diff --git a/roles/firewall/files/haproxy.cfg b/roles/firewall/files/haproxy.cfg
index 82ac32d3c5fd0b99c733b9ed7b513cef9bab5896..6093e4de804a04ea8496aab02fbf955d6f64ec2f 100644
--- a/roles/firewall/files/haproxy.cfg
+++ b/roles/firewall/files/haproxy.cfg
@@ -248,7 +248,16 @@ backend foreman
 backend ceph_dashboard
 mode http
+
+ option httpchk GET /
+ http-check expect status 200
+
+ http-response add-header X-Frame-Options: ALLOW
+ server rz-sp-virt-01 192.168.123.11:8080 check
+ server rz-sp-virt-02 192.168.123.12:8080 check
+ server rz-sp-virt-04 192.168.123.14:8080 check
+
 backend local_nginx
 mode http
diff --git a/roles/firewall/files/shorewall/hosts b/roles/firewall/files/shorewall/hosts
index e9d277c7c209190ef7016e129ce0a9933b74c6b1..e9c6593613a41601fbf437a19cc3f198c4d29dd6 100644
--- a/roles/firewall/files/shorewall/hosts
+++ b/roles/firewall/files/shorewall/hosts
@@ -32,6 +32,8 @@ admcli br-wan:87.162.124.119
 # monitoring-extern
 admcli br-wan:23.88.122.18
+ # Hetzner magicfelix
+ admcli br-wan:168.119.166.244
 ?endif
 ?if __IPV6
diff --git a/roles/firewall/files/shorewall/params b/roles/firewall/files/shorewall/params
index 549bbde5641e3d96293e104c0c09cb264cb394d8..e6df58a79a5dd0cd231733e5653e3a7c0c18f946 100644
--- a/roles/firewall/files/shorewall/params
+++ b/roles/firewall/files/shorewall/params
@@ -62,7 +62,7 @@ PROXMOX_HOSTS=192.168.123.11,192.168.123.12,192.168.123.13,192.168.123.14
 # Blocklists
-BADGUYS=101.64.0.0/13,183.128.0.0/11
+BADGUYS=101.64.0.0/13,183.128.0.0/11,111.0.0.0/10,36.99.0.0/16,31.210.37.0/24
 # Hosts
@@ -76,3 +76,6 @@ MEDIA=91.184.37.239
 CLOUD=91.184.37.233
 RZ_SP_BACKUP_01=91.184.37.163
 WWW_ALT=91.184.37.227
+
+# Users
+HETZNER_MAGICFELIX=168.119.166.244/32
diff --git a/roles/firewall/files/shorewall/rules b/roles/firewall/files/shorewall/rules
index 70a1d02b3b842f0b936b82cd3736b619fcd274ff..3eaae84043c7f2e84f6f7a5cda8717f1180e5227 100644
--- a/roles/firewall/files/shorewall/rules
+++ b/roles/firewall/files/shorewall/rules
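Review bot: `http-response add-header X-Frame-Options: ALLOW` in the new ceph_dashboard backend sets a value that is not defined for X-Frame-Options (the standard values are DENY and SAMEORIGIN; ALLOW-FROM is deprecated), so browsers ignore the header and the dashboard gains no clickjacking protection from it. If the intent is to permit embedding by a particular origin, a `Content-Security-Policy: frame-ancestors <origin>` response header is the supported way to express that; if the intent was the default protection, `http-response set-header X-Frame-Options SAMEORIGIN` does it. HAProxy also takes header name and value as separate arguments without a colon (`add-header <name> <fmt>`), so the trailing colon here likely ends up in the emitted header name — worth checking the actual response. Using set-header rather than add-header additionally avoids emitting a duplicate if the dashboard already sends the header itself.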
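Review bot: The added `admcli br-wan:168.119.166.244` entry puts this address in the admcli zone, while the params hunk at @@ -76 defines the same address as `HETZNER_MAGICFELIX=168.119.166.244/32` and the rules hunk at @@ -176 matches it as a `wan:` source (`ACCEPT wan:$HETZNER_MAGICFELIX ...`). Whether a packet from this host is classified as admcli or wan depends on how the zones file nests admcli under wan, and that file is not part of this diff, so the new wan: rule may never see this traffic — please confirm against the zones definition. The address is now also maintained in two places; since params variables are expanded in the other Shorewall files, writing the hosts entry as `admcli br-wan:$HETZNER_MAGICFELIX` keeps a single definition to update when the user's address changes.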
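Review bot: The three prefixes appended to `BADGUYS` (`111.0.0.0/10`, `36.99.0.0/16`, `31.210.37.0/24`) carry no record of why or when they were added, and 111.0.0.0/10 alone covers roughly four million addresses, so a later reader cannot tell whether a block is still justified or is silently cutting off legitimate traffic. A one-line comment per entry above the variable, along the lines of `# 111.0.0.0/10 - <reason/source>, added <date>` (placeholders to be filled in), would make each block reviewable and removable later. The same applies to the two pre-existing prefixes on that line.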
@@ -20,6 +20,9 @@
 ?SECTION UNTRACKED
 ?SECTION NEW
+# Drop nervigen Foo
+DROP all:$BADGUYS all
+
 # Unbreak the internet
 ACCEPT all all icmp
@@ -176,6 +179,7 @@ Web/ACCEPT all fw:$HAPROXY_ADMINS
 ACCEPT intern:192.168.124.26/32 all
 Web/ACCEPT all!wan intern:192.168.124.26/32
+ACCEPT wan:$HETZNER_MAGICFELIX intern:91.184.37.169/32
+
 ACCEPT all mgmt:$PROXMOX_HOSTS tcp 80
-DROP:info all:$BADGUYS all
diff --git a/roles/firewall/files/shorewall/snat b/roles/firewall/files/shorewall/snat
index ef8aacdf31238769fbdab459ad89cba29775c402..6dc4e0efd298a8d9849687df763cd7d8291dd72f 100644
--- a/roles/firewall/files/shorewall/snat
+++ b/roles/firewall/files/shorewall/snat
@@ -1,5 +1,5 @@
 ?if __IPV4
-MASQUERADE 10.0.0.0/8 br-wan
+SNAT(91.184.32.117) 10.0.0.0/8 br-wan
 MASQUERADE 192.168.123.0/24 br-wan
 MASQUERADE 192.168.124.0/24 br-wan
 MASQUERADE 172.16.30.0/24 br-wan
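Review bot: The new `DROP all:$BADGUYS all` at the top of `?SECTION NEW` drops silently, whereas the line it replaces at the end of the file (`DROP:info all:$BADGUYS all`, removed in the hunk at @@ -176) logged at info level. Now that the rule sits where it actually fires ahead of every ACCEPT, the log is the only way to see how much traffic the blocklist catches or to notice a legitimate client caught by the newly added /10 in params. Keeping the log level, `DROP:info all:$BADGUYS all`, optionally bounded with the rule's RATE LIMIT column so a scan cannot flood the log, preserves that visibility. The comment `# Drop nervigen Foo` would also be more useful to the next reader as `# Drop traffic from blocklisted sources ($BADGUYS in params)`.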
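Review bot: `ACCEPT wan:$HETZNER_MAGICFELIX intern:91.184.37.169/32` has no PROTO or DPORT columns, so it admits every protocol and port from that external host to the internal machine; the neighbouring unrestricted ACCEPT lines have internal sources, whereas this one crosses the wan boundary for a single user's host. If the host needs one service, restricting the rule to it, e.g. `ACCEPT wan:$HETZNER_MAGICFELIX intern:91.184.37.169/32 tcp <port>` (port to be filled in), and adding a comment that names what 91.184.37.169 is and why this user needs it, keeps the exception auditable and easy to remove later. As noted on the hosts hunk, whether `wan:` matches this host at all depends on the admcli/wan zone nesting, which is outside this diff.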
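Review bot: `SNAT(91.184.32.117) 10.0.0.0/8 br-wan` pins 10/8 egress to a fixed public address while the three MASQUERADE lines below keep using br-wan's primary address, so the file now has two egress identities and the reason is not recorded. SNAT to an address that is not actually bound on br-wan (or not answered for via ADD_SNAT_ALIASES or proxy ARP) silently breaks return traffic for everything in 10/8, so it is worth confirming 91.184.32.117 is configured on the host this role manages. A comment such as `# 10/8 leaves via 91.184.32.117 (dedicated egress address, <reason>)` would explain the asymmetry to the next reader.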