nexedi / slapos.package / Merge requests / !22

Closed
Created Sep 21, 2016 by Julien Muchembled (@jm, Owner)

playbook: do not touch the firewall


The cron task that adds a few ipv6 rules at reboot for babeld/re6stnet is a time bomb. If someone has a firewall, updates its conf and restarts it instead of rebooting, the result is likely to be wrong with consequences like:

  • no more access to the machine (if re6stnet was used to access it)
  • machine acting like a blackhole (INPUT rules still there but FORWARD back to DROP)

Someone who sets up a firewall must have a minimum understanding of things and configure it himself for re6stnet. IPv4 rules are required anyway. Maybe that's what happened on the server managed by @romain, where there were only 2 tunnels with the outside because the openvpn server was firewalled.

@vpelletier had the idea to document in re6stnet how to configure shorewall. We should finish this.

The playbook could also issue a warning in the case that there's a firewall. Maybe you have better ideas about how to draw attention.

@rafael @alain.takoudjou
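
The inconsistent state described above (INPUT rules still present, FORWARD back to DROP) can be recognised from `ip6tables -S` output. The check below is an added example, not part of this merge request or of the slapos.package playbook; it assumes the babeld rule is identified by UDP port 6696 (the IANA-assigned Babel port), and both rulesets are constructed samples.

```shell
#!/bin/sh
# Classify a ruleset given as `ip6tables -S` text on stdin.
# Assumption (not from the original page): the babeld INPUT rule is
# recognised by UDP destination port 6696.
# Simplification: any ACCEPT rule in FORWARD counts as "forwarding allowed".
classify_ip6tables() {
    awk '
        # Chain policy lines look like: -P FORWARD DROP
        $1 == "-P" && $2 == "FORWARD" { fwd_policy = $3 }
        # Rule lines look like: -A INPUT -p udp -m udp --dport 6696 -j ACCEPT
        $1 == "-A" && /-j ACCEPT/ {
            if ($2 == "FORWARD") fwd_accept = 1
            if ($2 == "INPUT" && /--dport 6696( |$)/) babel_in = 1
        }
        END {
            if (babel_in && fwd_policy == "DROP" && !fwd_accept)
                print "blackhole-risk"   # routes are exchanged but nothing is forwarded
            else if (babel_in)
                print "consistent"
            else
                print "no-babel-rule"
        }'
}

# Constructed sample: rules as they stand after the boot-time cron task ran.
sample_after_boot() {
cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 6696 -j ACCEPT
-A FORWARD -j ACCEPT
EOF
}

# Constructed sample: the firewall was restarted without a reboot, so the
# FORWARD chain is back to a bare DROP policy while the INPUT rule remains.
sample_after_restart() {
cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 6696 -j ACCEPT
EOF
}

# On a live host the input would come from: ip6tables -S | classify_ip6tables
sample_after_restart | classify_ip6tables
```
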

Source branch: no-fw