summaryrefslogtreecommitdiffstats
path: root/roles/common/files/usr/local/sbin/update-firewall.sh
Commit message (Collapse)AuthorAgeFiles
* Firewall: allow duplicates rules.Guilhem Moulin2016-09-181
|
* IPSec → IPsecGuilhem Moulin2016-06-291
|
* update-firewall.sh: COMMIT empty iptables rule files.Guilhem Moulin2016-06-291
|
* typoGuilhem Moulin2016-05-241
|
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-221
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* firewall: allow 127.0.0.1/8 on lo.Guilhem Moulin2015-06-071
|
* Replace mktemp's deprecated -t option by --tmpdir.Guilhem Moulin2015-06-071
| | | | | But not in the installer, as busybox's implementation of mktemp didn't deprecate -t/-p.
* wibbleGuilhem Moulin2015-06-071
|
* Reformulate the headers showing the license.Guilhem Moulin2015-06-071
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* wibbleGuilhem Moulin2015-06-071
| | | | | Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with [ ! "$string" ].
* Replace the 'syslog' facility (5) by 'user' (1).Guilhem Moulin2015-06-071
| | | | | 'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages.
* wibbleGuilhem Moulin2015-06-071
|
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-071
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Prefer maching on policy rather than marks.Guilhem Moulin2015-06-071
| | | | Also, use ESP tunnel mode instead of transport mode.
* Preserve canonical the order of IP tables.Guilhem Moulin2015-06-071
| | | | I.e., as packets are treated along the way: mangle -> nat -> filter.
* Documentation.Guilhem Moulin2015-06-071
|
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-071
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Major refactoring of the firewall.Guilhem Moulin2015-06-071
| | | | | | | | | | Also, added some options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only
* Don't save dynamic rules.Guilhem Moulin2015-06-071
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Use a dedicated 'fail2ban' chain for fail2ban.Guilhem Moulin2015-06-071
| | | | So it doesn't mess with the high-priority rules regarding IPSec.
* Add a 'check' switch to the firewall.Guilhem Moulin2015-06-071
| | | | | update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it.
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071