Commit Graph

64 Commits

Author SHA1 Message Date
toby 1855169a42 adding bastion firewall rules to all firewalls. this is a precaution so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible, but if ansible gets forgotten or other things happen this will make sure the most critical things are there 2018-11-04 21:13:13 +01:00
toby 0868dd4df3 adding some early work for bastion support 2018-11-04 21:02:07 +01:00
toby 7aabd41def simplifying and adding flexibility to the NOTRACK rules 2018-11-04 19:19:09 +00:00
toby 249e13bac6 adding mgmt IPs on the console output 2018-11-03 20:27:10 +01:00
toby c25c9f4e03 ipsec: swanctl work: binding to only lo and feth interfaces. this should potentially avoid some issues 2018-11-01 16:11:59 +01:00
toby 03a8db740f for now keeping the ikev1, the upgrade to v2 needs to be planned 2018-10-31 23:15:54 +01:00
toby d3161082de ipsec: setting source IP to loopback 2018-10-31 23:06:30 +01:00
toby 633b0a7521 removing hardcoded ike version and also fixing file path for swanctl-conf file 2018-10-28 22:04:16 +01:00
toby 3f2238a090 adding swanctl draft config. not yet used but wanna eventually switch to it 2018-10-28 20:45:20 +01:00
toby 467548f6e8 ipsec: adding new key-proposal that we wanna move towards to. once rolled out, we'd like to deprecate the old weak ones 2018-10-26 21:46:49 +02:00
toby f925ad46a0 updated IP for new mirrors in usw2 2018-10-24 23:07:54 +02:00
toby 31abf06342 setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes 2018-10-23 23:28:29 +02:00
toby f9ed8fe88b adding allowas-in 1 to iBGP peergroup. this allows routes coming in from peer-edge over the gre to be learned 2018-10-23 18:27:55 +02:00
toby eb8a990fc8 tiny but major bug in frr config 2018-10-23 17:39:54 +02:00
toby d67b225792 cleanup firewall rules and making unnumbered bgp rules a tad more restrictive 2018-10-21 23:08:58 +02:00
toby c7d116d1c1 adding firewall rules for edge boxes 2018-10-20 18:55:45 +02:00
toby 0eceabfe1d implementing some ad-hoc patches I did yesterday to get it going 2018-10-20 17:51:53 +02:00
toby ea70e243fe more work on edge... adding support for dynamic ipsec subnets and some more minor patches 2018-10-19 19:57:07 +02:00
toby 587bba4290 more work on edge / dynamic frr config... making progress but still ways to go... just taking a backup... 2018-10-19 17:03:43 +02:00
toby 7e1d7993fe more work on edge / dynamic frr config... making progress but still ways to go... just taking a backup... 2018-10-19 16:56:11 +02:00
toby cfdc1cd3a9 more work... still ways to go... just taking a backup... 2018-10-18 22:12:43 +02:00
toby 0e9142c15e first major commit for edge boxes support, not nearly done yet 2018-10-16 22:44:57 +02:00
toby 4f7f177cc6 fixing bug in regex of qemu-ifup-public public IP matching 2018-10-08 18:22:22 +02:00
toby 1b891db635 renaming WIT customers prefix-list to be more consistent, in preparation for edge support 2018-10-08 18:20:48 +02:00
toby a343ade9c4 adding new firewall rule for stackapi 2018-10-05 22:27:10 +00:00
toby 928142ce70 updating the qemu-ifup scripts to reflect the new versions using local files 2018-10-05 18:29:12 +00:00
toby bc97208b34 typo in ipv6 prefix list for new customer blocks 2018-10-04 20:07:50 +02:00
toby 23c5b533c1 adding more IPv6 customer blocks for paul for the new v2 stack in usw2 2018-10-04 18:22:45 +02:00
toby b5860daf1d typo in firewall rule 2018-10-01 18:25:50 +02:00
toby 7a948a6fbf adding ipv6 ssh support from bastion (in theory we should actually only need that, but keep ipv4 for now ... just in case) 2018-10-01 15:04:23 +02:00
toby 1c50cecdb5 adding direct ssh access on default for bastion, and migrating to admin domain instead of 3 different zones 2018-10-01 10:39:17 +02:00
toby b18d2c03c8 adding mirrors.wit.com to the firewall 2018-09-26 23:47:01 +02:00
toby d87f7c1720 configuring etc/network/interfaces from postinst instead of installing a static file 2018-09-25 23:24:42 +02:00
Adam Frank 6a01e4988b adding local ceph traffic rules 2018-09-22 04:57:07 +00:00
toby c8195a9cf8 adding first estimated rules for ceph 2018-09-20 16:40:25 +02:00
toby 37c69ab507 adding ipv6 tunnel to strongswan and matching firewall rules 2018-09-17 21:28:02 +02:00
toby 05cb6ef35f quick fix for ifup since introduction of IPv6 loopback IPs 2018-09-13 23:51:03 +02:00
toby 002d2e0221 fixing firewall script and rolling back to hardcoded IP till I get the systemd unit file 2018-09-13 23:41:28 +02:00
toby 2e95eb7bad organizing the firewall a little bit, no changes in theory 2018-09-13 12:08:40 +02:00
toby 8bdbba3016 organizing the firewall a little bit, no changes in theory 2018-09-13 01:17:40 +02:00
toby 4a69025703 removing legacy dhcp stuff and starting to rely on DNS for loopback v4/v6 and asn 2018-09-12 20:01:52 +02:00
toby dc6a02d0d4 fixing ipv6 mgmt firewall rules (again) and setting mgmt1 interface to be dhcp as well (not just auto) 2018-09-10 21:03:57 +02:00
toby 7d30951603 fixing DHCP6 offer packets on firewall to come through 2018-09-09 23:37:24 +02:00
toby d96371752d adding DHCP6 offer packets on firewall to come through 2018-09-09 23:20:30 +02:00
toby 52e4f93928 cleanup / organizing frr.conf a little bit for dual stack 2018-09-09 20:06:05 +02:00
toby 660343046e fix firewall to support our DNS 2018-09-09 15:42:45 +02:00
toby 4df3901bc2 adjusting ipv6 prefix filter to match new subnet definitions 2018-09-09 14:30:22 +02:00
toby 8beb8a5aa9 removing pre-defined loopback subnet from firewall dependency 2018-09-09 13:30:30 +02:00
toby 37125104c3 pulling loopback IP from DNS instead of relying on dhcp and configfile, moving net-interfaces to their own files in interfaces.d, cleaning up the postinst script a bit for easier reading 2018-09-09 12:58:45 +02:00
root f6303f817b adding support for frr 5.0 2018-08-12 16:34:19 +00:00