### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-## This host is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
-### Network interfaces.
-
-m4_divert(44)m4_dnl
-## Interface definitions.
-if_untrusted=eth0
-if_dmz=$if_untrusted
-if_safe=$if_dmz
-if_trusted=$if_dmz
-if_vpn=$if_dmz
-if_iodine=$if_dmz
-if_its_mz=$if_dmz
-if_its_pi=$if_dmz
-
-m4_divert(-1)
-###--------------------------------------------------------------------------
### fender-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ssh \
## We have to provide NTP service. The guests sync to our clock.
ntpclient inbound $ntp_servers
+## Provide NTP service to untrusted clients.
+iptables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 172.29.198.0/23
+ip6tables -A inbound -p udp -j ACCEPT \
+ --source-port 123 --destination-port 123 \
+ -s 2001:470:9740::/48
+
+## Guaranteed black hole. Put this at the very front of the chain.
+run iptables -I INPUT -d 212.13.198.78 -j DROP
+run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
+
+## Ethernet bridge-level filtering for source addresses.
+run ebtables -F
+for i in log limit ip ip6; do run modprobe ebt-$i; done
+
+for c in bad-source-addr check-eth0 bcp38 check-bcp38; do
+ run ebtables -X $c >/dev/null 2>&1 || :
+done
+
+for ch in bad-source-addr bcp38; do
+ run ebtables -N $ch
+ run ebtables -A $ch \
+ --limit 20/second --limit-burst 100 \
+ --log-prefix "fw: $ch(br)" --log-ip --log-ip6
+ run ebtables -A $ch -j DROP
+done
+
+run ebtables -N check-eth0
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
+run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
+run ebtables -A check-eth0 -j bad-source-addr \
+ -p ip6 --ip6-source 2001:ba8:1d9::/48
+run ebtables -A check-eth0 -j bad-source-addr \
+ -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-eth0 -j RETURN -p ip6
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
+run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
+run ebtables -A check-eth0 -j bad-source-addr -p ip
+run ebtables -A INPUT -j check-eth0 -i bond0
+run ebtables -A FORWARD -j check-eth0 -i bond0
+
+run ebtables -N check-bcp38
+run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28
+run ebtables -A check-bcp38 -j bcp38 -p ip
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
+run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
+run ebtables -A check-bcp38 -j bcp38 -p ip6
+run ebtables -A FORWARD -j check-bcp38 -o bond0
+
+## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it
+## misparses (at least) locally originated multicast packets, and tries to
+## extract IP header fields relative to the start of the Ethernet frame. The
+## result is obviously a hideous mess. Don't try to do BCP38 checking for
+## locally originated packets until this is fixed.
+##run ebtables -A OUTPUT -j check-bcp38 -o bond0
+
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / blobdiff