X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1b534b6a971639a492666b35145b247e4f4a94a9..38e85ca3b58ddcf50c7db608f5baa2fd19771f8a:/local.m4
diff --git a/local.m4 b/local.m4
index b5cee43..eb28dd7 100644
--- a/local.m4
+++ b/local.m4
@@ -54,6 +54,7 @@ m4_divert(-1)
 ## 172.29.198.0/24 Untrusted networks.
 ## .0/25 house wireless net
 ## .128/28 iodine (IP-over-DNS) network
+## .160/27 untrusted virtual network
 ##
 ## 172.29.199.0/24 Trusted networks.
 ## .0/25 house wired network
@@ -89,6 +90,7 @@ m4_divert(-1)
 ## The /48s are split into /64s by appending a 16-bit network number. The
 ## top nibble of the network number classifies the network, as follows.
 ##
+## axxx Virtual, untrusted
 ## 8xxx Untrusted
 ## 6xxx Virtual, safe
 ## 4xxx Safe
@@ -190,7 +192,7 @@ defhost groove
 defhost gibson
 hosttype client
- iface eth0 unsafe
+ iface eth0.5 unsafe
 ## Colocated networks.
 defnet jump trusted
@@ -218,6 +220,7 @@ defhost precision
 iface vpn-mango binswood
 iface vpn-radius housebdry vpn sgo
 iface vpn-chiark sgo
+ iface vpn-national upn
 iface vpn-+ vpn
 defhost telecaster
 iface eth0 jump colo
@@ -225,8 +228,6 @@ defhost telecaster
 defhost stratocaster
 iface eth0 jump colo
 iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
 defhost jazz
 hosttype router
 iface eth0 jump colo vpn
@@ -259,12 +260,20 @@ defnet default scary
 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 addr 2001:ba8:1d9::/48 #temporary
 via dmz unsafe untrusted jump colo
+defnet upn untrusted
+ addr 172.29.198.160/27 2001:ba8:1d9:a000::/64
+ via colohub
+ host national 1 ::1:1
+
+## Linode hosts.
+defhost national
+ iface eth0 default
+ iface vpn-precision colohub
 ## Satellite networks.
 defnet binswood noloop
 addr 10.165.27.0/24
 via colohub
-
 defhost mango
 hosttype router
 iface eth0 binswood default
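Review bot: With `iface eth0.5 unsafe` the `unsafe` classification on gibson now applies only to the VLAN 5 subinterface, so anything arriving untagged on the parent `eth0` no longer matches any `iface` line; whether that is harmless depends on how the generated ruleset treats interfaces with no classification, which is not visible in this hunk. A one-line comment would save the next reader the question, e.g. `iface eth0.5 unsafe  ## VLAN 5; untagged eth0 is deliberately unclassified`, worded to match what is actually true for this host.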
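Review bot: `defhost national` is made `host 1` of the new `upn` net but declares no interface on it — only `eth0` on `default` and `vpn-precision` on `colohub` — and, unlike `mango`, which fronts `binswood` with `hosttype router`, it stays a non-router; if the untrusted virtual network sits on a bridge or tap on national, traffic from it would arrive on an interface with no `iface` classification and be forwarded (or not) by whatever the non-router default is. That reading of `iface`/`via`/`host` is inferred from the surrounding definitions, so it may be that the VM side is configured elsewhere; either way a short comment under `## Linode hosts.` saying where the upn guests are firewalled, or an `iface <bridge> upn` plus `hosttype router` if national really is their gateway, would close the gap. The addresses themselves (`172.29.198.160/27`, `2001:ba8:1d9:a000::/64`) agree with the `.160/27` and `axxx` comments added earlier in the diff.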
@@ -362,7 +371,8 @@ run iptables -A inbound -j ACCEPT \
 -p udp --source-port $port_bootpc --destination-port $port_bootps
 ## Allow incoming ping. This is the only ICMP left.
-run ip46tables -A inbound -j ACCEPT -p icmp
+run iptables -A inbound -j ACCEPT -p icmp
+run ip6tables -A inbound -j ACCEPT -p icmpv6
 m4_divert(88)m4_dnl
 ## Allow unusual things.
@@ -370,10 +380,11 @@ openports inbound
 ## Inspect inbound packets from untrusted sources.
 run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 ## Allow responses from the scary outside world into the untrusted net, but
-## don't let untrusted things run services. [EXPERIMENTAL]
+## don't let untrusted things run services.
 case $forward in
 1)
 run ip46tables -A FORWARD -j ACCEPT \
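Review bot: The comment says "Allow incoming ping", but both new rules accept every ICMP and ICMPv6 type, so whatever earlier rules did not already dispose of (the "only ICMP left" remark refers to code outside this hunk) is accepted from any source that reaches the `inbound` chain. If echo is all that is meant, narrow them: `run iptables -A inbound -j ACCEPT -p icmp --icmp-type echo-request` and `run ip6tables -A inbound -j ACCEPT -p icmpv6 --icmpv6-type echo-request`. If the broad match is deliberate — IPv6 in particular needs more than echo, e.g. packet-too-big for path MTU discovery — then the comment should say that rather than "ping", since a later reader will otherwise tighten it and break things.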
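Review bot: Jumping `$from_scary` traffic to `inbound` means every ACCEPT already in that chain now applies to the scary outside world as well as the local untrusted nets — including the bootpc→bootps DHCP accept and the all-ICMP accept visible in the previous hunk, which read as if they were written with local untrusted clients in mind; the rest of `inbound` is outside this view. Each accept in the chain is worth a second look, and the DHCP one could be gated with `-m mark --mark $from_untrusted/$MASK_FROM` if scary sources are not meant to reach a DHCP server port. The heading above the rules should also follow the change, e.g. `## Inspect inbound packets from scary and untrusted sources.`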