## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
+## .160/27 untrusted virtual network
##
## 172.29.199.0/24 Trusted networks.
## .0/25 house wired network
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
##
+## axxx Virtual, untrusted
## 8xxx Untrusted
## 6xxx Virtual, safe
## 4xxx Safe
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted mcast
-defnetclass trusted untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass scary scary trusted mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
defnetclass link
defnetclass mcast
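Review bot: The new `scary` class on L21 is introduced without any comment saying what it stands for or how it differs from `untrusted`, and the `defnetclass` argument list (the peer classes each line names) is itself undocumented, so the widened lists on L22-L23 cannot be checked against intent. Judging from L62, where the `default` net moves from `untrusted` to `scary`, it presumably denotes the public Internet; a comment above L21 such as `## scary: the outside world (the default net); strictly less trusted than untrusted` would record that. It would also help to extend the L15 comment to say which direction the peer list expresses, e.g. `## defnetclass CLASS PEER...: PEER are the classes CLASS may exchange traffic with -- confirm direction against the rule generator`.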
iface vpn-radius unsafe
defhost groove
iface eth0 unsafe
+ iface wlan0 untrusted
+ iface vpn-radius unsafe
defhost gibson
hosttype client
- iface eth0 unsafe
+ iface eth0.5 unsafe
## Colocated networks.
defnet jump trusted
iface vpn-mango binswood
iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
+ iface vpn-national upn
iface vpn-+ vpn
defhost telecaster
iface eth0 jump colo
defhost stratocaster
iface eth0 jump colo
iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
defhost jazz
hosttype router
iface eth0 jump colo vpn
host terror 2 ::2:1
host orange 3 ::3:1
host haze 4 ::4:1
+ host groove 5 ::5:1
defnet anycast trusted
addr 172.29.199.224/27 2001:ba8:1d9:0::/64
via dmz unsafe safe untrusted jump colo vpn
-defnet default untrusted
+defnet default scary
addr 62.49.204.144/28 2001:470:1f09:1b98::/64
addr 212.13.198.64/28 2001:ba8:0:1d9::/64
addr 2001:ba8:1d9::/48 #temporary
via dmz unsafe untrusted jump colo
+defnet upn untrusted
+ addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
+ via colohub
+ host national 1 ::1:1
+
+## Linode hosts.
+defhost national
+ iface eth0 default
+ iface vpn-precision colohub
## Satellite networks.
defnet binswood noloop
addr 10.165.27.0/24
via colohub
-
defhost mango
hosttype router
iface eth0 binswood default
-p udp --source-port $port_bootpc --destination-port $port_bootps
## Allow incoming ping. This is the only ICMP left.
-run ip46tables -A inbound -j ACCEPT -p icmp
+run iptables -A inbound -j ACCEPT -p icmp
+run ip6tables -A inbound -j ACCEPT -p icmpv6
m4_divert(88)m4_dnl
## Allow unusual things.
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
## Otherwise process as indicated by the mark.
for i in $inchains; do
run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
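Review bot: The `ip6tables` rule on L88 accepts every ICMPv6 type, not just echo-request, so the comment on L85 (`Allow incoming ping. This is the only ICMP left.`) now overstates what is filtered; if the earlier part of the `inbound` chain, outside this hunk, has already disposed of the other types as the comment implies, say so there, otherwise narrow both rules to `-p icmp --icmp-type echo-request` and `-p icmpv6 --icmpv6-type echo-request` (bearing in mind that ND/MLD traffic, if it reaches this chain at all, must then be admitted separately). In the FORWARD rule added at L99-L101, `RELATED` admits not only ICMP errors but any flow expected by a loaded conntrack helper, so on a path from the Internet into the untrusted net it is wider than the "responses" the L95 comment describes; unless helpers are deliberately relied on, `ESTABLISHED` alone plus an explicit error-ICMP accept is the tighter reading of that comment. `-m state --state` on L101 is the legacy spelling of `-m conntrack --ctstate ESTABLISHED,RELATED`; switching is a style point only.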