Commit graph

69 commits

Author SHA1 Message Date
Timotej Lazar 048195c45c Always combine IP set data with static network definitions from NetBox
Before we relied on the combined data being present in ipsets.json
when generating a new config, but ipsets.json is only updated through
the form at /ipsets. So submitting any other form after changing
NetBox definitions might crash when trying to find an entry from
networks.json in ipsets.json.

Now we introduce a helper function to always read both files and
combine the prefixes from networks.json with ipsets.json. This way it
is not necessary to save a new ipsets.json before other changes.

Also don’t crash when enumerating networks for each VPN group.
2024-08-14 11:25:07 +02:00
Timotej Lazar 3c25cbe88a vpn: add support for custom keys
Custom keys are created by admin and specify networks directly,
bypassing AD permissions. They are intended to join managed devices
into networks where users are not allowed to create keys themselves.

Also comprehend a set directly.
2024-07-31 09:43:32 +02:00
Timotej Lazar 1b26f0738a vpn: refactor key handling code
Move JS code for listing, creating and deleting WG keys into a
separate file and improve it somewhat. Also the related Python code.
2024-07-31 09:27:59 +02:00
Timotej Lazar 8c9829b726 Fix default wg_dns setting
All settings are processed as strings so use empty string in place of
False for default.
2024-07-31 09:26:51 +02:00
Timotej Lazar 25ee4e8a44 Improve rule management page
Address rules by name instead of index. Still problematic if the rules
are changed while someone is managing them, but with names it’s
more likely to just not work instead of enabling or disabling the
wrong rule.

Also prevent bringing down the whole network with a single click.
2024-05-29 11:10:31 +02:00
Timotej Lazar 0e9d1ce6f0 Add some words to templates
Also some tags. Also remove some other words and some other tags.
2024-05-02 23:33:13 +02:00
Timotej Lazar 32af5a43c0 Oops, missed a six 2024-05-02 17:27:18 +02:00
Timotej Lazar d123db4e64 Consolidate NAT and VPN settings into IP sets
I have tried every possible permutation and I think this is the one.

NetBox-managed IP prefixes are pushed with ansible to firewall master.
The managed prefixes are added to custom IP sets defined in the app,
but only NAT addresses and VPN groups can be configured for them.

This way all NAT and VPN policy is (again) configured in the app. Also
both NetBox-managed and user-defined networks are treated the same.

Also improve^Wtweak config generation. Also templates.
2024-04-30 20:57:46 +02:00
Timotej Lazar cac7658566 Fix handling default settings
If a setting has been set to empty string, dict.get will return it and
not default argument. This is wrong when default is something else.
2024-04-30 09:54:39 +02:00
Timotej Lazar f8d71b7b06 vpn: fix key name regex 2024-04-25 12:32:39 +02:00
Timotej Lazar 2ebc87f308 firewall: tweak instructions some more 2024-04-24 10:29:49 +02:00
Timotej Lazar 880c6b4140 friwall: tweak instructions
For no particularly good reason.
2024-04-23 12:38:32 +02:00
Timotej Lazar d33fec65a2 system: support LDAP queries with no user_group set
Though it might be better to allow multiple groups. On the other hand
the main filter is in the group→ipset settings file anyway; any VPN
user not in one of those groups will not get forwarded to anywhere.
2024-04-22 10:43:50 +02:00
Timotej Lazar c3e35777e0 Do not configure prefixes defined in NetBox
Push them to firewall nodes with ansible instead, as they will only
change in NetBox. Also don’t mess around with ipset “groups” based on
hyphenation, which was probably a bad idea.

With more data included in NetBox I am thinking we should configure
NAT and other stuff with ansible also, but let’s start small.
2024-03-18 17:37:19 +01:00
Timotej Lazar a8abf580f9 vpn: assign an IPv6 subnet instead of a single address
We are limited by the size of IPv4 pool (/18), so why not give
everyone an IPv4-internetful of IPv6 addresses.
2023-12-12 19:26:55 +01:00
Timotej Lazar 85714f83b9 Warn about deleting key for active connection 2023-12-10 13:21:52 +01:00
Timotej Lazar bb68978b22 Clean up save_config 2023-12-10 12:32:47 +01:00
Timotej Lazar ff2246df8c vpn: configure IPv6 addresses for WG clients 2023-12-08 17:12:37 +01:00
Timotej Lazar 92e552eb76 nat: rename bound variable 2023-12-04 09:47:50 +01:00
Timotej Lazar 32b182856d Set blueprint paths in main app
Make blueprints more self-contained for no apparent reason.
2023-12-04 09:46:37 +01:00
Timotej Lazar abc7a0728b Generate ipsets for network groups
Like office and server.
2023-10-03 13:36:58 +02:00
Timotej Lazar c09410f731 Show allowed characters when creating new WG key 2023-10-03 11:38:07 +02:00
Timotej Lazar ea6ca9b55d Tweak HTML templates 2023-09-15 14:57:42 +02:00
Timotej Lazar d2b08bf891 Simplify 2023-09-15 14:26:11 +02:00
Timotej Lazar d704202e6e Parametrize wg.conf template 2023-09-15 14:24:22 +02:00
Timotej Lazar f5af9eeb59 Rename a variable 2023-09-15 13:58:21 +02:00
Timotej Lazar e5f86e72c2 Get OIDC end_session_endpoint from server metadata 2023-09-14 10:09:45 +02:00
Timotej Lazar 02059e5043 Copy OIDC settings to app.config on init
So we avoid locking the settings file at runtime.
2023-09-13 13:21:23 +02:00
Timotej Lazar 0dc2563b31 Rename route for SSO authorization 2023-09-11 15:37:58 +02:00
Timotej Lazar ea6aa37131 Fix OIDC id_token parsing
Unbreak it, actually.
2023-09-11 15:10:19 +02:00
Timotej Lazar 719bcf7c55 Improve LDAP lookup of user groups 2023-09-07 15:02:08 +02:00
Timotej Lazar 9dc0fbb4fe Switch to OIDC authentication 2023-09-07 11:46:57 +02:00
Timotej Lazar 5add39a8a7 Add form for editing ipsets 2023-07-24 16:43:57 +02:00
Timotej Lazar a5df435931 Consolidate error handling
Do or do not; there is no try. With some exceptions.
2023-07-12 14:19:18 +02:00
Timotej Lazar 8c824fe9e6 Improve admin settings page
The improvements are mostly cosmetic^Wquestionable.
2023-07-07 13:23:51 +02:00
Timotej Lazar dd607dbddd Add a nicer response for TimeoutError 2023-07-07 10:15:02 +02:00
Timotej Lazar 6b72316076 Add node status page 2023-07-07 10:13:55 +02:00
Timotej Lazar 4ef3efbc68 Handle exceptions when sending mail 2023-07-07 09:04:17 +02:00
Timotej Lazar 5262c64244 Add form for editing NAT addresses 2023-07-07 08:20:35 +02:00
Timotej Lazar 8b8c675759 Rename networks.json to ipsets.json
Getting ready for some changes.
2023-07-06 16:28:15 +02:00
Timotej Lazar 1ff6c9d0d3 Tweak templates for editing and managing rules 2023-07-04 12:18:01 +02:00
Timotej Lazar 5e65755ec0 Add error reporting over email and improve logging 2023-07-03 16:01:14 +02:00
Timotej Lazar b55ae4d305 Use a script on firewall nodes to update config
So we can get some feedback to firewall master.
2023-06-28 14:17:39 +02:00
Timotej Lazar 4fb2d2c732 Add version number to config tarballs
Preparing to rework the updater script.
2023-06-26 18:26:35 +02:00
Timotej Lazar fb1c328893 Normalize line endings from textareas
Every day for us something new.
2023-06-26 11:49:26 +02:00
Timotej Lazar 5ba9c03e23 Don’t print empty element lists in nftables
Because nft chokes on them.
2023-06-26 10:15:03 +02:00
Timotej Lazar e84cb26dc7 Fix up Flask settings
DEBUG is apparently strongly discouraged. Use --debug instead.
2023-05-29 13:37:16 +02:00
Timotej Lazar 6780f074c7 Support IPv6 sets
Also some unrelated cleanups in system.save_config.
2023-05-29 13:00:39 +02:00
Timotej Lazar 765d4a3ce7 Add support for managing forwarding rules 2023-05-29 12:24:21 +02:00
Timotej Lazar 52a5b7cd11 Use iif/oif instead of iifname/oifname in nftables rules
Following the change in ansible scripts.
2023-05-23 11:31:13 +02:00