feat(ISP): firewall to separate users
This commit is contained in:
parent
595407c13b
commit
6ff99bfec4
1 changed files with 6 additions and 44 deletions
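--- a/(unknown)
+++ b/(unknown)
@@ -39,7 +39,6 @@ let
 mkUserVlan =
 {
 vlan,
-netIP,
 servIP,
 interfaceName,
 ...
@@ -48,38 +47,13 @@ let
 name = interfaceName;
 value = {
 Id = vlan;
+address = with uplink; [ "${servIP}/27" ];
 extraNetwork = {
 networkConfig = {
 LinkLocalAddressing = "no";
 DHCPServer = "yes";
 };
 linkConfig.Promiscuous = true;
-addresses = [
-{
-addressConfig = {
-Address = "${servIP}/27";
-AddPrefixRoute = false;
-};
-}
-];
-routes = [
-{
-routeConfig = {
-Destination = "${netIP}/27";
-Table = "user";
-};
-}
-];
-routingPolicyRules = [
-{
-routingPolicyRuleConfig = {
-From = "${netIP}/27";
-To = "10.0.0.0/27";
-IncomingInterface = interfaceName;
-Table = "user";
-};
-}
-];
 };
 };
 };
@@ -140,7 +114,6 @@ in
 {
 systemd = {
 network = {
-config.routeTables."user" = 1000;
 networks = {
 "10-lo" = {
 name = "lo";
@@ -149,22 +122,6 @@ in
 "127.0.0.1/8"
 "10.0.0.1/27"
 ];
-routes = [
-{
-routeConfig = {
-Destination = "10.0.0.0/27";
-Table = "user";
-};
-}
-];
-routingPolicyRules = [
-{
-routingPolicyRuleConfig = {
-IncomingInterface = "lo";
-Table = "user";
-};
-}
-];
 };
 "10-enp67s0f0np0" = {
 name = "enp67s0f0np0";
@@ -246,6 +203,11 @@ in
 firewall = {
 allowedUDPPorts = [ 67 ];
 checkReversePath = false;
+filterForward = true;
+extraForwardRules = ''
+ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept
+ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 accept
+'';
 };
 };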
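Review bot: The two accept rules added to extraForwardRules match only on source and destination address, and since checkReversePath = false is kept on the line above, nothing ties a 10.0.0.0/16 source to a user-VLAN ingress interface — a packet arriving on any other interface (presumably the uplink, if enp67s0f0np0 is it) with a forged 10.0.0.0/16 source is forwarded into the service net 10.0.0.0/27 exactly like user traffic, which the removed per-VLAN IncomingInterface policy rules used to prevent. Qualifying both rules with the ingress interface closes this, e.g. `iifname "<user vlan interfaces>" ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept`; the user-VLAN interface names come from mkUserVlan's interfaceName and are not visible here, so the exact match has to be filled in. filterForward only exists in the nftables-based firewall, so networking.nftables.enable must be set somewhere else in the configuration — it is not visible in this hunk. The rule set also deserves a one-line comment stating the intent, e.g. `# users may reach the service net (10.0.0.0/27) and anything outside 10.0.0.0/16, but never another user VLAN (forward policy drop)`. The enclosing attrset continues outside the hunk.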