6840838978
firewall: ensure wireguard egress traffic uses the anycast source IP
...
Before we relied on the IP being first in the interfaces file, which
is less than optimal. Now we use nftables to ensure the correct source
IP is set only for the (fwmarked) wireguard traffic.
Also remove iface hints from interfaces configuration as they are not
needed with ifupdown-ng.
2025-07-18 18:35:36 +02:00
cf0fb98e4d
firewall: drop a space
2025-05-06 13:17:57 +02:00
f57023b0f0
firewall: allow connections from master over IPv6
...
Oops, missed a spot.
2024-12-20 15:18:36 +01:00
bbf0798d5c
firewall: add more ports to AD service definition
2024-10-04 13:29:39 +02:00
7e02a13144
firewall: forward ICMP(v6) packets
2024-09-21 20:19:55 +02:00
f8e8acb521
firewall: expand convenience nftables port sets
...
Should probably just allow everything for AD at this point.
2024-09-21 20:19:24 +02:00
6c18e2ff94
firewall: add convenience nftables set for AD ports
...
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
2024-09-19 16:25:51 +02:00
8c82af23e4
firewall: also configure VPN forwards in the app
...
There we can define forwards only for networks with actual VPN users.
2024-05-03 11:27:27 +02:00
7656c05b2d
Revert "firewall: configure NAT from NetBox data"
...
Changed my mind. All NAT and VPN is configured from the app now.
2024-04-30 20:59:49 +02:00
8a9d47f176
firewall: configure NAT from NetBox data
...
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
2024-04-28 15:54:01 +02:00
457ab7d3b7
Query prefixes once for all hosts
...
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.
This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
2024-04-28 12:14:05 +02:00
6dcae194d7
firewall: accept VPN connections from inside also
...
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00
91afaec9c2
firewall: allow connections from master with NATted IP
2024-02-06 09:19:49 +01:00
544aa0a088
firewall: create empty ipsets for known networks
...
So we don’t crash and burn before config is set up.
2024-01-30 12:37:14 +01:00
158e8740b8
Initial commit, squashed
2023-12-18 12:55:47 +01:00
