defhost gibson
hosttype client
- iface eth0 unsafe
+ iface eth0.5 unsafe
## Colocated networks.
defnet jump trusted
defhost stratocaster
iface eth0 jump colo
iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
defhost jazz
hosttype router
iface eth0 jump colo vpn
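Review bot: Moving gibson's `unsafe` interface from `eth0` to `eth0.5` leaves the parent `eth0` with no declared network on that host, and nothing visible here says how traffic on an undeclared interface is treated. If `eth0.5` is a tagged sub-interface (inferred from the name only), untagged frames arriving on `eth0` are no longer covered by the `unsafe` classification, so it is worth confirming that undeclared interfaces are denied by default. A short comment above the line would record the intent, for example `## eth0.5 carries the unsafe net; bare eth0 is deliberately left unclassified.`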
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Allow responses from the scary outside world into the untrusted net, but
-## don't let untrusted things run services. [EXPERIMENTAL]
+## don't let untrusted things run services.
case $forward in
1)
run ip46tables -A FORWARD -j ACCEPT \
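Review bot: The added `INPUT` rule sends packets marked `$from_scary` into the same `inbound` chain as `$from_untrusted`, so any ACCEPT rules in `inbound` that were written for the untrusted net now also apply to scary-origin traffic. The body of `inbound` is outside this hunk (only its final `-j forbidden` is visible), so it should be checked that each allowance there is meant for both sources. The comment above the rules still reads "from untrusted sources" and should become `## Inspect inbound packets from scary and untrusted sources.` The `case $forward` block continues past the end of the hunk.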