Makefile, base.m4: Inject the target hostname into the generated script.

[firewall] / jem.m4

diff --git a/jem.m4 b/jem.m4
index 78574f1..c91a104 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -50,6 +50,13 @@ m4_divert(-1)
 ### jem-specific rules.
 
 m4_divert(82)m4_dnl
+## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
+## isn't a completely critical part of the firewall security, so don't make
+## this fail the entire script.
+errorchain sauce REJECT
+makeset sauce iphash || :
+iptables -A inbound -g sauce -m set --match-set sauce src || :
+
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
@@ -65,15 +72,5 @@ for p in tcp udp; do
          -p $p --destination-port $port_dns
 done
 
-## Allow smb and nmb to untrusted hosts.  This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p udp -m multiport --destination-ports \
-               $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p tcp -m multiport --destination-ports \
-               $port_netbios_ssn,$port_microsoft_ds
-
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------