Merge branch 'master' into emergency

[firewall] / vampire.m4

diff --git a/vampire.m4 b/vampire.m4
index 44eef03..d283145 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -31,7 +31,6 @@ allowservices inbound tcp \
        dns iodine \
        ssh \
        smtp submission \
-       rdesktop \
        gnutella_svc \
        ftp ftp_data \
        rsync \
@@ -48,8 +47,8 @@ allowservices inbound udp \
 
 ## Extend some services to local untrusted hosts.
 clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted \
-       -s 172.29.198.0/24
+run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
+run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
 
 allowservices inbound-untrusted tcp \
        dns \
@@ -71,6 +70,10 @@ run iptables -A OUTPUT -m multiport \
 dnsresolver inbound
 ntpclient inbound $ntp_servers
 
+## IPv6 6-in-4 tunnel.
+run iptables -A inbound -j ACCEPT \
+          -p $proto_ipv6 -s 216.66.80.26
+
 ## NAT for RFC1918 addresses.
 for i in PREROUTING OUTPUT POSTROUTING; do
   run iptables -t nat -P $i ACCEPT 2>/dev/null || :
@@ -97,5 +100,8 @@ for p in ftp sip h323; do
   run modprobe nf_nat_$p
 done
 
+## Forbid anything complicated to the NAT address.
+run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------