if ansible gets forgotton or other things happen this will make sure the most critical things are there 2018-11-04 21:13:13 +01:00
toby 0868dd4df3 adding some early work for bastion support 2018-11-04 21:02:07 +01:00
toby 7aabd41def simplifying and adding flexibility to the NOTRACK rules 2018-11-04 19:19:09 +00:00
toby 249e13bac6 adding mgmt IPs on the console output 2018-11-03 20:27:10 +01:00
toby c25c9f4e03 ipsec: swanctl work: binding to only lo and feth interfaces. this should potentially avoid some issues 2018-11-01 16:11:59 +01:00
toby 03a8db740f for now keeping the ikev1, the upgrade to v2 needs to be planned 2018-10-31 23:15:54 +01:00
toby d3161082de ipsec: setting source IP to loopback 2018-10-31 23:06:30 +01:00
toby 633b0a7521 removing hardcoded ike version and also fixing file path for swanctl-conf file 2018-10-28 22:04:16 +01:00
toby 3f2238a090 adding swanctl draft config. not yet used but wanna eventually switch to it 2018-10-28 20:45:20 +01:00
toby 467548f6e8 ipsec: adding new key-proposal that we wanna move towards to. once rolled out, we'd like to deprecate the old weak ones 2018-10-26 21:46:49 +02:00
toby f925ad46a0 updated IP for new mirrors in usw2 2018-10-24 23:07:54 +02:00
toby 31abf06342 setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes 2018-10-23 23:28:29 +02:00
toby f9ed8fe88b adding allowas-in 1 to iBGP peergroup. this allows routes coming in from peer-edge over the gre to be learn 2018-10-23 18:27:55 +02:00
toby eb8a990fc8 tiny but major bug in frr config 2018-10-23 17:39:54 +02:00
toby d67b225792 cleanup firewall rules and making unnumbered bgp rules a tad more restrictive 2018-10-21 23:08:58 +02:00
toby c7d116d1c1 adding firewall rules for edge boxes 2018-10-20 18:55:45 +02:00
toby 0eceabfe1d implementing some ad-hoc patches I did yesterday to get it going 2018-10-20 17:51:53 +02:00
toby ea70e243fe more work on edge.... adding support for dynamic ipsec subnets and some more minor patches 2018-10-19 19:57:07 +02:00
toby 587bba4290 more work on edge / dynamic frr config... .making progress but still ways to go,... just taking a backup... 2018-10-19 17:03:43 +02:00
toby 7e1d7993fe more work on edge / dynamic frr config... .making progress but still ways to go,... just taking a backup... 2018-10-19 16:56:11 +02:00
toby cfdc1cd3a9 more work ... .still ways to go,... just taking a backup... 2018-10-18 22:12:43 +02:00
toby 0e9142c15e first major commit for edge boxes support, not nearly done yet 2018-10-16 22:44:57 +02:00
toby 4f7f177cc6 fixing bug in regex of qemu-ifup-public public IP matching 2018-10-08 18:22:22 +02:00
toby 1b891db635 renaming WIT customers prefix-list to be more consistent, in preparation for edge support 2018-10-08 18:20:48 +02:00
toby a343ade9c4 adding new firewall rule for stackapi 2018-10-05 22:27:10 +00:00
toby 928142ce70 updating the qemu-ifup scripts to reflect the new versions usling local files 2018-10-05 18:29:12 +00:00
toby bc97208b34 typo in ipv6 prefix list for new customer blocks 2018-10-04 20:07:50 +02:00
toby 23c5b533c1 adding more IPv6 customer blocks for paul for the new v2 stack in usw2 2018-10-04 18:22:45 +02:00
toby b5860daf1d typo in firewall rule 2018-10-01 18:25:50 +02:00
toby 7a948a6fbf adding ipv6 ssh support from bastion (in theory we should actually only need that, but keep ipv4 for now ... just in case) 2018-10-01 15:04:23 +02:00
toby 1c50cecdb5 adding direct ssh access on default for bastion, and migrating to admin domain instead of 3 different zones 2018-10-01 10:39:17 +02:00