diff --git a/network/Readme.md b/network/Readme.md new file mode 100644 --- /dev/null +++ b/network/Readme.md 
@@ -0,0 +1,99 @@ +This document act as the network flow's matrix for the OPN firewall[1] + +Rules: +- Use aliases on the rules, avoid as far as possible to directly reference objects + +# Interface + +| Name | Ip | Owner | +| ------------ | --------------- | -------------- | +| Staging - v1 | 192.168.128.130 | FW1 | +| Staging - v1 | 192.168.128.131 | FW2(provision) | +| Staging | 192.168.130.2 | FW1 | +| Staging | 192.168.130.3 | FW2(provision) | +| Production | 192.168.100.130 | FW1 | +| Production | 192.168.100.131 | FW2(provision) | +| Admin | 192.168.50.2 | FW1 | +| Admin | 192.168.50.3 | FW2(provision) | +| SWH Public | 128.193.166.3 | FW1 | +| SWH Public | 128.193.166.4 | FW2(provision) | + +# Virtual ips + +| Name | Ip | Possible owners | Description | +| ------------- | --------------- | ---------------------------------- | ----------------------------------------- | +| Admin GW | 192.168.50.1 | FW1/(FW2) | VIP for FW HA in the Admin network | +| Staging GW | 192.168.130.1 | FW1/(FW2) | VIP for FW HA in the staging network | +| Production GW | 192.168.100.129 | FW1/(FW2) | VIP for FW HA in the production network | +| Public GW | 128.193.166.2 | FW1/(FW2) | VIP for the FW HA in the public network | +| Staging RP | 128.193.166.X | (FW1/FW2\| RP if exposed directly) | Reverse proxy for the staging environment | + +# Alias + +| Name | Type | Range | Description | +| -------------------- | -------- | ----------------- | ----------- | +| Production network | Networks | 192.168.100.0/24 | VLAN 440 | +| SWH Public network | Networks | 128.93.166.00/66 | VLAN 1300 | +| Staging network - v1 | Networks | 192.168.128.0/24 | VLAN 443 | +| Staging network | Networks | 192.168.129.0/24 | VLAN 443 | +| Admin network | Networks | 192.168.129.0/24 | VLAN 442 | +| DNS server | Host | 192.168.100.29/32 | Pergamon | +| Staging RP | Host | 192.168.130.10/32 | | +| Puppet server | Host | 192.168.100.29/32 | Pergamon | +| Http/s traffic | Ports | 80, 443 | | +| Puppet server | 
Ports | 8140 | Puppet port | + + +# NAT + +To be defined + +# Rules + +If unspecified : +- Outboud traffic is allowed by default +- Inbound traffic is blocked by default + +## Floating rules + +This rules are interpreted before the per interfaces rules[2] + +| IN/OUT | Action | Source | Target | Type | Port | Description | +| ------ | ------ | ------ | ------ | ---- | ---- | ------------------- | +| IN | Allow | * | * | ICMP | * | Allow ICMP globally | + + +## Admin interface + +| IN/OUT | Action | Source | Target | Type | Port | Description | +| ------ | ------ | ------ | ------ | ---- | ---- | ----------- | + +## Production interface + +| IN/OUT | Action | Source | Target | Type | Port | Description | +| ------ | ------ | ------ | ------------- | ---- | ------------- | ------------------------------------------ | +| IN | Pass | * | DHCP Server | * | 53 | DNS queries | +| IN | Pass | * | Puppet Server | TCP | Puppet server | Allow puppet agents to reach puppet master | + + +## SWH Public interface + +| IN/OUT | Action | Source | Target | Type | Port | Description | +| ------ | ------ | ------ | ---------- | ---- | -------------- | ------------------------------- | +| IN | Pass | * | Staging RP | TCP | Http/s traffic | Allow Web traffic from internet | + +## Staging V1 interface + +| IN/OUT | Action | Source | Target | Type | Port | Description | +| ------ | ------ | -------------------- | ---------- | ---- | ---------- | --------------------- | +| IN | Pass | SWH Public interface | Staging RP | TCP | Web server | Public facing service | + + +## Staging interface + +| IN/OUT | Action | Source | Target | Type | Port | Description | +| ------ | ------ | ------ | ------ | ---- | ---- | ----------- | + + +[1]: TODO: Internal url +[2]: https://wiki.opnsense.org/manual/firewall.html#processing-order
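Review bot: the Alias table in this hunk has an invalid and inconsistent definition for the public network: `| SWH Public network | Networks | 128.93.166.00/66 | VLAN 1300 |` uses a /66 prefix, which does not exist for IPv4, and the 128.93 octet disagrees with the 128.193.166.x addresses used in the Interface and Virtual ips tables; please correct it to the real prefix and octets so the alias actually matches the public VIP and interface addresses. In the same table, `Staging network` and `Admin network` both resolve to 192.168.129.0/24, while the Interface table places Staging on 192.168.130.x and Admin on 192.168.50.x, so at least one of these aliases will match the wrong subnet (and the `Staging network` VLAN 443 entry duplicates the VLAN of `Staging network - v1`); the `Puppet server` alias name is also defined twice, once as a Host and once as Ports, which OPNsense will not accept as two distinct aliases. In the Rules section, the Production rule `| IN | Pass | * | DHCP Server | * | 53 | DNS queries |` targets a `DHCP Server` alias that is never defined (the defined alias is `DNS server`) and uses a literal port 53, which contradicts the "Use aliases" rule stated at the top; the Staging V1 rule references `SWH Public interface` and `Web server`, neither of which is in the Alias table (the defined port alias is `Http/s traffic`), and its target `Staging RP` (192.168.130.10) sits in the Staging network rather than in Staging - v1 (192.168.128.0/24), so the rule looks misplaced on that interface. Minor: the Floating rule uses `Allow` where every other rule uses `Pass`, and the prose has typos ("This document act as", "Outboud", "This rules").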