X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/0291d6d55d3dc38a12d61abc007dda5cc3aa5110..677ef44ed3d745abddbb192ca4d53778819ffe6c:/local.m4

diff --git a/local.m4 b/local.m4
index 5e27449..2d9cacb 100644
--- a/local.m4
+++ b/local.m4
@@ -1,4 +1,4 @@
-### -*-m4-*-
+### -*-sh-*-
 ###
 ### Local firewall configuration
 ###
@@ -22,6 +22,15 @@
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ###--------------------------------------------------------------------------
+### Local configuration.
+
+m4_divert(6)m4_dnl
+## Default NTP servers.
+defconf(ntp_servers,
+	"158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232")
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
 ### Packet classification.
 
 ## Define the available network classes.
@@ -30,69 +39,184 @@ defnetclass untrusted untrusted trusted
 defnetclass trusted untrusted trusted safe noloop
 defnetclass safe trusted safe noloop
 defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+m4_divert(-1)
 
+m4_divert(26)m4_dnl
 ###--------------------------------------------------------------------------
 ### Network layout.
 
-m4_divert(46)m4_dnl
-## Networks and routing.
-
-defiface $if_untrusted \
-	untrusted:172.29.198.0/25
-defvpn $if_vpn safe 172.29.199.128/27 \
-	crybaby:172.29.199.129 \
-	terror:172.29.199.130
-defiface $if_iodine untrusted:172.29.198.128/28
-defiface $if_its_mz safe:172.29.199.160/30
-defiface $if_its_pi safe:192.168.0.0/24
-defiface $if_trusted \
-	trusted:172.29.199.0/26 \
-	safe:172.29.199.64/27 \
-	untrusted:default
-
-m4_divert(60)m4_dnl
+## House networks.
+defnet dmz trusted
+	addr 62.49.204.144/28
+	forwards unsafe untrusted
+defnet unsafe trusted
+	addr 172.29.199.0/25
+	forwards househub
+defnet safe safe
+	addr 172.29.199.192/28
+	forwards househub
+defnet untrusted untrusted
+	addr 172.29.198.0/25
+	forwards househub
+defnet vpn safe
+	addr 172.29.199.128/27
+	forwards househub
+	host crybaby 1
+	host terror 2
+defnet iodine untrusted
+	addr 172.29.198.128/28
+
+defnet househub virtual
+	forwards housebdry dmz unsafe safe untrusted
+defnet housebdry virtual
+	forwards househub hub
+	noxit dmz
+
+## House hosts.
+defhost radius
+	router
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
+	iface eth2 safe
+	iface eth3 untrusted
+defhost roadstar
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
+defhost jem
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
+defhost artist
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
+defhost vampire
+	router
+	iface eth0.0 dmz unsafe
+	iface eth0.1 dmz unsafe
+	iface eth0.3 untrusted
+	iface dns0 dns
+	iface vpn-+ vpn
+	iface vpn-precision colobdry vpn
+defhost ibanez
+	iface br-dmz dmz unsafe
+	iface br-unsafe unsafe
+
+defhost gibson
+	iface eth0 unsafe
+
+## Colocated networks.
+defnet jump trusted
+	addr 212.13.198.64/28
+	forwards colohub
+defnet colo trusted
+	addr 172.29.199.176/28
+	forwards colohub
+defnet colohub virtual
+	forwards colobdry jump colo
+defnet colobdry virtual
+	forwards colohub hub
+	noxit jump
+
+## Colocated hosts.
+defhost fender
+	iface br-jump jump colo
+	iface br-colo jump colo
+defhost precision
+	router
+	iface eth0 jump colo
+	iface eth1 jump colo
+	iface vpn-+ vpn
+	iface vpn-vampire housebdry vpn
+defhost telecaster
+	iface eth0 jump colo
+	iface eth1 jump colo
+defhost stratocaster
+	iface eth0 jump colo
+	iface eth1 jump colo
+defhost jazz
+	iface eth0 jump colo
+	iface eth1 jump colo
+
+## Other networks.
+defnet hub virtual
+	forwards housebdry colobdry
+defnet default untrusted
+	addr 62.49.204.144/28
+	addr 212.13.198.64/28
+	forwards dmz untrusted unsafe jump colo
+
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-	-p icmp ! -f --icmp-type echo-request \
-	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-	-p icmp ! -f --icmp-type echo-reply \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
-	-p ipv6-icmp --icmpv6-type echo-request \
-	-m ipv6header --soft ! --header frag \
-	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
-	-p ipv6-icmp --icmpv6-type echo-reply \
-	-m ipv6header --soft ! --header frag \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A FORWARD -j ACCEPT \
-	-p tcp ! -f --destination-port $port_ssh \
-	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A FORWARD -j ACCEPT \
-	-p tcp ! -f --source-port $port_ssh \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-run ip6tables -A FORWARD -j ACCEPT \
-	-p tcp --destination-port $port_ssh \
-	-m ipv6header --soft ! --header frag \
-	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A FORWARD -j ACCEPT \
-	-p tcp --source-port $port_ssh \
-	-m ipv6header --soft ! --header frag \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
+case $forward in
+  1)
+
+    ## Only allow these packets if they're not fragmented.  (Don't trust safe
+    ## hosts's fragment reassembly to be robust against malicious fragments.)
+    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+    ## of `! -f', so we do the negation using early return from a subchain.
+    clearchain fwd-spec-nofrag
+    run iptables -A fwd-spec-nofrag -j RETURN --fragment
+    run ip6tables -A fwd-spec-nofrag -j RETURN \
+	    -m ipv6header --soft --header frag
+    run iptables -A FORWARD -j fwd-spec-nofrag
+
+    ## Allow ping from safe/noloop to untrusted networks.
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p icmp --icmp-type echo-request \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p icmp --icmp-type echo-reply \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p ipv6-icmp --icmpv6-type echo-request \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p ipv6-icmp --icmpv6-type echo-reply \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+
+    ## Allow SSH from safe/noloop to untrusted networks.
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --destination-port $port_ssh \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --source-port $port_ssh \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --destination-port $port_ssh \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --source-port $port_ssh \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+
+    ;;
+esac
 
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
+### Kill things we don't understand properly.
+###
+### I don't like having to do this, but since I don't know how to do proper
+### multicast filtering, I'm just going to ban it from being forwarded.
+
+errorchain poorly-understood REJECT
+
+## Ban multicast destination addresses in forwarding.
+case $forward in
+  1)
+    run iptables -A FORWARD -g poorly-understood \
+	    -d 224.0.0.0/4
+    run ip6tables -A FORWARD -g poorly-understood \
+	    -d ff::/8
+    ;;
+esac
+
+m4_divert(84)m4_dnl
+###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
 
 clearchain inbound
@@ -110,6 +234,22 @@ run iptables -A inbound -j ACCEPT \
 	-s 172.29.198.0/23 \
 	-p udp --source-port $port_bootpc --destination-port $port_bootps
 
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+seen=:-:
+for net in $allnets; do
+  eval class=\$net_class_$net
+  case $class in trusted) ;; *) continue ;; esac
+  for iface in $(net_interfaces FWHOST $net); do
+    case "$seen" in *:$iface:*) continue ;; esac
+    seen=$seen$iface:
+    run iptables -A inbound -j ACCEPT \
+	-s 0.0.0.0 -d 224.0.0.0/24 \
+	-i $iface
+  done
+done
+
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
 
@@ -122,9 +262,12 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
-  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-done
+run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+case $forward in
+  1)
+    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+    ;;
+esac
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------