Commit graph

11 commits

Author  SHA1  Message  Date

Timotej Lazar  7e02a13144  firewall: forward ICMP(v6) packets
    2024-09-21 20:19:55 +02:00

Timotej Lazar  f8e8acb521  firewall: expand convenience nftables port sets
    Should probably just allow everything for AD at this point.
    2024-09-21 20:19:24 +02:00

Timotej Lazar  6c18e2ff94  firewall: add convenience nftables set for AD ports
    Probably not all of these are necessary. Would be nice to allow
    configuring this from the app.
    2024-09-19 16:25:51 +02:00

Timotej Lazar  8c82af23e4  firewall: also configure VPN forwards in the app
    There we can define forwards only for networks with actual VPN users.
    2024-05-03 11:27:27 +02:00

Timotej Lazar  7656c05b2d  Revert "firewall: configure NAT from NetBox data"
    Changed my mind. All NAT and VPN is configured from the app now.
    2024-04-30 20:59:49 +02:00

Timotej Lazar  8a9d47f176  firewall: configure NAT from NetBox data
    This is dynamic NAT for (mostly) physical networks. NAT for custom
    prefixes can still be defined in the app.
    2024-04-28 15:54:01 +02:00

Timotej Lazar  457ab7d3b7  Query prefixes once for all hosts
    And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
    servers plugged directly into fabric.

    This should reduce the number of queries to NetBox when configuring
    firewalls and exit switches. Not sure but I think set_fact helps to
    avoid queries (as opposed to setting group_vars).
    2024-04-28 12:14:05 +02:00

Timotej Lazar  6dcae194d7  firewall: accept VPN connections from inside also
    People tend to leave WireGuard tunnels active and we don’t want things
    to become unreachable when moving to one of the inside networks.
    2024-04-08 15:03:29 +02:00

Timotej Lazar  91afaec9c2  firewall: allow connections from master with NATted IP
    2024-02-06 09:19:49 +01:00

Timotej Lazar  544aa0a088  firewall: create empty ipsets for known networks
    So we don’t crash and burn before config is set up.
    2024-01-30 12:37:14 +01:00

Timotej Lazar  158e8740b8  Initial commit, squashed
    2023-12-18 12:55:47 +01:00
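Several of the firewall commits above touch the same nftables pattern: named sets for known networks that are declared empty so the ruleset still loads before the app populates them, a convenience port set for AD, and ICMP/ICMPv6 being accepted in the forward path. The ruleset below is an added illustration written for this page, not code from the repository; the table, chain and set names, the interface-free match style and the AD port list are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the repository). Set names, table name and the
# AD port list are assumptions; adjust to the real network.
flush ruleset

table inet firewall {
    # Known networks, declared with no elements so that rules referencing
    # them below parse and load before anything has populated them.
    # The app (or an operator) later adds prefixes, e.g.:
    #   nft add element inet firewall inside_v4 { 10.0.0.0/16 }
    set inside_v4 {
        type ipv4_addr
        flags interval
    }
    set inside_v6 {
        type ipv6_addr
        flags interval
    }

    # Convenience set of TCP ports commonly used by Active Directory
    # (assumed list: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB,
    # kpasswd, LDAPS, global catalog).
    set ad_tcp_ports {
        type inet_service
        elements = { 53, 88, 135, 389, 445, 464, 636, 3268, 3269 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Forward ICMP and ICMPv6 so path MTU discovery, traceroute and
        # error signalling keep working across the firewall.
        meta l4proto { icmp, ipv6-icmp } accept

        # Inside networks may reach AD ports. While the network sets are
        # still empty these rules simply never match.
        ip saddr @inside_v4 tcp dport @ad_tcp_ports accept
        ip6 saddr @inside_v6 tcp dport @ad_tcp_ports accept
    }
}
```

Check the file without loading it with `nft -c -f firewall.nft`. If the `set inside_v4 { ... }` declaration is removed, the `@inside_v4` reference fails to parse and nft rejects the whole file, which is the failure mode the "create empty ipsets" commit avoids: the rules are only ever installed together with the sets they depend on. Accepting every ICMPv6 type in `forward` is the broad form the commit describes; a stricter policy would list only the types the network needs (`icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply }`).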