heroes / salt

Clone
Source Code
GIT

Files

  1.   012dc963caeeb71b906a063456f30dd6389ca371
  2.   salt
  3.   files
  4.   nftables
  5.   asgard
  6.   zones
  7.   1203_os-internal.nft
Blob Blame History Raw 
###################################################
## MANAGED BY SALT in salt/files/nftables/asgard ##
###################################################

 chain input_network_os-internal {
  jump global_internal

  # disabled 03/03/2024 - to remove
  #ip6 saddr $net6_os-internal  tcp dport { 22 } accept
  #ip6 daddr @lan_ipv6 ip6 nexthdr icmpv6 accept
  ip6 saddr @net6_os-internal ip6 daddr @self6_internal ip6 nexthdr icmpv6 accept

  # acme -> chip PDNS API
  #ip6 saddr @host6_acme ip6 daddr $chip tcp dport 444 accept
  # acme -> internet for Let's Encrypt (acme-v02.api.letsencrypt.org doesn't seem to use a fixed address)
  ip6 saddr @host6_acme tcp dport { http, https } accept
  # acme -> { certificate deployment targets } 
  # ICMP/ping the pre-deployment connectivity check
  ip6 saddr @host6_acme ip6 daddr $nat64_v6 icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @host6_acme ip6 daddr $host6_stage3 icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @host6_acme ip6 daddr @host6_atlas icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @host6_acme ip6 daddr @host6_mx icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @host6_acme ip6 daddr @host6_witch1 icmpv6 type { echo-request, echo-reply } accept
  # SSH for the certificate synchronization using scp and for remote service reloads
  ip6 saddr @host6_acme ip6 daddr $nat64_v6 tcp dport ssh accept
  ip6 saddr @host6_acme ip6 daddr $host6_stage3 tcp dport ssh accept
  ip6 saddr @host6_acme ip6 daddr @host6_atlas tcp dport ssh accept
  ip6 saddr @host6_acme ip6 daddr @host6_mx tcp dport ssh accept
  ip6 saddr @host6_acme ip6 daddr @host6_witch1 tcp dport ssh accept

  # paste, mailman3, discourse -> atlas1 (HTTPS / why? in case of mailman3, it seems it's required for OpenID login, metrics for susepaste)
  ip6 saddr { $host6_paste, $host6_mailman3, $host6_discourse, $host6_metrics } ip6 daddr $host6_atlas tcp dport https accept

  # galera{1,2,3} -> downloadcontent (HTTP repositories) (could use @acl6_internet_downloadcontent instead)
  ip6 saddr @host6_galera ip6 daddr @host6_downloadcontent tcp dport https accept

  # gitlab-runner* -> registry.o.o (HTTPS)
  ip6 saddr @host6_gitlab-runner ip6 daddr @cloud6_obs-login tcp dport https accept
  # -> * (temp)
  #ip6 saddr @host6_gitlab-runner tcp dport { http, https } accept
  #ip6 saddr @host6_gitlab-runner icmpv6 type { echo-request, echo-reply } accept

  # * -> GitHub (HTTP/HTTPS/SSH) (further restricted using client whitelisting through @acl4_internet_github in forward.conf)
  oifname nat64 ip6 daddr @cloud46_github_web icmpv6 type { echo-request, echo-reply } accept
  oifname nat64 ip6 daddr @cloud46_github_web tcp dport { http, https, ssh } accept #log prefix "[GitHub v6 IN] " accept

  # * -> Akismet/Sentry (HTTPS) (further restricted using client whitelisting through @acl4_internet_{akismet,sentry} in forward.conf)
  ip6 daddr @cloud46_akismet icmpv6 type { echo-request, echo-reply } accept
  oifname nat64 ip6 daddr @cloud46_akismet tcp dport https accept
  ip6 daddr @cloud46_sentry_organization icmpv6 type { echo-request, echo-reply } accept
  oifname nat64 ip6 daddr @cloud46_sentry_organization tcp dport https accept

  # Fastly ACL -> fastly (HTTPS, for rubygems.org)
  ip6 saddr @acl6_internet_fastly ip6 daddr @cloud6_fastly icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @acl6_internet_fastly ip6 daddr @cloud6_fastly tcp dport https accept

  # OBS-Login ACL -> (HTTPS, for registry.o.o, api.o.o, ..)
  ip6 saddr @acl6_internet_obs-login ip6 daddr @cloud6_obs-login icmpv6 type { echo-request, echo-reply } accept
  ip6 saddr @acl6_internet_obs-login ip6 daddr @cloud6_obs-login tcp dport https accept

  # jekyll -> * (HTTP/HTTPS, for planet.o.o RSS feeds)
  oifname { nat64, os-p2p-pub } ip6 saddr $host6_jekyll tcp dport { http, https } ip6 daddr != @lan_ipv6_nonat accept

  # jekyll -> atlas (HTTPS for planet.o.o to news.o.o)
  oif os-public ip6 saddr $host6_jekyll ip6 daddr $host6_atlas tcp dport https accept

  # narwal5 -> narwal4 (rsync over ssh)
  oifname nat64 ip6 saddr $host6_narwal5 ip6 daddr $host6_narwal4 tcp dport ssh accept
  # narwal5 -> download.o.o (HTTPS for reaching download.o.o/report/mirrors)
  oifname os-p2p-pub ip6 saddr $host6_narwal5 ip6 daddr @host6_download icmpv6 type { echo-request, echo-reply } accept
  oifname os-p2p-pub ip6 saddr $host6_narwal5 ip6 daddr @host6_download tcp dport https accept
  # narwal5 -> {rsync,stage}.o.o (rsync for generating /list/rsyncinfo{-stage}.o.o.txt)
  oifname os-p2p-pub ip6 saddr $host6_narwal5 ip6 daddr @host6_rsync icmpv6 type { echo-request, echo-reply } accept
  oifname os-p2p-pub ip6 saddr $host6_narwal5 ip6 daddr @host6_stage icmpv6 type { echo-request, echo-reply } accept
  oifname os-p2p-pub ip6 saddr $host6_narwal5 ip6 daddr @host6_rsync tcp dport rsync accept
  oifname os-p2p-pub ip6 saddr $host6_narwal5 ip6 daddr @host6_stage tcp dport rsync accept

  # riesling -> atlas* (HTTPS for RSS feeds embedded in Wiki)
  oif os-public ip6 saddr $host6_atlas tcp dport https accept

  # gitlab-runner* -> witch1 (rsync + API access for Salt deployment)
  oif os-salt ip6 saddr @host6_gitlab-runner ip6 daddr @host6_witch1 tcp dport rsync accept
  oif os-salt ip6 saddr @host6_gitlab-runner ip6 daddr @host6_witch1 tcp dport 4550 log prefix "[Salt API] " accept

  # matrix -> * (Matrix federation, all ports to facilitate connectivity to other homeservers using arbitrary ports)
  oifname { nat64, os-p2p-pub } ip6 saddr $host6_matrix ip6 nexthdr tcp ip6 daddr != @lan_ipv6_nonat accept
  # matrix -> atlas (HTTPS for access to "itself", for example Telegram tries to chat with Matrix over its public matrix.o.o proxy address)
  oif os-public ip6 saddr $host6_matrix ip6 daddr $host6_atlas tcp dport https accept

  # discourse -> * (would be good to restrict further, but download of assets during discourse-update as well as generating of arbitrary link previews makes it difficult)
  oifname { nat64, os-p2p-pub } ip6 saddr $host6_discourse tcp dport { http, https } ip6 daddr != @lan_ipv6_nonat log prefix "[Discourse HTTP 1] " accept
  # osc-collab -> * (https://github.com/openSUSE/osc-plugin-collab/blob/master/server/upstream/upstream-tarballs.txt)
  oifname { nat64, os-p2p-pub } ip6 saddr $host6_osc-collab tcp dport { http, https, ftp } ip6 daddr != @lan_ipv6_nonat accept

  # monitor -> provo-mirror (HTTPS, why ??) edit: probably Prometheus metrics for debuginfod
  #oif os-p2p-pub ip6 saddr $host6_monitor ip6 daddr 2a07:de40:0401:0000:0000:0000:0000:0065/128 tcp dport https accept
  # monitor -> LiberaChat (IRCS for heroes-bot)
  oif os-p2p-pub ip6 saddr $host6_monitor ip6 daddr @cloud6_liberachat tcp dport ircs-u accept

  # monitor -> * (Prometheus)
  ip6 saddr $host6_monitor ip6 daddr @lan_ipv6 tcp dport 9100 accept # Node Exporter
  ip6 saddr $host6_monitor ip6 daddr @net6_os-s-warp tcp dport 9100 accept
  # monitor -> mx* (Prometheus mtail/postfix metrics collection)
  ip6 saddr $host6_monitor ip6 daddr @host6_mx tcp dport { 3903, 9154 } accept
  # monitor -> witch* (Prometheus saline/salt metrics collection)
  ip6 saddr $host6_monitor ip6 daddr @host6_witch1 tcp dport 8216 accept
  # monitor -> all HAProxy nodes (Prometheus HAProxy metrics collection)
  ip6 saddr $host6_monitor ip6 daddr @host6_haproxy tcp dport 8404 accept
  # monitor -> asgard* (Prometheus ping metrics collection)
  ip6 saddr $host6_monitor ip6 daddr @self6_internal tcp dport 9427 accept

  # chip -> all nameservers (DNS, query/notify)
  ip6 saddr $host6_chip ip6 daddr @host6_all_dns udp dport domain accept

  # * -> Packman Build Service (HTTPS) (further restricted using client whitelisting through @acl4_internet_pmbs in forward.conf)
  ip6 daddr @cloud46_pmbs icmpv6 type { echo-request, echo-reply } accept
  oifname nat64 ip6 daddr @cloud46_pmbs tcp dport https accept

  # Hel -> global DNS (for recursion) and NTP (for upstream pool access)
  #oif os-p2p-pub ip6 saddr @host6_hel udp dport { domain, ntp } accept
  #oif os-p2p-pub ip6 saddr @host6_hel tcp dport domain accept
  oif os-p2p-pub ip6 saddr @host6_hel udp dport ntp accept
  # Hel -> prg-ns DNS (for forwarding)
  oif os-public ip6 saddr @host6_hel ip6 daddr @host6_prg-ns udp dport { domain, 1053 } accept
  oif os-public ip6 saddr @host6_hel ip6 daddr @host6_prg-ns tcp dport { domain, 1053 } accept
  # Hel -> mx{1,2} SMTP (for mail proxying / relay.i.o.o)
  oif os-mail ip6 saddr @host6_hel ip6 daddr @host6_mx tcp dport 26 accept # 26 is a secondary SMTP listener not passing through the spam filter
  # Hel -> kani{1,2} HTTPS/LDAPS (for idm.i.o.o/ldap.i.o.o aka proxy for Heroes Authentication)
  oif os-kani ip6 saddr @host6_hel ip6 daddr @host6_kani tcp dport { https, ldaps } accept

  # FreeIPA -> global DNS (why?)
  ip6 saddr $host6_freeipa udp dport domain accept
  ip6 saddr $host6_freeipa tcp dport domain accept

  # metrics -> download/pontifex2 (httpd log pulling)
  ip6 saddr $host6_metrics ip6 daddr @host6_download tcp dport https accept

  # nuka -> atlas (https for weblate to reach wwww.opensuse.org)
  oif os-public ip6 saddr $host6_nuka ip6 daddr $host6_atlas tcp dport https accept
  # nuka -> miscellaneous IPv6 capable services needed to be accessed by Weblate
  oif os-p2p-pub ip6 saddr $host6_nuka ip6 daddr @cloud6_misc_weblate tcp dport { http, https } accept
  oifname nat64 ip6 saddr $host6_nuka ip6 daddr @cloud46_misc_weblate tcp dport { http, https } accept
  oif os-p2p-pub ip6 saddr $host6_nuka ip6 daddr @cloud6_misc_weblate icmpv6 type { echo-request, echo-reply } accept
  oifname nat64 ip6 saddr $host6_nuka ip6 daddr @cloud46_misc_weblate icmpv6 type { echo-request, echo-reply } accept

  # progressoo -> mx{1,2} (SMTP, but why? should it not go via relay.i.o.o?)
  oif os-public ip6 saddr $host6_progressoo ip6 daddr @host6_atlas_mx tcp dport smtp accept

  # mailman3 -> publicsuffix (HTTPS, populating /list/public_suffix_list.dat)
  oif os-p2p-pub ip6 saddr $host6_mailman3 ip6 daddr @cloud6_publicsuffix icmpv6 type { echo-request, echo-reply } accept
  oif os-p2p-pub ip6 saddr $host6_mailman3 ip6 daddr @cloud6_publicsuffix tcp dport https accept

  # mickey -> atlas (SSH for GitLab -> Pagure Git repository mirror)
  oif os-public ip6 saddr $host6_mickey ip6 daddr $host6_atlas_misc tcp dport ssh accept

  log prefix "[Internal Denied] " reject with icmpv6 type admin-prohibited

 }

 chain output_network_os-internal {
  # Outbound for services the firewalls themselves need
  # Syslog
  ip6 saddr @self6_internal ip6 daddr $host6_monitor tcp dport 514 accept
  # DNS and NTP
  ip6 saddr @self6_internal ip6 daddr @host6_hel udp dport { domain, ntp } accept
  # HTTPS (for idm.i.o.o)
  ip6 saddr @self6_internal ip6 daddr @host6_hel tcp dport https accept

 }
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.