### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
+### Local configuration.
+
+m4_divert(6)m4_dnl
+## Default NTP servers.
+defconf(ntp_servers,
+ "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
### Packet classification.
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted mcast
+
+defnetclass link
+defnetclass mcast
m4_divert(-1)
m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.
-m4_divert(44)m4_dnl
-## Network definitions.
-defiface $if_dmz \
- trusted:62.49.204.144/28 \
- trusted:172.29.199.0/25 \
- untrusted:default
-defiface $if_trusted \
- trusted:172.29.199.0/25 \
- untrusted:default
-defiface $if_safe safe:172.29.199.192/26
-defiface $if_untrusted \
- untrusted:172.29.198.0/25
-defvpn $if_vpn safe 172.29.199.128/27 \
- crybaby:172.29.199.129 \
- terror:172.29.199.130
-defiface $if_iodine untrusted:172.29.198.128/28
-defiface $if_its_mz safe:172.29.199.160/30
-defiface $if_its_pi safe:192.168.0.0/24
+defnet default untrusted
-## Default NTP servers.
-ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
+## Hosts.
+defhost jaguar
+ iface eth0 default
+
+m4_divert(80)m4_dnl
+###--------------------------------------------------------------------------
+### Connection tracking helper modules.
+
+for i in ftp; do
+ modprobe nf_conntrack_$i
+done
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-## Only allow these packets if they're not fragmented. (Don't trust safe
-## hosts's fragment reassembly to be robust against malicious fragments.)
-## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
-## `! -f', so we do the negation using early return from a subchain.
-clearchain fwd-spec-nofrag
-run iptables -A fwd-spec-nofrag -j RETURN --fragment
-run ip6tables -A fwd-spec-nofrag -j RETURN \
- -m ipv6header --soft --header frag
-run iptables -A FORWARD -j fwd-spec-nofrag
-
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p icmp --icmp-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p icmp --icmp-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-m4_divert(60)m4_dnl
+case $forward in
+ 1)
+
+ ## Only allow these packets if they're not fragmented. (Don't trust safe
+ ## hosts's fragment reassembly to be robust against malicious fragments.)
+ ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+ ## of `! -f', so we do the negation using early return from a subchain.
+ clearchain fwd-spec-nofrag
+ run iptables -A fwd-spec-nofrag -j RETURN --fragment
+ run ip6tables -A fwd-spec-nofrag -j RETURN \
+ -m ipv6header --soft --header frag
+ run ip46tables -A FORWARD -j fwd-spec-nofrag
+
+ ## Allow ping from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmpv6 --icmpv6-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmpv6 --icmpv6-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ## Allow SSH from safe/noloop to untrusted networks.
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ;;
+esac
+
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
errorchain poorly-understood REJECT
## Ban multicast destination addresses in forwarding.
-run iptables -A FORWARD -g poorly-understood \
- -d 224.0.0.0/4
-run ip6tables -A FORWARD -g poorly-understood \
- -d ff::/8
+case $forward in
+ 1)
+ run iptables -A FORWARD -g poorly-understood \
+ -d 224.0.0.0/4
+ run ip6tables -A FORWARD -g poorly-understood \
+ -d ff::/8
+ ;;
+esac
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
- echo $i
-done | {
- seen=:
- while read i; do
- case "$seen" in *:$i:*) continue ;; esac
- seen=$seen$i:
- run iptables -A inbound -j ACCEPT \
- -s 0.0.0.0 -d 224.0.0.0/24 \
- -i $i
- done
-}
-
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
run ip46tables -A inbound -j forbidden
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
+for i in $inchains; do
run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
done
~mdw / firewall / blobdiff