~mdw / firewall / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
*.m4: Actually allow NFS to untrusted hosts.
[firewall] / jem.m4
diff --git a/jem.m4 b/jem.m4
index 7db1ce5..ecbed74 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -24,7 +24,7 @@
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
 
-m4_divert(84)m4_dnl
+m4_divert(86)m4_dnl
 ## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
 ## isn't a completely critical part of the firewall security, so don't make
 ## this fail the entire script.
@@ -36,16 +36,23 @@ iptables -A inbound -g sauce -m set --match-set sauce src || :
 allowservices inbound tcp \
        ssh \
        ident \
-       smtp submission \
-       http https \
-       imaps
+       imaps \
+       http https rsync \
+       git
+
+allowservices inbound-untrusted tcp \
+       sunrpc mount nfs
+allowservices inbound-untrusted udp \
+       sunrpc mount nfs
 
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-         -s 172.29.198.0/24 \
+  run ip46tables -A inbound -j ACCEPT \
          -p $p --destination-port $port_dns
 done
 
+## Other interesting things.
+dnsresolver inbound
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
Firewall scripts for distorted.org.uk.