firefrost-gaming/firefrost-operations-manual
3
0
Fork 0
Code Issues 146 Pull Requests Packages Projects Releases Wiki Activity
Files
deeced2aa37bda231d260ec9db6c7dee991d0cc3
firefrost-operations-manual/docs/tasks/frostwall-protocol/README.md
Claude ebb66b3cc2 priority: elevate Frostwall Protocol to top priority 
Email is needed urgently — Holly staff email, staff comms,
subscriber notifications. Frostwall → Mailcow is the only
path. Elevated March 10, 2026.

Created by Chronicler #29
2026-03-10 23:34:34 +00:00

123 lines
3.6 KiB
Markdown
Raw Blame History

# The Frostwall Protocol - GRE Tunnel Security Architecture
**Status:** PLANNING COMPLETE - Ready to Deploy
**Owner:** Michael "Frostystyle" Krause
**Priority:** CRITICAL - TOP PRIORITY (elevated March 10, 2026)
**Last Updated:** 2026-02-17
**Time Estimate:** 3-4 hours deployment (SSH required)
**Elevated:** Email needed urgently — Frostwall → Mailcow is the only path
---
## Overview
Custom DDoS protection using GRE tunnels from Command Center (Dallas hub) to remote nodes (TX1, NC1). Routes all game traffic through Command Center scrubbing, then encrypted tunnels to backend servers. Hides real server IPs and protects email reputation.
**Current Status:** Previously deployed, torn down due to incorrect implementation. Rebuild required with proper architecture.
---
## What It Is
**The Frostwall:** Iron Wall security protocol using GRE tunneling
**Architecture:**
- Command Center (Dallas): Hub/scrubbing center
- TX1 (Dallas): Texas game servers
- NC1 (Charlotte): North Carolina game servers
- GRE tunnels: Encrypted links between hub and nodes
**Purpose:**
- DDoS protection for all game servers
- Hide real server IPs from internet
- Separate game traffic from email (IP reputation protection)
- Foundation for all service deployments
---
## Core Components
### 1. GRE Tunneling
Private encrypted links between Command Center and remote nodes:
- Command Center ↔ TX1 (Dallas to Dallas)
- Command Center ↔ NC1 (Dallas to Charlotte)
### 2. 1-to-1 NAT/DMZ Forwarding
/29 IP block for clean external→internal mapping
### 3. Iron Wall UFW Rules
Physical interfaces drop ALL traffic except:
- GRE tunnel traffic
- Management IP (Michael's static IP)
### 4. IP Hierarchy
Three-tier IP structure:
- **Scrubbing Center IP:** What players see (external)
- **Backend Alias IP:** Hidden server address (tunnel)
- **Binding Truth IP:** Internal service binding (localhost)
---
## Implementation Steps
1. **Configure GRE Tunnels** (Command Center ↔ TX1, NC1)
2. **Set Up 1-to-1 NAT/DMZ** with /29 IP block
3. **Deploy Iron Wall UFW Rules** (drop all except GRE + management)
4. **Test Tunnel Connectivity** and failover
5. **Implement Self-Healing** (auto-recovery on failure)
6. **Document IP Hierarchy** in repo
7. **Verify Game Traffic** routes correctly through tunnels
8. **Test DDoS Protection** (simulated attack)
---
## Success Criteria
- ✅ GRE tunnels operational (Command Center ↔ TX1, NC1)
- ✅ All game traffic routes through tunnels
- ✅ Real server IPs hidden from internet
- ✅ DDoS scrubbing active
- ✅ Self-healing tunnels (auto-recovery)
- ✅ Email IP separate from game traffic
- ✅ Management IP whitelisted
- ✅ Complete documentation in repo
---
## Blocks
**This task blocks:**
- Mailcow email deployment (needs IP isolation)
- AI stack deployment (needs protected network)
- All Tier 2+ infrastructure work
- Future service deployments
**Critical path:** Must complete before any major infrastructure expansion
---
## Documentation
**Current:** Google Doc (external)
https://docs.google.com/document/d/12Kh-AhUgJLOJrBgIjMiGi3xRZH1basRzv9Pa_-x1t_0/edit
**Migration Target:** `docs/tasks/frostwall-protocol/deployment-plan.md`
**Additional docs needed:**
- GRE tunnel configuration guide
- NAT/DMZ setup procedures
- UFW rules reference
- IP hierarchy documentation
- Troubleshooting guide
- Recovery procedures
---
**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️
---
**Document Status:** ACTIVE
**Implementation Status:** Rebuild pending (torn down, needs correct implementation)
**Critical Infrastructure:** YES - Foundation for all future deployments
Reference in New Issue View Git Blame Copy Permalink