fripost-ansible/roles/common/files/etc/network, branch master Fripost ansible scripts Convert firewall to nftables. 2020-01-23T04:57:01+00:00 Guilhem Moulin guilhem@fripost.org 2020-01-23T03:29:12+00:00 7641a5d5d152db349082b1d0ec93a40888b2ef8e Debian Buster uses the nftables framework by default. 
Debian Buster uses the nftables framework by default.
Remove IPSec related files. 2015-06-07T00:52:19+00:00 Guilhem Moulin guilhem@fripost.org 2014-07-02T18:52:27+00:00 e63b5f5e39e2012bbdf1ca8301c6eb2cd13716cb 






Reformulate the headers showing the license.
2015-06-07T00:50:53+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-26T03:09:46+00:00

fd7e94a34b7fa9151d689375d8687d3686786d9b

To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.





To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.







Replace the 'syslog' facility (5) by 'user' (1).
2015-06-07T00:50:44+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-04T14:36:17+00:00

c669ce00eba4cd466f270a313abf1645b1149564

'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.





'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.







wibble
2015-06-07T00:50:44+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-04T07:25:54+00:00

51ea7eca6ca198606a71c107bb67d64186761456












Be more specific regarding the protocol in use for IPSec policies.
2015-06-07T00:50:43+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-04T06:27:10+00:00

0dd6a96ce1bf2cef9140d01a5c49eb92e2f8ec6f

We use ESP only, so other protocols shouldn't be ACCEPTed.





We use ESP only, so other protocols shouldn't be ACCEPTed.







Prohibit binding against the IP reserved for IPSec.
2015-06-07T00:50:38+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-03T23:31:43+00:00

67c5135625d3553dcb6f2bfc193df24c0e1ab826

Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666





Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666







Use a dedicated, non-routable, IPv4 for IPSec.
2015-06-07T00:50:35+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-03T04:54:11+00:00

2bcaaf01a5fcc2d2ce618da6af30a43a70d03d80

At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.





At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.







Major refactoring of the firewall.
2015-06-07T00:50:34+00:00

Guilhem Moulin
guilhem@fripost.org

2013-11-03T02:24:32+00:00

6c30a3f5a131b6e628b588c0723d5e5374e115e1

Also, added some options:

    -f force:   no confirmation asked
    -c check:   check (dry-run) mode
    -v verbose: see the difference between old and new ruleset
    -4 IPv4 only
    -6 IPv6 only





Also, added some options:

    -f force:   no confirmation asked
    -c check:   check (dry-run) mode
    -v verbose: see the difference between old and new ruleset
    -4 IPv4 only
    -6 IPv6 only







Configure v4 and v6 iptable rulesets.
2015-06-07T00:50:28+00:00

Guilhem Moulin
guilhem@fripost.org

2013-10-30T20:06:51+00:00

fbde929fce7405f018fc66bb5796bf0a16292913