toby
|
1855169a42
|
adding bastion firewall rules to all firewalls. this is a precaution so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible but if ansible gets forgotten or other things happen this will make sure the most critical things are there
|
2018-11-04 21:13:13 +01:00 |
toby
|
0868dd4df3
|
adding some early work for bastion support
|
2018-11-04 21:02:07 +01:00 |
toby
|
7aabd41def
|
simplifying and adding flexibility to the NOTRACK rules
|
2018-11-04 19:19:09 +00:00 |
toby
|
249e13bac6
|
adding mgmt IPs on the console output
|
2018-11-03 20:27:10 +01:00 |
toby
|
c25c9f4e03
|
ipsec: swanctl work: binding to only lo and feth interfaces. this should potentially avoid some issues
|
2018-11-01 16:11:59 +01:00 |
toby
|
03a8db740f
|
for now keeping the ikev1, the upgrade to v2 needs to be planned
|
2018-10-31 23:15:54 +01:00 |
toby
|
d3161082de
|
ipsec: setting source IP to loopback
|
2018-10-31 23:06:30 +01:00 |
toby
|
633b0a7521
|
removing hardcoded ike version and also fixing file path for swanctl-conf file
|
2018-10-28 22:04:16 +01:00 |
toby
|
3f2238a090
|
adding swanctl draft config. not yet used but wanna eventually switch to it
|
2018-10-28 20:45:20 +01:00 |
toby
|
467548f6e8
|
ipsec: adding new key-proposal that we wanna move towards to. once rolled out, we'd like to deprecate the old weak ones
|
2018-10-26 21:46:49 +02:00 |
toby
|
f925ad46a0
|
updated IP for new mirrors in usw2
|
2018-10-24 23:07:54 +02:00 |
toby
|
31abf06342
|
setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes
|
2018-10-23 23:28:29 +02:00 |
toby
|
f9ed8fe88b
|
adding allowas-in 1 to iBGP peergroup. this allows routes coming in from peer-edge over the gre to be learned
|
2018-10-23 18:27:55 +02:00 |
toby
|
eb8a990fc8
|
tiny but major bug in frr config
|
2018-10-23 17:39:54 +02:00 |
toby
|
d67b225792
|
cleanup firewall rules and making unnumbered bgp rules a tad more restrictive
|
2018-10-21 23:08:58 +02:00 |
toby
|
c7d116d1c1
|
adding firewall rules for edge boxes
|
2018-10-20 18:55:45 +02:00 |
toby
|
0eceabfe1d
|
implementing some ad-hoc patches I did yesterday to get it going
|
2018-10-20 17:51:53 +02:00 |
toby
|
ea70e243fe
|
more work on edge.... adding support for dynamic ipsec subnets and some more minor patches
|
2018-10-19 19:57:07 +02:00 |
toby
|
587bba4290
|
more work on edge / dynamic frr config... .making progress but still ways to go,... just taking a backup...
|
2018-10-19 17:03:43 +02:00 |
toby
|
7e1d7993fe
|
more work on edge / dynamic frr config... .making progress but still ways to go,... just taking a backup...
|
2018-10-19 16:56:11 +02:00 |
toby
|
cfdc1cd3a9
|
more work ... .still ways to go,... just taking a backup...
|
2018-10-18 22:12:43 +02:00 |
toby
|
0e9142c15e
|
first major commit for edge boxes support, not nearly done yet
|
2018-10-16 22:44:57 +02:00 |
toby
|
4f7f177cc6
|
fixing bug in regex of qemu-ifup-public public IP matching
|
2018-10-08 18:22:22 +02:00 |
toby
|
1b891db635
|
renaming WIT customers prefix-list to be more consistent, in preparation for edge support
|
2018-10-08 18:20:48 +02:00 |
toby
|
a343ade9c4
|
adding new firewall rule for stackapi
|
2018-10-05 22:27:10 +00:00 |
toby
|
928142ce70
|
updating the qemu-ifup scripts to reflect the new versions using local files
|
2018-10-05 18:29:12 +00:00 |
toby
|
bc97208b34
|
typo in ipv6 prefix list for new customer blocks
|
2018-10-04 20:07:50 +02:00 |
toby
|
23c5b533c1
|
adding more IPv6 customer blocks for paul for the new v2 stack in usw2
|
2018-10-04 18:22:45 +02:00 |
toby
|
b5860daf1d
|
typo in firewall rule
|
2018-10-01 18:25:50 +02:00 |
toby
|
7a948a6fbf
|
adding ipv6 ssh support from bastion (in theory we should actually only need that, but keep ipv4 for now ... just in case)
|
2018-10-01 15:04:23 +02:00 |
toby
|
1c50cecdb5
|
adding direct ssh access on default for bastion, and migrating to admin domain instead of 3 different zones
|
2018-10-01 10:39:17 +02:00 |
toby
|
b18d2c03c8
|
adding mirrors.wit.com to the firewall
|
2018-09-26 23:47:01 +02:00 |
toby
|
d87f7c1720
|
configuring etc/network/interfaces from postinst instead of installing a static file
|
2018-09-25 23:24:42 +02:00 |
Adam Frank
|
6a01e4988b
|
adding local ceph traffic rules
|
2018-09-22 04:57:07 +00:00 |
toby
|
c8195a9cf8
|
adding first estimated rules for ceph
|
2018-09-20 16:40:25 +02:00 |
toby
|
37c69ab507
|
adding ipv6 tunnel to strongswan and matching firewall rules
|
2018-09-17 21:28:02 +02:00 |
toby
|
05cb6ef35f
|
quick fix for ifup since introduction of IPv6 loopback IPs
|
2018-09-13 23:51:03 +02:00 |
toby
|
002d2e0221
|
fixing firewall script and rolling back to hardcoded IP till I get the systemd unit file
|
2018-09-13 23:41:28 +02:00 |
toby
|
2e95eb7bad
|
organizing the firewall a little bit, no changes in theory
|
2018-09-13 12:08:40 +02:00 |
toby
|
8bdbba3016
|
organizing the firewall a little bit, no changes in theory
|
2018-09-13 01:17:40 +02:00 |
toby
|
4a69025703
|
removing legacy dhcp stuff and starting to rely on DNS for loopback v4/v6 and asn
|
2018-09-12 20:01:52 +02:00 |
toby
|
dc6a02d0d4
|
fixing ipv6 mgmt firewall rules (again) and setting mgmt1 interface to be dhcp as well (not just auto)
|
2018-09-10 21:03:57 +02:00 |
toby
|
7d30951603
|
fixing DHCP6 offer packets on firewall to come through
|
2018-09-09 23:37:24 +02:00 |
toby
|
d96371752d
|
adding DHCP6 offer packets on firewall to come through
|
2018-09-09 23:20:30 +02:00 |
toby
|
52e4f93928
|
cleanup / organizing frr.conf a little bit for dual stack
|
2018-09-09 20:06:05 +02:00 |
toby
|
660343046e
|
fix firewall to support our DNS
|
2018-09-09 15:42:45 +02:00 |
toby
|
4df3901bc2
|
adjusting ipv6 prefix filter to match new subnet definitions
|
2018-09-09 14:30:22 +02:00 |
toby
|
8beb8a5aa9
|
removing pre-defined loopback subnet from firewall dependency
|
2018-09-09 13:30:30 +02:00 |
toby
|
37125104c3
|
pulling loopback IP from DNS instead of relying on dhcp and configfile, moving net-interfaces to their own files in interfaces.d, cleaning up the postinst script a bit for easier reading
|
2018-09-09 12:58:45 +02:00 |
root
|
f6303f817b
|
adding support for frr 5.0
|
2018-08-12 16:34:19 +00:00 |