rc/network
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
80 commits 1 branch 0 tags 211 KiB
Commit graph

29 commits

Author SHA1 Message Date
Timotej Lazar bbf0798d5c firewall: add more ports to AD service definition 2024-10-04 13:29:39 +02:00
Timotej Lazar 7e02a13144 firewall: forward ICMP(v6) packets 2024-09-21 20:19:55 +02:00
Timotej Lazar f8e8acb521 firewall: expand convenience nftables port sets 
Should probably just allow everything for AD at this point.
 2024-09-21 20:19:24 +02:00
Timotej Lazar 6c18e2ff94 firewall: add convenience nftables set for AD ports 
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
 2024-09-19 16:25:51 +02:00
Timotej Lazar 6322d5ec97 exit: add routes for VPN IPv4 addresses to outside and default VRFs 
Like commit 7b5980f but for VPN addresses. Also renumber some route
maps to improve consistency.
 2024-09-16 17:20:43 +02:00
Timotej Lazar c3ff39fe72 firewall: reload nftables in mgmt VRF 
It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.

This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.
 2024-08-19 13:54:01 +02:00
Timotej Lazar 7b5980f871 exit: add routes for internal IPv4 addresses to outside VRF 
Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
 2024-08-13 19:02:03 +02:00
Timotej Lazar bb41d406f8 exit, firewall: don’t hardcode prefix length 2024-07-10 16:57:08 +02:00
Timotej Lazar ff1abcb508 firewall: drop a line 
It was rubbish.
 2024-06-20 20:54:42 +02:00
Timotej Lazar 668af8bdb6 firewall: use a handler to reboot 2024-05-19 10:10:02 +02:00
Timotej Lazar 8c82af23e4 firewall: also configure VPN forwards in the app 
There we can define forwards only for networks with actual VPN users.
 2024-05-03 11:27:27 +02:00
Timotej Lazar 7656c05b2d Revert "firewall: configure NAT from NetBox data" 
Changed my mind. All NAT and VPN is configured from the app now.
 2024-04-30 20:59:49 +02:00
Timotej Lazar 8a9d47f176 firewall: configure NAT from NetBox data 
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
 2024-04-28 15:54:01 +02:00
Timotej Lazar 457ab7d3b7 Query prefixes once for all hosts 
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
 2024-04-28 12:14:05 +02:00
Timotej Lazar db397cb2b1 exit: store VLAN interface addresses in NetBox 
… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.

Instead of VLAN roles “inside" and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
 2024-04-10 14:03:50 +02:00
Timotej Lazar 6dcae194d7 firewall: accept VPN connections from inside also 
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
 2024-04-08 15:03:29 +02:00
Timotej Lazar 1ffdea8e43 firewall: fix duplicate space in template 2024-04-05 12:00:55 +02:00
Timotej Lazar 7ef4023424 firewall: add known IP ranges in network ipset definitions 
This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.
 2024-03-19 09:46:26 +01:00
Timotej Lazar ce7c1bd49e fabric: consolidate interface templates 
Mostly to avoid special‐casing bond interfaces, and to support BGP
connections over virtual interfaces.
 2024-02-27 13:35:29 +01:00
Timotej Lazar 65c16dbc63 Drop BGP update-delay option 
Dropped from Cumulus manual and advised by seniors.
 2024-02-27 13:35:29 +01:00
Timotej Lazar 7fe1dac008 firewall: use slurp instead of generic command to get host key 2024-02-27 13:35:29 +01:00
Timotej Lazar 91afaec9c2 firewall: allow connections from master with NATted IP 2024-02-06 09:19:49 +01:00
Timotej Lazar f54b23f49a firewall: disable forwarding for mgmt interfaces in if-pre-up 
Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.
 2024-01-30 13:11:35 +01:00
Timotej Lazar 25289dd82f firewall: fix interface renaming 
The mdev rules for renaming interfaces at boot seem to not work with
latest Alpine. So rename with ifupdown instead.
 2024-01-30 13:11:35 +01:00
Timotej Lazar 544aa0a088 firewall: create empty ipsets for known networks 
So we don’t crash and burn before config is set up.
 2024-01-30 12:37:14 +01:00
Timotej Lazar aeb124e346 Add inside and outside roles for VLANs 
Will probably rename inside/outside and office/server to int/ext.
 2024-01-30 12:35:33 +01:00
Timotej Lazar 0d24f9fdc7 firewall: log policy update messages to syslog 2023-12-18 12:55:50 +01:00
Timotej Lazar c2d0e88996 firewall: set IPv6 address for wireguard interface 
And advertise it.
 2023-12-18 12:55:50 +01:00
Timotej Lazar 158e8740b8 Initial commit, squashed 2023-12-18 12:55:47 +01:00