rc/network
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
116 commits 1 branch 0 tags 308 KiB
Commit graph

16 commits

Author SHA1 Message Date
Timotej Lazar
78e02134e7 firewall: do track wireguard connections not meant for us 
Oops. Connection tracking is disabled for our wireguard connections
because of source address mangling. We still need to track outside
connections to allow inbound reply packets through the firewall.
 2025-07-19 12:02:07 +02:00
Timotej Lazar
6840838978 firewall: ensure wireguard egress traffic uses the anycast source IP 
Before we relied on the IP being first in the interfaces file, which
is less than optimal. Now we use nftables to ensure the correct source
IP is set only for the (fwmarked) wireguard traffic.

Also remove iface hints from interfaces configuration as they are not
needed with ifupdown-ng.
 2025-07-18 18:35:36 +02:00
Timotej Lazar
cf0fb98e4d firewall: drop a space 2025-05-06 13:17:57 +02:00
Timotej Lazar
f57023b0f0 firewall: allow connections from master over IPv6 
Oops, missed a spot.
 2024-12-20 15:18:36 +01:00
Timotej Lazar
bbf0798d5c firewall: add more ports to AD service definition 2024-10-04 13:29:39 +02:00
Timotej Lazar
7e02a13144 firewall: forward ICMP(v6) packets 2024-09-21 20:19:55 +02:00
Timotej Lazar
f8e8acb521 firewall: expand convenience nftables port sets 
Should probably just allow everything for AD at this point.
 2024-09-21 20:19:24 +02:00
Timotej Lazar
6c18e2ff94 firewall: add convenience nftables set for AD ports 
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
 2024-09-19 16:25:51 +02:00
Timotej Lazar
8c82af23e4 firewall: also configure VPN forwards in the app 
There we can define forwards only for networks with actual VPN users.
 2024-05-03 11:27:27 +02:00
Timotej Lazar
7656c05b2d Revert "firewall: configure NAT from NetBox data" 
Changed my mind. All NAT and VPN is configured from the app now.
 2024-04-30 20:59:49 +02:00
Timotej Lazar
8a9d47f176 firewall: configure NAT from NetBox data 
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
 2024-04-28 15:54:01 +02:00
Timotej Lazar
457ab7d3b7 Query prefixes once for all hosts 
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
 2024-04-28 12:14:05 +02:00
Timotej Lazar
6dcae194d7 firewall: accept VPN connections from inside also 
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
 2024-04-08 15:03:29 +02:00
Timotej Lazar
91afaec9c2 firewall: allow connections from master with NATted IP 2024-02-06 09:19:49 +01:00
Timotej Lazar
544aa0a088 firewall: create empty ipsets for known networks 
So we don’t crash and burn before config is set up.
 2024-01-30 12:37:14 +01:00
Timotej Lazar
158e8740b8 Initial commit, squashed 2023-12-18 12:55:47 +01:00