functions.m4, local.m4: Workaround for option parser fragmentation bugs.

[firewall] / local.m4

diff --git a/local.m4 b/local.m4
index b321cde..f6b5f46 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -1,4 +1,4 @@
-### -*-m4-*-
+### -*-sh-*-
 ###
 ### Local firewall configuration
 ###
@@ -38,40 +38,83 @@ m4_divert(-1)m4_dnl
 m4_divert(46)m4_dnl
 ## Networks and routing.
 
-defiface $if_trusted \
-       trusted:172.29.199.0/26 \
-       safe:172.29.199.64/27 \
-       untrusted:default
 defiface $if_untrusted \
        untrusted:172.29.198.0/25
 defvpn $if_vpn safe 172.29.199.128/27 \
-       crybaby:172.29.199.129
+       crybaby:172.29.199.129 \
+       terror:172.29.199.130
 defiface $if_iodine untrusted:172.29.198.128/28
 defiface $if_its_mz safe:172.29.199.160/30
 defiface $if_its_pi safe:192.168.0.0/24
+defiface $if_trusted \
+       trusted:172.29.199.0/26 \
+       safe:172.29.199.64/27 \
+       untrusted:default
+
+## Default NTP servers.
+ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
 
 m4_divert(60)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
+## Only allow these packets if they're not fragmented.  (Don't trust safe
+## hosts's fragment reassembly to be robust against malicious fragments.)
+## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
+## `! -f', so we do the negation using early return from a subchain.
+clearchain fwd-spec-nofrag
+run iptables -A fwd-spec-nofrag -j RETURN --fragment
+run ip6tables -A fwd-spec-nofrag -j RETURN \
+       -m ipv6header --soft --header frag
+run iptables -A FORWARD -j fwd-spec-nofrag
+
 ## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-       -p icmp ! -f --icmp-type echo-request \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p icmp --icmp-type echo-request \
+       -m mark --mark $to_untrusted/$MASK_TO
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p icmp --icmp-type echo-reply \
+       -m mark --mark $from_untrusted/$MASK_FROM \
+       -m state --state ESTABLISHED
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+       -p ipv6-icmp --icmpv6-type echo-request \
        -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-       -p icmp ! -f --icmp-type echo-reply \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+       -p ipv6-icmp --icmpv6-type echo-reply \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
 
 ## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-       -p tcp ! -f --destination-port $port_ssh \
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p tcp --destination-port $port_ssh \
+       -m mark --mark $to_untrusted/$MASK_TO
+run iptables -A fwd-spec-nofrag -j ACCEPT \
+       -p tcp --source-port $port_ssh \
+       -m mark --mark $from_untrusted/$MASK_FROM \
+       -m state --state ESTABLISHED
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+       -p tcp --destination-port $port_ssh \
        -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-       -p tcp ! -f --source-port $port_ssh \
+run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+       -p tcp --source-port $port_ssh \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
 
+m4_divert(60)m4_dnl
+###--------------------------------------------------------------------------
+### Kill things we don't understand properly.
+###
+### I don't like having to do this, but since I don't know how to do proper
+### multicast filtering, I'm just going to ban it from being forwarded.
+
+errorchain poorly-understood REJECT
+
+## Ban multicast destination addresses in forwarding.
+run iptables -A FORWARD -g poorly-understood \
+       -d 224.0.0.0/4
+run ip6tables -A FORWARD -g poorly-understood \
+       -d ff::/8
+
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
@@ -91,20 +134,27 @@ run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
 
+## Incoming broadcast multicast on a network interface associated with the
+## trusted network is OK, since it must have originated there (or been
+## forwarded, but we don't do that yet).
+run iptables -A inbound -j ACCEPT \
+       -s 0.0.0.0 -d 224.0.0.0/24 \
+       -i $if_trusted
+
 ## Allow incoming ping.  This is the only ICMP left.
-run iptables -A inbound -j ACCEPT -p icmp
+run ip46tables -A inbound -j ACCEPT -p icmp
 
 m4_divert(88)m4_dnl
 ## Allow unusual things.
 openports inbound
 
 ## Inspect inbound packets from untrusted sources.
-run iptables -A inbound -j forbidden
-run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
 for i in INPUT FORWARD; do
-  run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
 done
 
 m4_divert(-1)