cleanup firewall

sown · Nov 30, 2024 · 16c59ac · 16c59ac
1 parent bfa1982
commit 16c59ac
Showing 1 changed file with 36 additions and 110 deletions.
diff --git a/roles/gw/templates/nftables.conf b/roles/gw/templates/nftables.conf
@@ -42,43 +42,13 @@ table inet filter {
     }
 
     # SOWN HOSTS
-
-    define HOST_LOGIN_4 = 152.78.103.165
-    define HOST_LOGIN_6 = 2001:630:d0:f700::209
-
-    define HOST_LOGIN2_4 = 152.78.103.168
-    define HOST_LOGIN2_6 = 2001:630:d0:f700::208
 
     define HOST_AUTH2_4 = 152.78.103.166
     define HOST_AUTH2_6 = 2001:630:d0:f700::239
 
-    define HOST_GIT_4 = 10.5.0.234
-    define HOST_GIT_6 = 2001:630:d0:f700::234
-
-    define HOST_MONITOR_4 = {152.78.103.164, 10.5.0.243}
-    define HOST_MONITOR_6 = 2001:630:d0:f700::243
-
     define HOST_BACKUP3_4 = 10.5.0.247
     define HOST_BACKUP3_6 = 2001:630:d0:f700::247
 
-    define HOST_WEBSDR_4 = 152.78.103.190
-    define HOST_WEBSDR_6 = 2001:630:d0:f700::218
-
-    define HOST_VMS_4 = {152.78.103.162, 10.5.0.237}
-    define HOST_VMS_6 = 2001:630:d0:f700::237 
-
-    define HOST_NETBOX_4 = 152.78.103.188
-    define HOST_NETBOX_6 = 2001:630:d0:f700::216
-
-    define HOST_KEYCLOAK_4 = 152.78.103.170
-    define HOST_KEYCLOAK_6 = 2001:630:d0:f700::206
-
-    define HOST_MONITOR2_4 = 152.78.103.187
-    define HOST_MONITOR2_6 = 2001:630:d0:f700::215
-
-    define HOST_ZEPLER_WEBSDR_4 = 152.78.103.190
-    define HOST_ZEPLER_WEBSDR_6 = 2001:630:d0:f700::218
-
     define HOST_CONTAINERS_1_4 = 152.78.103.171
     define HOST_CONTAINERS_1_6 = 2001:630:d0:f700::205
 
@@ -88,16 +58,24 @@ table inet filter {
     define HOST_CONTAINERS_3_4 = 152.78.103.173
     define HOST_CONTAINERS_3_6 = 2001:630:d0:f700::203
 
-    # DMZ HOSTS
-    define HOST_SOWN_WWW_DMZ4 = 152.78.189.39
-    define HOST_SOWN_WWW_DMZ6 = 2001:630:d0:f104::5032:250
-
-    define HOST_SUWS_MARCONI_DMZ4 = 152.78.189.75
-    define HOST_SUWS_MARCONI_DMZ6 = {
-        2001:630:d0:f104::5032:80a comment "old ip",
-        2001:630:d0:f104::5032:5235 comment "new ip",
-    }
+    define HOST_LOGIN_4 = 152.78.103.165
+    define HOST_LOGIN_6 = 2001:630:d0:f700::209
 
+    define HOST_LOGIN2_4 = 152.78.103.168
+    define HOST_LOGIN2_6 = 2001:630:d0:f700::208
+
+    define HOST_MONITOR_4 = {152.78.103.164, 10.5.0.243}
+    define HOST_MONITOR_6 = 2001:630:d0:f700::243
+
+    define HOST_MONITOR2_4 = 152.78.103.187
+    define HOST_MONITOR2_6 = 2001:630:d0:f700::215
+
+    define HOST_NETBOX_4 = 152.78.103.188
+    define HOST_NETBOX_6 = 2001:630:d0:f700::216
+
+    define HOST_WEBSDR_4 = 152.78.103.190
+    define HOST_WEBSDR_6 = 2001:630:d0:f700::218
+
     # ECS HOSTS
 
     define HOST_ECS_STAFFLOGIN4 = 152.78.128.111
@@ -205,82 +183,30 @@ table inet filter {
 
         ip saddr $HOST_ECS_STAFFLOGIN4 ip daddr $HOST_MONITOR_4 tcp dport 5668 counter accept comment "Accept traffic to monitor from stafflogin for CRON + SSH-DEBSUMS check"
 
-        # SSH Access
-        ip saddr $NET_EXTERNALTRUSTED4 ip daddr $HOST_AUTH2_4 tcp dport ssh counter accept comment "Allow trusted to access SSH on AUTH2"
-        ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_AUTH2_6 tcp dport ssh counter accept comment "Allow trusted to access SSH on AUTH2"
-
-	ip saddr $NET_UOSLOGINSERVERS4 ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow UoS Login Servers to access SSH on sown login servers"
-        ip saddr $NET_EXTERNALTRUSTED4 ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow trusted to access SSH on sown login servers"
-        ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr {$HOST_LOGIN_6, $HOST_LOGIN2_6} tcp dport ssh counter accept comment "Allow trusted to access SSH on sown login servers"
+        # SSH
+	    ip saddr {$NET_EXTERNALTRUSTED4,$NET_UOSLOGINSERVERS4} ip daddr {$HOST_LOGIN_4, $HOST_LOGIN2_4} tcp dport ssh counter accept comment "Allow access SSH on sown login servers v4"
+        ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr {$HOST_LOGIN_6, $HOST_LOGIN2_6} tcp dport ssh counter accept comment "Allow access SSH on sown login servers v6"
 
         # Auth2 Web Access
         ip saddr {$NET_EXTERNALTRUSTED4, $NET_UOSLOGINSERVERS4} ip daddr $HOST_AUTH2_4 tcp dport {http, https} counter accept comment "Allow trusted and login to access web interface on auth2"
         ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_AUTH2_6 tcp dport {http, https} counter accept comment "Allow trusted and login to access web interface on auth2"
 
-        # RADIUS
-        ip saddr {$HOST_SOWN_WWW_DMZ4, $HOST_SUWS_MARCONI_DMZ4} ip daddr $HOST_AUTH2_4 tcp dport radius counter accept comment "Allow www and marconi to auth against radius"
-
-	    # Git
-	    ip saddr {$HOST_SOWN_WWW_DMZ4, $HOST_SUWS_MARCONI_DMZ4} ip daddr $HOST_GIT_4 tcp dport http counter accept comment "Allow www and marconi to accedd git"
-
-        # Website
-        ip daddr $HOST_WEBSDR_4 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external"
-        ip6 daddr $HOST_WEBSDR_6 tcp dport http counter accept comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external"
-
-        ip6 saddr $HOST_SOWN_WWW_DMZ6 ip6 daddr $HOST_MONITOR_6 tcp dport {
-            http comment "Allow HTTP to get XML files",
-            https comment "Allow HTTPS to get XML files",
-            mysql comment "Allow access to IRC logs database",
-            4444 comment "Allow access to SOWN-Bot",
-        } counter accept comment "Allow sown-www access to services on monitor"
-
-        ip saddr $HOST_SOWN_WWW_DMZ4 ip daddr $HOST_MONITOR_4 tcp dport {
-            http comment "Allow HTTP to get XML files",
-            https comment "Allow HTTPS to get XML files",
-            mysql comment "Allow access to IRC logs database",
-            4444 comment "Allow access to SOWN-Bot",
-        }  counter accept comment "Allow sown-www access to services on monitor"
-
-        ip6 saddr $HOST_SOWN_WWW_DMZ6 ip6 daddr $HOST_AUTH2_6 tcp dport {
-            http comment "Allow HTTP to access graphs",
-            https comment "Allow HTTPS to access graphs",
-            mysql comment "Allow access to git database on mysql",
-        } counter accept comment "Allow sown-www access to services on auth2"
-
-        # VMS Access
-        ip saddr {$NET_UOSLOGINSERVERS4, $NET_EXTERNALTRUSTED4} ip daddr $HOST_VMS_4 tcp dport {
-            http,
-            https,
-            8010,
-            64667,
-        } counter accept comment "Allow access to VMS web interface"
-
-	    ip6 saddr $NET_EXTERNALTRUSTED6 ip6 daddr $HOST_VMS_6 tcp dport {
-            http,
-            https,
-            8010,
-            64667,
-        } counter accept comment "Allow access to VMS web interface"
-
-        # Netbox
-        ip daddr $HOST_NETBOX_4 tcp dport {http, https} counter accept comment "Allow access to netbox"
-        ip6 daddr $HOST_NETBOX_6 tcp dport {http, https} counter accept comment "Allow access to netbox"
-
-        # SSO (keycloak)
-        ip daddr $HOST_KEYCLOAK_4 tcp dport {http, https} counter accept comment "Allow access to sso"
-        ip6 daddr $HOST_KEYCLOAK_6 tcp dport {http, https} counter accept comment "Allow access to sso"
-
-	    # containers-1 (*.containers-dev)
-        ip daddr $HOST_CONTAINERS_1_4 tcp dport {http, https} counter accept comment "Allow access to web-based development Docker containers"
-        ip6 daddr $HOST_CONTAINERS_1_6 tcp dport {http, https} counter accept comment "Allow access to web-based development Docker containers"
-
-	    # containers-2 / containers-prod
-        ip daddr $HOST_CONTAINERS_2_4 tcp dport {http, https} counter accept comment "Allow access to web-based production Docker containers"
-        ip6 daddr $HOST_CONTAINERS_2_6 tcp dport {http, https} counter accept comment "Allow access to web-based production Docker containers"
-
-	    # containers-3 / containers-secure
-        ip daddr $HOST_CONTAINERS_3_4 tcp dport {http, https} counter accept comment "Allow access to web-based secure Docker containers"
-        ip6 daddr $HOST_CONTAINERS_3_6 tcp dport {http, https} counter accept comment "Allow access to web-based secure Docker containers"
+        # External HTTP(S) access
+        ip daddr {
+            $HOST_CONTAINERS_1_4,
+            $HOST_CONTAINERS_2_4,
+            $HOST_CONTAINERS_3_4,
+            $HOST_NETBOX_4,
+            $HOST_WEBSDR_4 comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external",
+        } tcp dport {http, https} counter accept comment "Allow access to HTTP(S) on v4"
+
+        ip6 daddr {
+            $HOST_CONTAINERS_1_6,
+            $HOST_CONTAINERS_2_6,
+            $HOST_CONTAINERS_3_6,
+            $HOST_NETBOX_6,
+            $HOST_WEBSDR_6 comment "Allow zepler-websdr.suws.org.uk to be accessible on HTTP from external",
+        } tcp dport {http, https} counter accept comment "Allow access to HTTP(S) on v6"
 
         # SOWN LAN
         iifname $NIC_SOWN counter accept comment "Allow all traffic from SOWN LAN"