~mdw / firewall / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
local.m4, etc.: Establish `inbound-untrusted' chain and deploy.
[firewall] / fender.m4
diff --git a/fender.m4 b/fender.m4
index 07a441d..77a08fe 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -34,15 +34,8 @@ allowservices inbound tcp \
 ntpclient inbound $ntp_servers
 
 ## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:8b0:c92::/48
+run ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+         --source-port 123 --destination-port 123
 
 ## Guaranteed black hole.  Put this at the very front of the chain.
 run iptables -I INPUT -d 212.13.198.78 -j DROP
Firewall scripts for distorted.org.uk.