Compare commits
No commits in common. "7e02a13144abff7f6e21f2125b1632b00c4a947b" and "6c18e2ff9466993c3725d1d5e2767479aa16923e" have entirely different histories.
7e02a13144
...
6c18e2ff94
|
|
@ -392,12 +392,10 @@ route-map firewall->outside permit 41
|
||||||
route-map firewall-{{ loop.index }}->inside permit 1
|
route-map firewall-{{ loop.index }}->inside permit 1
|
||||||
set tag {{ loop.index }}
|
set tag {{ loop.index }}
|
||||||
set weight {{ 100 * loop.index }}
|
set weight {{ 100 * loop.index }}
|
||||||
set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
|
|
||||||
call firewall->inside
|
call firewall->inside
|
||||||
route-map firewall-{{ loop.index }}->outside permit 1
|
route-map firewall-{{ loop.index }}->outside permit 1
|
||||||
set tag {{ loop.index }}
|
set tag {{ loop.index }}
|
||||||
set weight {{ 100 * loop.index }}
|
set weight {{ 100 * loop.index }}
|
||||||
set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}
|
|
||||||
call firewall->outside
|
call firewall->outside
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
|
@ -450,15 +448,11 @@ route-map me->peer.4 permit 110
|
||||||
route-map me->peer.4 permit 111
|
route-map me->peer.4 permit 111
|
||||||
match ipv6 address prefix-list default
|
match ipv6 address prefix-list default
|
||||||
route-map me->peer.4 permit 120
|
route-map me->peer.4 permit 120
|
||||||
match ip address prefix-list office
|
|
||||||
route-map me->peer.4 permit 121
|
|
||||||
match ipv6 address prefix-list office
|
|
||||||
route-map me->peer.4 permit 130
|
|
||||||
match ip address prefix-list nat
|
match ip address prefix-list nat
|
||||||
route-map me->peer.4 permit 140
|
route-map me->peer.4 permit 121
|
||||||
match ip address prefix-list vpn
|
|
||||||
route-map me->peer.4 permit 141
|
|
||||||
match ipv6 address prefix-list vpn
|
match ipv6 address prefix-list vpn
|
||||||
|
route-map me->peer.4 permit 131
|
||||||
|
match ipv6 address prefix-list office
|
||||||
|
|
||||||
# Received backup routes (same as above).
|
# Received backup routes (same as above).
|
||||||
route-map peer.4->me permit 110
|
route-map peer.4->me permit 110
|
||||||
|
|
@ -466,12 +460,8 @@ route-map peer.4->me permit 110
|
||||||
route-map peer.4->me permit 111
|
route-map peer.4->me permit 111
|
||||||
match ipv6 address prefix-list default
|
match ipv6 address prefix-list default
|
||||||
route-map peer.4->me permit 120
|
route-map peer.4->me permit 120
|
||||||
match ip address prefix-list office
|
|
||||||
route-map peer.4->me permit 121
|
|
||||||
match ipv6 address prefix-list office
|
|
||||||
route-map peer.4->me permit 130
|
|
||||||
match ip address prefix-list nat
|
match ip address prefix-list nat
|
||||||
route-map peer.4->me permit 140
|
route-map peer.4->me permit 121
|
||||||
match ip address prefix-list vpn
|
|
||||||
route-map peer.4->me permit 141
|
|
||||||
match ipv6 address prefix-list vpn
|
match ipv6 address prefix-list vpn
|
||||||
|
route-map peer.4->me permit 131
|
||||||
|
match ipv6 address prefix-list office
|
||||||
|
|
|
||||||
|
|
@ -18,10 +18,8 @@ table inet filter {
|
||||||
type inet_proto . inet_service
|
type inet_proto . inet_service
|
||||||
flags interval
|
flags interval
|
||||||
elements = {
|
elements = {
|
||||||
tcp . 53,
|
|
||||||
tcp . 88,
|
tcp . 88,
|
||||||
tcp . 135,
|
tcp . 135,
|
||||||
tcp . 139,
|
|
||||||
tcp . 389,
|
tcp . 389,
|
||||||
tcp . 445,
|
tcp . 445,
|
||||||
tcp . 464,
|
tcp . 464,
|
||||||
|
|
@ -31,31 +29,14 @@ table inet filter {
|
||||||
tcp . 9389,
|
tcp . 9389,
|
||||||
tcp . 22222-22224,
|
tcp . 22222-22224,
|
||||||
tcp . 49152-65535,
|
tcp . 49152-65535,
|
||||||
udp . 53,
|
|
||||||
udp . 88,
|
udp . 88,
|
||||||
udp . 135,
|
udp . 135,
|
||||||
udp . 137, # netbios, maybe can do without
|
|
||||||
udp . 138, # netbios, maybe can do without
|
|
||||||
udp . 389,
|
udp . 389,
|
||||||
udp . 464,
|
udp . 464,
|
||||||
udp . 3269
|
udp . 3269
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
set ldap-ports {
|
|
||||||
type inet_proto . inet_service
|
|
||||||
flags interval
|
|
||||||
elements = {
|
|
||||||
tcp . 88,
|
|
||||||
tcp . 389,
|
|
||||||
tcp . 636,
|
|
||||||
tcp . 3268,
|
|
||||||
tcp . 3269,
|
|
||||||
udp . 88,
|
|
||||||
udp . 389
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0; policy drop
|
type filter hook input priority 0; policy drop
|
||||||
|
|
||||||
|
|
@ -123,18 +104,6 @@ table inet filter {
|
||||||
ct status dnat accept \
|
ct status dnat accept \
|
||||||
comment "Forward DNAT traffic for servers and suchlike"
|
comment "Forward DNAT traffic for servers and suchlike"
|
||||||
|
|
||||||
ip protocol icmp icmp type {
|
|
||||||
echo-request, echo-reply, destination-unreachable,
|
|
||||||
parameter-problem, time-exceeded,
|
|
||||||
} accept \
|
|
||||||
comment "Accept ICMPv4"
|
|
||||||
|
|
||||||
ip6 nexthdr icmpv6 icmpv6 type {
|
|
||||||
echo-request, echo-reply, destination-unreachable,
|
|
||||||
packet-too-big, parameter-problem, time-exceeded,
|
|
||||||
} accept \
|
|
||||||
comment "Accept ICMPv6"
|
|
||||||
|
|
||||||
include "/etc/nftables.d/forward.nft*"
|
include "/etc/nftables.d/forward.nft*"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue