| Commit message (Collapse) | Author | Age | Files |
|---|
| ... | |
| |
|
|
|
| |
${distro_codename} doesn't work properly there, so we put stable and/or
oldstable instead.
|
| |
|
|
|
| |
Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with
[ ! "$string" ].
|
| |
|
|
|
| |
'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.
|
| | |
|
| |
|
|
| |
We use ESP only, so other protocols shouldn't be ACCEPTed.
|
| |
|
|
|
|
|
|
|
| |
Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
|
| |
|
|
| |
Also, use ESP tunnel mode instead of transport mode.
|
| |
|
|
| |
I.e., as packets are treated along the way: mangle -> nat -> filter.
|
| | |
|
| |
|
|
|
|
|
| |
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.
|
| |
|
|
|
|
|
|
|
|
| |
Also, added some options:
-f force: no confirmation asked
-c check: check (dry-run) mode
-v verbose: see the difference between old and new ruleset
-4 IPv4 only
-6 IPv6 only
|
| |
|
|
|
| |
These rules are automatically included by third-party servers such as
strongSwan or fail2ban.
|
| |
|
|
| |
So it doesn't mess with the high-priority rules regarding IPSec.
|
| |
|
|
|
| |
update-firewall.sh -c does not update the firewall, but returns a
non-zero value iff. running it without the switch would modify it.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
