Commit Graph

276 Commits

Author SHA1 Message Date
toby 9fa840a956 fixing typo in firewall rules 2019-03-13 01:32:01 +00:00
toby 73b2389f08 adding iptables comments to all rules 2019-03-13 00:14:17 +00:00
toby 0c2e02c1b8 removing old prometheus rules that were once hosted in aws 2019-03-11 21:51:06 +00:00
toby c760ae7c2c firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6 2019-03-11 21:48:58 +00:00
toby eeb6cedbf6 bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hickups if the same route would already be used somewhere else 2019-03-11 19:30:52 +00:00
toby 73ae7b9680 accepting up to /56 on ipv6 and bugfixing for wit-gc 2019-03-11 18:59:24 +00:00
toby 2e9317222e minor bugfix on wit-gc... more to come on stale routes 2019-03-11 07:19:09 +00:00
toby 5be0d4b8fc updated qemu scripts and wit-gc to support new ipv4 forwarding 2019-03-11 02:16:33 +00:00
toby bc47af367a we definitely wanna support more than /64 on ipv6, upping it to /60 for now, but prob wanna do more eventually 2019-03-09 13:13:36 -08:00
toby f44ff9304e disabling arp on the vm interface all together. we have the static entries from the unnumbered system, reduces the attack surface and DOS potentially on the hypervisor 2019-03-09 12:05:45 -08:00
toby 51d76bc101 more testing... 2019-03-08 23:37:53 -08:00
toby 268dd01421 another attempt at the rules file 2019-03-08 23:21:18 -08:00
toby cfeef0de5b ... seriously,... running out of ideas ... 2019-03-08 23:19:39 -08:00
toby 396b2899ae ... seriously,... running out of ideas ... 2019-03-08 22:53:21 -08:00
toby b63d21ba83 ... seriously,... running out of ideas ... 2019-03-08 22:42:11 -08:00
toby 2b1c7b34a6 trying a whole new approach, seems like it worked on my wit-vm-router-config package, lets see what it does here ... 2019-03-08 22:14:00 -08:00
toby 1cf4ef12f7 migrating to the more conventional static arp/unnumbered ipv4 routing based on the BGP unnumbered RFC just without the BGP ;) ... its nice this way cause if we do decide to add BGP on top on a later time it will look essentially the same, just dynamic... for now it's static though ;) 2019-03-08 20:09:13 +00:00
toby 22b4da07a3 removing jumbo frames from uplinks. it aint happening.... 2019-02-23 06:22:12 +00:00
toby af873ce08e adding interface length safety 2019-02-23 05:16:27 +00:00
toby 15c67eae20 since we changed the manual vmrun script we can now force the if-variable file to be present in qemu-ifup 2019-02-23 05:05:21 +00:00
toby a497c70abe adding mgmt dhcp6 - so we get ntp and dns over ipv6 - and timesyncd dhcp6 exit script 2019-02-23 04:09:55 +00:00
toby fc197c9fce just comments... 2019-02-21 04:31:18 +00:00
toby fb96f1daa8 adding more resiliancy to the ifup-public script. we want it to maybe fail if it doesn't know what to do with the variable. not just silently continue 2019-02-21 01:02:35 +00:00
toby 13be20d519 writing out ipsec.secrets through postinst again since apparmor blocks any type of hide/displace action 2019-02-14 22:15:36 -08:00
toby 477b89aa0e fixing major bug in ipsec.secrets 2019-02-14 17:46:50 -08:00
toby 289b42e100 fixing sysctl tweak path 2019-02-14 17:31:38 -08:00
toby 3003509bf4 trying yet again a different approach to update files correctly upon install 2019-02-14 16:43:13 -08:00
toby a3934b7014 evidently everything is breaking right now, so trying a different approach 2019-02-14 14:43:53 -08:00
toby 1066e48dc7 evidently everything is breaking right now, so trying a different approach 2019-02-14 14:38:06 -08:00
toby 7ef14c0794 adding some comments to the dynamic files 2019-02-14 13:24:08 -08:00
toby db0f639547 switching the debian install around: all 'templates' are modified in the local folder and are than installed when already modified using isc-dhcp-server as an example in hope to imporove upgrade-consistency. 2019-02-14 12:35:33 -08:00
toby 94b3a68407 allow Default fallback route by default on eBGPv6-IN as well 2019-02-14 03:25:27 -08:00
root 30ac6534a3 adding first very very basic old-school vlan support 2019-02-14 08:34:11 +00:00
toby 5363feff09 firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping 2019-02-09 19:48:51 -08:00
toby 90e3484f5c firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules 2019-02-05 20:42:36 -08:00
toby b9d53909b8 starting to use ceph on ipv6 as well .... 2019-02-05 20:23:44 -08:00
toby c99727567d frr.conf: setting timers manually that would be set by the --enable-datacenter flag on frr. this way we don't have to compile our own frr. --enable-cumulus at this point only enables and alias for bgp address-family of evpn vs address-family l2vpn evpn. which we don't use anyway or already do it the right way 2019-02-05 19:16:03 -08:00
toby 48abb08b5a setting loopback source IP on all bgp routes for IPv6 as well - did this on ipv4 but may need patching as I wanted to use only the public IP for public routes on IPv4. may still break if for whatever reason it prefers the mgmtgw/ipmigw IP like it just happened on ipv6 2019-02-04 18:09:28 -08:00
toby d8245c2223 limiting lldp to only mgmt interfaces and avoid VMs to see lldp neigh requests 2019-01-30 11:36:56 -08:00
toby 78d6e4d4ff less output on qemu ifup scripts 2019-01-29 22:31:07 -08:00
toby 2af76bb4e8 qemu-ifup/public scritps, replaced dig loopback lookup with ip, for more stability and better all round support for outside of libvirt 2019-01-29 18:51:02 +00:00
toby 39d7830086 IPsec: ipsec.conf config items typoed. auth vs authby need to make sure it does't break but this shuold be the right way 2019-01-24 14:12:41 -08:00
toby c3df5d6f12 just some comments and to test the new signing machinery ... 2019-01-23 14:50:54 -08:00
toby a1d5439422 firewall: allowing ipmi calles to be routed so that VPN clients and other boxes can make calls to ipmi 2019-01-11 18:09:37 +01:00
toby 0de30974af fixing the copyright in debian to be GPLv3 2019-01-09 23:20:40 +01:00
toby 277cd58eaa completely removing grub left overs 2019-01-08 21:00:46 +01:00
toby afdcd416b7 removing ssh-password less which is now default anyway, and also remove grub config which needs to be broken out since it differes on various platforms like arm and s86 2019-01-08 19:11:29 +01:00
toby 643519147d removing grub-pc from dependencies again, PXE has more issues anyway and we wanna work towards the EFI boot options and it bites grub-efi 2019-01-03 15:48:13 +01:00
toby e88b13e51d adding customer interface bgp firewall fules 2019-01-02 22:29:23 +01:00
toby 7468e4fddf more work on customer link support on edges 2019-01-02 22:05:35 +01:00