Initial import

2019-06-23 08:50:09 -11:00 · 2019-06-23 08:50:09 -11:00 · 57c6813b9a
commit 57c6813b9a
3 changed files with 113 additions and 0 deletions
--- a/conntrackd.conf
+++ b/conntrackd.conf
@ -0,0 +1,41 @@
 # Default debian config. Please, take a look at conntrackd.conf(5)
 General {
 	HashSize 8192
 	HashLimit 65535
 	Syslog on
 	LockFile /var/lock/conntrackd.lock
 	UNIX {
 		Path /var/run/conntrackd.sock
 		Backlog 20
 	}
 	SocketBufferSize 262142
 	SocketBufferSizeMaxGrown 655355
 	# default debian service unit file is of Type=notify
 	Systemd on
 }
 Sync {
 	Mode NOTRACK {
 		DisableInternalCache On
 		DisableExternalCache On
 	}
 	TCP {
 		IPv4_address 10.0.5.1
 		IPv4_Destination_Address 10.0.5.2
 		Port 3780
 		Interface enp0s9
 		SndSocketBuffer 1249280
 		RcvSocketBuffer 1249280
 		Checksum on
 	}
 	Options {
 		TCPWindowTracking Off
 		ExpectationSync On
 	}
 }
--- a/keepalived.conf
+++ b/keepalived.conf
@ -0,0 +1,19 @@
 vrrp_instance fw_vrrp {
 	virtual_router_id 42
 	state BACKUP
 	interface enp0s9
 	unicast_peer {
 		10.0.5.2
 	}
 	authentication {
 		auth_type PASS
 		auth_pass foo253
 	}
 	virtual_ipaddress {
 		10.10.32.1/24 dev enp0s3 -nodad
 		10.251.32.2/24 dev enp0s8 -nodad
 	}
 	priority 200
 	advert_int 1
 	nopreempt
 }
--- a/nftables.conf
+++ b/nftables.conf
@ -0,0 +1,53 @@
 #!/usr/sbin/nft -f
 flush ruleset
 define iface_intern = enp0s3
 define iface_extern = enp0s8
 table inet filter {
 	chain input {
 		type filter hook input priority 0; policy drop;
 		iif lo accept
 		ct state established,related counter accept
 	}
 	chain output {
 		type filter hook output priority 0; policy drop;
 		counter accept comment "Allow all outbound traffic for FW"
 	}
 	chain global_deny {
 		counter
 	}
 	chain global_accept {
 		icmp type echo-request accept
 		counter
 	}
 	chain forward_traffic_in {
 		type filter hook forward priority 0; policy drop;
 		ct state established,related counter accept comment "Accept already allowed traffic"
 		jump global_deny
 		jump global_accept
 		iif $iface_intern counter goto from_intern
 		iif $iface_extern counter goto from_extern
 		counter log prefix "DROP forward_traffic_in " drop
 	}
 	chain forward_traffic_out {
 		oif $iface_intern counter goto into_intern
 		oif $iface_extern counter goto into_extern
 		counter log prefix "DROP forward_traffic_out " drop
 	}
 	chain from_intern {
 		counter log prefix "DROP from_intern " drop
 	}
 	chain into_intern {
 		counter accept
 		counter log prefix "DROP into_intern " drop
 	}
 	chain from_extern {
 		counter log prefix "DROP from_extern " drop
 	}
 	chain into_extern {
 		counter accept
 		counter log prefix "DROP into_extern " drop
 	}
 }