-### -*-m4-*-
+### -*-sh-*-
###
### Local firewall configuration
###
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
+### Local configuration.
+
+m4_divert(6)m4_dnl
+## Default NTP servers.
+defconf(ntp_servers,
+ "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
### Packet classification.
## Define the available network classes.
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+m4_divert(-1)
+m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.
-m4_divert(46)m4_dnl
-## Networks and routing.
-
-defiface $if_trusted \
- trusted:172.29.199.0/26 \
- safe:172.29.199.64/27 \
- untrusted:default
-defiface $if_untrusted \
- untrusted:172.29.198.0/24
-defvpn $if_vpn safe 172.29.199.128/27 \
- crybaby:172.29.199.129
-defiface $if_its_mz safe:172.29.199.160/30
-defiface $if_its_pi safe:192.168.0.0/24
-
-m4_divert(60)m4_dnl
+## House networks.
+defnet dmz trusted
+ addr 62.49.204.144/28
+ forwards unsafe untrusted
+defnet unsafe trusted
+ addr 172.29.199.0/25
+ forwards househub
+defnet safe safe
+ addr 172.29.199.192/28
+ forwards househub
+defnet untrusted untrusted
+ addr 172.29.198.0/25
+ forwards househub
+defnet vpn safe
+ addr 172.29.199.128/27
+ forwards househub colohub
+ host crybaby 1
+ host terror 2
+defnet iodine untrusted
+ addr 172.29.198.128/28
+
+defnet househub virtual
+ forwards housebdry dmz unsafe safe untrusted
+defnet housebdry virtual
+ forwards househub hub
+ noxit dmz
+
+## House hosts.
+defhost radius
+ router
+ iface eth0 dmz unsafe safe
+ iface eth1 dmz unsafe safe
+ iface eth2 safe
+ iface eth3 untrusted
+defhost roadstar
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
+defhost jem
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
+defhost artist
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
+defhost vampire
+ router
+ iface eth0.0 dmz unsafe safe
+ iface eth0.1 dmz unsafe safe
+ iface eth0.2 safe
+ iface eth0.3 untrusted
+ iface dns0 dns
+ iface vpn-+ vpn
+ iface vpn-precision colobdry vpn
+defhost ibanez
+ iface br-dmz dmz unsafe
+ iface br-unsafe unsafe
+
+defhost gibson
+ iface eth0 unsafe
+
+## Colocated networks.
+defnet jump trusted
+ addr 212.13.198.64/28
+ forwards colohub
+defnet colo trusted
+ addr 172.29.199.176/28
+ forwards colohub
+defnet colohub virtual
+ forwards colobdry jump colo
+defnet colobdry virtual
+ forwards colohub hub
+ noxit jump
+
+## Colocated hosts.
+defhost fender
+ iface br-jump jump colo
+ iface br-colo jump colo
+defhost precision
+ router
+ iface eth0 jump colo
+ iface eth1 jump colo
+ iface vpn-+ vpn
+ iface vpn-vampire housebdry vpn
+defhost telecaster
+ iface eth0 jump colo
+ iface eth1 jump colo
+defhost stratocaster
+ iface eth0 jump colo
+ iface eth1 jump colo
+defhost jazz
+ iface eth0 jump colo
+ iface eth1 jump colo
+
+## Other networks.
+defnet hub virtual
+ forwards housebdry colobdry
+defnet default untrusted
+ addr 62.49.204.144/28
+ addr 212.13.198.64/28
+ forwards dmz untrusted unsafe jump colo
+
+m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
- -p icmp --icmp-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
+case $forward in
+ 1)
+
+ ## Only allow these packets if they're not fragmented. (Don't trust safe
+ ## hosts's fragment reassembly to be robust against malicious fragments.)
+ ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+ ## of `! -f', so we do the negation using early return from a subchain.
+ clearchain fwd-spec-nofrag
+ run iptables -A fwd-spec-nofrag -j RETURN --fragment
+ run ip6tables -A fwd-spec-nofrag -j RETURN \
+ -m ipv6header --soft --header frag
+ run iptables -A FORWARD -j fwd-spec-nofrag
+
+ ## Allow ping from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p ipv6-icmp --icmpv6-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p ipv6-icmp --icmpv6-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ## Allow SSH from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ;;
+esac
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
+### Kill things we don't understand properly.
+###
+### I don't like having to do this, but since I don't know how to do proper
+### multicast filtering, I'm just going to ban it from being forwarded.
+
+errorchain poorly-understood REJECT
+
+## Ban multicast destination addresses in forwarding.
+case $forward in
+ 1)
+ run iptables -A FORWARD -g poorly-understood \
+ -d 224.0.0.0/4
+ run ip6tables -A FORWARD -g poorly-understood \
+ -d ff::/8
+ ;;
+esac
+
+m4_divert(84)m4_dnl
+###--------------------------------------------------------------------------
### Locally-bound packet inspection.
clearchain inbound
## Track connections.
+commonrules inbound
conntrack inbound
## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+seen=:-:
+for net in $allnets; do
+ eval class=\$net_class_$net
+ case $class in trusted) ;; *) continue ;; esac
+ for iface in $(net_interfaces FWHOST $net); do
+ case "$seen" in *:$iface:*) continue ;; esac
+ seen=$seen$iface:
+ run iptables -A inbound -j ACCEPT \
+ -s 0.0.0.0 -d 224.0.0.0/24 \
+ -i $iface
+ done
+done
+
## Allow incoming ping. This is the only ICMP left.
-run iptables -A inbound -j ACCEPT -p icmp
+run ip46tables -A inbound -j ACCEPT -p icmp
m4_divert(88)m4_dnl
## Allow unusual things.
openports inbound
## Inspect inbound packets from untrusted sources.
-run iptables -A inbound -j forbidden
-run iptables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
- run iptables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-done
+run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+ ;;
+esac
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
~mdw / firewall / blobdiff