## This host isn't a router.
setconf(forward, 0)
-###--------------------------------------------------------------------------
-### Network interfaces.
-
-m4_divert(44)m4_dnl
-## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
-m4_divert(-1)
###--------------------------------------------------------------------------
### jem-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
+## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
+## isn't a completely critical part of the firewall security, so don't make
+## this fail the entire script.
+errorchain sauce REJECT
+makeset sauce iphash || :
+iptables -A inbound -g sauce -m set --match-set sauce src || :
+
## Externally visible services.
allowservices inbound tcp \
ssh \
+ ident \
smtp submission \
http https \
imaps
-p $p --destination-port $port_dns
done
-## Allow smb and nmb to untrusted hosts. This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p udp -m multiport --destination-ports \
- $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp -m multiport --destination-ports \
- $port_netbios_ssn,$port_microsoft_ds
-
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / blobdiff