X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1ee6211dcd0063197621004e6c7073bd801b8efe..1fd9cef9dd054bde484f05dd3b95898ad2c2806b:/local.m4 diff --git a/local.m4 b/local.m4 index 0d67a97..23f12a7 100644 --- a/local.m4 +++ b/local.m4 @@ -22,79 +22,288 @@ ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- +### Local configuration. + +m4_divert(6)m4_dnl +## Default NTP servers. +defconf(ntp_servers, + "158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232") + +m4_divert(-1) +###-------------------------------------------------------------------------- ### Packet classification. +## IPv4 addressing. +## +## There are two small blocks of publicly routable IPv4 addresses, and a +## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN. +## The former are as follows. +## +## 62.49.204.144/28 +## House border network (dmz). We have all of these, but .145 +## is reserved for the router. +## +## 212.13.18.64/28 +## Jump colocated network (jump). .65--68 are used by Jump +## network infrastructure; we get the rest. +## +## The latter is the block 172.29.196.0/22. Currently the low half is +## unallocated (and may be returned to the G-RIN); the remaining addresses +## are allocated as follows. +## +## 172.29.198.0/24 Untrusted networks. +## .0/25 house wireless net +## .128/28 iodine (IP-over-DNS) network +## +## 172.29.199.0/24 Trusted networks. +## .0/25 house wired network +## .128/27 mobile VPN hosts +## .160/28 reserved, except .160/30 allocated for ITS +## .176/28 internal colocated network +## .192/27 house safe network +## .224/27 anycast services + +## IPv6 addressing. +## +## There are five blocks of publicly routable IPv6 addresses, though some of +## them aren't very interesting. The ranges are as follows. +## +## 2001:470:1f08:1b98::/64 +## Hurricane Electric tunnel network: only :1 (HE) and :2 +## (radius) are used. +## +## 2001:470:1f09:1b98::/64 +## House border network (dmz). +## +## 2001:470:9740::/48 +## Main house range. See below for allocation policy. +## +## 2001:ba8:0:1d9::/64 +## Jump border network (jump): :1 is the router (supplied by +## Jump); other addresses are ours. +## +## 2001:ba8:1d9::/48 +## Main colocated range. See below for allocation policy. +## +## Addresses in the /64 networks are simply allocated in ascending order. +## The /48s are split into /64s by appending a 16-bit network number. The +## top nibble of the network number classifies the network, as follows. +## +## 8xxx Untrusted +## 6xxx Virtual +## 4xxx Safe +## 0xxx Unsafe, trusted +## +## These have been chosen so that network properties can be deduced by +## inspecting bits of the network number: +## +## Bit 15 If set, the network is untrusted; otherwise it is trusted. +## Bit 14 If set, the network is safe; otherwise it is unsafe. +## +## Finally, the low-order nibbles identify the site. +## +## 0 No specific site: mobile VPN endpoints or anycast addresses. +## 1 House. +## 2 Jump colocation. +## +## Usually site-0 networks are allocated from the Jump range to improve +## expected performance from/to external sites which don't engage in our +## dynamic routing protocols. + ## Define the available network classes. m4_divert(42)m4_dnl -defnetclass untrusted untrusted trusted -defnetclass trusted untrusted trusted safe noloop -defnetclass safe trusted safe noloop -defnetclass noloop trusted safe -m4_divert(-1)m4_dnl +defnetclass untrusted untrusted trusted mcast +defnetclass trusted untrusted trusted safe noloop mcast +defnetclass safe trusted safe noloop mcast +defnetclass noloop trusted safe mcast + +defnetclass link +defnetclass mcast +m4_divert(-1) +m4_divert(26)m4_dnl ###-------------------------------------------------------------------------- ### Network layout. -m4_divert(46)m4_dnl -## Networks and routing. - -defiface $if_untrusted \ - untrusted:172.29.198.0/25 -defvpn $if_vpn safe 172.29.199.128/27 \ - crybaby:172.29.199.129 \ - terror:172.29.199.130 -defiface $if_iodine untrusted:172.29.198.128/28 -defiface $if_its_mz safe:172.29.199.160/30 -defiface $if_its_pi safe:192.168.0.0/24 -defiface $if_trusted \ - trusted:172.29.199.0/26 \ - safe:172.29.199.64/27 \ - untrusted:default +## House networks. +defnet dmz trusted + addr 62.49.204.144/28 2001:470:1f09:1b98::/64 + via unsafe untrusted +defnet unsafe trusted + addr 172.29.199.0/25 2001:470:9740:1::/64 + via househub +defnet safe safe + addr 172.29.199.192/27 2001:470:9740:4001::/64 + via househub +defnet untrusted untrusted + addr 172.29.198.0/25 2001:470:9740:8001::/64 + via househub -## Default NTP servers. -ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232" +defnet househub virtual + via housebdry dmz unsafe safe untrusted +defnet housebdry virtual + via househub hub + noxit dmz + +## House hosts. +defhost radius + hosttype router + iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default + iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default + iface eth2 dmz unsafe safe untrusted vpn sgo colobdry + iface eth3 untrusted vpn default + iface ppp0 default + iface t6-he default + iface vpn-precision colobdry vpn sgo + iface vpn-chiark sgo + iface vpn-+ vpn +defhost roadstar + iface eth0 dmz unsafe + iface eth1 dmz unsafe +defhost jem + iface eth0 dmz unsafe + iface eth1 dmz unsafe +defhost artist + hosttype router + iface eth0 dmz unsafe untrusted + iface eth1 dmz unsafe untrusted + iface eth3 untrusted +defhost vampire + hosttype router + iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry + iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry + iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry + iface eth0.7 untrusted + iface vpn-precision colobdry vpn sgo + iface vpn-chiark sgo + iface vpn-+ vpn +defhost ibanez + iface br-dmz dmz unsafe + iface br-unsafe unsafe +defhost orange + iface wlan0 untrusted + iface vpn-radius unsafe + +defhost gibson + hosttype client + iface eth0 unsafe -m4_divert(60)m4_dnl +## Colocated networks. +defnet jump trusted + addr 212.13.198.64/28 2001:ba8:0:1d9::/64 + via colohub +defnet colo trusted + addr 172.29.199.176/28 2001:ba8:1d9:2::/64 + via colohub +defnet colohub virtual + via colobdry jump colo +defnet colobdry virtual + via colohub hub + noxit jump +defnet iodine untrusted + addr 172.29.198.128/28 + via colohub + +## Colocated hosts. +defhost fender + iface br-jump jump colo + iface br-colo jump colo +defhost precision + hosttype router + iface eth0 jump colo vpn sgo + iface eth1 jump colo vpn sgo + iface vpn-mango binswood + iface vpn-radius housebdry vpn sgo + iface vpn-chiark sgo + iface vpn-+ vpn +defhost telecaster + iface eth0 jump colo + iface eth1 jump colo +defhost stratocaster + iface eth0 jump colo + iface eth1 jump colo +defhost jazz + hosttype router + iface eth0 jump colo vpn + iface eth1 jump colo vpn + iface dns0 iodine + iface vpn-+ vpn + +## Other networks. +defnet hub virtual + via housebdry colobdry +defnet sgo noloop + addr !172.29.198.0/23 + addr 10.0.0.0/8 + addr 172.16.0.0/12 + addr 192.168.0.0/16 + via househub colohub +defnet vpn safe + addr 172.29.199.128/27 2001:ba8:1d9:6000::/64 + via househub colohub + host crybaby 1 + host terror 2 + host orange 3 +defnet anycast trusted + addr 172.29.199.224/27 2001:ba8:1d9:0::/64 + via dmz unsafe safe untrusted jump colo vpn +defnet default untrusted + addr 62.49.204.144/28 2001:470:1f09:1b98::/64 + addr 212.13.198.64/28 2001:ba8:0:1d9::/64 + addr 2001:ba8:1d9::/48 #temporary + via dmz unsafe untrusted jump colo + +## Satellite networks. +defnet binswood noloop + addr 10.165.27.0/24 + via colohub + +m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Special forwarding exemptions. -## Allow ping from safe/noloop to untrusted networks. -run iptables -A FORWARD -j ACCEPT \ - -p icmp ! -f --icmp-type echo-request \ - -m mark --mark $to_untrusted/$MASK_TO -run iptables -A FORWARD -j ACCEPT \ - -p icmp ! -f --icmp-type echo-reply \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED -run ip6tables -A FORWARD -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-request \ - -m ipv6header --soft ! --header frag \ - -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A FORWARD -j ACCEPT \ - -p ipv6-icmp --icmpv6-type echo-reply \ - -m ipv6header --soft ! --header frag \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED - -## Allow SSH from safe/noloop to untrusted networks. -run iptables -A FORWARD -j ACCEPT \ - -p tcp ! -f --destination-port $port_ssh \ - -m mark --mark $to_untrusted/$MASK_TO -run iptables -A FORWARD -j ACCEPT \ - -p tcp ! -f --source-port $port_ssh \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED -run ip6tables -A FORWARD -j ACCEPT \ - -p tcp --destination-port $port_ssh \ - -m ipv6header --soft ! --header frag \ - -m mark --mark $to_untrusted/$MASK_TO -run ip6tables -A FORWARD -j ACCEPT \ - -p tcp --source-port $port_ssh \ - -m ipv6header --soft ! --header frag \ - -m mark --mark $from_untrusted/$MASK_FROM \ - -m state --state ESTABLISHED - -m4_divert(60)m4_dnl +case $forward in + 1) + + ## Only allow these packets if they're not fragmented. (Don't trust safe + ## hosts's fragment reassembly to be robust against malicious fragments.) + ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning + ## of `! -f', so we do the negation using early return from a subchain. + clearchain fwd-spec-nofrag + run iptables -A fwd-spec-nofrag -j RETURN --fragment + run ip6tables -A fwd-spec-nofrag -j RETURN \ + -m ipv6header --soft --header frag + run ip46tables -A FORWARD -j fwd-spec-nofrag + + ## Allow ping from safe/noloop to untrusted networks. + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-request \ + -m mark --mark $to_untrusted/$MASK_TO + run iptables -A fwd-spec-nofrag -j ACCEPT \ + -p icmp --icmp-type echo-reply \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p icmpv6 --icmpv6-type echo-request \ + -m mark --mark $to_untrusted/$MASK_TO + run ip6tables -A fwd-spec-nofrag -j ACCEPT \ + -p icmpv6 --icmpv6-type echo-reply \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + + ## Allow SSH from safe/noloop to untrusted networks. + run ip46tables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --destination-port $port_ssh \ + -m mark --mark $to_untrusted/$MASK_TO + run ip46tables -A fwd-spec-nofrag -j ACCEPT \ + -p tcp --source-port $port_ssh \ + -m mark --mark $from_untrusted/$MASK_FROM \ + -m state --state ESTABLISHED + + ;; +esac + +m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Kill things we don't understand properly. ### @@ -104,12 +313,16 @@ m4_divert(60)m4_dnl errorchain poorly-understood REJECT ## Ban multicast destination addresses in forwarding. -run iptables -A FORWARD -g poorly-understood \ - -d 224.0.0.0/4 -run ip6tables -A FORWARD -g poorly-understood \ - -d ff::/8 +case $forward in + 1) + run iptables -A FORWARD -g poorly-understood \ + -d 224.0.0.0/4 + run ip6tables -A FORWARD -g poorly-understood \ + -d ff::/8 + ;; +esac -m4_divert(80)m4_dnl +m4_divert(84)m4_dnl ###-------------------------------------------------------------------------- ### Locally-bound packet inspection. @@ -140,7 +353,7 @@ run ip46tables -A inbound -j forbidden run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound ## Otherwise process as indicated by the mark. -for i in INPUT FORWARD; do +for i in $inchains; do run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT done