Age | Commit message | Author

Shorewall in jessie doesn't come with a proper unit file, and
as a result, it doesn't properly start with systemd.
To solve this, we provide the systemd unit file that comes with stretch,
add a systemd submodule that provides the exec resources needed for when
systemd units or configuration files are changed
Change-Id: I861fa951835928b4741abfbf969adcee4b8f147b

I used `puppet-lint -f FILE` to fix most issues, while
finishing with manual intervention.

(#6388)
Previously the DNAT rule would redirect the incoming port 443 requests
to openvpn, which was the wrong thing to do on the primary IP (but the
right thing to do on the openvpn gateway IPs). This manifested in the
webapp not being available when it was also configured as a service on
the node.
Change-Id: Ic8c6b6c0389859fab168a7df687351e11263277a

Change-Id: I6d04cc7e028e86ee0012d96d7ef075fdd7ecef19

needed shorewall will be automatically set up. Requires new leap_cli

Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d

There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.
This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).
Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177

took out the last remaining virtualbox references

its configuration file (#3701)
Change-Id: Ib2dad30d53e5bf7539762eb3683430b10eb875ed

to the more restrictive TLS wrapper mode
Change-Id: I2a1728788378d9a1b79155ddb9bb4b0464b16baa

over 25 because that is typically blocked, and we cannot force TLS on that port due to other MTAs not being configured for this century. We don't use submission (568) because that uses STARTTLS, and the STARTTLS banner can easily be stripped by an adversary. (#3604)
. enable smtps (port 465) for client submission over TLS, and require that TLS is enabled
. add 465 to the allowed open ports in the firewall
. change the smtp-service.json to use 465 instead of 25
note: I did not use the 'use_smtps' parameter that is available in the postfix
class because it added some options that we do not want/need.
Change-Id: I0040eb2dff6008a1c830d59df9963eb83dc9ea02

cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339)
Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38

Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920

Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190

without this rule, one just gets a 'site is unavailable' result
Change-Id: I27b80a0044e9fe4e87e607412c8d0a089d4866a6

variables that are used in different places
To start with, we set up the $interface variable, based on logic as defined in #2213
change the various places that were looking up this value to use site_config::params::interface instead

set up ednp_server and ednp_client stunnels
update couchdb puppet submodule to support configurable ednp_port parameter and general module cleanup
pass ednp_port to couchdb setup so that it is configured in the vm.args template
clarify in comments the difference between the epmd and ednp ports
remove hard-coded erlang_vm_port variable and instead set up shorewall to allow for the stunnel connection only
set up dnat rules for the ednp client connections

remove the 'ip:' from the beginning in bigcouch replication client stunnels

create a macro for the bigcouch replication server stunnel to enable these
connections, pulling bigcouch_replication_clients and
bigcouch_replication_server_port from hiera
create site_shorewall::couchdb::dnat and create_resources to properly set up DNAT
for bigcouch_replication_clients

necessary for the stunnel to communicate

bigcouch cluster protocol communicates via the fqdn of
the neighbor hosts. So we need to bend all requests to
<fqdn>:4369 to localhost:400x (which is the entry of
a stunnel connection to the other neighbor)

rate limited).

special client certificates with the FREE prefix in the common name.

site_shorewall

site_shorewall

shorewall is installed first (#1741)

site_shorewall::defaults can be used on every host, it configures
a basic firewall, which blocks everything from outside except
ping + ssh, and allows outgoing traffic for http, git, dns.