Robert Volkmann
For forwarding the packets from the mgmt server back to the leaves via the default docker bridge, you should add the following route: `sudo ip route add 10.0.1.1/32 via `
@Gerrit91 do we still need these lines in the integration test script?
```
echo "Adding route to leaf01 and leaf02"
make route
echo "Check if SSH login to firewall works"...
```
SSH login over link-local addresses is prohibited because these are not part of [hosts.allowed](https://github.com/metal-stack/metal-images/pull/177/commits/fb7146080f7013f1c477ba0fdd9652efcb490290) anymore. @majst01 Any reason not to include link-local addresses?
Do we need the SSH access only for the integration tests?
Yes, the LLA range `fe80::/10` is not contained within the ULA range `fc00::/7`. Adding the LLA range to `hosts.allow` would allow SSH connections from the leaves to the machines.
Can I change `hosts.allow` by providing some ignition file with `--userdata` or should I use the serial console?
The firewall has access to the internet, but the machine does not. Packets arrive at the firewall but do not enter the vrf104009.
```
root@fw:~# tcpdump -i any -n icmp...
```
Firewall images not containing the PR https://github.com/metal-stack/metal-images/pull/214 work on my machine. But outgoing access still doesn't work on our CI system. @majst01 Any workaround for the PR?
@majst01 forwarding is still forbidden. Do we need a firewall-controller in the mini-lab?
[rules.txt](https://github.com/user-attachments/files/16235915/rules.txt)