Overhaul address classification.

[firewall] / jem.m4

### -*-sh-*-
###
### Firewall configuration for jem
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Config settings.

## This host isn't a router.
setconf(forward, 0)

## This host is involved in a routing asymmetry.
setconf(rp_filter, 0)
setconf(log_martians, 0)

###--------------------------------------------------------------------------
### jem-specific rules.

m4_divert(84)m4_dnl
## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
## isn't a completely critical part of the firewall security, so don't make
## this fail the entire script.
errorchain sauce REJECT
makeset sauce iphash || :
iptables -A inbound -g sauce -m set --match-set sauce src || :

## Externally visible services.
allowservices inbound tcp \
	ssh \
	ident \
	smtp submission \
	http https \
	imaps

## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
  run iptables -A inbound -j ACCEPT \
	  -s 172.29.198.0/24 \
	  -p $p --destination-port $port_dns
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------