jcarr
/
wit-network-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
297 Commits 1 Branch 0 Tags 268 KiB
Commit Graph

132 Commits

Author SHA1 Message Date
toby a000b9e2de firewall: moving the http rule to ipv6 - doh - and killing the etcd/stackapi rules again since we decided to go without them 2019-04-09 22:47:57 +00:00
toby 47b2e0b3e6 adding firewall http over VPN rule for bastion cert exchange and possibly more in the future 2019-04-09 21:27:28 +00:00
toby 1c38fef482 updateting qemu-ifup to support the VNI passed in the ifname 2019-04-09 20:38:44 +00:00
toby 7a00635a57 adding curl supprt to the qemu-ifup script again 2019-04-05 17:58:55 +00:00
toby b8e6a8a418 doh, ipv6 we want not ipv4 ;) 2019-04-05 00:17:39 +00:00
toby 30eecc7f51 allowing stackapi traffic over the VPN 2019-04-04 23:35:07 +00:00
toby d2a7099392 pulling out all the bastion related rules and moving them to tha bastion ansible... this may break shit... 2019-03-29 22:40:03 +00:00
toby 2b6992eec1 qemu-ifup: use variable for consistency 2019-03-22 19:55:03 +00:00
toby 9fa840a956 fixing typo in firewall rules 2019-03-13 01:32:01 +00:00
toby 73b2389f08 adding iptables comments to all rules 2019-03-13 00:14:17 +00:00
toby 0c2e02c1b8 removing old prometheus rules that were once hosted in aws 2019-03-11 21:51:06 +00:00
toby c760ae7c2c firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6 2019-03-11 21:48:58 +00:00
toby eeb6cedbf6 bugfix wit-gc: changing the way to quickly add the blackhole route. this way it does not get advertised over BGP (it's considered invalid) and so it doesn't create any hickups if the same route would already be used somewhere else 2019-03-11 19:30:52 +00:00
toby 73ae7b9680 accepting up to /56 on ipv6 and bugfixing for wit-gc 2019-03-11 18:59:24 +00:00
toby 2e9317222e minor bugfix on wit-gc... more to come on stale routes 2019-03-11 07:19:09 +00:00
toby 5be0d4b8fc updated qemu scripts and wit-gc to support new ipv4 forwarding 2019-03-11 02:16:33 +00:00
toby bc47af367a we definitely wanna support more than /64 on ipv6, upping it to /60 for now, but prob wanna do more eventually 2019-03-09 13:13:36 -08:00
toby f44ff9304e disabling arp on the vm interface all together. we have the static entries from the unnumbered system, reduces the attack surface and DOS potentially on the hypervisor 2019-03-09 12:05:45 -08:00
toby 1cf4ef12f7 migrating to the more conventional static arp/unnumbered ipv4 routing based on the BGP unnumbered RFC just without the BGP ;) ... its nice this way cause if we do decide to add BGP on top on a later time it will look essentially the same, just dynamic... for now it's static though ;) 2019-03-08 20:09:13 +00:00
toby af873ce08e adding interface length safety 2019-02-23 05:16:27 +00:00
toby 15c67eae20 since we changed the manual vmrun script we can now force the if-variable file to be present in qemu-ifup 2019-02-23 05:05:21 +00:00
toby a497c70abe adding mgmt dhcp6 - so we get ntp and dns over ipv6 - and timesyncd dhcp6 exit script 2019-02-23 04:09:55 +00:00
toby fc197c9fce just comments... 2019-02-21 04:31:18 +00:00
toby fb96f1daa8 adding more resiliancy to the ifup-public script. we want it to maybe fail if it doesn't know what to do with the variable. not just silently continue 2019-02-21 01:02:35 +00:00
toby db0f639547 switching the debian install around: all 'templates' are modified in the local folder and are than installed when already modified using isc-dhcp-server as an example in hope to imporove upgrade-consistency. 2019-02-14 12:35:33 -08:00
toby 94b3a68407 allow Default fallback route by default on eBGPv6-IN as well 2019-02-14 03:25:27 -08:00
root 30ac6534a3 adding first very very basic old-school vlan support 2019-02-14 08:34:11 +00:00
toby 5363feff09 firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping 2019-02-09 19:48:51 -08:00
toby 90e3484f5c firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules 2019-02-05 20:42:36 -08:00
toby b9d53909b8 starting to use ceph on ipv6 as well .... 2019-02-05 20:23:44 -08:00
toby c99727567d frr.conf: setting timers manually that would be set by the --enable-datacenter flag on frr. this way we don't have to compile our own frr. --enable-cumulus at this point only enables and alias for bgp address-family of evpn vs address-family l2vpn evpn. which we don't use anyway or already do it the right way 2019-02-05 19:16:03 -08:00
toby 48abb08b5a setting loopback source IP on all bgp routes for IPv6 as well - did this on ipv4 but may need patching as I wanted to use only the public IP for public routes on IPv4. may still break if for whatever reason it prefers the mgmtgw/ipmigw IP like it just happened on ipv6 2019-02-04 18:09:28 -08:00
toby d8245c2223 limiting lldp to only mgmt interfaces and avoid VMs to see lldp neigh requests 2019-01-30 11:36:56 -08:00
toby 78d6e4d4ff less output on qemu ifup scripts 2019-01-29 22:31:07 -08:00
toby 2af76bb4e8 qemu-ifup/public scritps, replaced dig loopback lookup with ip, for more stability and better all round support for outside of libvirt 2019-01-29 18:51:02 +00:00
toby 39d7830086 IPsec: ipsec.conf config items typoed. auth vs authby need to make sure it does't break but this shuold be the right way 2019-01-24 14:12:41 -08:00
toby c3df5d6f12 just some comments and to test the new signing machinery ... 2019-01-23 14:50:54 -08:00
toby a1d5439422 firewall: allowing ipmi calles to be routed so that VPN clients and other boxes can make calls to ipmi 2019-01-11 18:09:37 +01:00
toby e88b13e51d adding customer interface bgp firewall fules 2019-01-02 22:29:23 +01:00
toby 2a4150aa41 firewall cleanup and organization 2018-12-21 17:41:04 +01:00
toby 83332a7f74 just formatting 2018-12-20 15:28:27 +01:00
Tim Sogard dfa58f6089 Allow hosts to communicate with prometheus exporters 2018-12-20 02:27:37 -05:00
toby fcfdc8b19c mistakenly commited initial work for customer peering. so fixing the problem now by disabling the parts that would break things 2018-12-20 00:01:59 +01:00
toby 279648eeb3 adding frr-pythontools and grub-pc as dependencies 2018-12-19 23:53:35 +01:00
toby 3032bf9edb tweaking threads a bit more 2018-12-09 22:55:54 +01:00
toby 7fb7552c90 firewall: removing upstream NTP and adding bgp rules for edge ibgp links 2018-12-07 23:27:09 +01:00
toby d81c621bd0 ipsec tweaks for stability ... hopefully.... 2018-12-07 18:08:11 +01:00
toby 1c1b6e6383 some work to actually advertise mgmt/ipmi networks from bastion into the bgp domain 2018-12-06 18:57:32 +01:00
toby 0494fb2e21 ipsec: no changes, just unified formating and cleanup of config 2018-12-05 21:26:06 +01:00
toby adefd694e4 enabling debug post-script again and removing hardcoded domain name in post-script for subnets lookups 2018-12-01 18:30:10 +01:00