## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted mcast
-defnetclass trusted untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass scary scary trusted mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
defnetclass link
defnetclass mcast
via housebdry dmz unsafe safe untrusted
defnet housebdry virtual
via househub hub
- noxit dmz
## House hosts.
defhost radius
defhost orange
iface wlan0 untrusted
iface vpn-radius unsafe
+defhost groove
+ iface eth0 unsafe
+ iface wlan0 untrusted
+ iface vpn-radius unsafe
defhost gibson
hosttype client
- iface eth0 unsafe
+ iface eth0.5 unsafe
## Colocated networks.
defnet jump trusted
via colobdry jump colo
defnet colobdry virtual
via colohub hub
- noxit jump
defnet iodine untrusted
addr 172.29.198.128/28
via colohub
defhost stratocaster
iface eth0 jump colo
iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
defhost jazz
hosttype router
iface eth0 jump colo vpn
host crybaby 1 ::1:1
host terror 2 ::2:1
host orange 3 ::3:1
+ host haze 4 ::4:1
+ host groove 5 ::5:1
defnet anycast trusted
addr 172.29.199.224/27 2001:ba8:1d9:0::/64
via dmz unsafe safe untrusted jump colo vpn
-defnet default untrusted
+defnet default scary
addr 62.49.204.144/28 2001:470:1f09:1b98::/64
addr 212.13.198.64/28 2001:ba8:0:1d9::/64
addr 2001:ba8:1d9::/48 #temporary
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
+### Connection tracking helper modules.
+
+for i in ftp; do
+ modprobe nf_conntrack_$i
+done
+
+m4_divert(80)m4_dnl
+###--------------------------------------------------------------------------
### Special forwarding exemptions.
case $forward in
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
## Otherwise process as indicated by the mark.
for i in $inchains; do
run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
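Review bot: The `modprobe nf_conntrack_$i` loop loads the FTP helper but does not decide which flows it is attached to: on kernels where automatic helper assignment is off (the default since roughly 4.7, `nf_conntrack_helper=0`) the module does nothing until a CT rule assigns it, and where auto-assignment is on it is attached to every port-21 flow from every class, including `scary`. That matters because the new FORWARD rule accepts `RELATED` traffic from `scary` to `untrusted`, so an expectation the helper sets up on behalf of an untrusted client is honoured by that rule — the helper's protocol parsing is the classic way such expectations get abused — so keep auto-assignment off and scope the helper explicitly, e.g. `run ip46tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, further restricted with the mark match to the source classes that are actually allowed to use FTP. The `modprobe` call is also the only command in the hunk not wrapped in `run`, so a missing module fails silently; write `run modprobe nf_conntrack_$i`. `-m state --state` is the legacy match and `-m conntrack --ctstate ESTABLISHED,RELATED` is the current spelling with the same semantics here. The `for i in $inchains` loop at the end continues outside the hunk.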