path: root/roles/common/templates/etc/nftables.conf.j2
Commit log: commit message, author, date, files changed

* Change NTP client to systemd-timesyncd. (Guilhem Moulin, 2020-11-15, 1 file)
  (Excluding our NTP master.) It's simpler, arguably more secure, and provides enough functionality when only simple client use-cases are desired. We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd can connect to the fallback NTP servers.
* Firewall: allow ICMP type 11 (time-exceeded). (Guilhem Moulin, 2020-11-03, 1 file)
  This is in particular needed for traceroutes and routing loop detection.
* Firewall: Move IPsec/ICMP/ICMPv6 rules to ingress chain. (Guilhem Moulin, 2020-11-03, 1 file)
  This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24, as well as link-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour discovery). Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
* Firewall: Move martian and bogus TCP filters early in the packet flow. (Guilhem Moulin, 2020-11-02, 1 file)
  This is more efficient: the earlier we filter the crap out, the less resources they consume.
* s/LDAP-provider/LDAP_provider/ (Guilhem Moulin, 2020-05-19, 1 file)
  This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* Firewall: note on reqid matching. (Guilhem Moulin, 2020-05-18, 1 file)
  To be done when we upgrade to Bullseye for more fine-grained control.
* Firewall: Use `meta secpath exists` to match xfrm associations. (Guilhem Moulin, 2020-05-18, 1 file)
  Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traversal (UDP encapsulation aka MOBIKE).
* typofix (Guilhem Moulin, 2020-05-16, 1 file)
* Upgrade baseline to Debian 10. (Guilhem Moulin, 2020-05-16, 1 file)
* Convert firewall to nftables. (Guilhem Moulin, 2020-01-23, 1 file)
  Debian Buster uses the nftables framework by default.