summaryrefslogtreecommitdiffstats
path: root/roles/common
Commit message (Collapse)AuthorAgeFiles
* Autostart daemons.Guilhem Moulin2015-06-075
|
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-073
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Prefer maching on policy rather than marks.Guilhem Moulin2015-06-072
| | | | Also, use ESP tunnel mode instead of transport mode.
* Preserve canonical the order of IP tables.Guilhem Moulin2015-06-071
| | | | I.e., as packets are treated along the way: mangle -> nat -> filter.
* Documentation.Guilhem Moulin2015-06-071
|
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-076
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Major refactoring of the firewall.Guilhem Moulin2015-06-072
| | | | | | | | | | Also, added some options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only
* Don't save dynamic rules.Guilhem Moulin2015-06-073
| | | | | These rules are automatically included by third-party servers such as strongSwan or fail2ban.
* Use a dedicated 'fail2ban' chain for fail2ban.Guilhem Moulin2015-06-072
| | | | So it doesn't mess with the high-priority rules regarding IPSec.
* Add a 'check' switch to the firewall.Guilhem Moulin2015-06-072
| | | | | update-firewall.sh -c does not update the firewall, but returns a non-zero value iff. running it without the switch would modify it.
* Configure the (basic) logging policy.Guilhem Moulin2015-06-075
|
* Configure IPSec.Guilhem Moulin2015-06-075
|
* Configure fail2ban.Guilhem Moulin2015-06-074
|
* Configure rkhunter.Guilhem Moulin2015-06-075
|
* Configure samhain.Guilhem Moulin2015-06-074
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-076
|
* Configure APT.Guilhem Moulin2015-06-078
|
* Configure /etc/{hosts,hostname,mailname}.Guilhem Moulin2015-06-075
|
* Basic ansible setup.Guilhem Moulin2015-06-072
To run the playbook: cd ./ansible ansible-playbook -i vms site.yml