## This host isn't a router.
setconf(forward, 0)
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
### jem-specific rules.
m4_divert(82)m4_dnl
+## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
+## isn't a completely critical part of the firewall security, so don't make
+## this fail the entire script.
+errorchain sauce REJECT
+makeset sauce iphash || :
+iptables -A inbound -g sauce -m set --match-set sauce src || :
+
## Externally visible services.
allowservices inbound tcp \
ssh \
+ ident \
smtp submission \
http https \
imaps
-p $p --destination-port $port_dns
done
-## Allow smb and nmb to untrusted hosts. This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p udp -m multiport --destination-ports \
- $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp -m multiport --destination-ports \
- $port_netbios_ssn,$port_microsoft_ds
-
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / blobdiff