| Commit message (Collapse) | Author | Age | Files |
|---|
| | |
|
| |
|
|
| |
Debian Buster uses the nftables framework by default.
|
| |
|
|
|
|
|
| |
This is useful when an ESTABLISHED connection is seen as NEW because the
client was offline for some time. For instance, clients now gracefully
close existing SSH connections immediately after resuming from a suspend
state, rather that waiting for the TCP timeout.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
|
| | |
|
| |
|
|
|
| |
But not in the installer, as busybox's implementation of mktemp didn't
deprecate -t/-p.
|
| | |
|
| |
|
|
|
| |
To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.
|
| |
|
|
|
| |
Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with
[ ! "$string" ].
|
| |
|
|
|
| |
'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.
|
| | |
|
| |
|
|
| |
We use ESP only, so other protocols shouldn't be ACCEPTed.
|
| |
|
|
|
|
|
|
|
| |
Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
|
| |
|
|
| |
Also, use ESP tunnel mode instead of transport mode.
|
| |
|
|
| |
I.e., as packets are treated along the way: mangle -> nat -> filter.
|
| | |
|
| |
|
|
|
|
|
| |
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.
|
| |
|
|
|
|
|
|
|
|
| |
Also, added some options:
-f force: no confirmation asked
-c check: check (dry-run) mode
-v verbose: see the difference between old and new ruleset
-4 IPv4 only
-6 IPv6 only
|
| |
|
|
|
| |
These rules are automatically included by third-party servers such as
strongSwan or fail2ban.
|
| |
|
|
| |
So it doesn't mess with the high-priority rules regarding IPSec.
|
| |
|
|
|
| |
update-firewall.sh -c does not update the firewall, but returns a
non-zero value iff. running it without the switch would modify it.
|
| |
|
