leap_platform.git/puppet/modules/site_shorewall/manifests, branch 0.8.0rc1 [leap_platform] specify the destination IP for DNAT rules for gateway addresses on port 443 (#6388) 2014-11-20T18:13:55+00:00 Micah Anderson micah@leap.se 2014-11-20T18:13:55+00:00 e334f10447303209ac3802436437670f45511603 Previously the DNAT rule would redirect the incoming port 443 requests to openvpn, which was the wrong thing to do on the primary IP (but the right thing to do on the openvpn gateway IPs). This manifested in the webapp not being available when it was also configured as a service on the node. Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a 
Previously the DNAT rule would redirect the incoming port 443 requests
to openvpn, which was the wrong thing to do on the primary IP (but the
right thing to do on the openvpn gateway IPs). This manifested in the
webapp not being available when it was also configured as a service on
the node.

Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a
minor linting 2014-11-20T18:13:33+00:00 Micah Anderson micah@leap.se 2014-11-20T18:13:33+00:00 be18ba31fadd2e587672adc44175dd106187ceba Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19 
Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19
Make shorewall accept incoming traffic for obfsproxy server 2014-07-01T23:05:40+00:00 irregulator irregulator@riseup.net 2014-05-21T17:42:46+00:00 156c2e1194c65d2f7813b946ac8baa90ffdf1f39 






stunnel: make site_mx and site_webapp use new site_stunnel
2014-06-26T01:17:31+00:00

elijah
elijah@riseup.net

2014-06-20T21:34:53+00:00

bc42e9bd3a86bb858ef853cf333242c81874209b












new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli
2014-06-26T01:17:22+00:00

elijah
elijah@riseup.net

2014-06-20T08:58:39+00:00

49f0c54a05f6b542367f8ef4538316ba2eaac6cd












fix incorrect shorewall parameter name 'protocol', should be 'proto'
2014-05-02T20:24:00+00:00

Micah Anderson
micah@leap.se

2014-05-02T20:24:00+00:00

c334061df623e3806c544598195eb93a805a91ce

Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d





Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d







block DNS traffic at the OpenVPN gateway (#4164)
2014-04-29T18:39:15+00:00

Micah Anderson
micah@leap.se

2014-04-29T18:39:15+00:00

e3e44973d6290a0228375135adf88d3271fc4242

There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.

This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).

Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177





There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.

This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).

Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177







vagrant: support other providers besides virtualbox (Bug #4158), Part 2
2013-10-16T19:30:16+00:00

varac
varacanero@zeromail.org

2013-10-16T19:30:16+00:00

99df31cdd58ca60b90c0098b126903e2d8251128

took out the last remaining virtualbox references





took out the last remaining virtualbox references







make sure that the shorewall package is installed before trying to change its configuration file (#3701)
2013-09-04T14:45:20+00:00

Micah Anderson
micah@leap.se

2013-09-03T18:47:09+00:00

9544d1a4c8e3dfa11ba611b296a3e47edde0e67f

Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed





Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed







postfix enable submission port using starttls, so the client can transition to the more restrictive TLS wrapper mode
2013-08-31T12:33:53+00:00

Micah Anderson
micah@leap.se

2013-08-30T19:19:43+00:00

ff26ca98604d9e3f3856cca2af678b21c096d1ee

Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa





Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa