eggle.m4, local.m4, local.mk: Add new VPS `eggle'.
diff --git
a/local.m4
b/local.m4
index
fc6dae2
..
b0a1770
100644
(file)
--- a/
local.m4
+++ b/
local.m4
@@
-39,14
+39,10
@@
m4_divert(-1)
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
-## 81.2.113.195, 81.187.238.128/28
+## 81.2.113.195, 81.187.238.128/28
, 217.169.12.64/28
## House border network (dmz). We have all of these; the loose
## address is for the router.
##
## House border network (dmz). We have all of these; the loose
## address is for the router.
##
-## 212.13.18.64/28
-## Jump colocated network (jump). .65--68 are used by Jump
-## network infrastructure; we get the rest.
-##
## The latter is the block 172.29.196.0/22. Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
## The latter is the block 172.29.196.0/22. Currently the low half is
## unallocated (and may be returned to the G-RIN); the remaining addresses
## are allocated as follows.
@@
-74,13
+70,6
@@
m4_divert(-1)
## Main house range (aaisp). See below for allocation policy.
## There is no explicit DMZ allocation (and no need for one).
##
## Main house range (aaisp). See below for allocation policy.
## There is no explicit DMZ allocation (and no need for one).
##
-## 2001:ba8:0:1d9::/64
-## Jump border network (jump): :1 is the router (supplied by
-## Jump); other addresses are ours.
-##
-## 2001:ba8:1d9::/48
-## Main colocated range. See below for allocation policy.
-##
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
## Addresses in the /64 networks are simply allocated in ascending order.
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
@@
-101,12
+90,7
@@
m4_divert(-1)
##
## 0 No specific site: mobile VPN endpoints or anycast addresses.
## 1 House.
##
## 0 No specific site: mobile VPN endpoints or anycast addresses.
## 1 House.
-## 2 Jump colocation.
## fff Local border network.
## fff Local border network.
-##
-## Usually site-0 networks are allocated from the Jump range to improve
-## expected performance from/to external sites which don't engage in our
-## dynamic routing protocols.
## Define the available network classes.
m4_divert(42)m4_dnl
## Define the available network classes.
m4_divert(42)m4_dnl
@@
-127,7
+111,7
@@
m4_divert(26)m4_dnl
## House networks.
defnet dmz trusted
## House networks.
defnet dmz trusted
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
+ addr 81.2.113.195 81.187.238.128/28 2
17.169.12.64/28 2
001:8b0:c92:fff::/64
via unsafe untrusted
defnet unsafe trusted
addr 172.29.199.0/25 2001:8b0:c92:1::/64
via unsafe untrusted
defnet unsafe trusted
addr 172.29.199.0/25 2001:8b0:c92:1::/64
@@
-147,13
+131,13
@@
defnet housebdry virtual
## House hosts.
defhost radius
hosttype router
## House hosts.
defhost radius
hosttype router
- iface eth0 dmz unsafe safe untrusted vpn sgo
colobdry
default
- iface eth1 dmz unsafe safe untrusted vpn sgo
colobdry
default
- iface eth2 dmz unsafe safe untrusted vpn sgo
colobdry
+ iface eth0 dmz unsafe safe untrusted vpn sgo default
+ iface eth1 dmz unsafe safe untrusted vpn sgo default
+ iface eth2 dmz unsafe safe untrusted vpn sgo
iface eth3 unsafe untrusted vpn default
iface ppp0 default
iface t6-he default
iface eth3 unsafe untrusted vpn default
iface ppp0 default
iface t6-he default
- iface vpn-precision
colobdry
vpn sgo
+ iface vpn-precision vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost roadstar
iface vpn-chiark sgo
iface vpn-+ vpn
defhost roadstar
@@
-172,11
+156,11
@@
defhost artist
iface eth3 unsafe untrusted
defhost vampire
hosttype router
iface eth3 unsafe untrusted
defhost vampire
hosttype router
- iface eth0.4 dmz unsafe untrusted safe vpn sgo
colobdry
- iface eth0.5 dmz unsafe untrusted safe vpn sgo
colobdry
- iface eth0.6 dmz unsafe safe untrusted vpn sgo
colobdry
+ iface eth0.4 dmz unsafe untrusted safe vpn sgo
+ iface eth0.5 dmz unsafe untrusted safe vpn sgo
+ iface eth0.6 dmz unsafe safe untrusted vpn sgo
iface eth0.7 unsafe untrusted vpn
iface eth0.7 unsafe untrusted vpn
- iface vpn-precision
colobdry
vpn sgo
+ iface vpn-precision vpn sgo
iface vpn-chiark sgo
iface vpn-+ vpn
defhost ibanez
iface vpn-chiark sgo
iface vpn-+ vpn
defhost ibanez
@@
-194,65
+178,56
@@
defhost gibson
hosttype client
iface eth0 unsafe
hosttype client
iface eth0 unsafe
-## Colocated networks.
-defnet jump trusted
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- via colohub
-defnet colo trusted
- addr 172.29.199.176/28 2001:ba8:1d9:2::/64
- via colohub
-defnet colohub virtual
- via colobdry jump colo
-defnet colobdry virtual
- via colohub hub
-defnet iodine untrusted
- addr 172.29.198.128/28
- via colohub
-defnet hippotat untrusted
- addr 172.29.198.144/28
- via colohub
-
-## Colocated hosts.
+## Formerly colocated hosts.
defhost fender
defhost fender
- iface br-
jump jump colo
- iface br-
colo jump colo
+ iface br-
dmz dmz unsafe
+ iface br-
unsafe dmz unsafe
defhost precision
hosttype router
defhost precision
hosttype router
- iface eth0
jump colo
vpn sgo
- iface eth1
jump colo
vpn sgo
+ iface eth0
dmz unsafe
vpn sgo
+ iface eth1
dmz unsafe
vpn sgo
iface vpn-mango binswood
iface vpn-mango binswood
- iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
iface vpn-national upn
iface vpn-mdwdev upn
iface vpn-chiark sgo
iface vpn-national upn
iface vpn-mdwdev upn
+ iface vpn-eggle upn
iface vpn-+ vpn
defhost telecaster
iface vpn-+ vpn
defhost telecaster
- iface eth0
jump col
o
- iface eth1
jump col
o
+ iface eth0
dmz unsafe vpn sg
o
+ iface eth1
dmz unsafe vpn sg
o
defhost stratocaster
defhost stratocaster
- iface eth0
jump col
o
- iface eth1
jump col
o
+ iface eth0
dmz unsafe vpn sg
o
+ iface eth1
dmz unsafe vpn sg
o
defhost jazz
hosttype router
defhost jazz
hosttype router
- iface eth0
jump colo vpn
- iface eth1
jump colo vpn
+ iface eth0
dmz unsafe vpn sgo
+ iface eth1
dmz unsafe vpn sgo
iface dns0 iodine
iface hippo-svc hippotat
iface vpn-+ vpn
iface dns0 iodine
iface hippo-svc hippotat
iface vpn-+ vpn
+## Stunt connectivity networks.
+defnet iodine untrusted
+ addr 172.29.198.128/28
+ via colohub
+defnet hippotat untrusted
+ addr 172.29.198.144/28
+ via colohub
+
+
## Other networks.
defnet hub virtual
## Other networks.
defnet hub virtual
- via housebdry
colobdry
+ via housebdry
defnet sgo noloop
addr !172.29.198.0/23
addr !10.165.27.0/24
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
defnet sgo noloop
addr !172.29.198.0/23
addr !10.165.27.0/24
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
- via househub
colohub
+ via househub
defnet vpn trusted
defnet vpn trusted
- addr 172.29.199.128/27 2001:
ba8:1d9
:6000::/64
- via househub
colohub
+ addr 172.29.199.128/27 2001:
8b0:c92
:6000::/64
+ via househub
host crybaby 1 ::1:1
host terror 2 ::2:1
host orange 3 ::3:1
host crybaby 1 ::1:1
host terror 2 ::2:1
host orange 3 ::3:1
@@
-260,32
+235,35
@@
defnet vpn trusted
host spirit 9 ::9:1
host groove 10 ::10:1
defnet anycast trusted
host spirit 9 ::9:1
host groove 10 ::10:1
defnet anycast trusted
- addr 172.29.199.224/27 2001:
ba8:1d9
:0::/64
- via dmz unsafe safe untrusted
jump colo
vpn
+ addr 172.29.199.224/27 2001:
8b0:c92
:0::/64
+ via dmz unsafe safe untrusted
vpn n
vpn
defnet default scary
defnet default scary
- addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- addr 2001:ba8:1d9::/48 #temporary
- via dmz unsafe untrusted jump colo
+ addr 81.2.113.195 81.187.238.128/28 217.169.12.64/28 \
+ 2001:8b0:c92::/48
+ via dmz unsafe untrusted
defnet upn untrusted
defnet upn untrusted
- addr 172.29.198.160/27 2001:
ba8:1d9
:a000::/64
- via
colo
hub
+ addr 172.29.198.160/27 2001:
8b0:c92
:a000::/64
+ via
house
hub
host national 1 ::1:1
host mdwdev 2 ::2:1
host national 1 ::1:1
host mdwdev 2 ::2:1
+ host eggle 3 ::3:1
-## Linode hosts.
+## VPS hosts.
+defhost eggle
+ iface eth0 default
+ iface vpn-precision househub
defhost national
iface eth0 default
defhost national
iface eth0 default
- iface vpn-precision
colo
hub
+ iface vpn-precision
house
hub
## Satellite networks.
defnet binswood vpnnat
addr 10.165.27.0/24
## Satellite networks.
defnet binswood vpnnat
addr 10.165.27.0/24
- via
colo
hub
+ via
house
hub
defhost mango
hosttype router
iface eth0 binswood default
defhost mango
hosttype router
iface eth0 binswood default
- iface vpn-precision
colo
default
+ iface vpn-precision
dmz
default
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
@@
-407,7
+385,6
@@
openports inbound
## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
## Inspect inbound packets from untrusted sources.
run iptables -A inbound -s 172.29.198.0/24 -g inbound-untrusted
run ip6tables -A inbound -s 2001:8b0:c92:8000::/49 -g inbound-untrusted
-run ip6tables -A inbound -s 2001:ba8:1d9:8000::/49 -g inbound-untrusted
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A inbound-untrusted -g forbidden
run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
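Review bot: In the hunk at `@@ -194,65 +178,56 @@`, the re-added `defnet iodine untrusted` and `defnet hippotat untrusted` blocks still say `via colohub`, but `defnet colohub virtual` (and `colobdry`) is deleted by the same hunk, so both untrusted networks now reference a network that no longer exists. Every other `via colohub` touched by this commit (upn, binswood, national) becomes `via househub`, so `  via househub` looks like the intended line for both. Whether defnet rejects an unknown via network or silently ignores it depends on the macro definitions outside this page, so I would confirm by building the rule set before relying on the `inbound-untrusted` classification of 172.29.198.128/28 and 172.29.198.144/28. The same hunk also moves these two defnets below `defhost jazz`, which references them via `iface dns0 iodine` and `iface hippo-svc hippotat`; if defhost requires a network to be defined first, that ordering change needs checking as well.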