Rate limiting for incoming DNS queries over UDP.

[firewall] / local.m4

diff --git a/local.m4 b/local.m4
index 410e523..d57b53d 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -74,7 +74,7 @@ defhost radius
        hosttype router
        iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
        iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
-       iface eth2 safe vpn
+       iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
        iface eth3 untrusted vpn default
        iface t6-he default
        iface vpn-precision colobdry vpn sgo
@@ -95,7 +95,7 @@ defhost vampire
        hosttype router
        iface eth0.0 dmz unsafe untrusted safe vpn sgo colobdry
        iface eth0.1 dmz unsafe untrusted safe vpn sgo colobdry
-       iface eth0.2 safe
+       iface eth0.2 dmz unsafe safe untrusted vpn sgo colobdry
        iface eth0.3 untrusted
        iface dns0 iodine
        iface vpn-precision colobdry vpn sgo
@@ -200,17 +200,10 @@ case $forward in
            -m state --state ESTABLISHED
 
     ## Allow SSH from safe/noloop to untrusted networks.
-    run iptables -A fwd-spec-nofrag -j ACCEPT \
+    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --destination-port $port_ssh \
            -m mark --mark $to_untrusted/$MASK_TO
-    run iptables -A fwd-spec-nofrag -j ACCEPT \
-           -p tcp --source-port $port_ssh \
-           -m mark --mark $from_untrusted/$MASK_FROM \
-           -m state --state ESTABLISHED
-    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-           -p tcp --destination-port $port_ssh \
-           -m mark --mark $to_untrusted/$MASK_TO
-    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --source-port $port_ssh \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED