leap_platform.git/puppet/modules/site_shorewall/manifests/eip.pp, branch 0.5.4.1 [leap_platform] fix incorrect shorewall parameter name 'protocol', should be 'proto' 2014-05-02T20:24:00+00:00 Micah Anderson micah@leap.se 2014-05-02T20:24:00+00:00 c334061df623e3806c544598195eb93a805a91ce Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d 
Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
block DNS traffic at the OpenVPN gateway (#4164) 2014-04-29T18:39:15+00:00 Micah Anderson micah@leap.se 2014-04-29T18:39:15+00:00 e3e44973d6290a0228375135adf88d3271fc4242 There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177 
There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.

This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).

Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
special casing for pistoncloud/openstack/ec2 2013-05-16T16:46:00+00:00 Micah Anderson micah@riseup.net 2013-05-11T18:05:14+00:00 0f6d2ebd6467d1c793d1907d677ca374a1efe477 






minor spacing changes
2013-04-30T21:18:19+00:00

Micah Anderson
micah@riseup.net

2013-04-30T21:18:19+00:00

b54161a12561c5983f6bc5215f764a1f46a4bd1f












setup a site_config::params class that can be used to set some common variables that are used in different places
2013-04-30T21:17:54+00:00

Micah Anderson
micah@riseup.net

2013-04-30T21:17:54+00:00

8e5716518b361aceac5c2cc5433148edf8785d89

to start with we setup the $interface variable, based on logic as defined in #2213
change the various places that were looking up this value to use site_config::params::interface instead





to start with we setup the $interface variable, based on logic as defined in #2213
change the various places that were looking up this value to use site_config::params::interface instead







added support for "limited" service levels (although vpn is not yet actually rate limited).
2013-03-17T20:15:51+00:00

elijah
elijah@riseup.net

2013-03-17T20:15:51+00:00

ad62cfdad04c8f8ed9d6454f716c92e850ac53ba












missed another require => Package['shorewall'] on the file resources in site_shorewall
2013-02-26T20:07:38+00:00

Micah Anderson
micah@riseup.net

2013-02-26T20:07:38+00:00

b3aca2b0cd35f9cc921d1703a597ddbc91529044












allow outgoing traffic moved to site_shorewall::defaults
2013-02-06T22:59:26+00:00

varac
varacanero@zeromail.org

2013-02-06T22:59:17+00:00

dbdbb33ce52cf04798763d488e63acc5a26980f9












Restructuring site_shorewall
2013-02-06T22:23:21+00:00

varac
varacanero@zeromail.org

2013-02-06T17:11:21+00:00

ab25692d3b8aaf3e71ec3546d1ea9d85f26f7b63

site_shorewall::defaults can be used on every host, it configures
a basic firewall, which blocks everything from outside except
ping + ssh, and allows outgoing traffic for http, git, dns.





site_shorewall::defaults can be used on every host, it configures
a basic firewall, which blocks everything from outside except
ping + ssh, and allows outgoing traffic for http, git, dns.







start shorewall on vagrant nodes too (#1467)
2013-01-30T14:40:58+00:00

varac
varacanero@zeromail.org

2013-01-30T14:40:58+00:00

6b3dafcb8c18ac31a1d11be661c255ec458d6078