Shorewall- und HAProxy-Config aktualisieren

roles/firewall/files/haproxy.cfg

@@ -248,7 +248,16 @@ backend foreman
 
 backend ceph_dashboard
     mode http
+
+    option httpchk GET /
+    http-check expect status 200
+
+    http-response add-header X-Frame-Options: ALLOW
+
     server rz-sp-virt-01 192.168.123.11:8080 check
+    server rz-sp-virt-02 192.168.123.12:8080 check
+    server rz-sp-virt-04 192.168.123.14:8080 check
+
 
 backend local_nginx
     mode http

roles/firewall/files/shorewall/hosts

@@ -32,6 +32,8 @@
 	admcli		br-wan:87.162.124.119
 	# monitoring-extern
 	admcli		br-wan:23.88.122.18
+        # Hetzner magicfelix
+        admcli		br-wan:168.119.166.244
 ?endif
 
 ?if __IPV6

roles/firewall/files/shorewall/params

@@ -62,7 +62,7 @@ PROXMOX_HOSTS=192.168.123.11,192.168.123.12,192.168.123.13,192.168.123.14
 
 # Blocklists
 
-BADGUYS=101.64.0.0/13,183.128.0.0/11 
+BADGUYS=101.64.0.0/13,183.128.0.0/11,111.0.0.0/10,36.99.0.0/16,31.210.37.0/24
 
 # Hosts
 
@@ -76,3 +76,6 @@ MEDIA=91.184.37.239
 CLOUD=91.184.37.233
 RZ_SP_BACKUP_01=91.184.37.163
 WWW_ALT=91.184.37.227
+
+# Users
+HETZNER_MAGICFELIX=168.119.166.244/32

roles/firewall/files/shorewall/rules

@@ -20,6 +20,9 @@
 ?SECTION UNTRACKED
 ?SECTION NEW
 
+# Drop nervigen Foo
+DROP			all:$BADGUYS				all
+
 # Unbreak the internet
 ACCEPT			all				all				icmp
 
@@ -176,6 +179,7 @@ Web/ACCEPT  all  fw:$HAPROXY_ADMINS
 ACCEPT				intern:192.168.124.26/32	all
 Web/ACCEPT			all!wan				intern:192.168.124.26/32
 
+ACCEPT		wan:$HETZNER_MAGICFELIX		intern:91.184.37.169/32
+
 ACCEPT				all				mgmt:$PROXMOX_HOSTS	tcp	80
 
-DROP:info			all:$BADGUYS				all

roles/firewall/files/shorewall/snat

 ?if __IPV4
-MASQUERADE	10.0.0.0/8		br-wan
+SNAT(91.184.32.117)    10.0.0.0/8              br-wan
 MASQUERADE	192.168.123.0/24	br-wan
 MASQUERADE      192.168.124.0/24        br-wan
 MASQUERADE	172.16.30.0/24		br-wan