From 6856b82bdcd61ea25cac8bc64a9114d908e6ea9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Asbj=C3=B8rn=20Sloth=20T=C3=B8nnesen?=
Date: Mon, 6 Sep 2021 18:13:20 +0000
Subject: space_server: add dedicated VLAN for Tor exit nodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move the Tor exit nodes to their own VLAN, and their own address space.

Background for move
-------------------

For the first Tor exit node, we were able to create inet6num object
2a01:4262:1ab:20::71/128. So we could assign a specific Tor abuse contact.

When we added the second node it was no longer possible to create /128
inet6num objects, but only up to /64. We therefore need to move our Tor
exit nodes to a dedicated address space.

Connection tracking
-------------------

Connection tracking is quite expensive, so it's better to only do it for
Tor traffic, when we actually need it, which is only when internal clients
need to access the servers.

In the future conntrack could also be disabled for labicolo in general.

Current stats
~~~~~~~~~~~~~

[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack | grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack

Currently 4071 out of 39138 connections are not Tor related.

Also reading /proc/net/nf_conntrack is quite slow atm.:

[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null

real 0m35.097s
user 0m0.010s
sys 0m28.114s

Signed-off-by: Asbjørn Sloth Tønnesen
---
 roles/space_server/files/networkd/10-lan.network   | 1 +
 roles/space_server/files/networkd/10-lan21.netdev  | 6 ++++++
 roles/space_server/files/networkd/10-lan21.network | 18 ++++++++++++++++++
 3 files changed, 25 insertions(+)
 create mode 100644 roles/space_server/files/networkd/10-lan21.netdev
 create mode 100644 roles/space_server/files/networkd/10-lan21.network
(limited to 'roles/space_server/files/networkd')
diff --git a/roles/space_server/files/networkd/10-lan.network b/roles/space_server/files/networkd/10-lan.network
index 1a9f004..1221be8 100644
--- a/roles/space_server/files/networkd/10-lan.network
+++ b/roles/space_server/files/networkd/10-lan.network
@@ -18,3 +18,4 @@ VLAN=lan13
 VLAN=lan14
 VLAN=lan15
 VLAN=lan20
+VLAN=lan21
diff --git a/roles/space_server/files/networkd/10-lan21.netdev b/roles/space_server/files/networkd/10-lan21.netdev
new file mode 100644
index 0000000..85a79c2
--- /dev/null
+++ b/roles/space_server/files/networkd/10-lan21.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan21
+Kind=vlan
+
+[VLAN]
+Id=21
diff --git a/roles/space_server/files/networkd/10-lan21.network b/roles/space_server/files/networkd/10-lan21.network
new file mode 100644
index 0000000..7ac5b75
--- /dev/null
+++ b/roles/space_server/files/networkd/10-lan21.network
@@ -0,0 +1,18 @@
+[Match]
+Name=lan21
+
+[Link]
+ARP=yes
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=185.38.175.129/28
+Address=2a01:4262:1ab:ffff::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
-- cgit v1.2.1
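Review bot: 10-lan21.network carries no comment saying what this VLAN is for, although the commit message explains that lan21 exists to give the Tor exit nodes their own address space and to keep connection tracking limited to the traffic that needs it; a header such as `# lan21: dedicated VLAN and address space for the Tor exit nodes (185.38.175.129/28, 2a01:4262:1ab:ffff::1/64) — see commit message` at the top of this file, with a matching one-liner in 10-lan21.netdev, would keep that rationale next to the config. With `IPForward=yes` the host routes between lan21 and the other VLANs listed in 10-lan.network, so the separation from internal hosts that the message describes depends on filtering rules not present in these hunks (the diffstat is limited to the networkd directory); naming the file that holds those rules in the comment would let the next reader verify the isolation. Note also that `IPForward=` in the networkd releases of this period sets a system-wide kernel option rather than a per-interface one, which is presumably already enabled by the existing VLAN networks — worth confirming nothing relies on it being off.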