local.m4, local.mk, national.m4: New virtual host `national'.
diff --git
a/local.m4
b/local.m4
index
7e7ad15
..
eb28dd7
100644
(file)
--- a/
local.m4
+++ b/
local.m4
@@
-54,6
+54,7
@@
m4_divert(-1)
## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
+## .160/27 untrusted virtual network
##
## 172.29.199.0/24 Trusted networks.
## .0/25 house wired network
##
## 172.29.199.0/24 Trusted networks.
## .0/25 house wired network
@@
-89,6
+90,7
@@
m4_divert(-1)
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
##
## The /48s are split into /64s by appending a 16-bit network number. The
## top nibble of the network number classifies the network, as follows.
##
+## axxx Virtual, untrusted
## 8xxx Untrusted
## 6xxx Virtual, safe
## 4xxx Safe
## 8xxx Untrusted
## 6xxx Virtual, safe
## 4xxx Safe
@@
-190,7
+192,7
@@
defhost groove
defhost gibson
hosttype client
defhost gibson
hosttype client
- iface eth0 unsafe
+ iface eth0
.5
unsafe
## Colocated networks.
defnet jump trusted
## Colocated networks.
defnet jump trusted
@@
-218,6
+220,7
@@
defhost precision
iface vpn-mango binswood
iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
iface vpn-mango binswood
iface vpn-radius housebdry vpn sgo
iface vpn-chiark sgo
+ iface vpn-national upn
iface vpn-+ vpn
defhost telecaster
iface eth0 jump colo
iface vpn-+ vpn
defhost telecaster
iface eth0 jump colo
@@
-225,8
+228,6
@@
defhost telecaster
defhost stratocaster
iface eth0 jump colo
iface eth1 jump colo
defhost stratocaster
iface eth0 jump colo
iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
defhost jazz
hosttype router
iface eth0 jump colo vpn
defhost jazz
hosttype router
iface eth0 jump colo vpn
@@
-259,12
+260,20
@@
defnet default scary
addr 212.13.198.64/28 2001:ba8:0:1d9::/64
addr 2001:ba8:1d9::/48 #temporary
via dmz unsafe untrusted jump colo
addr 212.13.198.64/28 2001:ba8:0:1d9::/64
addr 2001:ba8:1d9::/48 #temporary
via dmz unsafe untrusted jump colo
+defnet upn untrusted
+ addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
+ via colohub
+ host national 1 ::1:1
+
+## Linode hosts.
+defhost national
+ iface eth0 default
+ iface vpn-precision colohub
## Satellite networks.
defnet binswood noloop
addr 10.165.27.0/24
via colohub
## Satellite networks.
defnet binswood noloop
addr 10.165.27.0/24
via colohub
-
defhost mango
hosttype router
iface eth0 binswood default
defhost mango
hosttype router
iface eth0 binswood default
@@
-362,7
+371,8
@@
run iptables -A inbound -j ACCEPT \
-p udp --source-port $port_bootpc --destination-port $port_bootps
## Allow incoming ping. This is the only ICMP left.
-p udp --source-port $port_bootpc --destination-port $port_bootps
## Allow incoming ping. This is the only ICMP left.
-run ip46tables -A inbound -j ACCEPT -p icmp
+run iptables -A inbound -j ACCEPT -p icmp
+run ip6tables -A inbound -j ACCEPT -p icmpv6
m4_divert(88)m4_dnl
## Allow unusual things.
m4_divert(88)m4_dnl
## Allow unusual things.
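Review bot: The two new rules at the end of the section accept every ICMP and ICMPv6 type (`-p icmp` and `-p icmpv6` carry no `--icmp-type` restriction), yet the comment kept immediately above them still reads `## Allow incoming ping. This is the only ICMP left.`. Splitting the old `ip46tables` line is the right move, since ip6tables matches ICMPv6 as its own protocol, and for IPv6 admitting all types is the defensible choice because neighbour discovery and path-MTU discovery depend on it, so the comment should state what the rules now do rather than imply a ping-only allowance, e.g. `## Allow incoming ICMP/ICMPv6 of any type (ping, plus the ND and PMTU messages the v6 stack relies on).`. If the IPv4 side was genuinely meant to be ping only, that rule would want `--icmp-type echo-request`; the hunk does not show which was intended. The m4 diversion these rules belong to begins before the hunk.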