Commit graph

15 commits

Author SHA1 Message Date
6840838978 firewall: ensure wireguard egress traffic uses the anycast source IP
Before we relied on the IP being first in the interfaces file, which
is less than optimal. Now we use nftables to ensure the correct source
IP is set only for the (fwmarked) wireguard traffic.

Also remove iface hints from interfaces configuration as they are not
needed with ifupdown-ng.
2025-07-18 18:35:36 +02:00
cf0fb98e4d firewall: drop a space
2025-05-06 13:17:57 +02:00
f57023b0f0 firewall: allow connections from master over IPv6
Oops, missed a spot.
2024-12-20 15:18:36 +01:00
bbf0798d5c firewall: add more ports to AD service definition
2024-10-04 13:29:39 +02:00
7e02a13144 firewall: forward ICMP(v6) packets
2024-09-21 20:19:55 +02:00
f8e8acb521 firewall: expand convenience nftables port sets
Should probably just allow everything for AD at this point.
2024-09-21 20:19:24 +02:00
6c18e2ff94 firewall: add convenience nftables set for AD ports
Probably not all of these are necessary. Would be nice to allow
configuring this from the app.
2024-09-19 16:25:51 +02:00
8c82af23e4 firewall: also configure VPN forwards in the app
There we can define forwards only for networks with actual VPN users.
2024-05-03 11:27:27 +02:00
7656c05b2d Revert "firewall: configure NAT from NetBox data"
Changed my mind. All NAT and VPN is configured from the app now.
2024-04-30 20:59:49 +02:00
8a9d47f176 firewall: configure NAT from NetBox data
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
2024-04-28 15:54:01 +02:00
457ab7d3b7 Query prefixes once for all hosts
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
2024-04-28 12:14:05 +02:00
6dcae194d7 firewall: accept VPN connections from inside also
People tend to leave WireGuard tunnels active and we don’t want things
to become unreachable when moving to one of the inside networks.
2024-04-08 15:03:29 +02:00
91afaec9c2 firewall: allow connections from master with NATted IP
2024-02-06 09:19:49 +01:00
544aa0a088 firewall: create empty ipsets for known networks
So we don’t crash and burn before config is set up.
2024-01-30 12:37:14 +01:00
158e8740b8 Initial commit, squashed
2023-12-18 12:55:47 +01:00