From ef1b00adce9ba6febc0d4168228d8b4f8b8012bb Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sat, 21 Sep 2024 10:13:26 +0200
Subject: [PATCH 1/4] firewall: update backup route maps

To match the prefixes that are sent by firewalls.
---
 roles/exit/templates/frr.conf.j2 | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index e9107a3..e02943c 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -448,11 +448,15 @@ route-map me->peer.4 permit 110
 route-map me->peer.4 permit 111
  match ipv6 address prefix-list default
 route-map me->peer.4 permit 120
- match ip address prefix-list nat
+ match ip address prefix-list office
 route-map me->peer.4 permit 121
- match ipv6 address prefix-list vpn
-route-map me->peer.4 permit 131
  match ipv6 address prefix-list office
+route-map me->peer.4 permit 130
+ match ip address prefix-list nat
+route-map me->peer.4 permit 140
+ match ip address prefix-list vpn
+route-map me->peer.4 permit 141
+ match ipv6 address prefix-list vpn
 
 # Received backup routes (same as above).
 route-map peer.4->me permit 110
@@ -460,8 +464,12 @@ route-map peer.4->me permit 110
 route-map peer.4->me permit 111
  match ipv6 address prefix-list default
 route-map peer.4->me permit 120
- match ip address prefix-list nat
+ match ip address prefix-list office
 route-map peer.4->me permit 121
- match ipv6 address prefix-list vpn
-route-map peer.4->me permit 131
  match ipv6 address prefix-list office
+route-map peer.4->me permit 130
+ match ip address prefix-list nat
+route-map peer.4->me permit 140
+ match ip address prefix-list vpn
+route-map peer.4->me permit 141
+ match ipv6 address prefix-list vpn

From 5a9f0ac26a669d58fee8dd8686ec87f8f5014603 Mon Sep 17 00:00:00 2001
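Review bot: `me->peer.4` and `peer.4->me` are maintained as two hand-copied, identical route-maps (the comment says "same as above"), and this commit has to repeat every renumbering in both; emitting them once from a Jinja loop, `{% for rm in ['me->peer.4', 'peer.4->me'] %}` … `route-map {{ rm }} permit 110` … `{% endfor %}`, would keep the two filters on the exit–exit backup session from drifting apart. The second hunk has no trailing context, which indicates the file ends at sequence 141, so neither map carries an explicit deny and both rely on FRR's implicit deny at the end of a route-map. A one-line comment stating that, e.g. `# Prefixes not matched by an entry below are dropped by the implicit deny.`, would make the intent visible to the next editor.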
From: Timotej Lazar
Date: Sat, 21 Sep 2024 16:13:59 +0200
Subject: [PATCH 2/4] exit: strip own AS prefix from routes received by firewalls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For some reason routes with own ASN are not imported into default VRF. Maybe also others. These routes forward packets through the firewalls. As long as both exits are up this is not a problem, because routes going to peer exit don’t include this exit’s own ASN. If the peer goes down, all remaining routes sent by firewalls have our own ASN and are not imported into default VRF, so L3 servers lose connectivity to internal networks. If the exit strips own ASN from received routes, importing works OK. We strip both our and peer’s ASNs to keep path lengths the same. This has involved an indecent amount of poking knobs and knobbing pokes and it might cause other issues elsewhere.
---
 roles/exit/templates/frr.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index e02943c..13723a6 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -392,10 +392,12 @@ route-map firewall->outside permit 41
 route-map firewall-{{ loop.index }}->inside permit 1
  set tag {{ loop.index }}
  set weight {{ 100 * loop.index }}
+ set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
  call firewall->inside
 route-map firewall-{{ loop.index }}->outside permit 1
  set tag {{ loop.index }}
  set weight {{ 100 * loop.index }}
+ set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
  call firewall->outside
 {% endfor %}
 

From f8e8acb5212dcd25ae46fd9eac4bf038b90f6241 Mon Sep 17 00:00:00 2001
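Review bot: Excluding the peer's ASN (`{{ hostvars[peer].asn.asn }}`) as well as our own removes loop-detection information from paths learned from the firewalls: if such a route is then re-advertised to the peer exit over the exit–exit session (as the `me->peer.4` map suggests it is), the peer no longer sees its own ASN in the path and may accept a route that originated on its side, so a forwarding loop through the firewalls is no longer caught by BGP. The commit message says only the own-ASN part is needed for the default-VRF import, so limiting both lines to `set as-path exclude {{ asn.asn }}` and accepting the one-hop path-length asymmetry (or compensating with a prepend) would keep the peer's protection. Either way, the reason for rewriting the path belongs in the template next to these lines, e.g. `{# strip own ASN: paths containing it are rejected when imported into the default VRF #}`, since the message itself flags the change as fragile. The `{% for %}` loop these route-maps are generated in starts outside the hunk.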
From: Timotej Lazar
Date: Sat, 21 Sep 2024 20:19:24 +0200
Subject: [PATCH 3/4] firewall: expand convenience nftables port sets

Should probably just allow everything for AD at this point.
---
 roles/firewall/templates/nftables.nft.j2 | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 14baf08..9f8679c 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -18,8 +18,10 @@ table inet filter {
  type inet_proto . inet_service
  flags interval
  elements = {
+ tcp . 53,
  tcp . 88,
  tcp . 135,
+ tcp . 139,
  tcp . 389,
  tcp . 445,
  tcp . 464,
@@ -29,14 +31,31 @@ table inet filter {
  tcp . 9389,
  tcp . 22222-22224,
  tcp . 49152-65535,
+ udp . 53,
  udp . 88,
  udp . 135,
+ udp . 137, # netbios, maybe can do without
+ udp . 138, # netbios, maybe can do without
  udp . 389,
  udp . 464,
  udp . 3269
  }
  }
 
+ set ldap-ports {
+ type inet_proto . inet_service
+ flags interval
+ elements = {
+ tcp . 88,
+ tcp . 389,
+ tcp . 636,
+ tcp . 3268,
+ tcp . 3269,
+ udp . 88,
+ udp . 389
+ }
+ }
+
  chain input {
  type filter hook input priority 0; policy drop
 

From 7e02a13144abff7f6e21f2125b1632b00c4a947b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sat, 21 Sep 2024 20:19:55 +0200
Subject: [PATCH 4/4] firewall: forward ICMP(v6) packets

---
 roles/firewall/templates/nftables.nft.j2 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 9f8679c..baae902 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
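Review bot: `tcp . 139` (NetBIOS session service) is added without the "maybe can do without" caveat that the UDP NetBIOS entries in the next hunk carry; AD clients reach SMB on 445 and name resolution on DNS 53 (also added here), and 139 is the legacy path that NTLM-relay and NBT-based tooling target, so it deserves the same doubt and should be checked against real traffic before it stays in the set, e.g. `tcp . 139, # netbios session, maybe can do without`. The set these elements belong to starts before the hunk, so its name and where it is referenced are not visible here.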
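Review bot: The new `ldap-ports` set has no comment saying which traffic it gates, and half of its entries are not LDAP: `tcp . 88`/`udp . 88` are Kerberos and `udp . 389` is CLDAP (DC locator), which is also a known amplification vector if it is ever reachable from untrusted networks. A short header such as `# Ports a domain member needs to locate and bind to a DC: Kerberos, LDAP/LDAPS, GC, CLDAP` (or a name like `dc-auth-ports`) would make a later reviewer less likely to "tidy" the Kerberos entries out of it. The `udp . 137`/`udp . 138` entries above already carry a "maybe can do without" note; with `tcp . 445` and `udp . 53` present, those NetBIOS ports are the first candidates to drop once counters on the rule confirm they are unused.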
@@ -123,6 +123,18 @@ table inet filter {
  ct status dnat accept \
  comment "Forward DNAT traffic for servers and suchlike"
 
+ ip protocol icmp icmp type {
+ echo-request, echo-reply, destination-unreachable,
+ parameter-problem, time-exceeded,
+ } accept \
+ comment "Accept ICMPv4"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ echo-request, echo-reply, destination-unreachable,
+ packet-too-big, parameter-problem, time-exceeded,
+ } accept \
+ comment "Accept ICMPv6"
+
  include "/etc/nftables.d/forward.nft*"
  }
 
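Review bot: `echo-request` is accepted in the forward chain from any interface to any interface with no `ct` check and no rate limit, which lets one side sweep the other's address space through the firewall at line rate; the error types (`destination-unreachable`, `time-exceeded`, `parameter-problem`, `packet-too-big`) are normally admitted by a `ct state related accept` rule, so if such a rule exists earlier in this chain (not visible in the hunk) accepting them again unconditionally only adds a path for ones that match no tracked flow. Keeping the errors under the related rule and limiting echo, e.g. `icmp type { echo-request, echo-reply } limit rate 10/second accept` with the same for `icmpv6`, would cover the stated goal. Separately, `ip6 nexthdr icmpv6` matches only when ICMPv6 is the header immediately after the IPv6 header, so ICMPv6 behind an extension header (fragment, destination options) is not matched by this rule; `meta l4proto ipv6-icmp icmpv6 type { ... }` or simply `icmpv6 type { ... }` is the robust spelling. The forward chain these rules belong to starts outside the hunk.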