fripost-ansible/roles/common/templates/etc/network, branch master Fripost ansible scripts Convert firewall to nftables. 2020-01-23T04:57:01+00:00 Guilhem Moulin guilhem@fripost.org 2020-01-23T03:29:12+00:00 7641a5d5d152db349082b1d0ec93a40888b2ef8e Debian Buster uses the nftables framework by default. 
Debian Buster uses the nftables framework by default.
IPSec → IPsec 2016-06-29T18:14:25+00:00 Guilhem Moulin guilhem@fripost.org 2016-06-29T18:14:25+00:00 aaba815dbccbb0d623def17d1e030383d905daa0 






Set up IPSec tunnels between each pair of hosts.
2016-05-22T15:53:52+00:00

Guilhem Moulin
guilhem@fripost.org

2016-05-19T23:19:27+00:00

3fafa03aeb3640a86d9cd8c639d085df6a8d085d

We use a dedicated, non-routable, IPv4 subnet for IPSec.  Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.

Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).

The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.





We use a dedicated, non-routable, IPv4 subnet for IPSec.  Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.

Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).

The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.