* firewall notes - add port 500 & 15060

* correct nc sync cron note * wireguard: remove dns and add ipmasq for server peer * qmi-network.service - remove wants on wg devices & ensure on startup that the network is actually ready
2022-05-28 14:47:48 +01:00 · 2022-05-28 14:47:48 +01:00 · 16402ce2b3
parent f172bb901e
commit 16402ce2b3
6 changed files with 49 additions and 19 deletions
--- a/debian/bullseye/notes/firewall-ufw.md
+++ b/debian/bullseye/notes/firewall-ufw.md
@ -14,18 +14,23 @@ ufw allow bootps
 ufw allow 53/udp
 ufw allow 5355
 ufw allow 53/tcp
+ufw allow 500/udp
 ```

 Allow SSH from local addresses only.
 ```
 ufw allow from 192.168.1.0/24 proto tcp to any port 22
 ufw allow from 192.168.156.0/24 proto tcp to any port 22
+
 ufw allow from 192.168.1.0/24 proto tcp to any port 80
 ufw allow from 192.168.156.0/24 proto tcp to any port 80
+
 ufw allow from 192.168.1.0/24 proto tcp to any port 8080
 ufw allow from 192.168.156.0/24 proto tcp to any port 8080
+
 ufw allow from 192.168.1.0/24 proto tcp to any port 443
 ufw allow from 192.168.156.0/24 proto tcp to any port 443
+
 ufw allow from 192.168.1.0/24 proto udp to any port 5060
 ufw allow from 192.168.156.0/24 proto udp to any port 5060
 ufw allow from 217.10.64.0/20 proto udp to any port 5060
@ -33,6 +38,13 @@ ufw allow from 217.116.112.0/20 proto udp to any port 5060
 ufw allow from 212.9.32.0/19 proto udp to any port 5060
 ufw allow from 10.0.0.0/24 proto udp to any port 5060

+ufw allow from 192.168.1.0/24 proto udp to any port 15060
+ufw allow from 192.168.156.0/24 proto udp to any port 15060
+ufw allow from 217.10.64.0/20 proto udp to any port 15060
+ufw allow from 217.116.112.0/20 proto udp to any port 15060
+ufw allow from 212.9.32.0/19 proto udp to any port 15060
+ufw allow from 10.0.0.0/24 proto udp to any port 15060
+
 ufw allow from 192.168.1.0/24 proto udp to any port 24000:26000
 ufw allow from 192.168.156.0/24 proto udp to any port 24000:26000
 ufw allow from 10.0.0.0/24 proto udp to any port 24000:26000
--- a/debian/bullseye/scripts/nextcloud-sync.sh
+++ b/debian/bullseye/scripts/nextcloud-sync.sh
@ -2,7 +2,7 @@

 # Run this script with "(sudo) bash <filename> <args>".
 #
-# 0 2 * * * bash /root/nc-sync.sh | tee -a /var/log/$0_$(date +"\%Y-\%m-\%d").log
+# 0 2 * * * bash /root/nextcloud-sync.sh | tee /var/log/nextcloud.log > /dev/null 2>&1


 # Exit on error.
--- a/debian/bullseye/systemd/network/71-wgs0.network
+++ b/debian/bullseye/systemd/network/71-wgs0.network
@ -1,8 +1,17 @@
 # Needs netdev for wgs0, wireguard & wireguard-tools installed to work.
-
 [Match]
 Name=wgs0

 [Network]
+# Packet forwarding.
+IPForward=yes
+
+# Link discovery causes some issues so disable it.
+LLDP=no
+
+# IPv4
+[Network]
+
 Address=10.0.0.1/24
-IPForward=true
+
+IPMasquerade=yes
--- a/debian/bullseye/systemd/network/80-wg0.netdev
+++ b/debian/bullseye/systemd/network/80-wg0.netdev
@ -22,8 +22,6 @@ PrivateKey=<KEY>
 # Public key for the above private key. Only here as a reminder.
 #PublicKey=<PUBKEY>

-# DNS
-DNS = 1.1.1.1, 1.0.0.1

 # Your Peers.
 [WireGuardPeer]
--- a/debian/bullseye/systemd/network/examples/lan.conf
+++ b/debian/bullseye/systemd/network/examples/lan.conf
@ -2,6 +2,11 @@
 # IP address range.
 Address=192.168.156.1/24

+# As systemd-networkd doesn't yet *fully* support being a dhcp server
+# setup dnsmasq instead.
+# Enable serving of DHCP addresses from the network range.
+#DHCPServer=yes
+
 # Packet forwarding.
 IPForward=yes

@ -22,9 +27,6 @@ LLDP=no
 #DNS=1.1.1.1
 #DNS=1.0.0.1

-# Enable serving of DHCP addresses from the network range.
-#DHCPServer=yes
-
 #[DHCPServerStaticLease]
 #MACAddress=xx:xx:xx:xx:xx:xx
 #Address=192.168.156.2
--- a/debian/bullseye/systemd/system/qmi-network@.service
+++ b/debian/bullseye/systemd/system/qmi-network@.service
@ -1,15 +1,14 @@
-# $ cp -v ./qmi-network@.service /etc/systemd/system/
-# $ systemctl daemon-reload
-#
-# $ systemctl enable --now qmi-network@0
-#
+# apt install --no-install-recommends libqmi-utils
+# cp -v ./qmi-network@.service /etc/systemd/system/
+# systemctl daemon-reload
+# systemctl enable --now qmi-network@0
+
 # This will NOT work without a .network for your wwan device.
 [Unit]
 Description=qmi-network for cdc-wdm%i device

 Before=freepbx.service
 Before=asterisk.service
-Before=sys-subsystem-net-devices-wg*.device

 After=sys-subsystem-net-devices-wwan%i.device
 Wants=sys-subsystem-net-devices-wwan%i.device
@ -17,18 +16,28 @@ Wants=sys-subsystem-net-devices-wwan%i.device
 [Service]
 Type=simple
 Restart=always
-TimeoutSec=240s
+TimeoutSec=300s

-ExecStartPre=-qmi-network /dev/cdc-wdm%i stop
-ExecStartPre=-rm /tmp/qmi-network-state-cdc-wdm%i 
+# Stop wwan so it can be reconfigured.
 ExecStartPre=networkctl down wwan%i
+
+# Raw IP must be enabled.
 ExecStartPre=sh -c "echo 'Y' | tee /sys/class/net/wwan%i/qmi/raw_ip"
+
+# Start the network via qmi-network scripts.
 ExecStartPre=qmi-network /dev/cdc-wdm%i start
+
+# Bring up the network.
 ExecStartPre=networkctl up wwan%i

-ExecStart=sh -e -c "sleep 30; while true; do ping -w 120 -I wwan%i -c 5 one.one.one.one || exit 1; sleep 300; done;"
+# We need to wait for dhcp to settle, then use ping to test connection
+# is alive.
+ExecStartPre=sh -e -c "sleep 10; ping -w 30 -I wwan%i -c 5 one.one.one.one"

-ExecStop=-rm /tmp/qmi-network-state-cdc-wdm%i
+# Small loop as the main process to watchdog the connection.
+ExecStart=sh -e -c "while true; do sleep 300; ping -w 120 -I wwan%i -c 5 one.one.one.one; done;"
+
+# Stop.. DOWN TIME!
 ExecStop=networkctl down wwan%i
 ExecStop=qmi-network /dev/cdc-wdm%i stop