summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks/firewall.yml
Commit message (Collapse)AuthorAgeFiles
* wibbleGuilhem Moulin2015-06-071
|
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-071
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-071
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Don't save dynamic rules.Guilhem Moulin2015-06-071
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Add a 'check' switch to the firewall.Guilhem Moulin2015-06-071
| | | | | update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it.
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071