summaryrefslogtreecommitdiffstats
path: root/roles/common/templates/etc/nftables.conf.j2
Commit message (Collapse)AuthorAgeFiles
* Firewall: Move IPsec/ICMP/ICMPv6 rules to ingress chain.Guilhem Moulin2020-11-031
| | | | | | | | This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24, as well as linked-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour discovery). Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
* Firewall: Move martian and bogus TCP filters early in the packet flow.Guilhem Moulin2020-11-021
| | | | | This is more efficient: the earlier we filter the crap out the less resources they consume.
* s/LDAP-provider/LDAP_provider/Guilhem Moulin2020-05-191
| | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* Firewall: note on reqid matching.Guilhem Moulin2020-05-181
| | | | To be done when we upgrade to Bullseye for more fine-grained control.
* Firewall: Use `meta secpath exists` to match xfrm associations.Guilhem Moulin2020-05-181
| | | | | Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traverslate (UDP encapsulation aka MOBIKE).
* typofixGuilhem Moulin2020-05-161
|
* Upgrade baseline to Debian 10.Guilhem Moulin2020-05-161
|
* Convert firewall to nftables.Guilhem Moulin2020-01-231
Debian Buster uses the nftables framework by default.