78e02134e7
firewall: do track wireguard connections not meant for us

Oops. Connection tracking is disabled for our wireguard connections
because of source address mangling. We still need to track outside
connections to allow inbound reply packets through the firewall.

2025-07-19 12:02:07 +02:00

c53df0aa9c
firewall: sync conntrackd entries from other node on startup

2025-07-18 18:51:10 +02:00

24fc864e63
firewall: don’t configure mdev for interface renaming

Since Alpine 3.22 this is now done in default configuration.

2025-07-18 18:49:51 +02:00

6840838978
firewall: ensure wireguard egress traffic uses the anycast source IP

Before we relied on the IP being first in the interfaces file, which
is less than optimal. Now we use nftables to ensure the correct source
IP is set only for the (fwmarked) wireguard traffic.
Also remove iface hints from interfaces configuration as they are not
needed with ifupdown-ng.

2025-07-18 18:35:36 +02:00
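
The fwmark-based source-IP rewrite described in this commit, together with the conntrack scoping that commit 78e02134e7 above corrects, as an added nftables illustration. This is not the repository's own ruleset: the interface name, the anycast and per-node addresses, the WireGuard port, the fwmark value and the shape of the earlier too-broad notrack rule are all assumptions made for the example.

```nft
# Added illustration, not the project's ruleset. Assumed values:
#   eth0           outside interface of this firewall node
#   198.51.100.10  anycast IP shared by both nodes (what peers must see)
#   198.51.100.11  this node's own address on eth0
#   0x51820        fwmark set on the tunnel with `wg set wg0 fwmark 0x51820`
#   51820          WireGuard listen port
define OUTSIDE_IF = "eth0"
define ANYCAST_IP = 198.51.100.10
define NODE_IP    = 198.51.100.11
define WG_MARK    = 0x51820
define WG_PORT    = 51820

table inet wg_egress {
    # Only the encapsulated packets our own WireGuard interface emits carry
    # the fwmark, so the source rewrite never touches forwarded traffic or
    # other local sockets. A "route" chain re-evaluates routing after the
    # header changed, and priority raw (-300) runs before conntrack (-200),
    # so the notrack here really does keep these packets out of conntrack.
    # Scoping notrack to the marked packets is the point: a coarser rule
    # such as "udp sport $WG_PORT notrack" (assumed here as the kind of rule
    # the earlier commit replaces) would also leave WireGuard connections
    # merely passing through this node untracked, and their inbound reply
    # packets would then never match "ct state established" in forward.
    chain output {
        type route hook output priority raw; policy accept;
        oifname $OUTSIDE_IF meta mark $WG_MARK ip saddr $NODE_IP ip saddr set $ANYCAST_IP notrack
    }

    # Replies to our own tunnel arrive for the anycast IP; keep them
    # untracked as well so egress and ingress are handled the same way.
    # Every other packet on the port (tunnels terminated elsewhere that
    # transit this firewall) stays tracked.
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname $OUTSIDE_IF ip daddr $ANYCAST_IP udp dport $WG_PORT notrack
    }

    # Untracked packets are neither "new" nor "established", so the input
    # policy needs an explicit accept for them; this fragment shows only
    # that interaction, not a complete input policy.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname $OUTSIDE_IF ip daddr $ANYCAST_IP udp dport $WG_PORT ct state untracked accept
    }
}
```

Load with `nft -f <file>` and confirm the scoping with `nft list ruleset` and `conntrack -L -p udp --dport 51820`: with the rules above, only tunnel packets transiting the node should appear in the conntrack table, while our own anycast-sourced tunnel does not.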
cf0fb98e4d
firewall: drop a space

2025-05-06 13:17:57 +02:00

3e1949565a
firewall: increase max connections

Apparently we reached the default.

2025-04-16 22:24:01 +02:00

2f662373e5
firewall: get mgmt gateway from custom field on prefix

Mainly so we can add IPv6 mgmt addresses and drop the gateway custom
field from NetBox interfaces.

2025-03-26 19:20:03 +01:00

d3196a48c2
firewall: set up resolv.conf

To use IPv6 nameserver addresses.

2025-03-26 12:32:54 +01:00

f9f71bb337
firewall: don’t import or advertise subnets for inside networks

This is part two to commit 3b3e759c

2025-03-26 12:32:54 +01:00

cafa938da3
firewall: consolidate IPv4 and IPv6 address families for BGP

2025-03-26 12:32:50 +01:00

f57023b0f0
firewall: allow connections from master over IPv6

Oops, missed a spot.

2024-12-20 15:18:36 +01:00

bbf0798d5c
firewall: add more ports to AD service definition

2024-10-04 13:29:39 +02:00

7e02a13144
firewall: forward ICMP(v6) packets

2024-09-21 20:19:55 +02:00

f8e8acb521
firewall: expand convenience nftables port sets

Should probably just allow everything for AD at this point.

2024-09-21 20:19:24 +02:00

6c18e2ff94
firewall: add convenience nftables set for AD ports

Probably not all of these are necessary. Would be nice to allow
configuring this from the app.

2024-09-19 16:25:51 +02:00

6322d5ec97
exit: add routes for VPN IPv4 addresses to outside and default VRFs

Like commit 7b5980f

2024-09-16 17:20:43 +02:00

c3ff39fe72
firewall: reload nftables in mgmt VRF

It doesn’t matter for the rules themselves as nft does not do VRFs,
but DNS names can only be resolved there. This is because all nodes
use the same IPs in the default VRF, so DNS replies sent from there go
to the active node.
This allows using DNS names in firewall rules. Not yet sure if that is
actually a good idea.

2024-08-19 13:54:01 +02:00

7b5980f871
exit: add routes for internal IPv4 addresses to outside VRF

Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.

2024-08-13 19:02:03 +02:00

bb41d406f8
exit, firewall: don’t hardcode prefix length

2024-07-10 16:57:08 +02:00

ff1abcb508
firewall: drop a line

It was rubbish.

2024-06-20 20:54:42 +02:00

668af8bdb6
firewall: use a handler to reboot

2024-05-19 10:10:02 +02:00

8c82af23e4
firewall: also configure VPN forwards in the app

There we can define forwards only for networks with actual VPN users.

2024-05-03 11:27:27 +02:00

7656c05b2d
Revert "firewall: configure NAT from NetBox data"

Changed my mind. All NAT and VPN is configured from the app now.

2024-04-30 20:59:49 +02:00

8a9d47f176
firewall: configure NAT from NetBox data

This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.

2024-04-28 15:54:01 +02:00

457ab7d3b7
Query prefixes once for all hosts

And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.
This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).

2024-04-28 12:14:05 +02:00

db397cb2b1
exit: store VLAN interface addresses in NetBox

… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.
Instead of VLAN roles “inside” and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.

2024-04-10 14:03:50 +02:00

6dcae194d7
firewall: accept VPN connections from inside also

People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.

2024-04-08 15:03:29 +02:00

1ffdea8e43
firewall: fix duplicate space in template

2024-04-05 12:00:55 +02:00

7ef4023424
firewall: add known IP ranges in network ipset definitions

This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.

2024-03-19 09:46:26 +01:00

ce7c1bd49e
fabric: consolidate interface templates

Mostly to avoid special-casing bond interfaces, and to support BGP
connections over virtual interfaces.

2024-02-27 13:35:29 +01:00

65c16dbc63
Drop BGP update-delay option

Dropped from Cumulus manual and advised by seniors.

2024-02-27 13:35:29 +01:00

7fe1dac008
firewall: use slurp instead of generic command to get host key

2024-02-27 13:35:29 +01:00

91afaec9c2
firewall: allow connections from master with NATted IP

2024-02-06 09:19:49 +01:00

f54b23f49a
firewall: disable forwarding for mgmt interfaces in if-pre-up

Should be more robust and more importantly works when interfaces are
not renamed by mdev as is the situation now.

2024-01-30 13:11:35 +01:00

25289dd82f
firewall: fix interface renaming

The mdev rules for renaming interfaces at boot seem to not work with
latest Alpine. So rename with ifupdown instead.

2024-01-30 13:11:35 +01:00

544aa0a088
firewall: create empty ipsets for known networks

So we don’t crash and burn before config is set up.

2024-01-30 12:37:14 +01:00

aeb124e346
Add inside and outside roles for VLANs

Will probably rename inside/outside and office/server to int/ext.

2024-01-30 12:35:33 +01:00

0d24f9fdc7
firewall: log policy update messages to syslog

2023-12-18 12:55:50 +01:00

c2d0e88996
firewall: set IPv6 address for wireguard interface

And advertise it.

2023-12-18 12:55:50 +01:00

158e8740b8
Initial commit, squashed

2023-12-18 12:55:47 +01:00