We now have a globally routable /28. Use this as the DMZ and the
network backbone. The main servers (ibanez, radius, roadstar, jem,
artist and vampire) are on both the DMZ and the unsafe network.
radius is now the main internal router, though vampire is still on
several networks because it provides DHCP and DNS services.
This new configuration makes essential use of the ability (added to
defiface) to accept multiple interface names by setting lists of names
into the interface variables if_FOO.
There's another aspect of the routing complexity which we must address
here: multicasts can arrive on any of several trusted networks, and we
should accept them all. (We must cope with interface name lists in the
interface variables here, and deduplicate.)
## This host isn't a router.
setconf(forward, 0)
## This host isn't a router.
setconf(forward, 0)
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(44)m4_dnl
## Interface definitions.
m4_divert(44)m4_dnl
## Interface definitions.
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=$if_trusted
+if_safe=$if_dmz
+if_untrusted=$if_dmz
+if_vpn=$if_dmz
+if_iodine=$if_dmz
+if_its_mz=$if_dmz
+if_its_pi=$if_dmz
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------
## This host isn't a router.
setconf(forward, 0)
## This host isn't a router.
setconf(forward, 0)
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=br0
-if_trusted=br0
-if_vpn=br0
-if_iodine=br0
-if_its_mz=br0
-if_its_pi=br0
+if_dmz=br-dmz
+if_trusted=br-unsafe
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------
## This host isn't a router.
setconf(forward, 0)
## This host isn't a router.
setconf(forward, 0)
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(46)m4_dnl
## Networks and routing.
m4_divert(46)m4_dnl
## Networks and routing.
+defiface $if_dmz \
+ trusted:62.49.204.144/28 \
+ trusted:172.29.199.0/25 \
+ untrusted:default
+defiface $if_trusted \
+ trusted:172.29.199.0/25 \
+ untrusted:default
+defiface $if_safe safe:172.29.199.192/26
defiface $if_untrusted \
untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
defiface $if_untrusted \
untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
-defiface $if_trusted \
- trusted:172.29.199.0/26 \
- safe:172.29.199.64/27 \
- untrusted:default
## Default NTP servers.
ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
## Default NTP servers.
ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-s 172.29.198.0/23 \
-p udp --source-port $port_bootpc --destination-port $port_bootps
-## Incoming broadcast multicast on a network interface associated with the
-## trusted network is OK, since it must have originated there (or been
-## forwarded, but we don't do that yet).
-run iptables -A inbound -j ACCEPT \
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
+ echo $i
+done | {
+ seen=:
+ while read i; do
+ case "$seen" in *:$i:*) continue ;; esac
+ seen=$seen$i:
+ run iptables -A inbound -j ACCEPT \
-s 0.0.0.0 -d 224.0.0.0/24 \
-s 0.0.0.0 -d 224.0.0.0/24 \
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
## Allow incoming ping. This is the only ICMP left.
run ip46tables -A inbound -j ACCEPT -p icmp
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
+### Config settings.
+
+## This router is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
+###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=eth1
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=eth2
+if_untrusted=eth3
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------
## This host isn't a router.
setconf(forward, 0)
## This host isn't a router.
setconf(forward, 0)
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
+### Config settings.
+
+## This router is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
+###--------------------------------------------------------------------------
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
### Network interfaces.
m4_divert(44)m4_dnl
## Interface definitions.
-if_untrusted=eth0.1
-if_trusted=eth0.0
+if_dmz=eth0.0
+if_trusted=eth0.1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=eth0.3
if_vpn=vpn-+
if_iodine=dns+
if_vpn=vpn-+
if_iodine=dns+
-if_its_mz=eth0.0
-if_its_pi=eth0.0
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
m4_divert(-1)
###--------------------------------------------------------------------------
m4_divert(-1)
###--------------------------------------------------------------------------