| Commit message | Author | Age | Files |
|---|---|---|---|
| ... | | | |
| Prefer matching on policy rather than marks. Also, use ESP tunnel mode instead of transport mode. | Guilhem Moulin | 2015-06-07 | 2 |
| Preserve the canonical order of IP tables. I.e., as packets are treated along the way: mangle -> nat -> filter. | Guilhem Moulin | 2015-06-07 | 1 |
| Documentation. | Guilhem Moulin | 2015-06-07 | 1 |
| Use a dedicated, non-routable, IPv4 for IPSec. At each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien traffic (not coming from / going to the tunnel end-point) is dropped. | Guilhem Moulin | 2015-06-07 | 6 |
| Major refactoring of the firewall. Also, added some options: `-f` force: no confirmation asked; `-c` check: check (dry-run) mode; `-v` verbose: see the difference between old and new ruleset; `-4` IPv4 only; `-6` IPv6 only. | Guilhem Moulin | 2015-06-07 | 2 |
| Don't save dynamic rules. These rules are automatically included by third-party servers such as strongSwan or fail2ban. | Guilhem Moulin | 2015-06-07 | 3 |
| Use a dedicated 'fail2ban' chain for fail2ban. So it doesn't mess with the high-priority rules regarding IPSec. | Guilhem Moulin | 2015-06-07 | 2 |
| Add a 'check' switch to the firewall. `update-firewall.sh -c` does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it. | Guilhem Moulin | 2015-06-07 | 2 |
| Configure the (basic) logging policy. | Guilhem Moulin | 2015-06-07 | 5 |
| Configure IPSec. | Guilhem Moulin | 2015-06-07 | 5 |
| Configure fail2ban. | Guilhem Moulin | 2015-06-07 | 4 |
| Configure rkhunter. | Guilhem Moulin | 2015-06-07 | 5 |
| Configure samhain. | Guilhem Moulin | 2015-06-07 | 4 |
| Configure v4 and v6 iptable rulesets. | Guilhem Moulin | 2015-06-07 | 6 |
| Configure APT. | Guilhem Moulin | 2015-06-07 | 8 |
| Configure /etc/{hosts,hostname,mailname}. | Guilhem Moulin | 2015-06-07 | 5 |
| Basic ansible setup. To run the playbook: `cd ./ansible`, then `ansible-playbook -i vms site.yml`. | Guilhem Moulin | 2015-06-07 | 2 |