This project is mirrored from https://github.com/debops/debops/.
  1. 02 Apr, 2019 1 commit
  2. 25 Mar, 2019 1 commit
  3. 15 Feb, 2019 1 commit
    • [debops.ferm] Enable ferm on hosts without cap12s · 7764af6a
      Maciej Delmanowski authored
      In case that Ansible didn't detect any POSIX capabilities, assume by
      default that the host is a normal hardware server/VM and firewall
      configuration is possible. This should avoid idempotency issues when on
      the first run 'libcap2-bin' package is not installed and on a second run
      it suddenly shows up, which prompts the 'debops.ferm' role to configure
      ferm, breaking idempotency.
  4. 10 Feb, 2019 1 commit
  5. 11 Jan, 2019 1 commit
  6. 07 Jan, 2019 2 commits
  7. 16 Oct, 2018 1 commit
    • [debops.ferm] Remove centralized forwarding config · a99f613d
      Maciej Delmanowski authored
      The centralized packet forwarding configuration in the 'debops.ferm'
      role is removed. It is replaced with per-interface forwarding
      configuration maintained by the 'debops.ifupdown' role, which uses the
      'debops.ferm' and 'debops.sysctl' roles as dependencies for configuring
      their respective services.
  8. 26 Aug, 2018 1 commit
  9. 02 Aug, 2018 1 commit
    • [debops.ferm] Add 'snat_ip' parameter to rules · b727d285
      Maciej Delmanowski authored
      Based on the changes made by Gaudenz Steinlin in commit 29863982.
      
      This patch changes how the SNAT firewall configuration is implemented in
      the 'debops.ferm' role, 'dmz' rule type. With this set, connections to
      the backend host will have the source IP set to this address instead of
      the originating IP. The original rule in the POSTROUTING chain is not
      needed as this case is already automatically covered by the connection
      tracking done by the DNAT rule in the PREROUTING chain.
  10. 26 Jul, 2018 1 commit
    • [debops.ferm] Handle IPv4/IPv6 addresses in 'dmz' · d560a2d0
      Maciej Delmanowski authored
      The 'ferm' language does not support iterating over lists or converting
      lists to strings; this caused an issue where a list of IP addresses is
      concatenated with a string representing a port when the 'dmz' rule type
      is used. The result was an error:
      
          variable 'PRIVATE_IP' must be a string, but it is an array
      
      This patch changes the template for the 'dmz' rule so that the IPv4 and
      IPv6 addresses are separated on Ansible level instead of directly in
      ferm. Next, only 1 public and private IP address is selected for the
      'dmz' rule so that the string concatenation with a port can be performed
      correctly. This should solve the issue with the 'dmz' rule type.
  11. 19 Jul, 2018 1 commit
  12. 26 May, 2018 1 commit
  13. 13 May, 2018 1 commit
  14. 25 Mar, 2018 1 commit
    • Fix various deprecation warnings from Ansible v2.5 · 47aa3156
      Maciej Delmanowski authored
      This patch fixes deprecation warnings reported by Ansible v2.5:
      
      - warning about usage of 'include' instead of 'import_playbook' to
        include additional playbooks;
      
      - warning about usage of various tests as filters in Jinja expressions;
  15. 24 Mar, 2018 1 commit
  16. 23 Mar, 2018 1 commit
  17. 08 Mar, 2018 2 commits
    • Optional snat_ip parameter for dmz rules · 29863982
      Gaudenz Steinlin authored
      Add a parameter to configure source IP translation in dmz rules. With
      this set, connections to the backend host will have the source IP set to
      this address instead of the originating IP.
      
      The original rule in the POSTROUTING chain is not needed as this case is
      already automatically covered by the connection tracking done by the
      DNAT rule in the PREROUTING chain.
    • Fix DMZ ferm rule type with dport set · 7e247611
      Gaudenz Steinlin authored
      When dport was set the dmz rule type had several issues:
      - The filter rule in the FORWARD chain is traversed after the DNAT rule
        in the PREROUTING chain. Thus the filter rule has to match on the
        dport value instead of the port value.
      - The result of the @ipfilter function is always a list. Thus
        $PRIVATE_IP is a list and cannot be concatenated to a string using
        @cat. Thus the ferm configuration was invalid when dport was set.
      
      This commit fixes both of these issues. It assumes that private_ip is a
      string as having multiple private IPs does not make sense. Traffic can
      only be forwarded to one target IP.
  18. 19 Feb, 2018 1 commit
  19. 12 Feb, 2018 1 commit
    • Remove unneeded files from role directories · 03a84faa
      Maciej Delmanowski authored
      The removed files ('.travis.yml', '.gitignore', 'README.md', etc.) were
      useful when Ansible roles were in their own separate git repositories.
      Since everything is in one git repository now, these files are redundant
      and misleading. If needed, they are still available through the git
      commit history.
  20. 05 Jan, 2018 2 commits
  21. 04 Jan, 2018 1 commit
  22. 21 Oct, 2017 1 commit