[firewall] / local.m4

### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
        "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 62.49.204.144/28
##              House border network (dmz).  We have all of these, but .145
##              is reserved for the router.
##
## 212.13.18.64/28
##              Jump colocated network (jump).  .65--68 are used by Jump
##              network infrastructure; we get the rest.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##      .0/25           house wireless net
##      .128/28         iodine (IP-over-DNS) network
##
## 172.29.199.0/24  Trusted networks.
##      .0/25           house wired network
##      .128/27         mobile VPN hosts
##      .160/28         reserved, except .160/30 allocated for ITS
##      .176/28         internal colocated network
##      .192/27         house safe network
##      .224/27         anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:470:1f08:1b98::/64
##              Hurricane Electric tunnel network: only :1 (HE) and :2
##              (radius) are used.
##
## 2001:470:1f09:1b98::/64
##              House border network (dmz).
##
## 2001:470:9740::/48
##              Main house range.  See below for allocation policy.
##
## 2001:ba8:0:1d9::/64
##              Jump border network (jump): :1 is the router (supplied by
##              Jump); other addresses are ours.
##
## 2001:ba8:1d9::/48
##              Main colocated range.  See below for allocation policy.
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## 8xxx         Untrusted
## 6xxx         Virtual
## 4xxx         Safe
## 0xxx         Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15       If set, the network is untrusted; otherwise it is trusted.
## Bit 14       If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0            No specific site: mobile VPN endpoints or anycast addresses.
## 1            House.
## 2            Jump colocation.
##
## Usually site-0 networks are allocated from the Jump range to improve
## expected performance from/to external sites which don't engage in our
## dynamic routing protocols.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass untrusted untrusted trusted mcast
defnetclass trusted untrusted trusted safe noloop mcast
defnetclass safe trusted safe noloop mcast
defnetclass noloop trusted safe mcast
defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
        addr 62.49.204.144/28 2001:470:1f09:1b98::/64
        forwards unsafe untrusted
defnet unsafe trusted
        addr 172.29.199.0/25 2001:470:9740:1::/64
        forwards househub
defnet safe safe
        addr 172.29.199.192/27 2001:470:9740:4001::/64
        forwards househub
defnet untrusted untrusted
        addr 172.29.198.0/25 2001:470:9740:8001::/64
        forwards househub

defnet househub virtual
        forwards housebdry dmz unsafe safe untrusted
defnet housebdry virtual
        forwards househub hub
        noxit dmz

## House hosts.
defhost radius
        hosttype router
        iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
        iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
        iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
        iface eth3 untrusted vpn default
        iface ppp0 default
        iface t6-he default
        iface vpn-precision colobdry vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost roadstar
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost jem
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
defhost artist
        hosttype router
        iface eth0 dmz unsafe untrusted
        iface eth1 dmz unsafe untrusted
        iface eth3 untrusted
defhost vampire
        hosttype router
        iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
        iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
        iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
        iface eth0.7 untrusted
        iface vpn-precision colobdry vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost ibanez
        iface br-dmz dmz unsafe
        iface br-unsafe unsafe

defhost gibson
        hosttype client
        iface eth0 unsafe

## Colocated networks.
defnet jump trusted
        addr 212.13.198.64/28 2001:ba8:0:1d9::/64
        forwards colohub
defnet colo trusted
        addr 172.29.199.176/28 2001:ba8:1d9:2::/64
        forwards colohub
defnet colohub virtual
        forwards colobdry jump colo iodine
defnet colobdry virtual
        forwards colohub hub
        noxit jump
defnet iodine untrusted
        addr 172.29.198.128/28
        forwards colohub

## Colocated hosts.
defhost fender
        iface br-jump jump colo
        iface br-colo jump colo
defhost precision
        hosttype router
        iface eth0 jump colo sgo
        iface eth1 jump colo sgo
        iface vpn-radius housebdry vpn sgo
        iface vpn-chiark sgo
        iface vpn-+ vpn
defhost telecaster
        iface eth0 jump colo
        iface eth1 jump colo
defhost stratocaster
        iface eth0 jump colo
        iface eth1 jump colo
defhost jazz
        iface eth0 jump colo
        iface eth1 jump colo
        iface dns0 iodine

## Other networks.
defnet hub virtual
        forwards housebdry colobdry
defnet sgo noloop
        addr !172.29.198.0/23
        addr 10.0.0.0/8
        addr 172.16.0.0/12
        addr 192.168.0.0/16
        forwards househub colohub
defnet vpn safe
        addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
        forwards househub colohub
        host crybaby 1
        host terror 2
defnet anycast trusted
        addr 172.29.199.224/27 2001:ba8:1d9:0::/64
        forwards dmz unsafe safe untrusted jump colo vpn
defnet default untrusted
        addr 62.49.204.144/28 2001:470:1f09:1b98::/64
        addr 212.13.198.64/28 2001:ba8:0:1d9::/64
        addr 2001:ba8:1d9::/48 #temporary
        forwards dmz unsafe untrusted jump colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
            -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
            -p icmp --icmp-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
            -p icmp --icmp-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
            -p icmpv6 --icmpv6-type echo-request \
            -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
            -p icmpv6 --icmpv6-type echo-reply \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --destination-port $port_ssh \
            -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --source-port $port_ssh \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
            -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
            -d ff::/8
    ;;
esac

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 255.255.255.255 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------