X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/8b021091932977b8bae420b7845369018e301451..183dccdc8d5a96039eb838f5afe3bcc82c24d781:/local.m4
diff --git a/local.m4 b/local.m4
index f373e3f..0705fb2 100644
--- a/local.m4
+++ b/local.m4
@@ -35,10 +35,12 @@ m4_divert(-1)
 
 ## Define the available network classes.
 m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted trusted mcast
+defnetclass trusted untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
+defnetclass link
+defnetclass mcast
 m4_divert(-1)
 
 m4_divert(26)m4_dnl
@@ -74,7 +76,7 @@ defnet housebdry virtual
 
 ## House hosts.
 defhost radius
-	router
+	hosttype router
 	iface eth0 dmz unsafe safe
 	iface eth1 dmz unsafe safe
 	iface eth2 safe
@@ -89,19 +91,21 @@ defhost artist
 	iface eth0 dmz unsafe
 	iface eth1 dmz unsafe
 defhost vampire
-	router
-	iface eth0.0 dmz unsafe safe
-	iface eth0.1 dmz unsafe safe
+	hosttype router
+	iface eth0.0 dmz unsafe safe default
+	iface eth0.1 dmz unsafe safe default
 	iface eth0.2 safe
-	iface eth0.3 untrusted
+	iface eth0.3 untrusted default
 	iface dns0 dns
 	iface vpn-+ vpn
 	iface vpn-precision colobdry vpn
+	iface t6-he default
 defhost ibanez
 	iface br-dmz dmz unsafe
 	iface br-unsafe unsafe
 defhost gibson
+	hosttype client
 	iface eth0 unsafe
 
 ## Colocated networks.
@@ -122,7 +126,7 @@ defhost fender
 	iface br-jump jump colo
 	iface br-colo jump colo
 defhost precision
-	router
+	hosttype router
 	iface eth0 jump colo
 	iface eth1 jump colo
 	iface vpn-+ vpn
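Review bot: The two new classes `link` and `mcast` are declared with an empty class list, and nothing in the defnetclass hunk says what networks they stand for or why `mcast` is appended to every existing class, `untrusted` included. The only other multicast policy visible in this commit is the trusted-interface-only inbound multicast ACCEPT that the last hunk deletes, so a reader cannot tell from local.m4 whether multicast reachability from untrusted networks was meant to widen. A comment above the block would settle it, e.g. `## `link' and `mcast' have no class list of their own; `mcast' appears in every other class's list on purpose.` Which side of the forwarding relation a class list expresses is defined by defnetclass outside this diff, so treat the reachability reading as inferred.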
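Review bot: After the `router` → `hosttype router` change on radius here, and the same change on vampire and precision in the two hunks below, only gibson (`hosttype client`) of the remaining hosts declares a hosttype; artist, ibanez and fender declare none. Whether an undeclared hosttype means "client" or something else is decided by defhost outside this diff, so either give every host an explicit `hosttype` line or add a comment under `## House hosts.` stating the default, e.g. `## Hosts without a hosttype line are treated as <DEFAULT-HOSTTYPE -- confirm>.`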
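Review bot: The added `iface t6-he default` line names no network class, unlike every other iface line in the vampire block, where `default` follows one or more class names; if `default` is a per-interface flag rather than a network, t6-he is an interface that belongs to no network, and how the generated rules treat such an interface is not visible here. The same token is also put on `eth0.3 untrusted`, so the flag's meaning matters for the untrusted side too. A comment before `defhost vampire` giving the meaning of `default` and confirming that t6-he is intentionally in no network class would make this hunk self-explanatory; the iface and hosttype keywords themselves are defined outside this diff.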
@@ -161,7 +165,7 @@ case $forward in
 run iptables -A fwd-spec-nofrag -j RETURN --fragment
 run ip6tables -A fwd-spec-nofrag -j RETURN \
 	-m ipv6header --soft --header frag
-run iptables -A FORWARD -j fwd-spec-nofrag
+run ip46tables -A FORWARD -j fwd-spec-nofrag
 
 ## Allow ping from safe/noloop to untrusted networks.
 run iptables -A fwd-spec-nofrag -j ACCEPT \
@@ -236,22 +240,6 @@ run iptables -A inbound -j ACCEPT \
 	-s 172.29.198.0/23 \
 	-p udp --source-port $port_bootpc --destination-port $port_bootps
 
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-seen=:-:
-for net in $allnets; do
-	eval class=\$net_class_$net
-	case $class in trusted) ;; *) continue ;; esac
-	for iface in $(net_interfaces FWHOST $net); do
-		case "$seen" in *:$iface:*) continue ;; esac
-		seen=$seen$iface:
-		run iptables -A inbound -j ACCEPT \
-			-s 0.0.0.0 -d 224.0.0.0/24 \
-			-i $iface
-	done
-done
-
 ## Allow incoming ping. This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
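Review bot: Switching the FORWARD jump to `ip46tables` sends IPv6 forwarded traffic into fwd-spec-nofrag, but the only IPv6 rule visible in that chain is the `-m ipv6header --soft --header frag` RETURN, and the ACCEPT that follows the hunk (`run iptables -A fwd-spec-nofrag -j ACCEPT`) is IPv4-only; what an IPv6 packet hits after the fragment RETURN, and whether the chain itself was created on both stacks (`-N fwd-spec-nofrag` via ip46tables), lies outside this hunk and is inferred. A comment on the new line would make the intent checkable, e.g. `## Both stacks jump here; on the v6 side only the fragment RETURN above applies so far.` The enclosing `case $forward in` starts before the hunk.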