leap_platform.git/puppet/modules/site_shorewall, branch master [leap_platform] Stricter VPN egress firewall (#8289) 2016-08-08T15:09:14+00:00 Micah micah@leap.se 2016-08-04T19:34:14+00:00 7a3c80abc416bd022bf9d53d8641fc383c51b23d Change-Id: Ie09a6a34dfa8fe3d72568d2de0b208e7d947412f 
Change-Id: Ie09a6a34dfa8fe3d72568d2de0b208e7d947412f
Disallow intra-client connectivity (#8272). 2016-08-08T15:08:46+00:00 Micah micah@leap.se 2016-08-04T18:57:03+00:00 9c2025cd0dbd8b8e19a838c3be2669a288f8a6b9 If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93 
If you connect to the VPN with a client, you can make direct network
connections to the other connected clients.

This allows communication to the eip gateways, but disallows any other
connections.

Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
Disallow intra-client connectivity (#8272). 2016-08-05T15:51:35+00:00 Micah micah@leap.se 2016-08-04T18:57:03+00:00 5d6a4c389b93486ab1aa0012284b5bdcfbbc8a20 If you connect to the VPN with a client, you can make direct network connections to the other connected clients. This allows communication to the eip gateways, but disallows any other connections. Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93 
If you connect to the VPN with a client, you can make direct network
connections to the other connected clients.

This allows communication to the eip gateways, but disallows any other
connections.

Change-Id: I73e5bb5715e4d91256cbf95eda8c0ec70aa75f93
Notify Exec[shorewall_check] not Service[shorew..] 2016-07-13T08:46:05+00:00 varac varacanero@zeromail.org 2016-06-13T18:11:23+00:00 f3f78ebaf5f3fd3233bc35596fefb51f6e5ed9d9 Latest shorewall module does `shorewall check` (executed by `Exec[shorewall_check]`) so every related resource change must notify this Exec instead of `Service[shorewall]` as before. 
Latest shorewall module does `shorewall check` (executed
by `Exec[shorewall_check]`) so every related resource change
must notify this Exec instead of `Service[shorewall]` as before.
Fix shorewall not starting with systemd (#8044) 2016-04-27T12:48:16+00:00 Micah micah@leap.se 2016-04-25T19:52:54+00:00 e0e3bc3478b3b7ca1afe24ff7e44dbdfa384ea44 Shorewall in jessie doesn't come with a proper unit file, and as a result, it doesn't properly start with systemd. To solve this, we provide the systemd unit file that comes with stretch, add a systemd submodule that provides the exec resources needed for when systemd units or configuration files are changed Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b 
Shorewall in jessie doesn't come with a proper unit file, and
as a result, it doesn't properly start with systemd.

To solve this, we provide the systemd unit file that comes with stretch,
add a systemd submodule that provides the exec resources needed for when
systemd units or configuration files are changed

Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b
[style] more manual linting for custom manifests 2016-04-18T16:28:29+00:00 varac varacanero@zeromail.org 2016-04-18T16:28:29+00:00 8370875d608ebddae09fcd05741bb77e0e31c122 






[style] lint some custom manifests
2016-04-18T16:19:44+00:00

varac
varacanero@zeromail.org

2016-04-18T16:19:44+00:00

22b788920defdd42b4abda144afd8ca69d0a9d37

I used `puppet-lint -f FILE` to fix most issues, while
finishing with manual intervention.





I used `puppet-lint -f FILE` to fix most issues, while
finishing with manual intervention.







specify the destination IP for DNAT rules for gateway addresses on port 443 (#6388)
2014-11-20T18:13:55+00:00

Micah Anderson
micah@leap.se

2014-11-20T18:13:55+00:00

e334f10447303209ac3802436437670f45511603

Previously the DNAT rule would redirect the incoming port 443 requests
to openvpn, which was the wrong thing to do on the primary IP (but the
right thing to do on the openvpn gateway IPs). This manifested in the
webapp not being available when it was also configured as a service on
the node.

Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a





Previously the DNAT rule would redirect the incoming port 443 requests
to openvpn, which was the wrong thing to do on the primary IP (but the
right thing to do on the openvpn gateway IPs). This manifested in the
webapp not being available when it was also configured as a service on
the node.

Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a







minor linting
2014-11-20T18:13:33+00:00

Micah Anderson
micah@leap.se

2014-11-20T18:13:33+00:00

be18ba31fadd2e587672adc44175dd106187ceba

Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19





Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19







Make shorewall accept incoming traffic for obfsproxy server
2014-07-01T23:05:40+00:00

irregulator
irregulator@riseup.net

2014-05-21T17:42:46+00:00

156c2e1194c65d2f7813b946ac8baa90ffdf1f39