DuckCorp Projects (https://projects.duckcorp.org/), feed updated 2020-08-25T15:42:34Z

DuckCorp Infrastructure - Review #711: Allow to connect to services hosted on Orthos while being at Conde
Journal https://projects.duckcorp.org/issues/711?journal_id=2173 (2020-08-25T15:42:34Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul>

Journal https://projects.duckcorp.org/issues/711?journal_id=2174 (2020-08-25T15:43:06Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/2174/diff?detail_id=2492">diff</a>)</li><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Rejected</i></li></ul>

Journal https://projects.duckcorp.org/issues/711?journal_id=2175 (2020-08-25T15:43:19Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul><li><strong>Status</strong> changed from <i>Rejected</i> to <i>In Progress</i></li></ul>

Journal https://projects.duckcorp.org/issues/711?journal_id=2176 (2020-08-28T06:26:02Z, Marc Dequènes, duck@duckcorp.org)
<ul><li><strong>Assignee</strong> changed from <i>Marc Dequènes</i> to <i>Pierre-Louis Bonicoli</i></li></ul><p>The iptables call is fine; indeed RFC1918 addresses are not expected on the WAN interface, but Orthos is not directly connected to the Internet.</p>
<p>I just don't understand the check of the interfaces count; what is it supposed to prevent?</p>

Journal https://projects.duckcorp.org/issues/711?journal_id=2177 (2020-08-28T10:13:29Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul></ul><p>Marc Dequènes wrote:</p>
<blockquote>
<p>I just don't understand the check of the interfaces count; what is it supposed to prevent?</p>
</blockquote>
<p>The goal is to detect configuration inconsistency, for example if this template were to be reused.</p>
<p>I updated this check:</p>
<pre>
diff --git a/ansible/roles/dc-base/templates/fw/Orthos b/ansible/roles/dc-base/templates/fw/Orthos
index fecc03f..8327e25 100644
--- a/ansible/roles/dc-base/templates/fw/Orthos
+++ b/ansible/roles/dc-base/templates/fw/Orthos
@@ -19,7 +19,7 @@ ban_bad_people_hook()
fi
/sbin/iptables -t filter -A INPUT -j bogons
{# raise an error when network interfaces differ from (lo, default interface) #}
- {%- if ansible_interfaces|length != 2 %}
+ {%- if ansible_interfaces|length != 2 or ([ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public')) %}
{{ undefined|mandatory('unexpected network interfaces: ' ~ ansible_interfaces) -}}
{% endif -%}
/sbin/iptables -t filter -I bogons -s {{ ansible_default_ipv4.gateway }} -d {{ ansible_default_ipv4.address }} -j RETURN
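Review bot: the error message in the mandatory() call no longer matches the condition. The clause added on the + line fires when the gateway or the host address is public, yet the message still reads 'unexpected network interfaces: ' ~ ansible_interfaces, which points whoever debugs a failed render at the interface list instead of the addressing; the unchanged comment above it ("when network interfaces differ from (lo, default interface)") has the same problem. Either split the two conditions so each has its own message, or append the filter's output, e.g. ~ ' / public: ' ~ ([ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public')). Worth noting in the role docs that ipaddr needs the netaddr Python package on the controller, since the template now fails to render without it.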
</pre>

Journal https://projects.duckcorp.org/issues/711?journal_id=2179 (2020-08-28T10:35:46Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul><li><strong>Assignee</strong> changed from <i>Pierre-Louis Bonicoli</i> to <i>Marc Dequènes</i></li></ul>

Journal https://projects.duckcorp.org/issues/711?journal_id=2180 (2020-09-01T19:25:36Z, Marc Dequènes, duck@duckcorp.org)
<ul><li><strong>Assignee</strong> changed from <i>Marc Dequènes</i> to <i>Pierre-Louis Bonicoli</i></li></ul><p>This check has absolutely nothing to do with the original PR. Moreover, these templates are specific parameters and functions to customize <em>srv_firewalling</em> already, so it is never gonna be reused. Also we set up the interfaces via Ansible, so this should never happen. Here this check requires syncing configuration in two places, this one being not obvious at all, thus I believe this is not a good approach.</p>
<p>I would suggest a more descriptive approach to the network config if we want to improve. For example, I made changes to handle ppp interfaces in a generic way for Elwing (see host_vars/Elwing/net.yml). In this case we could simply bring bogons support into <em>srv_firewalling</em> (no idea why it's duplicated since it's used on all machines) (outside of the hook, to still be able to add host-specific config, maybe with a <em>net.filter_bogons</em> flag) and add a flag <em>net.wan_natted</em> which would trigger this behavior. Anyway, this is for a separate PR.</p>

Journal https://projects.duckcorp.org/issues/711?journal_id=2181 (2020-09-01T19:27:53Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Rejected</i></li><li><strong>Assignee</strong> deleted (<del><i>Pierre-Louis Bonicoli</i></del>)</li></ul>

Journal https://projects.duckcorp.org/issues/711?journal_id=2182 (2020-09-05T01:37:30Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<ul><li><strong>Status</strong> changed from <i>Rejected</i> to <i>In Progress</i></li><li><strong>Assignee</strong> set to <i>Marc Dequènes</i></li></ul><p>Updated: Following our exchanges on IRC, I removed the first check (about the number of interfaces) and kept only the check about private ranges.<br /><pre>
diff --git a/ansible/roles/dc-base/templates/fw/Orthos b/ansible/roles/dc-base/templates/fw/Orthos
index 8327e25..33c9853 100644
--- a/ansible/roles/dc-base/templates/fw/Orthos
+++ b/ansible/roles/dc-base/templates/fw/Orthos
@@ -18,9 +18,9 @@ ban_bad_people_hook()
sh /var/lib/adm/bogons-iptables.sh
fi
/sbin/iptables -t filter -A INPUT -j bogons
- {# raise an error when network interfaces differ from (lo, default interface) #}
- {%- if ansible_interfaces|length != 2 or ([ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public')) %}
- {{ undefined|mandatory('unexpected network interfaces: ' ~ ansible_interfaces) -}}
+ {# raise an error when the IPv4 of the default network interface isn't private #}
+ {%- if [ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public') %}
+ {{ undefined|mandatory('unexpected network setup: ' ~ ansible_default_ipv4.alias) -}}
{% endif -%}
/sbin/iptables -t filter -I bogons -s {{ ansible_default_ipv4.gateway }} -d {{ ansible_default_ipv4.address }} -j RETURN
}
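Review bot: the comment on the first + line says the check is about "the IPv4 of the default network interface", but the condition also tests ansible_default_ipv4.gateway, and the gateway is exactly what the following -s ... -j RETURN line exempts from the bogons chain; the comment should name both, e.g. {# raise an error unless both the default gateway and the host's IPv4 are private #}. The message only reports ansible_default_ipv4.alias (the interface name); appending the filter's output, i.e. the addresses that were found public, would make a failed render self-explanatory without reading the template.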
</pre></p>

Journal https://projects.duckcorp.org/issues/711?journal_id=2184 (2020-09-28T09:55:37Z, Marc Dequènes, duck@duckcorp.org)
<ul></ul><p>Merged. Thanks.</p>

Journal https://projects.duckcorp.org/issues/711?journal_id=2185 (2020-09-28T09:55:51Z, Marc Dequènes, duck@duckcorp.org)
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul>
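The guard that was finally merged (refuse to render the gateway exemption unless both the default gateway and the host address are private) as an added, stand-alone example. This is not code from the review or from the DuckCorp repository: it models the template's decision in plain Python with the standard-library `ipaddress` module, testing the RFC 1918 ranges explicitly instead of calling Ansible's `ipaddr('public')` filter (which depends on netaddr), so the ranges and the `ansible_default_ipv4`-shaped dictionaries below are assumptions of this example, and the sample host facts are constructed.

```python
"""Model of the private-range guard from Review #711, exercised offline.

Before the template inserts an iptables rule that lets traffic from the default
gateway reach the host past the 'bogons' chain, it refuses to render unless
both the gateway and the host address are private. The functions below take
the same decision and return the rule (or the refusal message), so the safe
and unsafe branches can be checked without Ansible. RFC 1918 is tested
directly here; this is an assumption of the example, not the exact semantics
of Ansible's ipaddr('public') filter.
"""
import ipaddress

# RFC 1918 address space: the only addressing a NATted WAN side is expected to carry.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True when addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def non_private(addrs):
    """Return the members of addrs that are not RFC 1918.

    An empty result means everything is private; it plays the role of the
    falsy empty list that `[gateway, address] | ipaddr('public')` yields in
    the template when the check passes.
    """
    return [a for a in addrs if not is_rfc1918(a)]


def bogon_gateway_exemption(default_ipv4: dict):
    """Decide whether to emit the gateway exemption for the bogons chain.

    default_ipv4 mimics the shape of the ansible_default_ipv4 fact (keys
    alias, address, gateway). Returns (True, iptables_rule) when the default
    route lives on private addressing, otherwise (False, message) where the
    message follows the wording the template hands to mandatory(), extended
    with the offending addresses.
    """
    gw, addr = default_ipv4["gateway"], default_ipv4["address"]
    offenders = non_private([gw, addr])
    if offenders:
        # Refusing to render is the safe failure: on a host that sits directly
        # on the Internet this rule would punch a hole through the bogon filter.
        return False, f"unexpected network setup: {default_ipv4['alias']} ({', '.join(offenders)})"
    rule = f"/sbin/iptables -t filter -I bogons -s {gw} -d {addr} -j RETURN"
    return True, rule


# Constructed sample facts for the three cases worth checking; not real hosts.
NATTED_HOST = {"alias": "eth0", "address": "192.168.1.20", "gateway": "192.168.1.1"}
DIRECT_HOST = {"alias": "eth0", "address": "203.0.113.20", "gateway": "203.0.113.1"}
MIXED_HOST = {"alias": "eth0", "address": "10.0.0.5", "gateway": "198.51.100.1"}

if __name__ == "__main__":
    for facts in (NATTED_HOST, DIRECT_HOST, MIXED_HOST):
        ok, detail = bogon_gateway_exemption(facts)
        print("render:" if ok else "REFUSE:", detail)
```

The mixed case (private host address, public gateway) is the one the interface-count check from the earlier revision could not catch, and it is why the merged condition tests the gateway as well as the address rather than the address alone.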