toby
|
bfbd9068e4
|
minor adjustments to the swanctl config template after making all these upgrades to ipsec.conf. ipsec.conf is still the active one; swanctl is not cut over yet
|
2018-12-01 18:29:29 +01:00 |
toby
|
91e34ea5e1
|
ipsec: removing the old proposal now that we are 100% upgraded; also tweaking some settings, making use of IKEv2
|
2018-11-30 18:27:18 +01:00 |
toby
|
83e0ccc728
|
adding a firewall restart to the postinst script. the firewall is now restarted on upgrade; this may break kickstart, need to test
|
2018-11-28 18:14:08 +01:00 |
toby
|
fcaa400452
|
removing ceph rgw 8080 for now since it's not in use
|
2018-11-26 19:17:31 +01:00 |
toby
|
2ff6566d2e
|
firewall house-keeping
|
2018-11-26 18:39:18 +01:00 |
toby
|
c65529f6ad
|
adding support for the bastion's public lo IPv4
|
2018-11-19 18:35:11 +01:00 |
toby
|
e5b6e96c2e
|
adding bastion2 to firewalls for potential failover
|
2018-11-19 00:32:12 +01:00 |
toby
|
b2b902672b
|
raising dpdtimeout to be 5x the delay; it's much more aggressive than the defaults, but at least it's the same multiplier as the default
|
2018-11-18 23:18:29 +01:00 |
toby
|
9d11caf8f9
|
changed my mind about closeaction; we should maybe have that, but trying to use hold instead
|
2018-11-18 22:14:26 +01:00 |
toby
|
86d5c80bbb
|
ipsec changes: IKEv2, and more ipsec changes to hopefully increase stability
|
2018-11-18 22:06:53 +01:00 |
toby
|
e3fba4ecad
|
prepping to flip the bastion back to a loopback IP; setting the firewall rule accordingly
|
2018-11-18 02:22:04 +01:00 |
toby
|
9028be6de6
|
fixing live migration iptables rules
|
2018-11-17 02:06:37 +01:00 |
toby
|
a0d2d87355
|
adding ceph rgw rules to firewall
|
2018-11-16 18:26:57 +01:00 |
toby
|
052aeec779
|
we obviously wanna remove our private ASNs on IPv6 as well
|
2018-11-15 21:05:45 +01:00 |
toby
|
26f34e482f
|
adding smarthost to the firewall
|
2018-11-13 20:41:41 +01:00 |
toby
|
346f3516d4
|
more/better bastion support
|
2018-11-13 17:22:42 +01:00 |
toby
|
045736616f
|
fixing a small console error so that systemd actually thinks the firewall started successfully
|
2018-11-12 21:08:25 +01:00 |
toby
|
039b56b15d
|
fixing issue showing IPs
|
2018-11-07 17:07:47 +01:00 |
toby
|
1855169a42
|
adding bastion firewall rules to all firewalls. this is a precaution so that we have the blocking rules in any event. the rest of the bastion gets deployed through ansible, but if ansible gets forgotten or other things happen, this will make sure the most critical things are there
|
2018-11-04 21:13:13 +01:00 |
toby
|
0868dd4df3
|
adding some early work for bastion support
|
2018-11-04 21:02:07 +01:00 |
toby
|
7aabd41def
|
simplifying and adding flexibility to the NOTRACK rules
|
2018-11-04 19:19:09 +00:00 |
toby
|
249e13bac6
|
adding mgmt IPs to the console output
|
2018-11-03 20:27:10 +01:00 |
toby
|
c25c9f4e03
|
ipsec: swanctl work: binding only to lo and feth interfaces. this should potentially avoid some issues
|
2018-11-01 16:11:59 +01:00 |
toby
|
03a8db740f
|
for now keeping IKEv1; the upgrade to v2 needs to be planned
|
2018-10-31 23:15:54 +01:00 |
toby
|
d3161082de
|
ipsec: setting source IP to loopback
|
2018-10-31 23:06:30 +01:00 |
toby
|
633b0a7521
|
removing the hardcoded IKE version and also fixing the file path for the swanctl-conf file
|
2018-10-28 22:04:16 +01:00 |
toby
|
3f2238a090
|
adding a swanctl draft config. not yet used, but wanna eventually switch to it
|
2018-10-28 20:45:20 +01:00 |
toby
|
467548f6e8
|
ipsec: adding a new key proposal that we wanna move towards. once rolled out, we'd like to deprecate the old weak ones
|
2018-10-26 21:46:49 +02:00 |
toby
|
f925ad46a0
|
updated IP for new mirrors in usw2
|
2018-10-24 23:07:54 +02:00 |
toby
|
31abf06342
|
setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes
|
2018-10-23 23:28:29 +02:00 |
toby
|
f9ed8fe88b
|
adding allowas-in 1 to the iBGP peer group. this allows routes coming in from peer-edge over the GRE to be learned
|
2018-10-23 18:27:55 +02:00 |
toby
|
eb8a990fc8
|
tiny but major bug in frr config
|
2018-10-23 17:39:54 +02:00 |
toby
|
d67b225792
|
cleanup firewall rules and making unnumbered bgp rules a tad more restrictive
|
2018-10-21 23:08:58 +02:00 |
toby
|
c7d116d1c1
|
adding firewall rules for edge boxes
|
2018-10-20 18:55:45 +02:00 |
toby
|
0eceabfe1d
|
implementing some ad-hoc patches I did yesterday to get it going
|
2018-10-20 17:51:53 +02:00 |
toby
|
ea70e243fe
|
more work on edge... adding support for dynamic IPsec subnets and some more minor patches
|
2018-10-19 19:57:07 +02:00 |
toby
|
587bba4290
|
more work on edge / dynamic frr config... making progress but still a ways to go... just taking a backup...
|
2018-10-19 17:03:43 +02:00 |
toby
|
7e1d7993fe
|
more work on edge / dynamic frr config... making progress but still a ways to go... just taking a backup...
|
2018-10-19 16:56:11 +02:00 |
toby
|
cfdc1cd3a9
|
more work... still a ways to go... just taking a backup...
|
2018-10-18 22:12:43 +02:00 |
toby
|
0e9142c15e
|
first major commit for edge boxes support, not nearly done yet
|
2018-10-16 22:44:57 +02:00 |
toby
|
4f7f177cc6
|
fixing a bug in the qemu-ifup-public regex for public IP matching
|
2018-10-08 18:22:22 +02:00 |
toby
|
1b891db635
|
renaming WIT customers prefix-list to be more consistent, in preparation for edge support
|
2018-10-08 18:20:48 +02:00 |
toby
|
a343ade9c4
|
adding new firewall rule for stackapi
|
2018-10-05 22:27:10 +00:00 |
toby
|
928142ce70
|
updating the qemu-ifup scripts to reflect the new versions using local files
|
2018-10-05 18:29:12 +00:00 |
toby
|
bc97208b34
|
typo in IPv6 prefix list for new customer blocks
|
2018-10-04 20:07:50 +02:00 |
toby
|
23c5b533c1
|
adding more IPv6 customer blocks for Paul for the new v2 stack in usw2
|
2018-10-04 18:22:45 +02:00 |
toby
|
b5860daf1d
|
typo in firewall rule
|
2018-10-01 18:25:50 +02:00 |
toby
|
7a948a6fbf
|
adding IPv6 SSH support from the bastion (in theory we should actually only need that, but keeping IPv4 for now... just in case)
|
2018-10-01 15:04:23 +02:00 |
toby
|
1c50cecdb5
|
adding direct SSH access by default for the bastion, and migrating to the admin domain instead of 3 different zones
|
2018-10-01 10:39:17 +02:00 |
toby
|
b18d2c03c8
|
adding mirrors.wit.com to the firewall
|
2018-09-26 23:47:01 +02:00 |
toby
|
d87f7c1720
|
configuring etc/network/interfaces from postinst instead of installing a static file
|
2018-09-25 23:24:42 +02:00 |
Adam Frank
|
6a01e4988b
|
adding local ceph traffic rules
|
2018-09-22 04:57:07 +00:00 |
toby
|
c8195a9cf8
|
adding first estimated rules for ceph
|
2018-09-20 16:40:25 +02:00 |
toby
|
37c69ab507
|
adding ipv6 tunnel to strongswan and matching firewall rules
|
2018-09-17 21:28:02 +02:00 |
toby
|
05cb6ef35f
|
quick fix for ifup since the introduction of IPv6 loopback IPs
|
2018-09-13 23:51:03 +02:00 |
toby
|
002d2e0221
|
fixing the firewall script and rolling back to a hardcoded IP till I get the systemd unit file
|
2018-09-13 23:41:28 +02:00 |
toby
|
2e95eb7bad
|
organizing the firewall a little bit, no changes in theory
|
2018-09-13 12:08:40 +02:00 |
toby
|
8bdbba3016
|
organizing the firewall a little bit, no changes in theory
|
2018-09-13 01:17:40 +02:00 |
toby
|
4a69025703
|
removing legacy dhcp stuff and starting to rely on DNS for loopback v4/v6 and asn
|
2018-09-12 20:01:52 +02:00 |
toby
|
dc6a02d0d4
|
fixing IPv6 mgmt firewall rules (again) and setting the mgmt1 interface to be dhcp as well (not just auto)
|
2018-09-10 21:03:57 +02:00 |
toby
|
7d30951603
|
fixing DHCP6 offer packets on the firewall to come through
|
2018-09-09 23:37:24 +02:00 |
toby
|
d96371752d
|
adding DHCP6 offer packets on the firewall to come through
|
2018-09-09 23:20:30 +02:00 |
toby
|
52e4f93928
|
cleanup / organizing frr.conf a little bit for dual stack
|
2018-09-09 20:06:05 +02:00 |
toby
|
660343046e
|
fix firewall to support our DNS
|
2018-09-09 15:42:45 +02:00 |
toby
|
4df3901bc2
|
adjusting the IPv6 prefix filter to match the new subnet definitions
|
2018-09-09 14:30:22 +02:00 |
toby
|
8beb8a5aa9
|
removing the pre-defined loopback subnet from the firewall dependency
|
2018-09-09 13:30:30 +02:00 |
toby
|
37125104c3
|
pulling the loopback IP from DNS instead of relying on DHCP and the config file, moving net-interfaces to their own files in interfaces.d, cleaning up the postinst script a bit for easier reading
|
2018-09-09 12:58:45 +02:00 |
root
|
f6303f817b
|
adding support for frr 5.0
|
2018-08-12 16:34:19 +00:00 |
root
|
8508708aaf
|
re-enabling frr dependencies and upping version for push to repo
|
2018-08-09 13:32:24 +00:00 |
root
|
13fbc9d572
|
I may come close to the full support finally
|
2018-08-09 10:18:19 +00:00 |
root
|
6739750f31
|
moving back to tier_id from loopback, since we need that in more cases than just loopback
|
2018-08-08 21:45:07 +00:00 |
root
|
e8a00a6adf
|
adding first steps for dhcp-loopback support and VCS info in control
|
2018-08-08 20:59:37 +00:00 |
root
|
b8368a446f
|
just a couple more comments and adding VTEPs to auto-detect
|
2018-08-06 18:45:35 +00:00 |
root
|
35e370d4d7
|
adding a dhcpcd5 conflict dependency and fixing rc.local to exit 0
|
2018-08-02 21:54:14 +00:00 |
root
|
248bdb7f80
|
refactoring to some extent now that we switched to dhcpcd and turned off networkd entirely.
|
2018-08-02 21:35:37 +00:00 |
root
|
fcf5d208d7
|
more versatile rc.local file with more hardware support
|
2018-07-31 09:24:43 +00:00 |
root
|
27ece3ddea
|
getting very very close
|
2018-07-28 18:47:08 +00:00 |
root
|
14c4cd626b
|
final tweaks
|
2018-07-27 20:51:10 +00:00 |
root
|
906bcb2a7c
|
adding ipsec config as well
|
2018-07-27 20:34:21 +00:00 |
root
|
214ea903fc
|
getting close.... only frr.conf is not behaving
|
2018-07-27 18:28:18 +00:00 |
root
|
c467b30914
|
building and major patches still
|
2018-07-27 10:39:47 +00:00 |
root
|
bb377472b0
|
first commit
|
2018-07-26 08:57:41 +00:00 |