path: root/roles/common/templates/etc/iptables/services.j2
Commit message [Author, Age, Files]
* Firewall: disable outgoing access to git:// remote servers. [Guilhem Moulin, 2018-12-09, 1 file]
  We don't need it anymore as we use https:// these days.
* Define new host "calima" serving Nextcloud. [Guilhem Moulin, 2018-12-03, 1 file]
* IPsec: allow ISAKMP over IPv6. [Guilhem Moulin, 2018-12-03, 1 file]
* Firewall: Allow DNS queries over TCP. [Guilhem Moulin, 2018-04-04, 1 file]
* Perform recipient address verification on the MSA itself. [Guilhem Moulin, 2018-04-04, 1 file]
* Webmail: don't allow outgoing TCP/993 connections. [Guilhem Moulin, 2017-06-15, 1 file]
  We're going through IPsec to communicate with the IMAP server.
* Route all internal SMTP traffic through IPsec. [Guilhem Moulin, 2016-07-10, 1 file]
* IPSec → IPsec [Guilhem Moulin, 2016-06-29, 1 file]
* Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. [Guilhem Moulin, 2016-05-22, 1 file]
* Tunnel munin-update traffic through IPSec. [Guilhem Moulin, 2016-05-22, 1 file]
* Tunnel internal NTP traffic through IPSec. [Guilhem Moulin, 2016-05-22, 1 file]
  More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentication and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure.
* Set up IPSec tunnels between each pair of hosts. [Guilhem Moulin, 2016-05-22, 1 file]
  We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* s/ansible_ssh_/ansible_/ [Guilhem Moulin, 2016-02-12, 1 file]
* Configure munin nodes & master. [Guilhem Moulin, 2015-06-10, 1 file]
  Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Configure Bacula File Daemon / Storage Daemon / Director. [Guilhem Moulin, 2015-06-07, 1 file]
  Using client-side data signing/encryption and wrapping inter-host communication into stunnel.
* wibble [Guilhem Moulin, 2015-06-07, 1 file]
* Configure ikiwiki (website + wiki). [Guilhem Moulin, 2015-06-07, 1 file]
* typo [Guilhem Moulin, 2015-06-07, 1 file]
* Allow outgoing HKP and WHOIS traffic on the LDAP provider. [Guilhem Moulin, 2015-06-07, 1 file]
* Allow outgoing SSH traffic. [Guilhem Moulin, 2015-06-07, 1 file]
* Configure the list manager (Sympa). [Guilhem Moulin, 2015-06-07, 1 file]
* Enable the use of git:// clients. [Guilhem Moulin, 2015-06-07, 1 file]
* wibble [Guilhem Moulin, 2015-06-07, 1 file]
* Fix NTP configuration. [Guilhem Moulin, 2015-06-07, 1 file]
  We've yet to get authenticated time, though.
* typo [Guilhem Moulin, 2015-06-07, 1 file]
* Fix Dovecot's mail location. [Guilhem Moulin, 2015-06-07, 1 file]
* Perform the alias resolution and address validation solely on the MX:es. [Guilhem Moulin, 2015-06-07, 1 file]
  We can therefore spare some lookups on the MDA, and use static:all instead.
* Configure SyncRepl (OpenLDAP replication) and related ACLs. [Guilhem Moulin, 2015-06-07, 1 file]
  The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy.
  Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.
* typo [Guilhem Moulin, 2015-06-07, 1 file]
* Replace IPSec tunnels by app-level ephemeral TLS sessions. [Guilhem Moulin, 2015-06-07, 1 file]
  For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy. [Guilhem Moulin, 2015-06-07, 1 file]
* Configure Sieve and ManageSieve. [Guilhem Moulin, 2015-06-07, 1 file]
  Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Configure the webmail. [Guilhem Moulin, 2015-06-07, 1 file]
* Configure NTP. [Guilhem Moulin, 2015-06-07, 1 file]
  We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Configure the Mail Submission Agent. [Guilhem Moulin, 2015-06-07, 1 file]
* Configure the IMAP server. [Guilhem Moulin, 2015-06-07, 1 file]
  (For now, only LMTP and IMAP processes, without replication.)
* Configure the MX:es. [Guilhem Moulin, 2015-06-07, 1 file]
* Configure v4 and v6 iptable rulesets. [Guilhem Moulin, 2015-06-07, 1 file]