-### -*-m4-*-
+### -*-sh-*-
###
### Local firewall configuration
###
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
+### Local configuration.
+
+m4_divert(6)m4_dnl
+## Default NTP servers.
+defconf(ntp_servers,
+ "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
### Packet classification.
+## IPv4 addressing.
+##
+## There are two small blocks of publicly routable IPv4 addresses, and a
+## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
+## The former are as follows.
+##
+## 62.49.204.144/28
+## House border network (dmz). We have all of these, but .145
+## is reserved for the router.
+##
+## 212.13.18.64/28
+## Jump colocated network (jump). .65--68 are used by Jump
+## network infrastructure; we get the rest.
+##
+## The latter is the block 172.29.196.0/22. Currently the low half is
+## unallocated (and may be returned to the G-RIN); the remaining addresses
+## are allocated as follows.
+##
+## 172.29.198.0/24 Untrusted networks.
+## .0/25 house wireless net
+## .128/28 iodine (IP-over-DNS) network
+##
+## 172.29.199.0/24 Trusted networks.
+## .0/25 house wired network
+## .128/27 mobile VPN hosts
+## .160/28 reserved, except .160/30 allocated for ITS
+## .176/28 internal colocated network
+## .192/27 house safe network
+## .224/27 anycast services
+
+## IPv6 addressing.
+##
+## There are five blocks of publicly routable IPv6 addresses, though some of
+## them aren't very interesting. The ranges are as follows.
+##
+## 2001:470:1f08:1b98::/64
+## Hurricane Electric tunnel network: only :1 (HE) and :2
+## (radius) are used.
+##
+## 2001:470:1f09:1b98::/64
+## House border network (dmz).
+##
+## 2001:470:9740::/48
+## Main house range. See below for allocation policy.
+##
+## 2001:ba8:0:1d9::/64
+## Jump border network (jump): :1 is the router (supplied by
+## Jump); other addresses are ours.
+##
+## 2001:ba8:1d9::/48
+## Main colocated range. See below for allocation policy.
+##
+## Addresses in the /64 networks are simply allocated in ascending order.
+## The /48s are split into /64s by appending a 16-bit network number. The
+## top nibble of the network number classifies the network, as follows.
+##
+## 8xxx Untrusted
+## 6xxx Virtual, safe
+## 4xxx Safe
+## 0xxx Unsafe, trusted
+##
+## These have been chosen so that network properties can be deduced by
+## inspecting bits of the network number:
+##
+## Bit 15 If set, the network is untrusted; otherwise it is trusted.
+## Bit 14 If set, the network is safe; otherwise it is unsafe.
+##
+## Finally, the low-order nibbles identify the site.
+##
+## 0 No specific site: mobile VPN endpoints or anycast addresses.
+## 1 House.
+## 2 Jump colocation.
+##
+## Usually site-0 networks are allocated from the Jump range to improve
+## expected performance from/to external sites which don't engage in our
+## dynamic routing protocols.
+
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+defnetclass scary scary trusted mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
+
+defnetclass link
+defnetclass mcast
+m4_divert(-1)
+m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.
-m4_divert(46)m4_dnl
-## Networks and routing.
-
-defiface $if_trusted \
- trusted:172.29.199.0/26 \
- safe:172.29.199.64/27 \
- untrusted:default
-defiface $if_untrusted \
- untrusted:172.29.198.0/25
-defvpn $if_vpn safe 172.29.199.128/27 \
- crybaby:172.29.199.129 \
- terror:172.29.199.130
-defiface $if_iodine untrusted:172.29.198.128/28
-defiface $if_its_mz safe:172.29.199.160/30
-defiface $if_its_pi safe:192.168.0.0/24
-
-m4_divert(60)m4_dnl
+## House networks.
+defnet dmz trusted
+ addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ via unsafe untrusted
+defnet unsafe trusted
+ addr 172.29.199.0/25 2001:470:9740:1::/64
+ via househub
+defnet safe safe
+ addr 172.29.199.192/27 2001:470:9740:4001::/64
+ via househub
+defnet untrusted untrusted
+ addr 172.29.198.0/25 2001:470:9740:8001::/64
+ via househub
+
+defnet househub virtual
+ via housebdry dmz unsafe safe untrusted
+defnet housebdry virtual
+ via househub hub
+
+## House hosts.
+defhost radius
+ hosttype router
+ iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
+ iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
+ iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth3 unsafe untrusted vpn default
+ iface ppp0 default
+ iface t6-he default
+ iface vpn-precision colobdry vpn sgo
+ iface vpn-chiark sgo
+ iface vpn-+ vpn
+defhost roadstar
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
+defhost jem
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
+defhost artist
+ hosttype router
+ iface eth0 dmz unsafe untrusted
+ iface eth1 dmz unsafe untrusted
+ iface eth3 unsafe untrusted
+defhost vampire
+ hosttype router
+ iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
+ iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
+ iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
+ iface eth0.7 unsafe untrusted vpn
+ iface vpn-precision colobdry vpn sgo
+ iface vpn-chiark sgo
+ iface vpn-+ vpn
+defhost ibanez
+ iface br-dmz dmz unsafe
+ iface br-unsafe unsafe
+defhost orange
+ iface wlan0 untrusted
+ iface vpn-radius unsafe
+defhost groove
+ iface eth0 unsafe
+ iface wlan0 untrusted
+ iface vpn-radius unsafe
+
+defhost gibson
+ hosttype client
+ iface eth0 unsafe
+
+## Colocated networks.
+defnet jump trusted
+ addr 212.13.198.64/28 2001:ba8:0:1d9::/64
+ via colohub
+defnet colo trusted
+ addr 172.29.199.176/28 2001:ba8:1d9:2::/64
+ via colohub
+defnet colohub virtual
+ via colobdry jump colo
+defnet colobdry virtual
+ via colohub hub
+defnet iodine untrusted
+ addr 172.29.198.128/28
+ via colohub
+
+## Colocated hosts.
+defhost fender
+ iface br-jump jump colo
+ iface br-colo jump colo
+defhost precision
+ hosttype router
+ iface eth0 jump colo vpn sgo
+ iface eth1 jump colo vpn sgo
+ iface vpn-mango binswood
+ iface vpn-radius housebdry vpn sgo
+ iface vpn-chiark sgo
+ iface vpn-+ vpn
+defhost telecaster
+ iface eth0 jump colo
+ iface eth1 jump colo
+defhost stratocaster
+ iface eth0 jump colo
+ iface eth1 jump colo
+defhost jaguar
+ iface eth0 jump
+defhost jazz
+ hosttype router
+ iface eth0 jump colo vpn
+ iface eth1 jump colo vpn
+ iface dns0 iodine
+ iface vpn-+ vpn
+
+## Other networks.
+defnet hub virtual
+ via housebdry colobdry
+defnet sgo noloop
+ addr !172.29.198.0/23
+ addr 10.0.0.0/8
+ addr 172.16.0.0/12
+ addr 192.168.0.0/16
+ via househub colohub
+defnet vpn safe
+ addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
+ via househub colohub
+ host crybaby 1 ::1:1
+ host terror 2 ::2:1
+ host orange 3 ::3:1
+ host haze 4 ::4:1
+ host groove 5 ::5:1
+defnet anycast trusted
+ addr 172.29.199.224/27 2001:ba8:1d9:0::/64
+ via dmz unsafe safe untrusted jump colo vpn
+defnet default scary
+ addr 62.49.204.144/28 2001:470:1f09:1b98::/64
+ addr 212.13.198.64/28 2001:ba8:0:1d9::/64
+ addr 2001:ba8:1d9::/48 #temporary
+ via dmz unsafe untrusted jump colo
+
+## Satellite networks.
+defnet binswood noloop
+ addr 10.165.27.0/24
+ via colohub
+
+defhost mango
+ hosttype router
+ iface eth0 binswood default
+ iface vpn-precision colo
+
+m4_divert(80)m4_dnl
+###--------------------------------------------------------------------------
+### Connection tracking helper modules.
+
+for i in ftp; do
+ modprobe nf_conntrack_$i
+done
+
+m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
- -p icmp ! -f --icmp-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
- -p icmp ! -f --icmp-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
- -p tcp ! -f --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
- -p tcp ! -f --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
+case $forward in
+ 1)
+
+ ## Only allow these packets if they're not fragmented. (Don't trust safe
+ ## hosts's fragment reassembly to be robust against malicious fragments.)
+ ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+ ## of `! -f', so we do the negation using early return from a subchain.
+ clearchain fwd-spec-nofrag
+ run iptables -A fwd-spec-nofrag -j RETURN --fragment
+ run ip6tables -A fwd-spec-nofrag -j RETURN \
+ -m ipv6header --soft --header frag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
+
+ ## Allow ping from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmpv6 --icmpv6-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmpv6 --icmpv6-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ## Allow SSH from safe/noloop to untrusted networks.
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ;;
+esac
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
+### Kill things we don't understand properly.
+###
+### I don't like having to do this, but since I don't know how to do proper
+### multicast filtering, I'm just going to ban it from being forwarded.
+
+errorchain poorly-understood REJECT
+
+## Ban multicast destination addresses in forwarding.
+case $forward in
+ 1)
+ run iptables -A FORWARD -g poorly-understood \
+ -d 224.0.0.0/4
+ run ip6tables -A FORWARD -g poorly-understood \
+ -d ff::/8
+ ;;
+esac
+
+m4_divert(84)m4_dnl
+###--------------------------------------------------------------------------
### Locally-bound packet inspection.
clearchain inbound
-p udp --source-port $port_bootpc --destination-port $port_bootps
## Allow incoming ping. This is the only ICMP left.
-run iptables -A inbound -j ACCEPT -p icmp
+run ip46tables -A inbound -j ACCEPT -p icmp
m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound
## Inspect inbound packets from untrusted sources.
-run iptables -A inbound -j forbidden
-run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
+run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
- run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+for i in $inchains; do
+ run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done
m4_divert(-1)
~mdw / firewall / blobdiff