local.m4: Promote the NTP server configuration to a proper variable.

[firewall] / jem.m4

diff --git a/jem.m4 b/jem.m4
index c877300..1f74d59 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,10 +49,18 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
+## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
+## isn't a completely critical part of the firewall security, so don't make
+## this fail the entire script.
+errorchain sauce REJECT
+makeset sauce iphash || :
+iptables -A inbound -g sauce -m set --match-set sauce src || :
+
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
+       ident \
        smtp submission \
        http https \
        imaps
@@ -64,15 +72,5 @@ for p in tcp udp; do
          -p $p --destination-port $port_dns
 done
 
-## Allow smb and nmb to untrusted hosts.  This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p udp -m multiport --destination-ports \
-               $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p tcp -m multiport --destination-ports \
-               $port_netbios_ssn,$port_microsoft_ds
-
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------