Compare commits

...

4 commits

Author SHA1 Message Date
Timotej Lazar 7e02a13144 firewall: forward ICMP(v6) packets 2024-09-21 20:19:55 +02:00
Timotej Lazar f8e8acb521 firewall: expand convenience nftables port sets
Should probably just allow everything for AD at this point.
2024-09-21 20:19:24 +02:00
Timotej Lazar 5a9f0ac26a exit: strip own AS prefix from routes received by firewalls
For some reason routes with own ASN are not imported into default VRF.
Maybe also others. These routes forward packets through the firewalls.
As long as both exits are up this is not a problem, because routes
going to peer exit don’t include this exit’s own ASN.

If the peer goes down, all remaining routes sent by firewalls have our
own ASN and are not imported into default VRF, so L3 servers lose
connectivity to internal networks.

If the exit strips own ASN from received routes, importing works OK.
We strip both our and peer’s ASNs to keep path lengths the same.

This has involved an indecent amount of poking knobs and knobbing
pokes and it might cause other issues elsewhere.
2024-09-21 16:32:28 +02:00
Timotej Lazar ef1b00adce firewall: update backup route maps
To match the prefixes that are sent by firewalls.
2024-09-21 16:31:44 +02:00
2 changed files with 47 additions and 6 deletions

View file

@ -392,10 +392,12 @@ route-map firewall->outside permit 41
route-map firewall-{{ loop.index }}->inside permit 1 route-map firewall-{{ loop.index }}->inside permit 1
set tag {{ loop.index }} set tag {{ loop.index }}
set weight {{ 100 * loop.index }} set weight {{ 100 * loop.index }}
set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
call firewall->inside call firewall->inside
route-map firewall-{{ loop.index }}->outside permit 1 route-map firewall-{{ loop.index }}->outside permit 1
set tag {{ loop.index }} set tag {{ loop.index }}
set weight {{ 100 * loop.index }} set weight {{ 100 * loop.index }}
set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
call firewall->outside call firewall->outside
{% endfor %} {% endfor %}
@ -448,11 +450,15 @@ route-map me->peer.4 permit 110
route-map me->peer.4 permit 111 route-map me->peer.4 permit 111
match ipv6 address prefix-list default match ipv6 address prefix-list default
route-map me->peer.4 permit 120 route-map me->peer.4 permit 120
match ip address prefix-list nat match ip address prefix-list office
route-map me->peer.4 permit 121 route-map me->peer.4 permit 121
match ipv6 address prefix-list vpn
route-map me->peer.4 permit 131
match ipv6 address prefix-list office match ipv6 address prefix-list office
route-map me->peer.4 permit 130
match ip address prefix-list nat
route-map me->peer.4 permit 140
match ip address prefix-list vpn
route-map me->peer.4 permit 141
match ipv6 address prefix-list vpn
# Received backup routes (same as above). # Received backup routes (same as above).
route-map peer.4->me permit 110 route-map peer.4->me permit 110
@ -460,8 +466,12 @@ route-map peer.4->me permit 110
route-map peer.4->me permit 111 route-map peer.4->me permit 111
match ipv6 address prefix-list default match ipv6 address prefix-list default
route-map peer.4->me permit 120 route-map peer.4->me permit 120
match ip address prefix-list nat match ip address prefix-list office
route-map peer.4->me permit 121 route-map peer.4->me permit 121
match ipv6 address prefix-list vpn
route-map peer.4->me permit 131
match ipv6 address prefix-list office match ipv6 address prefix-list office
route-map peer.4->me permit 130
match ip address prefix-list nat
route-map peer.4->me permit 140
match ip address prefix-list vpn
route-map peer.4->me permit 141
match ipv6 address prefix-list vpn

View file

@ -18,8 +18,10 @@ table inet filter {
type inet_proto . inet_service type inet_proto . inet_service
flags interval flags interval
elements = { elements = {
tcp . 53,
tcp . 88, tcp . 88,
tcp . 135, tcp . 135,
tcp . 139,
tcp . 389, tcp . 389,
tcp . 445, tcp . 445,
tcp . 464, tcp . 464,
@ -29,14 +31,31 @@ table inet filter {
tcp . 9389, tcp . 9389,
tcp . 22222-22224, tcp . 22222-22224,
tcp . 49152-65535, tcp . 49152-65535,
udp . 53,
udp . 88, udp . 88,
udp . 135, udp . 135,
udp . 137, # netbios, maybe can do without
udp . 138, # netbios, maybe can do without
udp . 389, udp . 389,
udp . 464, udp . 464,
udp . 3269 udp . 3269
} }
} }
set ldap-ports {
type inet_proto . inet_service
flags interval
elements = {
tcp . 88,
tcp . 389,
tcp . 636,
tcp . 3268,
tcp . 3269,
udp . 88,
udp . 389
}
}
chain input { chain input {
type filter hook input priority 0; policy drop type filter hook input priority 0; policy drop
@ -104,6 +123,18 @@ table inet filter {
ct status dnat accept \ ct status dnat accept \
comment "Forward DNAT traffic for servers and suchlike" comment "Forward DNAT traffic for servers and suchlike"
ip protocol icmp icmp type {
echo-request, echo-reply, destination-unreachable,
parameter-problem, time-exceeded,
} accept \
comment "Accept ICMPv4"
ip6 nexthdr icmpv6 icmpv6 type {
echo-request, echo-reply, destination-unreachable,
packet-too-big, parameter-problem, time-exceeded,
} accept \
comment "Accept ICMPv6"
include "/etc/nftables.d/forward.nft*" include "/etc/nftables.d/forward.nft*"
} }