From 01f18412a8f48aa128625ad78e109fcfeda89bee Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Thu, 15 Jan 2026 14:25:24 -0700 Subject: [PATCH] Wordsmithing around the firewall rules. And punt Systemd timers. Replacing a cron job, esp. one you wanted email from (in the event of a failure, or whenever), is a hassle with Systemd timers. You will need webupdate.timer, webupdate.service, webupdate-fail.service, and /usr/local/sbin/webupdate-fail. 5 lines of Ansible become 100. --- README.org | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/README.org b/README.org index cbb56d8..a79ba0d 100644 --- a/README.org +++ b/README.org @@ -5198,10 +5198,10 @@ set in =/etc/ufw/sysctl.conf=. NAT is enabled per the ~ufw-framework(8)~ manual page, by introducing ~nat~ table rules in a block at the end of =/etc/ufw/before.rules=. -They translate packets going to the ISP. These can come from the -private Ethernet or the untrusted Ethernet (campus IoT, including -Wi-Fi APs). Hosts on the other institute networks (the two VPNs) -should not be routing their Internet traffic through their VPN. +The rules translate packets going to the ISP. These packets can come +from the private Ethernet or the wild Ethernet. Hosts on the other +institute networks (the two VPNs) should not be routing their Internet +traffic through their WireGuard™ interface. #+NAME: ufw-nat #+CAPTION: ~ufw-nat~ 
@@ -5213,10 +5213,10 @@ should not be routing their Internet traffic through their VPN. Forwarding rules are also needed. The ~nat~ table is a /post/ routing rule set, so the default routing policy (~DENY~) will drop packets before NAT can translate them. The following rules are added to allow -packets to be forwarded from the campus Ethernet or its wild subnet to -an ISP on the ~isp~ interface. A generic routing rule in UFW accepts -any related or established packet (according to the kernel's -connection tracking). +packets to be forwarded from the campus or wild Ethernets to an ISP on +the ~isp~ interface. A generic routing rule in UFW accepts any +related or established packet (according to the kernel's connection +tracking). #+NAME: ufw-forward-nat #+CAPTION: ~ufw-forward-nat~ @@ -5226,7 +5226,7 @@ connection tracking). #+END_SRC Forwarding rules are also needed to route packets from the campus VPN -(the ~wg0~ WireGuard™ tunnel device) to the institute's LAN and back. +(the WireGuard™ interface, ~wg0~) to the institute's LAN and back. The public VPN on Front will also be included since its packets arrive at Gate's ~lan~ interface, coming from Core. Thus forwarding between public and campus VPNs is also allowed. @@ -5245,7 +5245,8 @@ default, log and reject packets, even those from subnet to the same subnet (if it is a WireGuard™ subnet?). Note that there are no forwarding rules to allow packets to pass from -the ~wild~ device to the ~lan~ device, just the ~wg0~ device. +the ~wild~ device to the ~lan~ device, only from ~wg0~ device is +forwarded to ~lan~. ** Configure UFW @@ -8132,9 +8133,6 @@ Pro-active monitoring might include notifying ~root~ of any vandalism corrected by Monkey's quarter-hourly web update. This is a non-trivial task that must ignore intentional changes. -Monkey's ~cron~ jobs on Core should be ~systemd.timer~ and ~.service~ -units. - The institute's reverse domains (e.g. ~86.177.10.in-addr.arpa~) are not available on Front, yet. -- 2.47.3
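Review bot: In the hunk at @@ -5198, the rewrite drops the parenthetical that explained what the untrusted Ethernet carries ("campus IoT, including Wi-Fi APs"), so "wild Ethernet" now appears here with no definition, right where the reader is told which sources the ~nat~ rules translate. Suggest keeping the gloss, e.g. "the private Ethernet or the wild Ethernet (campus IoT, including Wi-Fi APs)". Also, since this paragraph names only those two Ethernets as translated sources, the last sentence could say outright that traffic from the two VPN subnets is not NATed by this block, rather than only that those hosts "should not be routing their Internet traffic through their WireGuard™ interface"; that tells a reader what actually happens if a VPN peer misroutes.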
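Review bot: In the hunk at @@ -5213, the terminology shifts from "the campus Ethernet or its wild subnet" (wild as a subnet of the campus Ethernet) to "the campus or wild Ethernets" (two separate Ethernets). Whichever model is the intended one, make sure the rest of README.org uses the same term, and consider tying the prose to the rules by naming the interfaces the ~ufw-forward-nat~ block matches on, e.g. "forwarded from the ~lan~ or ~wild~ interfaces to an ISP on the ~isp~ interface", since those device names are what the later paragraph at @@ -5245 uses to describe the same forwarding policy.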
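Review bot: In the hunk at @@ -5245, the new wording "only from ~wg0~ device is forwarded to ~lan~" has lost its subject and article; suggest "the ~wild~ device to the ~lan~ device; only packets from the ~wg0~ device are forwarded to ~lan~." The surrounding context line also still ends with the open question "(if it is a WireGuard™ subnet?)"; if the answer is known it is worth resolving in this same wordsmithing pass, since it sits right above the sentence that states what is and is not forwarded.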
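Review bot: In the hunk at @@ -8132, the TODO about converting Monkey's ~cron~ jobs to ~systemd.timer~ and ~.service~ units is deleted outright, but the reasoning for punting it lives only in the commit message (a timer, a service, a failure service and a failure script to recover the failure mail that ~cron~ gives for free). Suggest leaving a one-line note in README.org recording that ~cron~ is kept deliberately for its failure mail, so the conversion is not re-proposed by the next reader of this section.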