### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 62.49.204.144/28
##		House border network (dmz).  We have all of these, but .145
##		is reserved for the router.
##
## 212.13.18.64/28
##		Jump colocated network (jump).  .65--68 are used by Jump
##		network infrastructure; we get the rest.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##	.0/25		house wireless net
##	.128/28		iodine (IP-over-DNS) network
##	.160/27		untrusted virtual network
##
## 172.29.199.0/24  Trusted networks.
##	.0/25		house wired network
##	.128/27		mobile VPN hosts
##	.160/28		reserved, except .160/30 allocated for ITS
##	.176/28		internal colocated network
##	.192/27		house safe network
##	.224/27		anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:470:1f08:1b98::/64
##		Hurricane Electric tunnel network: only :1 (HE) and :2
##		(radius) are used.
##
## 2001:470:1f09:1b98::/64
##		House border network (dmz).
##
## 2001:470:9740::/48
##		Main house range.  See below for allocation policy.
##
## 2001:ba8:0:1d9::/64
##		Jump border network (jump): :1 is the router (supplied by
##		Jump); other addresses are ours.
##
## 2001:ba8:1d9::/48
##		Main colocated range.  See below for allocation policy.
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## axxx		Virtual, untrusted
## 8xxx		Untrusted
## 6xxx		Virtual, safe
## 4xxx		Safe
## 0xxx		Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15	If set, the network is untrusted; otherwise it is trusted.
## Bit 14	If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0		No specific site: mobile VPN endpoints or anycast addresses.
## 1		House.
## 2		Jump colocation.
##
## Usually site-0 networks are allocated from the Jump range to improve
## expected performance from/to external sites which don't engage in our
## dynamic routing protocols.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass scary	scary		trusted		    mcast
defnetclass untrusted	scary untrusted trusted		    mcast
defnetclass trusted	scary untrusted trusted safe noloop mcast
defnetclass safe			trusted safe noloop mcast
defnetclass noloop			trusted safe	    mcast

defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 62.49.204.144/28 2001:470:1f09:1b98::/64
	via unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25 2001:470:9740:1::/64
	via househub
defnet safe safe
	addr 172.29.199.192/27 2001:470:9740:4001::/64
	via househub
defnet untrusted untrusted
	addr 172.29.198.0/25 2001:470:9740:8001::/64
	via househub

defnet househub virtual
	via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	via househub hub

## House hosts.
defhost radius
	hosttype router
	iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
	iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
	iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
	iface eth3 unsafe untrusted vpn default
	iface ppp0 default
	iface t6-he default
	iface vpn-precision colobdry vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost roadstar
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost jem
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost universe
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost artist
	hosttype router
	iface eth0 dmz unsafe untrusted
	iface eth1 dmz unsafe untrusted
	iface eth3 unsafe untrusted
defhost vampire
	hosttype router
	iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
	iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
	iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
	iface eth0.7 unsafe untrusted vpn
	iface vpn-precision colobdry vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost ibanez
	iface br-dmz dmz unsafe
	iface br-unsafe unsafe
defhost orange
	iface wlan0 untrusted
	iface vpn-radius unsafe
defhost groove
	iface eth0 unsafe
	iface wlan0 untrusted
	iface vpn-radius unsafe

defhost gibson
	hosttype client
	iface eth0.5 unsafe

## Colocated networks.
defnet jump trusted
	addr 212.13.198.64/28 2001:ba8:0:1d9::/64
	via colohub
defnet colo trusted
	addr 172.29.199.176/28 2001:ba8:1d9:2::/64
	via colohub
defnet colohub virtual
	via colobdry jump colo
defnet colobdry virtual
	via colohub hub
defnet iodine untrusted
	addr 172.29.198.128/28
	via colohub

## Colocated hosts.
defhost fender
	iface br-jump jump colo
	iface br-colo jump colo
defhost precision
	hosttype router
	iface eth0 jump colo vpn sgo
	iface eth1 jump colo vpn sgo
	iface vpn-mango binswood
	iface vpn-radius housebdry vpn sgo
	iface vpn-chiark sgo
	iface vpn-national upn
	iface vpn-+ vpn
defhost telecaster
	iface eth0 jump colo
	iface eth1 jump colo
defhost stratocaster
	iface eth0 jump colo
	iface eth1 jump colo
defhost jazz
	hosttype router
	iface eth0 jump colo vpn
	iface eth1 jump colo vpn
	iface dns0 iodine
	iface vpn-+ vpn

## Other networks.
defnet hub virtual
	via housebdry colobdry
defnet sgo noloop
	addr !172.29.198.0/23
	addr 10.0.0.0/8
	addr 172.16.0.0/12
	addr 192.168.0.0/16
	via househub colohub
defnet vpn safe
	addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
	via househub colohub
	host crybaby 1 ::1:1
	host terror 2 ::2:1
	host orange 3 ::3:1
	host haze 4 ::4:1
	host groove 5 ::5:1
defnet anycast trusted
	addr 172.29.199.224/27 2001:ba8:1d9:0::/64
	via dmz unsafe safe untrusted jump colo vpn
defnet default scary
	addr 62.49.204.144/28 2001:470:1f09:1b98::/64
	addr 212.13.198.64/28 2001:ba8:0:1d9::/64
	addr 2001:ba8:1d9::/48 #temporary
	via dmz unsafe untrusted jump colo
defnet upn untrusted
	addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
	via colohub
	host national 1 ::1:1

## Linode hosts.
defhost national
	iface eth0 default
	iface vpn-precision colohub

## Satellite networks.
defnet binswood noloop
	addr 10.165.27.0/24
	via colohub
defhost mango
	hosttype router
	iface eth0 binswood default
	iface vpn-precision colo

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.

for i in ftp; do
  modprobe nf_conntrack_$i
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
	    -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --destination-port $port_ssh \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --source-port $port_ssh \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
	    -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
	    -d ff::/8
    ;;
esac

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run iptables -A inbound -j ACCEPT -p icmp
run ip6tables -A inbound -j ACCEPT -p icmpv6

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
	-m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
	-m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------