Changeset View
Changeset View
Standalone View
Standalone View
sysadm/network-architecture/how-to-access-firewall-settings.rst
.. _firewall_settings: | .. _firewall_settings: | ||||
How to access firewall settings | How to access firewall settings | ||||
=============================== | =============================== | ||||
.. todo:: | .. admonition:: Intended audience | ||||
This page is a work in progress. For now, please refer to the existing documentation :ref:`swh-devel:network_configuration`. | :class: important | ||||
No newline at end of file | |||||
sysadm staff members | |||||
The firewalls are 2 `OPNsense <https://opnsense.org>`_ VMs deployed on the PROXMOX | |||||
cluster with an `High Availability | |||||
<https://docs.opnsense.org/manual/hacarp.html?highlight=high%20availability>`_ | |||||
configuration. | |||||
They are sharing a virtual IP on each VLAN to act as the gateway. Only one of the 2 | |||||
firewalls is owning all the GW ips at the same time. The owner is called the ``PRIMARY`` | |||||
.. list-table:: | |||||
:header-rows: 1 | |||||
* - Nominal Role | |||||
- name (link to the inventory) | |||||
- login page | |||||
* - PRIMARY | |||||
- `pushkin <https://inventory.internal.softwareheritage.org/virtualization/virtual-machines/75/>`_ | |||||
- `https://pushkin.internal.softwareheritage.org <https://pushkin.internal.softwareheritage.org>`_ | |||||
* - BACKUP | |||||
- `glyptotek <https://inventory.internal.softwareheritage.org/virtualization/virtual-machines/86/>`_ | |||||
- `https://glyptotek.internal.softwareheritage.org <https://glyptotek.internal.softwareheritage.org>`_ | |||||
Access to the gui of the secondary firewall | |||||
------------------------------------------- | |||||
The secondary firewall is not directly reachable for VPN user. As the OpenVPN service is | |||||
also running when the firewall is a backup, the packets coming from tne VPN are routed | |||||
to the local VPN on the secondary and lost. | |||||
To access to GUI, a tunnel can be used: | |||||
ssh -L 8443:pushkin.internal.softwareheritage.org:443 pergamon.internal.softwareheritage.org | |||||
Once the tunnel is created, the gui is accessible at https://localhost:8443 in any | |||||
browser | |||||
Configuration backup | |||||
-------------------- | |||||
The configuration is automatically committed on a `git repository | |||||
<https://forge.softwareheritage.org/source/iFWCFG/branches/master/>`_. Each firewall | |||||
regularly pushes its configuration on a dedicated branch of the repository. | |||||
The configuration is visible on the `System / Configuration / Backups | |||||
<https://pushkin.internal.softwareheritage.org/diag_backup.php>`_ page of each one. |