local.m4: Don't expect `forbidden' to return.
diff --git
a/local.m4
b/local.m4
index
5dfb3a0
..
c16f94e
100644
(file)
--- a/
local.m4
+++ b/
local.m4
@@
-54,6
+54,7
@@
m4_divert(-1)
## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
+## .144/28 hippotat (IP-over-HTTP) network
## .160/27 untrusted virtual network
##
## 172.29.199.0/24 Trusted networks.
## .160/27 untrusted virtual network
##
## 172.29.199.0/24 Trusted networks.
@@
-190,7
+191,7
@@
defhost groove
defhost gibson
hosttype client
defhost gibson
hosttype client
- iface eth0
.5
unsafe
+ iface eth0 unsafe
## Colocated networks.
defnet jump trusted
## Colocated networks.
defnet jump trusted
@@
-206,6
+207,9
@@
defnet colobdry virtual
defnet iodine untrusted
addr 172.29.198.128/28
via colohub
defnet iodine untrusted
addr 172.29.198.128/28
via colohub
+defnet hippotat untrusted
+ addr 172.29.198.144/28
+ via colohub
## Colocated hosts.
defhost fender
## Colocated hosts.
defhost fender
@@
-231,6
+235,7
@@
defhost jazz
iface eth0 jump colo vpn
iface eth1 jump colo vpn
iface dns0 iodine
iface eth0 jump colo vpn
iface eth1 jump colo vpn
iface dns0 iodine
+ iface hippo-svc hippotat
iface vpn-+ vpn
## Other networks.
iface vpn-+ vpn
## Other networks.
@@
-242,7
+247,7
@@
defnet sgo noloop
addr 172.16.0.0/12
addr 192.168.0.0/16
via househub colohub
addr 172.16.0.0/12
addr 192.168.0.0/16
via househub colohub
-defnet vpn
safe
+defnet vpn
trusted
addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
via househub colohub
host crybaby 1 ::1:1
addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
via househub colohub
host crybaby 1 ::1:1
@@
-377,7
+382,7
@@
m4_divert(88)m4_dnl
openports inbound
## Inspect inbound packets from untrusted sources.
openports inbound
## Inspect inbound packets from untrusted sources.
-run ip46tables -A inbound -
j
forbidden
+run ip46tables -A inbound -
g
forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
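Review bot: Switching `inbound -j forbidden` to `-g forbidden` changes what happens when `forbidden` does not terminate the packet: a RETURN (or falling off the end of the chain) no longer resumes in `inbound` after this rule but unwinds to the chain that last entered with `-j`, which here, since INPUT itself uses `-g inbound`, appears to be the built-in INPUT policy. That is presumably the intent behind the commit title, but it only fails closed if INPUT's policy is DROP, which this hunk does not show, and the definition of `forbidden` is outside the hunk, so whether its last rule is terminating cannot be checked here. Consider recording the reliance in the comment, e.g. `## Hand off (-g, not -j) to forbidden: it must end in DROP/REJECT; anything it lets through unwinds to INPUT's policy, not back into inbound.` The commit message covers only this hunk, while the earlier hunks also add the hippotat network, drop the `.5` VLAN suffix from gibson's eth0, and reclassify `vpn` from `safe` to `trusted`; a line on each in the description would help whoever audits this rule set later.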