firewall-controller
firewall-controller copied to clipboard
metal-stack
A kubernetes controller running on bare-metal firewalls, creating nftables rules, configures suricata, collects network metrics
Have no idea if this is gonna work, but it would bring the following improvements: - Only configured DNS server considered by proxy, no public servers used anymore if desired...
references #157 According to: https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html#layer-2-encapsulation we do not need to specify every interface, instead lan0/lan1 should be sufficient Another Post: https://www.ubicloud.com/blog/improving-network-performance-with-linux-flowtables TODO: - [ ] measure impact - [ ]...
If on the communication path to outside destinations smaller MTUs are required, we should be able to enable [MSS Clamping](https://de.wikipedia.org/wiki/Maximum_Segment_Size). This can be done with netfilter, the generated rules must...
On a shoot migration, the firewall-controller's seed endpoint changes. It somehow has to update it's client.
https://github.com/facebookincubator/dns/tree/main/dnswatch
According to the spec, rules which leave `to:` or `ports:` fields empty, the rule should default to any for these fields: ``` FIELDS: ports List of destination ports for outgoing...
We should enforce that for every rule specified either `to` or `toFQDNs` and `port` is specified to prevent accidentally open to wide
Metadata
Owner
Metadata
A kubernetes controller running on bare-metal firewalls, creating nftables rules, configures suricata, collects network metrics