local.m4, etc.: Establish `inbound-untrusted' chain and deploy.

[firewall] / jem.m4

diff --git a/jem.m4 b/jem.m4
index f34aa71..5f79248 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -36,14 +36,13 @@ iptables -A inbound -g sauce -m set --match-set sauce src || :
 allowservices inbound tcp \
        ssh \
        ident \
-       smtp submission \
-       http https \
-       imaps
+       imaps \
+       http https rsync \
+       git
 
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-         -s 172.29.198.0/24 \
+  run ip46tables -A inbound -j ACCEPT \
          -p $p --destination-port $port_dns
 done