## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
## The former are as follows.
##
-## 62.49.204.144/28
-## House border network (dmz). We have all of these, but .145
-## is reserved for the router.
+## 81.2.113.195, 81.187.238.128/28
+## House border network (dmz). We have all of these; the loose
+## address is for the router.
##
## 212.13.18.64/28
## Jump colocated network (jump). .65--68 are used by Jump
## 172.29.198.0/24 Untrusted networks.
## .0/25 house wireless net
## .128/28 iodine (IP-over-DNS) network
+## .144/28 hippotat (IP-over-HTTP) network
## .160/27 untrusted virtual network
##
## 172.29.199.0/24 Trusted networks.
## There are five blocks of publicly routable IPv6 addresses, though some of
## them aren't very interesting. The ranges are as follows.
##
-## 2001:470:1f08:1b98::/64
-## Hurricane Electric tunnel network: only :1 (HE) and :2
-## (radius) are used.
-##
-## 2001:470:1f09:1b98::/64
-## House border network (dmz).
-##
-## 2001:470:9740::/48
-## Main house range. See below for allocation policy.
+## 2001:8b0:c92::/48
+## Main house range (aaisp). See below for allocation policy.
+## There is no explicit DMZ allocation (and no need for one).
##
## 2001:ba8:0:1d9::/64
## Jump border network (jump): :1 is the router (supplied by
## 0 No specific site: mobile VPN endpoints or anycast addresses.
## 1 House.
## 2 Jump colocation.
+## fff Local border network.
##
## Usually site-0 networks are allocated from the Jump range to improve
## expected performance from/to external sites which don't engage in our
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass scary scary trusted mcast
+defnetclass scary scary trusted mcast
defnetclass untrusted scary untrusted trusted mcast
defnetclass trusted scary untrusted trusted safe noloop mcast
defnetclass safe trusted safe noloop mcast
## House networks.
defnet dmz trusted
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92:fff::/64
via unsafe untrusted
defnet unsafe trusted
- addr 172.29.199.0/25 2001:470:9740:1::/64
+ addr 172.29.199.0/25 2001:8b0:c92:1::/64
via househub
defnet safe safe
- addr 172.29.199.192/27 2001:470:9740:4001::/64
+ addr 172.29.199.192/27 2001:8b0:c92:4001::/64
via househub
defnet untrusted untrusted
- addr 172.29.198.0/25 2001:470:9740:8001::/64
+ addr 172.29.198.0/25 2001:8b0:c92:8001::/64
via househub
defnet househub virtual
defhost gibson
hosttype client
- iface eth0.5 unsafe
+ iface eth0 unsafe
## Colocated networks.
defnet jump trusted
defnet iodine untrusted
addr 172.29.198.128/28
via colohub
+defnet hippotat untrusted
+ addr 172.29.198.144/28
+ via colohub
## Colocated hosts.
defhost fender
iface eth0 jump colo vpn
iface eth1 jump colo vpn
iface dns0 iodine
+ iface hippo-svc hippotat
iface vpn-+ vpn
## Other networks.
addr 172.16.0.0/12
addr 192.168.0.0/16
via househub colohub
-defnet vpn safe
+defnet vpn trusted
addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
via househub colohub
host crybaby 1 ::1:1
addr 172.29.199.224/27 2001:ba8:1d9:0::/64
via dmz unsafe safe untrusted jump colo vpn
defnet default scary
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ addr 81.2.113.195 81.187.238.128/28 2001:8b0:c92::/48
addr 212.13.198.64/28 2001:ba8:0:1d9::/64
addr 2001:ba8:1d9::/48 #temporary
via dmz unsafe untrusted jump colo
openports inbound
## Inspect inbound packets from untrusted sources.
-run ip46tables -A inbound -j forbidden
+run ip46tables -A inbound -g forbidden
run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
~mdw / firewall / blobdiff