toby
|
9fa840a956
|
fixing typo in firewall rules
|
2019-03-13 01:32:01 +00:00 |
toby
|
73b2389f08
|
adding iptables comments to all rules
|
2019-03-13 00:14:17 +00:00 |
toby
|
0c2e02c1b8
|
removing old prometheus rules that were once hosted in aws
|
2019-03-11 21:51:06 +00:00 |
toby
|
c760ae7c2c
|
firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6
|
2019-03-11 21:48:58 +00:00 |
toby
|
eeb6cedbf6
|
bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hickups if the same route would already be used somewhere else
|
2019-03-11 19:30:52 +00:00 |
toby
|
73ae7b9680
|
accepting up to /56 on ipv6 and bugfixing for wit-gc
|
2019-03-11 18:59:24 +00:00 |
toby
|
2e9317222e
|
minor bugfix on wit-gc... more to come on stale routes
|
2019-03-11 07:19:09 +00:00 |
toby
|
5be0d4b8fc
|
updated qemu scripts and wit-gc to support new ipv4 forwarding
|
2019-03-11 02:16:33 +00:00 |
toby
|
bc47af367a
|
we definitely wanna support more than /64 on ipv6, upping it to /60 for now, but prob wanna do more eventually
|
2019-03-09 13:13:36 -08:00 |
toby
|
f44ff9304e
|
disabling arp on the vm interface all together. we have the static entries from the unnumbered system, reduces the attack surface and DOS potentially on the hypervisor
|
2019-03-09 12:05:45 -08:00 |
toby
|
51d76bc101
|
more testing...
|
2019-03-08 23:37:53 -08:00 |
toby
|
268dd01421
|
another attempt at the rules file
|
2019-03-08 23:21:18 -08:00 |
toby
|
cfeef0de5b
|
... seriously,... running out of ideas ...
|
2019-03-08 23:19:39 -08:00 |
toby
|
396b2899ae
|
... seriously,... running out of ideas ...
|
2019-03-08 22:53:21 -08:00 |
toby
|
b63d21ba83
|
... seriously,... running out of ideas ...
|
2019-03-08 22:42:11 -08:00 |
toby
|
2b1c7b34a6
|
trying a whole new approach, seems like it worked on my wit-vm-router-config package, lets see what it does here ...
|
2019-03-08 22:14:00 -08:00 |
toby
|
1cf4ef12f7
|
migrating to the more conventional static arp/unnumbered ipv4 routing based on the BGP unnumbered RFC just without the BGP ;) ... its nice this way cause if we do decide to add BGP on top on a later time it will look essentially the same, just dynamic... for now it's static though ;)
|
2019-03-08 20:09:13 +00:00 |
toby
|
22b4da07a3
|
removing jumbo frames from uplinks. it aint happening....
|
2019-02-23 06:22:12 +00:00 |
toby
|
af873ce08e
|
adding interface length safety
|
2019-02-23 05:16:27 +00:00 |
toby
|
15c67eae20
|
since we changed the manual vmrun script we can now force the if-variable file to be present in qemu-ifup
|
2019-02-23 05:05:21 +00:00 |
toby
|
a497c70abe
|
adding mgmt dhcp6 - so we get ntp and dns over ipv6 - and timesyncd dhcp6 exit script
|
2019-02-23 04:09:55 +00:00 |
toby
|
fc197c9fce
|
just comments...
|
2019-02-21 04:31:18 +00:00 |
toby
|
fb96f1daa8
|
adding more resiliancy to the ifup-public script. we want it to maybe fail if it doesn't know what to do with the variable. not just silently continue
|
2019-02-21 01:02:35 +00:00 |
toby
|
13be20d519
|
writing out ipsec.secrets through postinst again since apparmor blocks any type of hide/displace action
|
2019-02-14 22:15:36 -08:00 |
toby
|
477b89aa0e
|
fixing major bug in ipsec.secrets
|
2019-02-14 17:46:50 -08:00 |
toby
|
289b42e100
|
fixing sysctl tweak path
|
2019-02-14 17:31:38 -08:00 |
toby
|
3003509bf4
|
trying yet again a different approach to update files correctly upon install
|
2019-02-14 16:43:13 -08:00 |
toby
|
a3934b7014
|
evidently everything is breaking right now, so trying a different approach
|
2019-02-14 14:43:53 -08:00 |
toby
|
1066e48dc7
|
evidently everything is breaking right now, so trying a different approach
|
2019-02-14 14:38:06 -08:00 |
toby
|
7ef14c0794
|
adding some comments to the dynamic files
|
2019-02-14 13:24:08 -08:00 |
toby
|
db0f639547
|
switching the debian install around: all 'templates' are modified in the local folder and are than installed when already modified using isc-dhcp-server as an example in hope to imporove upgrade-consistency.
|
2019-02-14 12:35:33 -08:00 |
toby
|
94b3a68407
|
allow Default fallback route by default on eBGPv6-IN as well
|
2019-02-14 03:25:27 -08:00 |
root
|
30ac6534a3
|
adding first very very basic old-school vlan support
|
2019-02-14 08:34:11 +00:00 |
toby
|
5363feff09
|
firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping
|
2019-02-09 19:48:51 -08:00 |
toby
|
90e3484f5c
|
firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules
|
2019-02-05 20:42:36 -08:00 |
toby
|
b9d53909b8
|
starting to use ceph on ipv6 as well ....
|
2019-02-05 20:23:44 -08:00 |
toby
|
c99727567d
|
frr.conf: setting timers manually that would be set by the --enable-datacenter flag on frr. this way we don't have to compile our own frr. --enable-cumulus at this point only enables and alias for bgp address-family of evpn vs address-family l2vpn evpn. which we don't use anyway or already do it the right way
|
2019-02-05 19:16:03 -08:00 |
toby
|
48abb08b5a
|
setting loopback source IP on all bgp routes for IPv6 as well - did this on ipv4 but may need patching as I wanted to use only the public IP for public routes on IPv4. may still break if for whatever reason it prefers the mgmtgw/ipmigw IP like it just happened on ipv6
|
2019-02-04 18:09:28 -08:00 |
toby
|
d8245c2223
|
limiting lldp to only mgmt interfaces and avoid VMs to see lldp neigh requests
|
2019-01-30 11:36:56 -08:00 |
toby
|
78d6e4d4ff
|
less output on qemu ifup scripts
|
2019-01-29 22:31:07 -08:00 |
toby
|
2af76bb4e8
|
qemu-ifup/public scritps, replaced dig loopback lookup with ip, for more stability and better all round support for outside of libvirt
|
2019-01-29 18:51:02 +00:00 |
toby
|
39d7830086
|
IPsec: ipsec.conf config items typoed. auth vs authby need to make sure it does't break but this shuold be the right way
|
2019-01-24 14:12:41 -08:00 |
toby
|
c3df5d6f12
|
just some comments and to test the new signing machinery ...
|
2019-01-23 14:50:54 -08:00 |
toby
|
a1d5439422
|
firewall: allowing ipmi calles to be routed so that VPN clients and other boxes can make calls to ipmi
|
2019-01-11 18:09:37 +01:00 |
toby
|
0de30974af
|
fixing the copyright in debian to be GPLv3
|
2019-01-09 23:20:40 +01:00 |
toby
|
277cd58eaa
|
completely removing grub left overs
|
2019-01-08 21:00:46 +01:00 |
toby
|
afdcd416b7
|
removing ssh-password less which is now default anyway, and also remove grub config which needs to be broken out since it differes on various platforms like arm and s86
|
2019-01-08 19:11:29 +01:00 |
toby
|
643519147d
|
removing grub-pc from dependencies again, PXE has more issues anyway and we wanna work towards the EFI boot options and it bites grub-efi
|
2019-01-03 15:48:13 +01:00 |
toby
|
e88b13e51d
|
adding customer interface bgp firewall fules
|
2019-01-02 22:29:23 +01:00 |
toby
|
7468e4fddf
|
more work on customer link support on edges
|
2019-01-02 22:05:35 +01:00 |