* firewall notes - add port 500 & 15060
* correct nc sync cron note * wireguard: remove dns and add ipmasq for server peer * qmi-network.service - remove wants on wg devices & ensure on startup that the network is actually ready
This commit is contained in:
parent
f172bb901e
commit
16402ce2b3
|
@ -14,18 +14,23 @@ ufw allow bootps
|
|||
ufw allow 53/udp
|
||||
ufw allow 5355
|
||||
ufw allow 53/tcp
|
||||
ufw allow 500/udp
|
||||
```
|
||||
|
||||
Allow SSH from local addresses only.
|
||||
```
|
||||
ufw allow from 192.168.1.0/24 proto tcp to any port 22
|
||||
ufw allow from 192.168.156.0/24 proto tcp to any port 22
|
||||
|
||||
ufw allow from 192.168.1.0/24 proto tcp to any port 80
|
||||
ufw allow from 192.168.156.0/24 proto tcp to any port 80
|
||||
|
||||
ufw allow from 192.168.1.0/24 proto tcp to any port 8080
|
||||
ufw allow from 192.168.156.0/24 proto tcp to any port 8080
|
||||
|
||||
ufw allow from 192.168.1.0/24 proto tcp to any port 443
|
||||
ufw allow from 192.168.156.0/24 proto tcp to any port 443
|
||||
|
||||
ufw allow from 192.168.1.0/24 proto udp to any port 5060
|
||||
ufw allow from 192.168.156.0/24 proto udp to any port 5060
|
||||
ufw allow from 217.10.64.0/20 proto udp to any port 5060
|
||||
|
@ -33,6 +38,13 @@ ufw allow from 217.116.112.0/20 proto udp to any port 5060
|
|||
ufw allow from 212.9.32.0/19 proto udp to any port 5060
|
||||
ufw allow from 10.0.0.0/24 proto udp to any port 5060
|
||||
|
||||
ufw allow from 192.168.1.0/24 proto udp to any port 15060
|
||||
ufw allow from 192.168.156.0/24 proto udp to any port 15060
|
||||
ufw allow from 217.10.64.0/20 proto udp to any port 15060
|
||||
ufw allow from 217.116.112.0/20 proto udp to any port 15060
|
||||
ufw allow from 212.9.32.0/19 proto udp to any port 15060
|
||||
ufw allow from 10.0.0.0/24 proto udp to any port 15060
|
||||
|
||||
ufw allow from 192.168.1.0/24 proto udp to any port 24000:26000
|
||||
ufw allow from 192.168.156.0/24 proto udp to any port 24000:26000
|
||||
ufw allow from 10.0.0.0/24 proto udp to any port 24000:26000
|
||||
|
|
|
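Review bot: The new `ufw allow 500/udp` rule is the only rule in this hunk with no `from` scope, so it admits IKE/UDP-500 traffic from any source, while every other rule added here (and the 15060 rules in the second hunk) is restricted to the LAN, the 10.0.0.0/24 tunnel range or the named provider prefixes. Unless the peer that needs port 500 really is unknown, scope it the same way, e.g. `ufw allow from <peer-cidr> proto udp to any port 500`, and put a one-line comment above it naming what consumes the port, since 500/udp is not something the rest of these notes explain. In the second hunk the 15060 rules mirror the 5060 set for the three provider prefixes, but the 24000:26000 range below them is only opened for the two LAN subnets and 10.0.0.0/24; if that is deliberate (media from the provider handled elsewhere) a comment saying so would stop the next reader from "fixing" it, and if it is an oversight the provider prefixes should be added there too.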
@ -2,7 +2,7 @@
|
|||
|
||||
# Run this script with "(sudo) bash <filename> <args>".
|
||||
#
|
||||
# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/$0_$(date +"\%Y-\%m-\%d").log
|
||||
# 0 2 * * * bash /root/nextcloud-sync.sh | tee /var/log/nextcloud.log > /dev/null 2>&1
|
||||
|
||||
|
||||
# Exit on error.
|
||||
|
|
|
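Review bot: The corrected cron line `bash /root/nextcloud-sync.sh | tee /var/log/nextcloud.log > /dev/null 2>&1` still loses the information a sync failure would leave behind: `tee` without `-a` truncates the log on every run, and `2>&1` applies to `tee`, not to the script, so the script's stderr is not captured in the log at all. Since the line is only a comment showing the intended crontab entry, the documentation can be made correct with `# 0 2 * * * bash /root/nextcloud-sync.sh >> /var/log/nextcloud.log 2>&1`, which appends and captures both streams. Which of the two cron lines is the new one is inferred from the commit message, as the rendered page has dropped the add/remove markers; the script's body continues outside the hunk.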
@ -1,8 +1,17 @@
|
|||
# Needs netdev for wgs0, wireguard & wireguard-tools installed to work.
|
||||
|
||||
[Match]
|
||||
Name=wgs0
|
||||
|
||||
[Network]
|
||||
# Packet forwarding.
|
||||
IPForward=yes
|
||||
|
||||
# Link discovery causes some issues so disable it.
|
||||
LLDP=no
|
||||
|
||||
# IPv4
|
||||
[Network]
|
||||
|
||||
Address=10.0.0.1/24
|
||||
IPForward=true
|
||||
|
||||
IPMasquerade=yes
|
||||
|
|
|
@ -22,8 +22,6 @@ PrivateKey=<KEY>
|
|||
# Public key for the above private key. Only here as a reminder.
|
||||
#PublicKey=<PUBKEY>
|
||||
|
||||
# DNS
|
||||
DNS = 1.1.1.1, 1.0.0.1
|
||||
|
||||
# Your Peers.
|
||||
[WireGuardPeer]
|
||||
|
|
|
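Review bot: `IPMasquerade=yes` together with `IPForward=yes` makes this host SNAT and route everything arriving from the wgs0 peers (10.0.0.0/24) out of its other interfaces, and nothing in this file says that is the intent or that the firewall's routed/forward rules are expected to constrain it; add a comment above it such as `# Peers in 10.0.0.0/24 are forwarded and SNAT'd out via this host; their allowed destinations are governed by the firewall's routed rules.` so the exposure is documented where it is enabled. Current systemd.network documents `IPMasquerade=` as taking `ipv4`, `ipv6`, `both` or `no`, with `yes` kept only as a deprecated alias for `ipv4`, so `IPMasquerade=ipv4` is the form to write. The rendered page has lost the add/remove markers, but if both `[Network]` headers and both `IPForward=yes` and `IPForward=true` survive on the new side, the repeated section and the mixed boolean spelling should be collapsed into one `[Network]` block with a single `IPForward=yes`.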
@ -2,6 +2,11 @@
|
|||
# IP address range.
|
||||
Address=192.168.156.1/24
|
||||
|
||||
# As systemd-networkd doesn't yet *fully* support being a dhcp server
|
||||
# setup dnsmasq instead.
|
||||
# Enable serving of DHCP addresses from the network range.
|
||||
#DHCPServer=yes
|
||||
|
||||
# Packet forwarding.
|
||||
IPForward=yes
|
||||
|
||||
|
@ -22,9 +27,6 @@ LLDP=no
|
|||
#DNS=1.1.1.1
|
||||
#DNS=1.0.0.1
|
||||
|
||||
# Enable serving of DHCP addresses from the network range.
|
||||
#DHCPServer=yes
|
||||
|
||||
#[DHCPServerStaticLease]
|
||||
#MACAddress=xx:xx:xx:xx:xx:xx
|
||||
#Address=192.168.156.2
|
||||
|
|
|
@ -1,15 +1,14 @@
|
|||
# $ cp -v ./qmi-network@.service /etc/systemd/system/
|
||||
# $ systemctl daemon-reload
|
||||
#
|
||||
# $ systemctl enable --now qmi-network@0
|
||||
#
|
||||
# apt install --no-install-recommends libqmi-utils
|
||||
# cp -v ./qmi-network@.service /etc/systemd/system/
|
||||
# systemctl daemon-reload
|
||||
# systemctl enable --now qmi-network@0
|
||||
|
||||
# This will NOT work without a .network for your wwan device.
|
||||
[Unit]
|
||||
Description=qmi-network for cdc-wdm%i device
|
||||
|
||||
Before=freepbx.service
|
||||
Before=asterisk.service
|
||||
Before=sys-subsystem-net-devices-wg*.device
|
||||
|
||||
After=sys-subsystem-net-devices-wwan%i.device
|
||||
Wants=sys-subsystem-net-devices-wwan%i.device
|
||||
|
@ -17,18 +16,28 @@ Wants=sys-subsystem-net-devices-wwan%i.device
|
|||
[Service]
|
||||
Type=simple
|
||||
Restart=always
|
||||
TimeoutSec=240s
|
||||
TimeoutSec=300s
|
||||
|
||||
ExecStartPre=-qmi-network /dev/cdc-wdm%i stop
|
||||
ExecStartPre=-rm /tmp/qmi-network-state-cdc-wdm%i
|
||||
# Stop wwan so it can be reconfigured.
|
||||
ExecStartPre=networkctl down wwan%i
|
||||
|
||||
# Raw IP must be enabled.
|
||||
ExecStartPre=sh -c "echo 'Y' | tee /sys/class/net/wwan%i/qmi/raw_ip"
|
||||
|
||||
# Start the network via qmi-network scripts.
|
||||
ExecStartPre=qmi-network /dev/cdc-wdm%i start
|
||||
|
||||
# Bring up the network.
|
||||
ExecStartPre=networkctl up wwan%i
|
||||
|
||||
ExecStart=sh -e -c "sleep 30; while true; do ping -w 120 -I wwan%i -c 5 one.one.one.one || exit 1; sleep 300; done;"
|
||||
# We need to wait for dhcp to settle, then use ping to test connection
|
||||
# is alive.
|
||||
ExecStartPre=sh -e -c "sleep 10; ping -w 30 -I wwan%i -c 5 one.one.one.one"
|
||||
|
||||
ExecStop=-rm /tmp/qmi-network-state-cdc-wdm%i
|
||||
# Small loop as the main process to watchdog the connection.
|
||||
ExecStart=sh -e -c "while true; do sleep 300; ping -w 120 -I wwan%i -c 5 one.one.one.one; done;"
|
||||
|
||||
# Stop.. DOWN TIME!
|
||||
ExecStop=networkctl down wwan%i
|
||||
ExecStop=qmi-network /dev/cdc-wdm%i stop
|
||||
|
||||
|
|
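Review bot: The readiness check `ExecStartPre=sh -e -c "sleep 10; ping -w 30 -I wwan%i -c 5 one.one.one.one"` and the watchdog loop in the new `ExecStart` both depend on DNS resolving `one.one.one.one`, so a resolver problem (the same commit removes the DNS entry from wgs0) makes the link look dead and, with `Restart=always`, has the whole stop/start chain re-provision the modem every cycle even though the carrier connection is fine; pinging the literal address, `ping -w 30 -I wwan%i -c 5 1.1.1.1` and the same in the loop, tests the link rather than the resolver. `Restart=always` without a `RestartSec=` means a failed pre-check restarts the modem bring-up after the default 100 ms; `RestartSec=30s` would give the carrier side time to settle between attempts. The hunk's old/new markers are not recoverable from the rendered page, so which `ExecStart` line is the new one is taken from the commit message; the unit's `[Service]` section ends outside the hunk.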