X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/2dc8f4afde72f1fc1ea3f64135b36af9ee42e3e9..0f6364ac757bbdd02fe0e1577edebc2bd6198221:/vampire.m4

diff --git a/vampire.m4 b/vampire.m4
index 05a3293..f6f5d46 100644
--- a/vampire.m4
+++ b/vampire.m4
@@ -1,4 +1,4 @@
-### -*-m4-*-
+### -*-sh-*-
 ###
 ### Firewall configuration for vampire
 ###
@@ -29,6 +29,7 @@ m4_divert(44)m4_dnl
 if_untrusted=eth0.1
 if_trusted=eth0.0
 if_vpn=vpn-+
+if_iodine=dns+
 if_its_mz=eth0.0
 if_its_pi=eth0.0
 
@@ -36,35 +37,26 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
 
-m4_divert(35)m4_dnl
-errorchain ddos-evil-dns DROP
-## Invalid DNS request with probably-forged sender address, with intent to
-## cause DDOS.
-
 m4_divert(82)m4_dnl
-## Repelling evil DDos attack.
-run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -g ddos-evil-dns \
-	-m set --set ddos-evil-dns src \
-	-p udp --destination-port $port_dns
-
 ## Externally visible services.
 allowservices inbound tcp \
 	finger ident \
-	dns \
+	dns iodine \
 	ssh \
-	smtp \
+	smtp submission \
 	gnutella_svc \
 	ftp ftp_data \
 	rsync \
-	http https \
-	git	
-allowservices inbound tcp \
-	tor_public tor_directory
+	imaps \
+	disorder mpd \
+	http https squid \
+	git \
+	tor_public tor_directory i2p
 allowservices inbound udp \
-	dns \
+	dns iodine \
 	tripe \
-	gnutella_svc
+	gnutella_svc \
+	i2p
 
 ## Provide DNS resolution to local untrusted hosts.
 for p in tcp udp; do
@@ -73,23 +65,28 @@ for p in tcp udp; do
 	  -p $p --destination-port $port_dns
 done
 
+## Allow smb and nmb to untrusted hosts.  This is a bit experimental.
+run iptables -A inbound -j ACCEPT \
+	-s 172.29.198.0/24 \
+	-p udp -m multiport --destination-ports \
+		$port_netbios_ns,$port_netbios_dgm
+run iptables -A inbound -j ACCEPT \
+	-s 172.29.198.0/24 \
+	-p tcp -m multiport --destination-ports \
+		$port_netbios_ssn,$port_microsoft_ds
+
 ## Provide syslog for evolution.
 run iptables -A inbound -j ACCEPT \
 	-s 172.29.198.2 \
 	-p udp --destination-port $port_syslog
 
-## Provide a web cache to local untrusted hosts.
-run iptables -A inbound -j ACCEPT \
-	-s 172.29.198.0/24 \
-	-p tcp --destination-port $port_squid
-
 ## Watch outgoing Tor usage.
 run iptables -A OUTPUT -m multiport \
 	-p tcp --source-ports $port_tor_public,$port_tor_directory
 
 ## Other interesting things.
 dnsresolver inbound
-ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
+ntpclient inbound $ntp_servers
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------