| Commit message | Author | Age | Files |
|---|---|---|---|
| While the combination of "s=" tag (selector) & "d=" tag (signing domain) maps to a unique key, the selector alone doesn't necessarily. | | | |
| There is no need to bother with X.509 cruft here. | | | |
| parameters. | | | |
| We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | | | |
| Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per the ENISA 2014 report: https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out. | | | |
| Using multigraphs instead. | | | |
| We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds. | | | |
| Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | | | |
| Also, set ‘subjectKeyIdentifier = hash’ in the CSR. | | | |
| Also, it's now possible to reuse an existing private key (with -f). | | | |
| For DKIM signing and virus checking. | | | |
| Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machine (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. | | | |
| But not in the installer, as busybox's implementation of mktemp didn't deprecate -t/-p. | | | |
| To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence. | | | |
| Replaced `[ -n "$string" ]` with `[ "$string" ]`, and `[ -z "$string" ]` with `[ ! "$string" ]`. | | | |
| 'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages. | | | |
| We use ESP only, so other protocols shouldn't be ACCEPTed. | | | |
| Packets originating from our (non-routable) $ipsec are marked; if there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to `ip rule add fwmark "$secmark" table 666 priority 666` and `ip route add blackhole default table 666`. | | | |
| Also, use ESP tunnel mode instead of transport mode. | | | |
| I.e., as packets are treated along the way: mangle -> nat -> filter. | | | |
| At each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some iptables rules ensure that alien traffic (not coming from / going to the tunnel end-point) is dropped. | | | |
| Also, added some options: `-f` (force: no confirmation asked), `-c` (check: dry-run mode), `-v` (verbose: see the difference between old and new ruleset), `-4` (IPv4 only), `-6` (IPv6 only). | | | |
| These rules are automatically included by third-party servers such as strongSwan or fail2ban. | | | |
| So it doesn't mess with the high-priority rules regarding IPSec. | | | |
| update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it. | | | |