X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/5ac64c9b750673e11f9a0f78be88d8658bc2e5e5..a3972fea9c58e172fb2a1c1dc7362ec6a40fa4bd:/radius.m4
diff --git a/radius.m4 b/radius.m4
new file mode 100644
index 0000000..b97f481
--- /dev/null
+++ b/radius.m4
@@ -0,0 +1,66 @@
+### -*-sh-*-
+###
+### Firewall configuration for radius
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=eth1
+if_trusted=eth0
+if_vpn=eth0
+if_iodine=eth0
+if_its_mz=eth0
+if_its_pi=eth0
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### radius-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ dns iodine \
+ ssh
+allowservices inbound udp \
+ dns iodine \
+ tripe
+
+## Provide DNS resolution to local untrusted hosts.
+for p in tcp udp; do
+ run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.0/24 \
+ -p $p --destination-port $port_dns
+done
+
+## Provide syslog for evolution.
+run iptables -A inbound -j ACCEPT \
+ -s 172.29.198.2 \
+ -p udp --destination-port $port_syslog
+
+## Other interesting things.
+dnsresolver inbound
+ntpclient inbound 158.152.1.76 158.152.1.204 194.159.253.2
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
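Review bot: The two source-only ACCEPT rules — the `for p in tcp udp` DNS loop for `172.29.198.0/24` and the syslog rule for `172.29.198.2` — match on `-s` alone with no `-i` interface restriction, so unless the `inbound` chain (defined outside this file) is only reached after anti-spoofing checks elsewhere, a packet arriving on `$if_untrusted` with a forged 172.29.198.x source passes both rules, and the UDP syslog rule in particular is trivially spoofable. I would pin each rule to the interface that actually carries that segment, e.g. `-i $if_untrusted -s 172.29.198.0/24` on the DNS loop and the matching `-i` on the syslog rule, using whichever of the `if_*` variables defined above is correct for 172.29.198.0/24 — the file does not say which. The "Provide DNS resolution to local untrusted hosts" comment is also worth expanding to state whether the Internet-facing `dns` entry in `allowservices inbound udp` is intended to be authoritative only, since `dnsresolver inbound` suggests this host also recurses and a world-reachable recursive resolver is an amplification/abuse vector; something like `## DNS from the Internet is authoritative service only; recursion is allowed only from 172.29.198.0/24 below` if that is the intent. `$port_dns` and `$port_syslog` are not defined in this file, so they presumably come from the shared firewall library.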