leap_platform.git/puppet/modules/site_shorewall/manifests, branch 0.5.4.1 [leap_platform] fix incorrect shorewall parameter name 'protocol', should be 'proto' 2014-05-02T20:24:00+00:00 Micah Anderson micah@leap.se 2014-05-02T20:24:00+00:00 c334061df623e3806c544598195eb93a805a91ce Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d 
Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
block DNS traffic at the OpenVPN gateway (#4164) 2014-04-29T18:39:15+00:00 Micah Anderson micah@leap.se 2014-04-29T18:39:15+00:00 e3e44973d6290a0228375135adf88d3271fc4242 There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177 
There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.

This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).

Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
vagrant: support other providers besides virtualbox (Bug #4158), Part 2 2013-10-16T19:30:16+00:00 varac varacanero@zeromail.org 2013-10-16T19:30:16+00:00 99df31cdd58ca60b90c0098b126903e2d8251128 took out the last remaining virtualbox references 
took out the last remaining virtualbox references
make sure that the shorewall package is installed before trying to change its configuration file (#3701) 2013-09-04T14:45:20+00:00 Micah Anderson micah@leap.se 2013-09-03T18:47:09+00:00 9544d1a4c8e3dfa11ba611b296a3e47edde0e67f Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed 
Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed
postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode 2013-08-31T12:33:53+00:00 Micah Anderson micah@leap.se 2013-08-30T19:19:43+00:00 ff26ca98604d9e3f3856cca2af678b21c096d1ee Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa 
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa
Make TLS-required smtps (465) be port for sending SMTP. This is preferred over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604) 2013-08-29T20:15:24+00:00 Micah Anderson micah@leap.se 2013-08-29T20:14:53+00:00 ddcab83dda101ee335bbf37451f37e2bfe358c7f . enable smtps (port 465) for client submission over TLS, and require that TLS is enabled . add 465 to the allowed open ports in the firewall . change the smtp-service.json to use 465 instead of 25 note: I did not use the 'use_smtps' parameter that is available in the postfix class because it added some options that we do not want/need. Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02 
. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25

note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.

Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02
install a preliminary firewall that blocks everything, except ssh for the cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) 2013-08-22T13:43:20+00:00 Micah Anderson micah@leap.se 2013-08-20T23:45:56+00:00 3cdebf3ebe73cb2859dc852dcc73a8ee2d60e976 Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 
Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
make site_shorewall::soledad use the hiera value for the soledad port 2013-08-01T10:04:47+00:00 Micah Anderson micah@leap.se 2013-07-30T01:00:21+00:00 da191971398827f81ddb0dffd86d4a3c572f6386 Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920 
Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920
Merge branch 'feature/soledad' into feature/leap_mx 2013-07-26T18:11:33+00:00 Micah Anderson micah@leap.se 2013-07-26T18:11:33+00:00 8d28379aca4d8a79caa00afbf79ad4e5a204493f 






initial soledad configuration
2013-07-25T19:07:57+00:00

Micah Anderson
micah@riseup.net

2013-05-21T21:35:20+00:00

1c9c5a5fec51919a8e9ec14f5fe9b16c538bb4fa

Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190





Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190