## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
-## 81.2.113.195, 81.187.238.128/28
+## 81.2.113.195, 81.187.238.128/28, 217.169.12.64/28
## House border network (dmz). We have all of these; the loose
## address is for the router.
##
-## 212.13.18.64/28
-## Jump colocated network (jump). .65--68 are used by Jump
-## network infrastructure; we get the rest.
-##
## The latter is the block 172.29.196.0/22. Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
## Main house range (aaisp). See below for allocation policy.
## There is no explicit DMZ allocation (and no need for one).
##
-## 2001:ba8:0:1d9::/64
-## Jump border network (jump): :1 is the router (supplied by
-## Jump); other addresses are ours.
-##
-## 2001:ba8:1d9::/48
-## Main colocated range. See below for allocation policy.
-##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
##
## 0 No specific site: mobile VPN endpoints or anycast addresses.
## 1 House.
-## 2 Jump colocation.
## fff Local border network.
-##
-## Usually site-0 networks are allocated from the Jump range to improve
-## expected performance from/to external sites which don't engage in our
-## dynamic routing protocols.
## Define the available network classes.
m4_divert(42)m4_dnl
## House networks.
defnet dmz trusted
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
+ addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 2001:8b0:c92:fff::/64
via unsafe untrusted
defnet unsafe trusted
addr 172.29.199.0/25 2001:8b0:c92:1::/64
## House hosts.
defhost radius
hosttype router
- iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0 dmz unsafe safe untrusted vpn sgo default
+ iface eth1 dmz unsafe safe untrusted vpn sgo default
+ iface eth2 dmz unsafe safe untrusted vpn sgo
iface eth3 unsafe untrusted vpn default
iface ppp0 default
iface t6-he default
- iface vpn-precision colobdry vpn sgo
+ iface vpn-precision vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost roadstar
iface eth3 unsafe untrusted
defhost vampire
hosttype router
- iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0.4 dmz unsafe untrusted safe vpn sgo
+ iface eth0.5 dmz unsafe untrusted safe vpn sgo
+ iface eth0.6 dmz unsafe safe untrusted vpn sgo
iface eth0.7 unsafe untrusted vpn
- iface vpn-precision colobdry vpn sgo
+ iface vpn-precision vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost ibanez
hosttype client
iface eth0 unsafe
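Review bot: the public address list on the `defnet dmz` `addr` line (81.2.113.195 81.187.238.128/28 217.169.12.64/28 plus the border /64) is repeated almost verbatim in the `defnet default` block further down, and this patch has to touch both copies to add 217.169.12.64/28. Since the file is already processed by m4 (`m4_divert`, `m4_dnl`), consider defining the public IPv4 prefix list once with `m4_define` and expanding it in both places, so the next address change cannot leave the two lists out of step.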
-## Colocated networks.
-defnet jump trusted
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- via colohub
-defnet colo trusted
- addr 172.29.199.176/28 2001:ba8:1d9:2::/64
- via colohub
-defnet colohub virtual
- via colobdry jump colo
-defnet colobdry virtual
- via colohub hub
-defnet iodine untrusted
- addr 172.29.198.128/28
- via colohub
-defnet hippotat untrusted
- addr 172.29.198.144/28
- via colohub
-
-## Colocated hosts.
+## Formerly colocated hosts.
defhost fender
- iface br-jump jump colo
- iface br-colo jump colo
+ iface br-dmz dmz unsafe
+ iface br-unsafe dmz unsafe
defhost precision
hosttype router
- iface eth0 jump colo vpn sgo
- iface eth1 jump colo vpn sgo
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
iface vpn-mango binswood
- iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
iface vpn-national upn
iface vpn-mdwdev upn
+ iface vpn-eggle upn
iface vpn-+ vpn
defhost telecaster
- iface eth0 jump colo
- iface eth1 jump colo
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
defhost stratocaster
- iface eth0 jump colo
- iface eth1 jump colo
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
defhost jazz
hosttype router
- iface eth0 jump colo vpn
- iface eth1 jump colo vpn
+ iface eth0 dmz unsafe vpn sgo
+ iface eth1 dmz unsafe vpn sgo
iface dns0 iodine
iface hippo-svc hippotat
iface vpn-+ vpn
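Review bot: the interface lists for telecaster and stratocaster widen from `jump colo` to `dmz unsafe vpn sgo`, and jazz's eth0/eth1 gain `sgo` they did not have before; for two non-router hosts this admits vpn and sgo traffic on their wired interfaces for the first time, which is more than the house clients (ibanez `eth0 unsafe`, roadstar `eth3 unsafe untrusted`) get. If the intent is only "these hosts now sit on the house dmz/unsafe VLANs", `dmz unsafe` alone would match the move; otherwise a one-line comment saying why the extra classes are needed would help. Separately, precision loses `iface vpn-radius housebdry vpn sgo` while radius and vampire keep their `iface vpn-precision vpn sgo` entries: either the tunnel is gone and those two entries are now stale, or it is kept for vpn/sgo transit and precision needs a matching `vpn-radius` line.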
+## Stunt connectivity networks.
+defnet iodine untrusted
+ addr 172.29.198.128/28
+ via colohub
+defnet hippotat untrusted
+ addr 172.29.198.144/28
+ via colohub
+
+
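Review bot: the re-added `defnet iodine` and `defnet hippotat` blocks still say `via colohub`, but `defnet colohub virtual` (and `colobdry`) are deleted earlier in this patch, so after it applies these two networks route via an undefined class. Every other `via colohub` the patch touches (sgo, vpn, upn, national, binswood) becomes `via househub`; the same substitution is almost certainly wanted here. Also, the block is followed by two blank lines where the rest of the file uses one.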
## Other networks.
defnet hub virtual
- via housebdry colobdry
+ via housebdry
defnet sgo noloop
addr !172.29.198.0/23
addr !10.165.27.0/24
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
- via househub colohub
+ via househub
defnet vpn trusted
- addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
- via househub colohub
+ addr 172.29.199.128/27 2001:8b0:c92:6000::/64
+ via househub
host crybaby 1 ::1:1
host terror 2 ::2:1
host orange 3 ::3:1
host spirit 9 ::9:1
host groove 10 ::10:1
defnet anycast trusted
- addr 172.29.199.224/27 2001:ba8:1d9:0::/64
- via dmz unsafe safe untrusted jump colo vpn
+ addr 172.29.199.224/27 2001:8b0:c92:0::/64
+ via dmz unsafe safe untrusted vpn nvpn
defnet default scary
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- addr 2001:ba8:1d9::/48 #temporary
- via dmz unsafe untrusted jump colo
+ addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
+ 2001:8b0:c92::/48
+ via dmz unsafe untrusted
defnet upn untrusted
- addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
- via colohub
+ addr 172.29.198.160/27 2001:8b0:c92:a000::/64
+ via househub
host national 1 ::1:1
host mdwdev 2 ::2:1
+ host eggle 3 ::3:1
-## Linode hosts.
+## VPS hosts.
+defhost eggle
+ iface eth0 default
+ iface vpn-precision househub
defhost national
iface eth0 default
- iface vpn-precision colohub
+ iface vpn-precision househub
## Satellite networks.
defnet binswood vpnnat
addr 10.165.27.0/24
- via colohub
+ via househub
defhost mango
hosttype router
iface eth0 binswood default
- iface vpn-precision colo default
+ iface vpn-precision dmz default
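Review bot: the new `via` list for `defnet anycast` ends with `nvpn`, a class that is not defined anywhere in this file and does not appear in the list it replaces (`vpn` is already present, so it is not a rename). Confirm that `nvpn` is defined elsewhere in the configuration, or drop it, since an unknown class in a `via` list is exactly the kind of error that only shows up when the rules are generated. The `defnet default` block also introduces a backslash line continuation on its `addr` line (`... 217.169.12.64/28 \` followed by `2001:8b0:c92::/48`); no other `addr` line in the file is split this way, so check that the parser for these definitions accepts it rather than reading the /48 as a separate, malformed line.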
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
-run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
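Review bot: removing the `ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted` rule is consistent with the prefix also being dropped from `defnet default` (the line marked `#temporary`) and from every `addr` line above; nothing in the configuration now classifies the retired 2001:ba8:1d9::/48 at all. During the transition, any packet still arriving with a source in that range falls through to `run ip46tables -A inbound -g forbidden`, which is the safe direction, but it is worth a comment here so that a future reader does not re-add the rule thinking it was lost.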