From 6f2e4151831dbd82587b671f7645eddcfbbe743c Mon Sep 17 00:00:00 2001
From: Tom Teichler <tom.teichler@teckids.org>
Date: Sun, 3 Sep 2023 11:31:48 +0200
Subject: [PATCH] Shorewall- und HAProxy-Config aktualisieren

---
 roles/firewall/files/haproxy.cfg      | 9 +++++++++
 roles/firewall/files/shorewall/hosts  | 2 ++
 roles/firewall/files/shorewall/params | 5 ++++-
 roles/firewall/files/shorewall/rules  | 6 +++++-
 roles/firewall/files/shorewall/snat   | 2 +-
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/roles/firewall/files/haproxy.cfg b/roles/firewall/files/haproxy.cfg
index 82ac32d..6093e4d 100644
--- a/roles/firewall/files/haproxy.cfg
+++ b/roles/firewall/files/haproxy.cfg
@@ -248,7 +248,16 @@ backend foreman
 
 backend ceph_dashboard
     mode http
+
+    option httpchk GET /
+    http-check expect status 200
+
+    http-response add-header X-Frame-Options: ALLOW
+
     server rz-sp-virt-01 192.168.123.11:8080 check
+    server rz-sp-virt-02 192.168.123.12:8080 check
+    server rz-sp-virt-04 192.168.123.14:8080 check
+
 
 backend local_nginx
     mode http
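Review bot: `ALLOW` is not a defined value for `X-Frame-Options` (clients recognise only `DENY` and `SAMEORIGIN`, plus the obsolete `ALLOW-FROM`), so the header added at line 26 is ignored by browsers and, if the Ceph backend already emits its own `X-Frame-Options`, `add-header` leaves two headers in the response, which browsers resolve inconsistently. The trailing colon in the header name is also not part of HAProxy's `http-response add-header <name> <fmt>` syntax and is likely emitted literally. If the intent is to let another origin frame the dashboard, the supported form is to strip the backend's header and state the embedder via CSP: `http-response del-header X-Frame-Options` and `http-response set-header Content-Security-Policy "frame-ancestors 'self' <EMBEDDING-ORIGIN placeholder>"`; if framing should stay restricted, use `http-response set-header X-Frame-Options SAMEORIGIN`. The extra blank line added at line 31 leaves two empty lines before `backend local_nginx` and can be dropped.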
diff --git a/roles/firewall/files/shorewall/hosts b/roles/firewall/files/shorewall/hosts
index e9d277c..e9c6593 100644
--- a/roles/firewall/files/shorewall/hosts
+++ b/roles/firewall/files/shorewall/hosts
@@ -32,6 +32,8 @@
 	admcli		br-wan:87.162.124.119
 	# monitoring-extern
 	admcli		br-wan:23.88.122.18
+        # Hetzner magicfelix
+        admcli		br-wan:168.119.166.244
 ?endif
 
 ?if __IPV6
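Review bot: The new admcli entry at line 44 hard-codes 168.119.166.244 while the same patch defines `HETZNER_MAGICFELIX=168.119.166.244/32` in params; referencing the variable, `admcli	br-wan:$HETZNER_MAGICFELIX`, keeps zone membership and the rules file from drifting apart when that address changes. The two added lines are also indented with spaces where the surrounding entries use tabs. The enclosing `?if` block starts outside the hunk.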
diff --git a/roles/firewall/files/shorewall/params b/roles/firewall/files/shorewall/params
index 549bbde..e6df58a 100644
--- a/roles/firewall/files/shorewall/params
+++ b/roles/firewall/files/shorewall/params
@@ -62,7 +62,7 @@ PROXMOX_HOSTS=192.168.123.11,192.168.123.12,192.168.123.13,192.168.123.14
 
 # Blocklists
 
-BADGUYS=101.64.0.0/13,183.128.0.0/11 
+BADGUYS=101.64.0.0/13,183.128.0.0/11,111.0.0.0/10,36.99.0.0/16,31.210.37.0/24
 
 # Hosts
 
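Review bot: The three ranges appended to `BADGUYS` at line 57 carry no provenance, and 111.0.0.0/10 alone covers roughly four million addresses, so a later reader cannot tell why they are blocked or when an entry can be retired. A comment per addition such as `# 111.0.0.0/10, 36.99.0.0/16, 31.210.37.0/24 — added 2023-09, reason: <placeholder>` makes the list auditable. Since the rules change in this patch drops all traffic from these sources at the head of the NEW section, an over-broad entry silently cuts off legitimate peers as well.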
@@ -76,3 +76,6 @@ MEDIA=91.184.37.239
 CLOUD=91.184.37.233
 RZ_SP_BACKUP_01=91.184.37.163
 WWW_ALT=91.184.37.227
+
+# Users
+HETZNER_MAGICFELIX=168.119.166.244/32
diff --git a/roles/firewall/files/shorewall/rules b/roles/firewall/files/shorewall/rules
index 70a1d02..3eaae84 100644
--- a/roles/firewall/files/shorewall/rules
+++ b/roles/firewall/files/shorewall/rules
@@ -20,6 +20,9 @@
 ?SECTION UNTRACKED
 ?SECTION NEW
 
+# Drop nervigen Foo
+DROP			all:$BADGUYS				all
+
 # Unbreak the internet
 ACCEPT			all				all				icmp
 
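Review bot: Moving the BADGUYS rule to the head of the NEW section at line 77 is the right place for a blocklist, but the replacement drops the `:info` log level the old rule (removed in the next hunk) carried, so hits from these ranges now disappear without a trace in the firewall log. Keeping the level, `DROP:info		all:$BADGUYS				all`, preserves visibility into who is hitting the blocklist; if the old rule was too noisy, the rules file's rate-limit column is the way to cut volume rather than removing logging altogether. The comment `# Drop nervigen Foo` could also say what is being matched, e.g. `# Drop all traffic from blocklisted source ranges (BADGUYS, see params)`.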
@@ -176,6 +179,7 @@ Web/ACCEPT  all  fw:$HAPROXY_ADMINS
 ACCEPT				intern:192.168.124.26/32	all
 Web/ACCEPT			all!wan				intern:192.168.124.26/32
 
+ACCEPT		wan:$HETZNER_MAGICFELIX		intern:91.184.37.169/32
+
 ACCEPT				all				mgmt:$PROXMOX_HOSTS	tcp	80
 
-DROP:info			all:$BADGUYS				all
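Review bot: The rule added at line 86 accepts every protocol and port from `$HETZNER_MAGICFELIX` to 91.184.37.169/32, while the neighbouring rules restrict at least by service (`Web/ACCEPT`, `tcp 80`); unless that host genuinely needs unrestricted reachability, fill in the PROTO and DPORT columns for the services it actually uses. The destination 91.184.37.169 is also a bare literal where the other public hosts are named in params (`MEDIA`, `CLOUD`, `WWW_ALT`), so a named parameter plus a comment stating what this host-to-host exception is for would keep it reviewable.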
diff --git a/roles/firewall/files/shorewall/snat b/roles/firewall/files/shorewall/snat
index ef8aacd..6dc4e0e 100644
--- a/roles/firewall/files/shorewall/snat
+++ b/roles/firewall/files/shorewall/snat
@@ -1,5 +1,5 @@
 ?if __IPV4
-MASQUERADE	10.0.0.0/8		br-wan
+SNAT(91.184.32.117)    10.0.0.0/8              br-wan
 MASQUERADE	192.168.123.0/24	br-wan
 MASQUERADE      192.168.124.0/24        br-wan
 MASQUERADE	172.16.30.0/24		br-wan
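Review bot: Switching 10.0.0.0/8 from MASQUERADE to `SNAT(91.184.32.117)` at line 98 ties the translation to a fixed address that must stay configured on br-wan; MASQUERADE followed the interface's address automatically, whereas a fixed SNAT address that is later moved or removed leaves replies unroutable and breaks all 10/8 egress silently. A comment recording why this range needs a stable source address (presumably a remote allow-list keyed on it) and that 91.184.32.117 must remain assigned to br-wan would make the dependency visible. The public addresses named in params in this patch are all in 91.184.37.x while this one is 91.184.32.117, so it is worth confirming the intended address. The new line also uses spaces where the rest of the file uses tabs.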
-- 
GitLab