commit 57c6813b9aa950acf3aaad721033c05d5ff7c605
Author: Jan Philipp Timme
Date: Sun Jun 23 08:50:09 2019 -1100
Initial import
diff --git a/conntrackd.conf b/conntrackd.conf
new file mode 100644
index 0000000..392ba5d
--- /dev/null
+++ b/conntrackd.conf
@@ -0,0 +1,41 @@
+# Default debian config. Please, take a look at conntrackd.conf(5)
+
+General {
+ HashSize 8192
+ HashLimit 65535
+
+ Syslog on
+
+ LockFile /var/lock/conntrackd.lock
+
+ UNIX {
+ Path /var/run/conntrackd.sock
+ Backlog 20
+ }
+
+ SocketBufferSize 262142
+ SocketBufferSizeMaxGrown 655355
+
+ # default debian service unit file is of Type=notify
+ Systemd on
+}
+
+Sync {
+ Mode NOTRACK {
+ DisableInternalCache On
+ DisableExternalCache On
+ }
+ TCP {
+ IPv4_address 10.0.5.1
+ IPv4_Destination_Address 10.0.5.2
+ Port 3780
+ Interface enp0s9
+ SndSocketBuffer 1249280
+ RcvSocketBuffer 1249280
+ Checksum on
+ }
+ Options {
+ TCPWindowTracking Off
+ ExpectationSync On
+ }
+}
diff --git a/keepalived.conf b/keepalived.conf
new file mode 100644
index 0000000..b5d79ee
--- /dev/null
+++ b/keepalived.conf
@@ -0,0 +1,19 @@
+vrrp_instance fw_vrrp {
+ virtual_router_id 42
+ state BACKUP
+ interface enp0s9
+ unicast_peer {
+ 10.0.5.2
+ }
+ authentication {
+ auth_type PASS
+ auth_pass foo253
+ }
+ virtual_ipaddress {
+ 10.10.32.1/24 dev enp0s3 -nodad
+ 10.251.32.2/24 dev enp0s8 -nodad
+ }
+ priority 200
+ advert_int 1
+ nopreempt
+}
diff --git a/nftables.conf b/nftables.conf
new file mode 100755
index 0000000..d23ba13
--- /dev/null
+++ b/nftables.conf 
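Review bot: The TCP sync channel configured in the `TCP {` block (`IPv4_address 10.0.5.1` to `IPv4_Destination_Address 10.0.5.2`, `Port 3780`, `Interface enp0s9`) has no authentication or encryption of its own, so this node accepts state updates from whatever can reach that port on enp0s9; its safety rests entirely on enp0s9 being a dedicated link and on the host firewall admitting only the peer. That assumption is not written down in the file, and `Checksum on` only guards against corruption, not against another party on the link. A comment above `TCP {` such as `# Sync is unauthenticated: enp0s9 must be a dedicated link and input must be restricted to 10.0.5.2` would make the trust model explicit for whoever re-addresses this later.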
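Review bot: `auth_pass foo253` is a shared secret committed in plaintext, and VRRP `auth_type PASS` carries it unencrypted in every advertisement, so it is confidential neither in the repository nor on the wire (RFC 5798 dropped VRRP authentication for this reason). Keep the real value out of version control, e.g. `auth_pass <placeholder, set at deploy time>`, and treat the `unicast_peer` address together with a host-firewall rule limiting VRRP on enp0s9 to 10.0.5.2 as the actual access control. The `state BACKUP` plus `nopreempt` combination is a common sticky-failover pattern, but a one-line comment saying the higher-priority node is intentionally not meant to reclaim the VIPs automatically would save the next reader from reading it as a mistake.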
@@ -0,0 +1,53 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+define iface_intern = enp0s3
+define iface_extern = enp0s8
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept
+ ct state established,related counter accept
+ }
+ chain output {
+ type filter hook output priority 0; policy drop;
+ counter accept comment "Allow all outbound traffic for FW"
+ }
+ chain global_deny {
+ counter
+ }
+ chain global_accept {
+ icmp type echo-request accept
+ counter
+ }
+ chain forward_traffic_in {
+ type filter hook forward priority 0; policy drop;
+ ct state established,related counter accept comment "Accept already allowed traffic"
+ jump global_deny
+ jump global_accept
+ iif $iface_intern counter goto from_intern
+ iif $iface_extern counter goto from_extern
+ counter log prefix "DROP forward_traffic_in " drop
+ }
+ chain forward_traffic_out {
+ oif $iface_intern counter goto into_intern
+ oif $iface_extern counter goto into_extern
+ counter log prefix "DROP forward_traffic_out " drop
+ }
+ chain from_intern {
+ counter log prefix "DROP from_intern " drop
+ }
+ chain into_intern {
+ counter accept
+ counter log prefix "DROP into_intern " drop
+ }
+ chain from_extern {
+ counter log prefix "DROP from_extern " drop
+ }
+ chain into_extern {
+ counter accept
+ counter log prefix "DROP into_extern " drop
+ }
+}
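Review bot: `chain forward_traffic_out` is declared without a `type filter hook forward ...` line and nothing in the ruleset jumps or gotos to it, so it is a regular chain that is never evaluated; the `counter accept` rules in `into_intern` and `into_extern` are unreachable, and the only forward verdicts come from `forward_traffic_in`, whose `from_intern`/`from_extern` chains drop every new flow. If it is meant as a second base chain, give it a distinct priority, e.g. `type filter hook forward priority 10; policy drop;`, since two base chains on the same hook with equal priority have no defined evaluation order, and note that an `accept` in `forward_traffic_in` does not end evaluation but continues into this chain. Separately, `chain input` admits only `lo` and established/related traffic, so if this ruleset is loaded on the same host as the keepalived and conntrackd configs in this commit, the peer's VRRP advertisements and conntrackd sync connections arriving on enp0s9 would hit `policy drop`; rules scoped to the peer such as `iif enp0s9 ip saddr 10.0.5.2 ip protocol vrrp accept` and `iif enp0s9 ip saddr 10.0.5.2 tcp dport 3780 accept` are needed for the HA pair to function.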