### -*-sh-*-
###
### Local firewall configuration
###
### (c) 2008 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Local configuration.

m4_divert(6)m4_dnl
## Default NTP servers.
defconf(ntp_servers,
	"81.187.26.174 90.155.23.205 2001:8b0:0:23::205 185.73.44.6 2001:ba8:0:2c06::")

m4_divert(-1)
###--------------------------------------------------------------------------
### Packet classification.

## IPv4 addressing.
##
## There are two small blocks of publicly routable IPv4 addresses, and a
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
##		House border network (dmz).  We have all of these; the loose
##		address is for the router.
##
## The latter is the block 172.29.196.0/22.  Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
##
## 172.29.198.0/24  Untrusted networks.
##	.0/25		house wireless net
##	.128/28		iodine (IP-over-DNS) network
##	.144/28		hippotat (IP-over-HTTP) network
##	.160/27		untrusted virtual network
##
## 172.29.199.0/24  Trusted networks.
##	.0/25		house wired network
##	.128/27		mobile VPN hosts
##	.160/28		reserved, except .160/30 allocated for ITS
##	.176/28		internal colocated network
##	.192/27		house safe network
##	.224/27		anycast services

## IPv6 addressing.
##
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting.  The ranges are as follows.
##
## 2001:8b0:c92::/48
##		Main house range (aaisp).  See below for allocation policy.
##		There is no explicit DMZ allocation (and no need for one).
##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number.  The
## top nibble of the network number classifies the network, as follows.
##
## axxx		Virtual, untrusted
## 8xxx		Untrusted
## 6xxx		Virtual, safe
## 4xxx		Safe
## 0xxx		Unsafe, trusted
##
## These have been chosen so that network properties can be deduced by
## inspecting bits of the network number:
##
## Bit 15	If set, the network is untrusted; otherwise it is trusted.
## Bit 14	If set, the network is safe; otherwise it is unsafe.
##
## Finally, the low-order nibbles identify the site.
##
## 0		No specific site: mobile VPN endpoints or anycast addresses.
## 1		House.
## fff		Local border network.

## Define the available network classes.
m4_divert(42)m4_dnl
defnetclass scary	scary		trusted		    vpnnat mcast
defnetclass untrusted	scary untrusted trusted			   mcast
defnetclass trusted	scary untrusted trusted safe noloop vpnnat mcast
defnetclass safe			trusted safe noloop vpnnat mcast
defnetclass noloop			trusted safe		   mcast
defnetclass vpnnat	scary		trusted safe		   mcast

defnetclass link
defnetclass mcast
m4_divert(-1)

m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.

## House networks.
defnet dmz trusted
	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
	via unsafe untrusted
defnet unsafe trusted
	addr 172.29.199.0/25 2001:8b0:c92:1::/64
	via househub
defnet safe safe
	addr 172.29.199.192/27 2001:8b0:c92:4001::/64
	via househub
defnet untrusted untrusted
	addr 172.29.198.0/25 2001:8b0:c92:8001::/64
	via househub

defnet househub virtual
	via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
	via househub hub

## House hosts.
defhost radius
	hosttype router
	iface eth0 dmz unsafe safe untrusted vpn sgo default
	iface eth1 dmz unsafe safe untrusted vpn sgo default
	iface eth2 dmz unsafe safe untrusted vpn sgo
	iface eth3 unsafe untrusted vpn default
	iface ppp0 default
	iface t6-he default
	iface vpn-precision vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost roadstar
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost jem
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost universe
	iface eth0 dmz unsafe
	iface eth1 dmz unsafe
defhost artist
	hosttype router
	iface eth0 dmz unsafe untrusted
	iface eth1 dmz unsafe untrusted
	iface eth3 unsafe untrusted
defhost vampire
	hosttype router
	iface eth0.4 dmz unsafe untrusted safe vpn sgo
	iface eth0.5 dmz unsafe untrusted safe vpn sgo
	iface eth0.6 dmz unsafe safe untrusted vpn sgo
	iface eth0.7 unsafe untrusted vpn
	iface vpn-precision vpn sgo
	iface vpn-chiark sgo
	iface vpn-+ vpn
defhost ibanez
	iface br-dmz dmz unsafe
	iface br-unsafe unsafe
defhost orange
	iface wlan0 untrusted
	iface vpn-radius unsafe
defhost groove
	iface eth0 unsafe
	iface wlan0 untrusted
	iface vpn-radius unsafe

defhost gibson
	hosttype client
	iface eth0 unsafe

## Formerly colocated hosts.
defhost fender
	iface br-dmz dmz unsafe
	iface br-unsafe dmz unsafe
defhost precision
	hosttype router
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
	iface vpn-mango binswood
	iface vpn-chiark sgo
	iface vpn-national upn
	iface vpn-mdwdev upn
	iface vpn-+ vpn
defhost telecaster
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
defhost stratocaster
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
defhost jazz
	hosttype router
	iface eth0 dmz unsafe vpn sgo
	iface eth1 dmz unsafe vpn sgo
	iface dns0 iodine
	iface hippo-svc hippotat
	iface vpn-+ vpn

## Stunt connectivity networks.
defnet iodine untrusted
	addr 172.29.198.128/28
	via colohub
defnet hippotat untrusted
	addr 172.29.198.144/28
	via colohub


## Other networks.
defnet hub virtual
	via housebdry
defnet sgo noloop
	addr !172.29.198.0/23
	addr !10.165.27.0/24
	addr 10.0.0.0/8
	addr 172.16.0.0/12
	addr 192.168.0.0/16
	via househub
defnet vpn trusted
	addr 172.29.199.128/27 2001:8b0:c92:6000::/64
	via househub
	host crybaby 1 ::1:1
	host terror 2 ::2:1
	host orange 3 ::3:1
	host haze 4 ::4:1
	host spirit 9 ::9:1
	host groove 10 ::10:1
defnet anycast trusted
	addr 172.29.199.224/27 2001:8b0:c92:0::/64
	via dmz unsafe safe untrusted vpn nvpn
defnet default scary
	addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
		2001:8b0:c92::/48
	via dmz unsafe untrusted
defnet upn untrusted
	addr 172.29.198.160/27 2001:8b0:c92:a000::/64
	via househub
	host national 1 ::1:1
	host mdwdev 2 ::2:1

## Linode hosts.
defhost national
	iface eth0 default
	iface vpn-precision househub

## Satellite networks.
defnet binswood vpnnat
	addr 10.165.27.0/24
	via househub
defhost mango
	hosttype router
	iface eth0 binswood default
	iface vpn-precision dmz default

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Connection tracking helper modules.

for i in ftp; do
  modprobe nf_conntrack_$i
done

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.

case $forward in
  1)

    ## Only allow these packets if they're not fragmented.  (Don't trust safe
    ## hosts's fragment reassembly to be robust against malicious fragments.)
    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
    ## of `! -f', so we do the negation using early return from a subchain.
    clearchain fwd-spec-nofrag
    run iptables -A fwd-spec-nofrag -j RETURN --fragment
    run ip6tables -A fwd-spec-nofrag -j RETURN \
	    -m ipv6header --soft --header frag
    run ip46tables -A FORWARD -j fwd-spec-nofrag

    ## Allow ping from safe/noloop to untrusted networks.
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run iptables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmp --icmp-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-request \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
	    -p icmpv6 --icmpv6-type echo-reply \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ## Allow SSH from safe/noloop to untrusted networks.
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --destination-port $port_ssh \
	    -m mark --mark $to_untrusted/$MASK_TO
    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
	    -p tcp --source-port $port_ssh \
	    -m mark --mark $from_untrusted/$MASK_FROM \
	    -m state --state ESTABLISHED

    ;;
esac

m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
### I don't like having to do this, but since I don't know how to do proper
### multicast filtering, I'm just going to ban it from being forwarded.

errorchain poorly-understood REJECT

## Ban multicast destination addresses in forwarding.
case $forward in
  1)
    run iptables -A FORWARD -g poorly-understood \
	    -d 224.0.0.0/4
    run ip6tables -A FORWARD -g poorly-understood \
	    -d ff::/8
    ;;
esac

m4_divert(82)m4_dnl
###--------------------------------------------------------------------------
### Check for source routing.

clearchain check-srcroute

run iptables -A check-srcroute -g forbidden \
    -m ipv4options --any --flags lsrr,ssrr
run ip6tables -A check-srcroute -g forbidden \
    -m rt

for c in INPUT FORWARD; do
  for m in $from_scary $from_untrusted; do
    run ip46tables -A $c -m mark --mark $m/$MASK_FROM -j check-srcroute
  done
done

m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.

clearchain inbound
clearchain inbound-untrusted

## Track connections.
commonrules inbound
conntrack inbound

## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
## local request.
run iptables -A inbound -j ACCEPT \
	-s 0.0.0.0 -d 255.255.255.255 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps
run iptables -A inbound -j ACCEPT \
	-s 172.29.198.0/23 \
	-p udp --source-port $port_bootpc --destination-port $port_bootps

## Allow incoming ping.  This is the only ICMP left.
run iptables -A inbound -j ACCEPT -p icmp
run ip6tables -A inbound -j ACCEPT -p icmpv6

m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound

## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound

## Allow responses from the scary outside world into the untrusted net, but
## don't let untrusted things run services.
case $forward in
  1)
    run ip46tables -A FORWARD -j ACCEPT \
	-m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
	-m state --state ESTABLISHED,RELATED
    ;;
esac

## Otherwise process as indicated by the mark.
for i in $inchains; do
  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done

m4_divert(-1)
###----- That's all, folks --------------------------------------------------