defhost gibson
hosttype client
- iface eth0 unsafe
+ iface eth0.5 unsafe
## Colocated networks.
defnet jump trusted
defhost stratocaster
iface eth0 jump colo
iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
defhost jazz
hosttype router
iface eth0 jump colo vpn
-p udp --source-port $port_bootpc --destination-port $port_bootps
## Allow incoming ping. This is the only ICMP left.
-run ip46tables -A inbound -j ACCEPT -p icmp
+run iptables -A inbound -j ACCEPT -p icmp
+run ip6tables -A inbound -j ACCEPT -p icmpv6
m4_divert(88)m4_dnl
## Allow unusual things.
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Allow responses from the scary outside world into the untrusted net, but