# efg address (perimeter network)
define EFG_PERIMETER_IPV4 = 192.168.173.254
-# service address (perimeter network)
-#define SVC_PERIMETER_IPV4 = 192.168.173.253
-
# transfer web server address (perimeter network)
define XFR_PERIMETER_IPV4 = 192.168.173.251
-# subversion address (perimeter network)
-#define SVN_PERIMETER_IPV4 = 192.168.173.250
-
# web server address (perimeter network)
define WS_PERIMETER_IPV4 = 192.168.173.249
define WS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adf9
# perimeter name server address (perimeter network)
define PNS_PERIMETER_IPV4 = 192.168.173.174
+define PNS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:adae
# external name server address (perimeter network)
define ENS_PERIMETER_IPV4 = 192.168.173.64
+define ENS_PERIMETER_IPV6 = 2a02:d400:0000:f2ad:000c:18ff:fe03:ad40
# ifg address (perimeter network)
define IFG_PERIMETER_IPV4 = 192.168.173.1
# vpn address (internal network)
define VPN_INTERNAL_IPV4 = 10.228.109.236
+# source name server address (internal network)
+define SNS_INTERNAL_IPV4 = 10.228.109.204
+define SNS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6dcc
+
# primary name server address (internal network)
define PNS_INTERNAL_IPV4 = 10.228.109.174
+# name server 1 address (internal network)
+define NS1_INTERNAL_IPV4 = 10.228.109.159
+define NS1_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d9f
+
# minicrm address (internal network)
define MINICRM_INTERNAL_IPV4 = 10.228.109.133
define INS_INTERNAL_IPV4 = 10.228.109.104
define INS_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:6d68
+# name server 2 address (internal network)
+define NS2_INTERNAL_IPV4 = 10.228.92.159
+define NS2_INTERNAL_IPV6 = 2a02:d400:0000:f268:000c:18ff:fe03:5c9f
+
# dvredmine address (internal network)
define DVREDMINE_INTERNAL_IPV4 = 10.228.62.193
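Review bot: `INS_INTERNAL_IPV4`/`INS_INTERNAL_IPV6` (lines 36–37) are kept while every rule in this change that referenced them is switched to `NS1_*`/`NS2_*`, so they appear to become unused; if nothing else in the ruleset consumes them they should go the way of the removed `SVC_*`/`SVN_*` lines, and if something does, a comment saying what still uses them would save the next reader a search. The two lines also sit under the `# minicrm address (internal network)` comment, unlike every other define here, which gets its own header; a `# ins address (internal network)` comment before line 36 would restore the pattern. The new `SNS_INTERNAL_*` and `NS1_*`/`NS2_*` entries follow the comment-then-define layout correctly. I cannot see whether this defines section starts before line 1, so there may be earlier context I am missing.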
add rule ip ifg_filter input \
ct state established \
ip protocol udp \
- iifname $INTERNAL_IF ip saddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp sport 53 \
+ iifname $INTERNAL_IF ip saddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp sport 53 \
ip daddr $IFG_INTERNAL_IPV4 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule ip6 ifg_filter input \
ct state established \
- iifname $INTERNAL_IF ip6 saddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp sport 53 \
+ iifname $INTERNAL_IF ip6 saddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp sport 53 \
ip6 daddr $IFG_INTERNAL_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
add rule ip ifg_filter forward \
ct state new \
ip protocol udp \
- iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 udp sport 1024-65535 \
+ iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 53 \
counter accept comment "DNS zone notification"
+add rule ip6 ifg_filter forward \
+ ct state new \
+ iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 udp sport 1024-65535 \
+ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } udp dport 53 \
+ counter accept comment "DNS zone notification"
add rule ip ifg_filter forward \
ct state new \
ip protocol tcp \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr $PNS_INTERNAL_IPV4 tcp dport 53 \
+ oifname $INTERNAL_IF ip daddr $SNS_INTERNAL_IPV4 tcp dport 53 \
+ counter accept comment "DNS zone transfer requests"
+add rule ip6 ifg_filter forward \
+ ct state new \
+ iifname $PERIMETER_IF ip6 saddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp sport 1024-65535 \
+ oifname $INTERNAL_IF ip6 daddr $SNS_INTERNAL_IPV6 tcp dport 53 \
counter accept comment "DNS zone transfer requests"
add rule ip ifg_filter forward \
ct state established \
ip protocol tcp \
- iifname $INTERNAL_IF ip saddr $PNS_INTERNAL_IPV4 tcp sport 53 \
+ iifname $INTERNAL_IF ip saddr $SNS_INTERNAL_IPV4 tcp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "DNS zone transfer replies"
+add rule ip6 ifg_filter forward \
+ ct state established \
+ iifname $INTERNAL_IF ip6 saddr $SNS_INTERNAL_IPV6 tcp sport 53 \
+ oifname $PERIMETER_IF ip6 daddr { $ENS_PERIMETER_IPV6, $PNS_PERIMETER_IPV6 } tcp dport 1024-65535 \
+ counter accept comment "DNS zone transfer replies"
add rule ip ifg_filter forward \
ip protocol udp \
ct state new \
ip protocol udp \
ip saddr $IFG_INTERNAL_IPV4 udp sport 1024-65535 \
- oifname $INTERNAL_IF ip daddr { $INS_INTERNAL_IPV4, $SVC_INTERNAL_IPV4 } udp dport 53 \
+ oifname $INTERNAL_IF ip daddr { $NS1_INTERNAL_IPV4, $NS2_INTERNAL_IPV4 } udp dport 53 \
counter accept comment "DNS requests"
add rule ip6 ifg_filter output \
ct state new \
ip6 saddr $IFG_INTERNAL_IPV6 udp sport 1024-65535 \
- oifname $INTERNAL_IF ip6 daddr { $INS_INTERNAL_IPV6, $SVC_INTERNAL_IPV6 } udp dport 53 \
+ oifname $INTERNAL_IF ip6 daddr { $NS1_INTERNAL_IPV6, $NS2_INTERNAL_IPV6 } udp dport 53 \
counter accept comment "DNS requests"
add rule ip ifg_filter output \
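Review bot: The IPv4 "DNS requests" rule at lines 93–100, whose destination set this commit updates, is still in the `forward` chain with the firewall's own `$IFG_INTERNAL_IPV4` as source and no `iifname`, whereas its IPv6 twin at lines 101–106 is in `output`. Locally generated queries do not traverse `forward`, so the rule most likely never matches the traffic it is meant for, and in `forward` it would instead accept traffic from any interface that presents the firewall's internal address as its source toward the name servers on port 53. I would change line 93 to `add rule ip ifg_filter output \` and drop one of the duplicated `ip protocol udp` matches (lines 94 and 96), which then mirrors the IPv6 rule. The hunk continues past the last line shown here, so the output rule beginning at line 107 may already cover this.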