define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
# vpn client network
-define VPN_IPV4_NET = 172.16.223.0/24
+define VPN_IPV4_NET = 172.24.232.0/24
# peep-bo network
define PEEP_BO_IPV4_NET = 10.162.104.0/24
################################
#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define VPN_PORTS = { openvpn, 51820 }
################################
add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF \
- ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport openvpn \
+ ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport $VPN_PORTS \
counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
#add rule ip efg-nat prerouting \
add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
counter accept comment "Incoming VPN traffic (ACE)"
add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF \
- oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport openvpn \
+ oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
counter accept comment "Incoming VPN traffic (TELEKOM)"
add rule ip efg-filter forward \
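Review bot: The `efg-nat prerouting` rule now DNATs every member of `$VPN_PORTS` to the single address `$VPN_INTERNAL_IPV4`, which silently assumes the OpenVPN and WireGuard listeners live on the same internal host; if they are separate hosts this needs one dnat per port instead of the set. Only the `$EXTERNAL_ACE_IF` / `$PUBLIC_ACE_VPN_IPV4` DNAT is widened here, while a forward accept for `$EXTERNAL_TELEKOM_IF` is also widened, so if a TELEKOM-side DNAT exists outside this view it must switch to `$VPN_PORTS` too or the second port will be accepted in forward but never translated. The three rule comments still say only "Incoming VPN traffic"; naming both protocols, e.g. `comment "Incoming VPN traffic (OpenVPN+WireGuard, ACE)"`, keeps the `counter` output self-explaining now that one rule covers two services.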
DISTRIBUTION=Fedora
-DISTRIBUTION_VERSION=36
+DISTRIBUTION_VERSION=37
ROOT_PACKAGES="hostname initscripts iproute rootfiles systemd-udev"
BASE_PACKAGES="NetworkManager iputils logrotate rsyslog tar vim-minimal"
SPEC_PACKAGES="cronie ethtool nftables radvd tcpdump"
define PERIMETER_NET = 192.168.173.0/24
define PERIMETER_IPV6_NET = 2a02:d400:0000:f2ad::/64
-# vpn client network
-define VPN_NET = 172.16.223.0/24
+# vpn client networks
+define OVPN_NET = 172.16.223.0/24
+define WG_NET = 172.24.232.0/24
+define VPN_NETS = { $OVPN_NET, $WG_NET }
# peep-bo network
-define PEEP_BO_NET = 10.162.104.0/24
+define PEEP_BO_NET = 10.162.0.0/16
################################
# port definitions
################################
#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
+define VPN_PORTS = { openvpn, 51820 }
################################
add rule ip ifg-filter forward \
ip protocol udp \
iifname $PERIMETER_IF ip saddr != $PERIMETER_NET udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
+ oifname $INTERNAL_IF ip daddr $VPN_INTERNAL_IPV4 udp dport $VPN_PORTS \
counter accept comment "Incoming VPN traffic"
add rule ip ifg-filter forward \
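Review bot: `VPN_NETS` keeps both client subnets here (`172.16.223.0/24` and `172.24.232.0/24`), but the efg hunk replaces `VPN_IPV4_NET` with only `172.24.232.0/24`, and its context line still defines `PEEP_BO_IPV4_NET = 10.162.104.0/24` while this file widens `PEEP_BO_NET` to `10.162.0.0/16` and the NetworkManager route hunk routes the whole /16; any efg rule built on those defines will treat OpenVPN clients and the rest of 10.162.0.0/16 differently from this ruleset. Unless the efg side is meant to see only the WireGuard subnet, mirror this hunk there: `define VPN_IPV4_NET = { 172.16.223.0/24, 172.24.232.0/24 }` and `define PEEP_BO_IPV4_NET = 10.162.0.0/16`. Widening `PEEP_BO_NET` from a /24 to a /16 enlarges whatever this file accepts for that define by a factor of 256, so each rule referencing `$PEEP_BO_NET` should be confirmed to intend the full range. The forward rule also keeps `udp sport 1024-65535`, which the efg forward rules do not have; a peer whose UDP source port is below 1024 would be dropped here without a log, so either document that constraint next to the rule or relax the source-port match for the new port.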
ipv4.dns "10.228.109.159, 10.228.92.159" \
ipv4.dns-search "in.useribm.hu" \
ipv4.method "manual" \
- ipv4.routes "172.16.223.0/24 10.228.109.236, 10.162.104.0/24 10.228.109.236" \
+ ipv4.routes "172.16.223.0/24 10.228.109.236, 172.24.232.0/24 10.228.109.236, 10.162.0.0/16 10.228.109.236" \
ipv6.addresses "2a02:d400:0000:f268:000c:18ff:fe03:6dfe/64" \
ipv6.dns "2a02:d400:0000:f268:000c:18ff:fe03:6d9f, 2a02:d400:0000:f268:000c:18ff:fe03:5c9f" \
ipv6.dns-search "in.useribm.hu" \
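Review bot: The widened `ipv4.routes` value packs three prefixes into one quoted string, so the `10.162.0.0/16` change that is coupled to `PEEP_BO_NET` in the ifg ruleset is easy to miss in review. If this is an `nmcli connection` invocation, one `+ipv4.routes "<prefix> 10.228.109.236"` argument per route (placeholder prefix) would give a one-prefix-per-line diff; otherwise the single string is acceptable. The three prefixes do match `OVPN_NET`, `WG_NET` and the new `PEEP_BO_NET`, and the /16 entry correctly replaces the old `10.162.104.0/24` rather than sitting beside it.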
DISTRIBUTION=Fedora
-DISTRIBUTION_VERSION=36
+DISTRIBUTION_VERSION=37
SPEC_PACKAGES="ethtool nftables radvd tcpdump"