numbers.m4, telecaster.m4: TLS-enabled web cache.

[firewall] / fender.m4

diff --git a/fender.m4 b/fender.m4
index 05354bd..dda96f8 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -24,7 +24,7 @@
 ###--------------------------------------------------------------------------
 ### fender-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
@@ -33,5 +33,34 @@ allowservices inbound tcp \
 ## We have to provide NTP service.  The guests sync to our clock.
 ntpclient inbound $ntp_servers
 
+## Guaranteed black hole.  Put this at the very front of the chain.
+run iptables -I INPUT -d 212.13.198.78 -j DROP
+run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
+
+## Ethernet bridge-level filtering for source addresses.
+run ebtables -F
+for c in bad-source-addr check-eth0; do
+  run ebtables -X $c >/dev/null 2>&1 || :
+done
+for i in log limit ip ip6; do run modprobe ebt-$i; done
+run ebtables -N bad-source-addr
+run ebtables -A bad-source-addr \
+       --limit 20/second --limit-burst 100 \
+       --log-prefix "fw: bad-source-addr(br) " --log-ip --log-ip6
+run ebtables -A bad-source-addr -j DROP
+run ebtables -N check-eth0
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
+run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
+run ebtables -A check-eth0 -j bad-source-addr \
+       -p ip6 --ip6-source 2001:ba8:1d9::/48
+run ebtables -A check-eth0 -j bad-source-addr \
+       -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-eth0 -j RETURN -p ip6
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
+run ebtables -A check-eth0 -j bad-source-addr -p ip
+run ebtables -A INPUT -j check-eth0 -i bond0
+run ebtables -A FORWARD -j check-eth0 -i bond0
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------