| Commit message (Collapse) | Author | Age | Files |
... | |
| |
|
| |
|
| |
|
|
|
|
| |
We use a dedicated instance for each role: MDA, MTA out, MX, etc.
|
|
|
|
| |
We use ESP only, so other protocols shouldn't be ACCEPTed.
|
|
|
|
| |
This is pointless since the service will be restarted anyway.
|
|
|
|
|
|
|
|
|
| |
In particular, run 'apt-get update' right after configured APT, and
restart daemon right after configured them.
The advantage being that if ansible crashes in some "task", the earlier
would already be restarted if neeeded. (This may not happen in the next
run since the configuration should already be up to date.)
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
|
|
|
|
|
|
|
| |
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.
|
|
|
|
|
| |
These rules are automatically included by third-party servers such as
strongSwan or fail2ban.
|
|
|
|
|
| |
update-firewall.sh -c does not update the firewall, but returns a
non-zero value iff. running it without the switch would modify it.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
To run the playbook:
cd ./ansible
ansible-playbook -i vms site.yml
|