local.m4, etc.: Establish `inbound-untrusted' chain and deploy.

[firewall] / vampire.m4

diff --git a/vampire.m4 b/vampire.m4
index 48d25b3..f134bb0 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -35,11 +35,6 @@ allowservices inbound udp \
        gnutella_svc \
        i2p
 
-## Extend some services to local untrusted hosts.
-clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
-run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
-
 allowservices inbound-untrusted tcp \
        dns \
        lpd \
@@ -63,15 +58,8 @@ dnsserver inbound
 ntpclient inbound $ntp_servers
 
 ## Provide NTP service to untrusted clients.
-run iptables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 172.29.198.0/23
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:ba8:1d9::/48
-run ip6tables -A inbound -p udp -j ACCEPT \
-       --source-port 123 --destination-port 123 \
-       -s 2001:8b0:c92::/48
+ip46tables -A inbound-untrusted -p udp -j ACCEPT \
+       --source-port 123 --destination-port 123
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------