X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/beb4f0eeafb386d83f2593fec489f4291583e08b..06ff80827cd67ab85ee31fc32fc5e740bda9193e:/local.m4

diff --git a/local.m4 b/local.m4
index 69122e2..2d9cacb 100644
--- a/local.m4
+++ b/local.m4
@@ -75,29 +75,29 @@ defnet housebdry virtual
 ## House hosts.
 defhost radius
 	router
-	iface eth0 dmz
-	iface eth1 unsafe
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
 	iface eth2 safe
 	iface eth3 untrusted
 defhost roadstar
-	iface eth0 dmz
-	iface eth1 unsafe
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
 defhost jem
-	iface eth0 dmz
-	iface eth1 unsafe
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
 defhost artist
-	iface eth0 dmz
-	iface eth1 unsafe
+	iface eth0 dmz unsafe
+	iface eth1 dmz unsafe
 defhost vampire
 	router
-	iface eth0.0 dmz
-	iface eth0.1 unsafe
+	iface eth0.0 dmz unsafe
+	iface eth0.1 dmz unsafe
 	iface eth0.3 untrusted
 	iface dns0 dns
 	iface vpn-+ vpn
 	iface vpn-precision colobdry vpn
 defhost ibanez
-	iface br-dmz dmz
+	iface br-dmz dmz unsafe
 	iface br-unsafe unsafe
 
 defhost gibson
@@ -118,23 +118,23 @@ defnet colobdry virtual
 
 ## Colocated hosts.
 defhost fender
-	iface br-jump jump
-	iface br-colo colo
+	iface br-jump jump colo
+	iface br-colo jump colo
 defhost precision
 	router
-	iface eth0 jump
-	iface eth1 colo
+	iface eth0 jump colo
+	iface eth1 jump colo
 	iface vpn-+ vpn
 	iface vpn-vampire housebdry vpn
 defhost telecaster
-	iface eth0 jump
-	iface eth1 colo
+	iface eth0 jump colo
+	iface eth1 jump colo
 defhost stratocaster
-	iface eth0 jump
-	iface eth1 colo
+	iface eth0 jump colo
+	iface eth1 jump colo
 defhost jazz
-	iface eth0 jump
-	iface eth1 colo
+	iface eth0 jump colo
+	iface eth1 jump colo
 
 ## Other networks.
 defnet hub virtual
@@ -148,49 +148,54 @@ m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
-## Only allow these packets if they're not fragmented.  (Don't trust safe
-## hosts's fragment reassembly to be robust against malicious fragments.)
-## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
-## `! -f', so we do the negation using early return from a subchain.
-clearchain fwd-spec-nofrag
-run iptables -A fwd-spec-nofrag -j RETURN --fragment
-run ip6tables -A fwd-spec-nofrag -j RETURN \
-	-m ipv6header --soft --header frag
-run iptables -A FORWARD -j fwd-spec-nofrag
-
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p icmp --icmp-type echo-request \
-	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p icmp --icmp-type echo-reply \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p ipv6-icmp --icmpv6-type echo-request \
-	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p ipv6-icmp --icmpv6-type echo-reply \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --destination-port $port_ssh \
-	-m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --source-port $port_ssh \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --destination-port $port_ssh \
-	-m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-	-p tcp --source-port $port_ssh \
-	-m mark --mark $from_untrusted/$MASK_FROM \
-	-m state --state ESTABLISHED
-
-m4_divert(60)m4_dnl
+case $forward in
+  1)
+
+    ## Only allow these packets if they're not fragmented.  (Don't trust safe
+    ## hosts's fragment reassembly to be robust against malicious fragments.)
+    ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+    ## of `! -f', so we do the negation using early return from a subchain.
+    clearchain fwd-spec-nofrag
+    run iptables -A fwd-spec-nofrag -j RETURN --fragment
+    run ip6tables -A fwd-spec-nofrag -j RETURN \
+	    -m ipv6header --soft --header frag
+    run iptables -A FORWARD -j fwd-spec-nofrag
+
+    ## Allow ping from safe/noloop to untrusted networks.
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p icmp --icmp-type echo-request \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p icmp --icmp-type echo-reply \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p ipv6-icmp --icmpv6-type echo-request \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p ipv6-icmp --icmpv6-type echo-reply \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+
+    ## Allow SSH from safe/noloop to untrusted networks.
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --destination-port $port_ssh \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run iptables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --source-port $port_ssh \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --destination-port $port_ssh \
+	    -m mark --mark $to_untrusted/$MASK_TO
+    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+	    -p tcp --source-port $port_ssh \
+	    -m mark --mark $from_untrusted/$MASK_FROM \
+	    -m state --state ESTABLISHED
+
+    ;;
+esac
+
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
@@ -201,10 +206,14 @@ m4_divert(80)m4_dnl
 errorchain poorly-understood REJECT
 
 ## Ban multicast destination addresses in forwarding.
-run iptables -A FORWARD -g poorly-understood \
-	-d 224.0.0.0/4
-run ip6tables -A FORWARD -g poorly-understood \
-	-d ff::/8
+case $forward in
+  1)
+    run iptables -A FORWARD -g poorly-understood \
+	    -d 224.0.0.0/4
+    run ip6tables -A FORWARD -g poorly-understood \
+	    -d ff::/8
+    ;;
+esac
 
 m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
@@ -228,18 +237,18 @@ run iptables -A inbound -j ACCEPT \
 ## Incoming multicast on a network interface associated with a trusted
 ## network is OK, since it must have originated there (or been forwarded, but
 ## we don't do that yet).
-for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
-  echo $i
-done | {
-  seen=:
-  while read i; do
-    case "$seen" in *:$i:*) continue ;; esac
-    seen=$seen$i:
+seen=:-:
+for net in $allnets; do
+  eval class=\$net_class_$net
+  case $class in trusted) ;; *) continue ;; esac
+  for iface in $(net_interfaces FWHOST $net); do
+    case "$seen" in *:$iface:*) continue ;; esac
+    seen=$seen$iface:
     run iptables -A inbound -j ACCEPT \
 	-s 0.0.0.0 -d 224.0.0.0/24 \
-	-i $i
+	-i $iface
   done
-}
+done
 
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
@@ -253,9 +262,12 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
-  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-done
+run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+case $forward in
+  1)
+    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+    ;;
+esac
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------