Commit Graph

109 Commits

Author SHA1 Message Date
toby fb96f1daa8 adding more resiliency to the ifup-public script. we want it to maybe fail if it doesn't know what to do with the variable. not just silently continue 2019-02-21 01:02:35 +00:00
toby db0f639547 switching the debian install around: all 'templates' are modified in the local folder and are then installed when already modified using isc-dhcp-server as an example in hope to improve upgrade-consistency. 2019-02-14 12:35:33 -08:00
toby 94b3a68407 allow Default fallback route by default on eBGPv6-IN as well 2019-02-14 03:25:27 -08:00
root 30ac6534a3 adding first very very basic old-school vlan support 2019-02-14 08:34:11 +00:00
toby 5363feff09 firewall: adding new approach to stackapi over VPN, ipsec.conf: no changes, just nicer grouping 2019-02-09 19:48:51 -08:00
toby 90e3484f5c firewall: adding TTL hop-check on the BGP firewall rules. this makes it a bit more secure on fairly wide open BGP rules 2019-02-05 20:42:36 -08:00
toby b9d53909b8 starting to use ceph on ipv6 as well .... 2019-02-05 20:23:44 -08:00
toby c99727567d frr.conf: setting timers manually that would be set by the --enable-datacenter flag on frr. this way we don't have to compile our own frr. --enable-cumulus at this point only enables an alias for bgp address-family of evpn vs address-family l2vpn evpn. which we don't use anyway or already do it the right way 2019-02-05 19:16:03 -08:00
toby 48abb08b5a setting loopback source IP on all bgp routes for IPv6 as well - did this on ipv4 but may need patching as I wanted to use only the public IP for public routes on IPv4. may still break if for whatever reason it prefers the mgmtgw/ipmigw IP like it just happened on ipv6 2019-02-04 18:09:28 -08:00
toby d8245c2223 limiting lldp to only mgmt interfaces and avoid VMs seeing lldp neigh requests 2019-01-30 11:36:56 -08:00
toby 78d6e4d4ff less output on qemu ifup scripts 2019-01-29 22:31:07 -08:00
toby 2af76bb4e8 qemu-ifup/public scripts, replaced dig loopback lookup with ip, for more stability and better all round support for outside of libvirt 2019-01-29 18:51:02 +00:00
toby 39d7830086 IPsec: ipsec.conf config items typoed. auth vs authby need to make sure it doesn't break but this should be the right way 2019-01-24 14:12:41 -08:00
toby c3df5d6f12 just some comments and to test the new signing machinery ... 2019-01-23 14:50:54 -08:00
toby a1d5439422 firewall: allowing ipmi calls to be routed so that VPN clients and other boxes can make calls to ipmi 2019-01-11 18:09:37 +01:00
toby e88b13e51d adding customer interface bgp firewall rules 2019-01-02 22:29:23 +01:00
toby 2a4150aa41 firewall cleanup and organization 2018-12-21 17:41:04 +01:00
toby 83332a7f74 just formatting 2018-12-20 15:28:27 +01:00
Tim Sogard dfa58f6089 Allow hosts to communicate with prometheus exporters 2018-12-20 02:27:37 -05:00
toby fcfdc8b19c mistakenly committed initial work for customer peering. so fixing the problem now by disabling the parts that would break things 2018-12-20 00:01:59 +01:00
toby 279648eeb3 adding frr-pythontools and grub-pc as dependencies 2018-12-19 23:53:35 +01:00
toby 3032bf9edb tweaking threads a bit more 2018-12-09 22:55:54 +01:00
toby 7fb7552c90 firewall: removing upstream NTP and adding bgp rules for edge ibgp links 2018-12-07 23:27:09 +01:00
toby d81c621bd0 ipsec tweaks for stability ... hopefully.... 2018-12-07 18:08:11 +01:00
toby 1c1b6e6383 some work to actually advertise mgmt/ipmi networks from bastion into the bgp domain 2018-12-06 18:57:32 +01:00
toby 0494fb2e21 ipsec: no changes, just unified formatting and cleanup of config 2018-12-05 21:26:06 +01:00
toby adefd694e4 enabling debug post-script again and removing hardcoded domain name in post-script for subnets lookups 2018-12-01 18:30:10 +01:00
toby bfbd9068e4 minor adjustments to swanctl config template after making all these upgrades to ipsec.conf. ipsec.conf is still the one active, swanctl not cut over yet 2018-12-01 18:29:29 +01:00
toby 91e34ea5e1 ipsec: removing old proposal now that we are 100% upgraded, also tweaking some settings making use of ikev2 2018-11-30 18:27:18 +01:00
toby 83e0ccc728 adding firewall restart to postinst script. firewall is now restarted on upgrade, may break kickstart, need to test 2018-11-28 18:14:08 +01:00
toby fcaa400452 removing ceph rgw 8080 for now since it's not in use 2018-11-26 19:17:31 +01:00
toby 2ff6566d2e firewall house-keeping 2018-11-26 18:39:18 +01:00
toby c65529f6ad adding support for bastions public lo ipv4 2018-11-19 18:35:11 +01:00
toby e5b6e96c2e adding bastion2 to firewalls for potential failover 2018-11-19 00:32:12 +01:00
toby b2b902672b raising dpdtimeout to be 5x the delay, it's much more aggressive than defaults but at least it's the same multiplier as default 2018-11-18 23:18:29 +01:00
toby 9d11caf8f9 changed my mind about closeaction, we should maybe have that, but trying to use hold instead 2018-11-18 22:14:26 +01:00
toby 86d5c80bbb ipsec changes: IKEv2, and more ipsec changes to hopefully increase stability 2018-11-18 22:06:53 +01:00
toby e3fba4ecad prepping to flip back bastion to a loopback ip. setting firewall rule accordingly 2018-11-18 02:22:04 +01:00
toby 9028be6de6 fixing live migration iptables rules 2018-11-17 02:06:37 +01:00
toby a0d2d87355 adding ceph rgw rules to firewall 2018-11-16 18:26:57 +01:00
toby 052aeec779 we obviously wanna remove our private ASNs on IPv6 as well 2018-11-15 21:05:45 +01:00
toby 26f34e482f adding smarthost to the firewall 2018-11-13 20:41:41 +01:00
toby 346f3516d4 more/better bastion support 2018-11-13 17:22:42 +01:00
toby 045736616f fixing small console error so that systemd actually thinks firewall started successfully 2018-11-12 21:08:25 +01:00
toby 039b56b15d fixing issue showing IPs 2018-11-07 17:07:47 +01:00
toby 1855169a42 adding bastion firewall rules to all firewalls. this is precaution so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible but if ansible gets forgotten or other things happen this will make sure the most critical things are there 2018-11-04 21:13:13 +01:00
toby 0868dd4df3 adding some early work for bastion support 2018-11-04 21:02:07 +01:00
toby 7aabd41def simplifying and adding flexibility to the NOTRACK rules 2018-11-04 19:19:09 +00:00
toby 249e13bac6 adding mgmt IPs on the console output 2018-11-03 20:27:10 +01:00
toby c25c9f4e03 ipsec: swanctl work: binding to only lo and feth interfaces. this should potentially avoid some issues 2018-11-01 16:11:59 +01:00