-### -*-m4-*-
+### -*-sh-*-
###
### Firewall configuration for vampire
###
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
+if_iodine=dns+
if_its_mz=eth0.0
if_its_pi=eth0.0
### vampire-specific rules.
m4_divert(82)m4_dnl
-## Repelling evil DDos attack.
-run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -j DROP \
- -m set --set ddos-evil-dns src \
- -p udp --destination-port $port_dns
-
## Externally visible services.
allowservices inbound tcp \
finger ident \
- dns \
+ dns iodine \
ssh \
- smtp \
+ smtp submission \
gnutella_svc \
ftp ftp_data \
rsync \
- http https \
- git
-allowservices inbound tcp \
- tor_public tor_directory
+ imaps \
+ disorder mpd \
+ http https squid \
+ git \
+ tor_public tor_directory i2p
allowservices inbound udp \
- dns \
+ dns iodine \
tripe \
- gnutella_svc
+ gnutella_svc \
+ i2p
## Provide DNS resolution to local untrusted hosts.
for p in tcp udp; do
-p $p --destination-port $port_dns
done
+## Allow smb and nmb to untrusted hosts. This is a bit experimental.
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p udp -m multiport --destination-ports \
+ $port_netbios_ns,$port_netbios_dgm
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p tcp -m multiport --destination-ports \
+ $port_netbios_ssn,$port_microsoft_ds
+
## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
-s 172.29.198.2 \
-p udp --destination-port $port_syslog
-## Provide a web cache to local untrusted hosts.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp --destination-port $port_squid
-
## Watch outgoing Tor usage.
run iptables -A OUTPUT -m multiport \
-p tcp --source-ports $port_tor_public,$port_tor_directory
## Other interesting things.
dnsresolver inbound
-ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
+ntpclient inbound $ntp_servers
m4_divert(-1)
###----- That's all, folks --------------------------------------------------