author | commit | message | date
toby | adefd694e4 | enabling debug post-script again and removing hardcoded domain name in post-script for subnets lookups | 2018-12-01 18:30:10 +01:00
toby | bfbd9068e4 | minor adjustments to swanctl config template after making all these upgrades to ipsec.conf. ipsec.conf is still the one active, swanctl not cut over yet | 2018-12-01 18:29:29 +01:00
toby | 91e34ea5e1 | ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2 | 2018-11-30 18:27:18 +01:00
toby | 83e0ccc728 | adding firewall restart to postinst script. firewall is now restarted on upgrade, may break kickstart, need to test | 2018-11-28 18:14:08 +01:00
toby | fcaa400452 | removing ceph rgw 8080 for now since it's not in use | 2018-11-26 19:17:31 +01:00
toby | 2ff6566d2e | firewall house-keeping | 2018-11-26 18:39:18 +01:00
toby | c65529f6ad | adding support for bastion's public lo ipv4 | 2018-11-19 18:35:11 +01:00
toby | e5b6e96c2e | adding bastion2 to firewalls for potential failover | 2018-11-19 00:32:12 +01:00
toby | b2b902672b | raising dpdtimeout to be 5x the delay, it's much more aggressive than defaults but at least it's the same multiplier as default | 2018-11-18 23:18:29 +01:00
toby | 9d11caf8f9 | changed my mind about closeaction, we should maybe have that, but trying to use hold instead | 2018-11-18 22:14:26 +01:00
toby | 86d5c80bbb | ipsec changes: IKEv2, and more ipsec changes to hopefully increase stability | 2018-11-18 22:06:53 +01:00
toby | e3fba4ecad | prepping to flip back bastion to a loopback ip. setting firewall rule accordingly | 2018-11-18 02:22:04 +01:00
toby | 9028be6de6 | fixing live migration iptables rules | 2018-11-17 02:06:37 +01:00
toby | a0d2d87355 | adding ceph rgw rules to firewall | 2018-11-16 18:26:57 +01:00
toby | 052aeec779 | we obviously wanna remove our private ASNs on IPv6 as well | 2018-11-15 21:05:45 +01:00
toby | 26f34e482f | adding smarthost to the firewall | 2018-11-13 20:41:41 +01:00
toby | 346f3516d4 | more/better bastion support | 2018-11-13 17:22:42 +01:00
toby | 045736616f | fixing small console error so that systemd actually thinks firewall started successfully | 2018-11-12 21:08:25 +01:00
toby | 039b56b15d | fixing issue showing IPs | 2018-11-07 17:07:47 +01:00
toby | 1855169a42 | adding bastion firewall rules to all firewalls. this is a precaution so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible, but if ansible gets forgotten or other things happen this will make sure the most critical things are there | 2018-11-04 21:13:13 +01:00
toby | 0868dd4df3 | adding some early work for bastion support | 2018-11-04 21:02:07 +01:00
toby | 7aabd41def | simplifying and adding flexibility to the NOTRACK rules | 2018-11-04 19:19:09 +00:00
toby | 249e13bac6 | adding mgmt IPs on the console output | 2018-11-03 20:27:10 +01:00
toby | c25c9f4e03 | ipsec: swanctl work: binding to only lo and feth interfaces. this should potentially avoid some issues | 2018-11-01 16:11:59 +01:00
toby | 03a8db740f | for now keeping the ikev1, the upgrade to v2 needs to be planned | 2018-10-31 23:15:54 +01:00
toby | d3161082de | ipsec: setting source IP to loopback | 2018-10-31 23:06:30 +01:00
toby | 633b0a7521 | removing hardcoded ike version and also fixing file path for swanctl-conf file | 2018-10-28 22:04:16 +01:00
toby | 3f2238a090 | adding swanctl draft config. not yet used but wanna eventually switch to it | 2018-10-28 20:45:20 +01:00
toby | 467548f6e8 | ipsec: adding new key-proposal that we wanna move towards. once rolled out, we'd like to deprecate the old weak ones | 2018-10-26 21:46:49 +02:00
toby | f925ad46a0 | updated IP for new mirrors in usw2 | 2018-10-24 23:07:54 +02:00
toby | 31abf06342 | setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes | 2018-10-23 23:28:29 +02:00
toby | f9ed8fe88b | adding allowas-in 1 to iBGP peergroup. this allows routes coming in from peer-edge over the gre to be learned | 2018-10-23 18:27:55 +02:00
toby | eb8a990fc8 | tiny but major bug in frr config | 2018-10-23 17:39:54 +02:00
toby | d67b225792 | cleanup firewall rules and making unnumbered bgp rules a tad more restrictive | 2018-10-21 23:08:58 +02:00
toby | c7d116d1c1 | adding firewall rules for edge boxes | 2018-10-20 18:55:45 +02:00
toby | 0eceabfe1d | implementing some ad-hoc patches I did yesterday to get it going | 2018-10-20 17:51:53 +02:00
toby | ea70e243fe | more work on edge... adding support for dynamic ipsec subnets and some more minor patches | 2018-10-19 19:57:07 +02:00
toby | 587bba4290 | more work on edge / dynamic frr config... making progress but still ways to go... just taking a backup... | 2018-10-19 17:03:43 +02:00
toby | 7e1d7993fe | more work on edge / dynamic frr config... making progress but still ways to go... just taking a backup... | 2018-10-19 16:56:11 +02:00
toby | cfdc1cd3a9 | more work... still ways to go... just taking a backup... | 2018-10-18 22:12:43 +02:00
toby | 0e9142c15e | first major commit for edge boxes support, not nearly done yet | 2018-10-16 22:44:57 +02:00
toby | 4f7f177cc6 | fixing bug in regex of qemu-ifup-public public IP matching | 2018-10-08 18:22:22 +02:00
toby | 1b891db635 | renaming WIT customers prefix-list to be more consistent, in preparation for edge support | 2018-10-08 18:20:48 +02:00
toby | a343ade9c4 | adding new firewall rule for stackapi | 2018-10-05 22:27:10 +00:00
toby | 928142ce70 | updating the qemu-ifup scripts to reflect the new versions using local files | 2018-10-05 18:29:12 +00:00
toby | bc97208b34 | typo in ipv6 prefix list for new customer blocks | 2018-10-04 20:07:50 +02:00
toby | 23c5b533c1 | adding more IPv6 customer blocks for paul for the new v2 stack in usw2 | 2018-10-04 18:22:45 +02:00
toby | b5860daf1d | typo in firewall rule | 2018-10-01 18:25:50 +02:00
toby | 7a948a6fbf | adding ipv6 ssh support from bastion (in theory we should actually only need that, but keep ipv4 for now ... just in case) | 2018-10-01 15:04:23 +02:00
toby | 1c50cecdb5 | adding direct ssh access on default for bastion, and migrating to admin domain instead of 3 different zones | 2018-10-01 10:39:17 +02:00