### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-## This host is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### artist-specific rules.
m4_divert(84)m4_dnl
## Set forwarding options. Apparently setting ip_forward clobbers other
## settings, so put this first.
+case $host_type_<::>FWHOST in
+ router) forward=1 ;;
+ *) forward=0 ;;
+esac
setopt ip_forward $forward
setdevopt forwarding $forward
fi
fi
-## Turn on the reverse-path filter, and log weird things.
-setdevopt rp_filter $rp_filter
-setdevopt log_martians $log_martians
+## Turn off the reverse-path filter. It's basically useless: the filter does
+## nothing at all for single-homed hosts; and multi-homed hosts tend to have
+## routing aysmmetries if there's any kind of cycle.
+setdevopt rp_filter 0
+setdevopt log_martians 0
## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
-d ::1
## We shouldn't be asked to forward things with link-local addresses.
-run iptables -A FORWARD -g bad-source-address \
- -s 169.254.0.0/16
-run iptables -A FORWARD -g bad-destination-address \
- -d 169.254.0.0/16
-run ip6tables -A FORWARD -g bad-source-address \
- -s fe80::/10
-run ip6tables -A FORWARD -g bad-destination-address \
- -d fe80::/10
+case $forward in
+ 1)
+ run iptables -A FORWARD -g bad-source-address \
+ -s 169.254.0.0/16
+ run iptables -A FORWARD -g bad-destination-address \
+ -d 169.254.0.0/16
+ run ip6tables -A FORWARD -g bad-source-address \
+ -s fe80::/10
+ run ip6tables -A FORWARD -g bad-destination-address \
+ -d fe80::/10
+ ;;
+esac
## Also, don't forward link-local broadcast or multicast.
-run iptables -A FORWARD -g bad-destination-address \
- -d 255.255.255.255
-run iptables -A FORWARD -g bad-destination-address \
- -m addrtype --dst-type BROADCAST
-run iptables -A FORWARD -g bad-destination-address \
- -d 224.0.0.0/24
-for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
- run ip6tables -A FORWARD -g bad-destination-address \
- -d fe${x}2::/16
-done
+case $forward in
+ 1)
+ run iptables -A FORWARD -g bad-destination-address \
+ -d 255.255.255.255
+ run iptables -A FORWARD -g bad-destination-address \
+ -m addrtype --dst-type BROADCAST
+ run iptables -A FORWARD -g bad-destination-address \
+ -d 224.0.0.0/24
+ for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+ run ip6tables -A FORWARD -g bad-destination-address \
+ -d fe${x}2::/16
+ done
+ ;;
+esac
## Add a hook for fail2ban.
clearchain fail2ban
## Which chains to preserve.
defconf(preserve_chains, )
-## Whether to permit forwarding.
-defconf(forward, 1)
-
-## Whether to turn on the reverse-path filter.
-defconf(rp_filter, 1)
-
-## Whether to turn on logging of martian packets.
-defconf(log_martians, 1)
-
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
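Review bot: When `$forward` is anything other than 1, the FORWARD chain now receives none of the bad-source/bad-destination link-local guards or the broadcast/multicast rejections, and the same holds for the poorly-understood rejections and the final mark-based ACCEPT in the later hunk (the `case $forward` blocks just before `m4_divert(84)m4_dnl` and before the closing `m4_divert(-1)`); that is only safe if the chain's default policy is DROP independently of `$forward`, which this diff does not show. If the policy is not pinned elsewhere, a second arm on the first of these blocks, `*) run ip46tables -P FORWARD DROP ;;`, would keep a non-router fail-closed even if some other component later turns ip_forward back on. The selector `case $host_type_<::>FWHOST in` is unquoted; `case "$host_type_<::>FWHOST" in` reads more clearly and behaves the same when the variable is unset, which already falls through to `forward=0`. The `if` blocks closed by the two `fi` lines after `setdevopt forwarding $forward` begin outside the hunk. The new rp_filter comment has a typo: `routing aysmmetries` should read `routing asymmetries`.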
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-## This host is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### fender-specific rules.
m4_divert(82)m4_dnl
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-###--------------------------------------------------------------------------
### gibson-specific rules.
m4_divert(84)m4_dnl
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-## This host is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### ibanez-specific rules.
m4_divert(84)m4_dnl
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-## This host is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### jem-specific rules.
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-## Only allow these packets if they're not fragmented. (Don't trust safe
-## hosts's fragment reassembly to be robust against malicious fragments.)
-## There's a hideous bug in iptables 1.4.11.1 which botches the meaning of
-## `! -f', so we do the negation using early return from a subchain.
-clearchain fwd-spec-nofrag
-run iptables -A fwd-spec-nofrag -j RETURN --fragment
-run ip6tables -A fwd-spec-nofrag -j RETURN \
- -m ipv6header --soft --header frag
-run iptables -A FORWARD -j fwd-spec-nofrag
-
-## Allow ping from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p icmp --icmp-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p icmp --icmp-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-request \
- -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p ipv6-icmp --icmpv6-type echo-reply \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-## Allow SSH from safe/noloop to untrusted networks.
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
-run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-m4_divert(60)m4_dnl
+case $forward in
+ 1)
+
+ ## Only allow these packets if they're not fragmented. (Don't trust safe
+ ## hosts's fragment reassembly to be robust against malicious fragments.)
+ ## There's a hideous bug in iptables 1.4.11.1 which botches the meaning
+ ## of `! -f', so we do the negation using early return from a subchain.
+ clearchain fwd-spec-nofrag
+ run iptables -A fwd-spec-nofrag -j RETURN --fragment
+ run ip6tables -A fwd-spec-nofrag -j RETURN \
+ -m ipv6header --soft --header frag
+ run iptables -A FORWARD -j fwd-spec-nofrag
+
+ ## Allow ping from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p icmp --icmp-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p ipv6-icmp --icmpv6-type echo-request \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p ipv6-icmp --icmpv6-type echo-reply \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ## Allow SSH from safe/noloop to untrusted networks.
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run iptables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --destination-port $port_ssh \
+ -m mark --mark $to_untrusted/$MASK_TO
+ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ -p tcp --source-port $port_ssh \
+ -m mark --mark $from_untrusted/$MASK_FROM \
+ -m state --state ESTABLISHED
+
+ ;;
+esac
+
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
errorchain poorly-understood REJECT
## Ban multicast destination addresses in forwarding.
-run iptables -A FORWARD -g poorly-understood \
- -d 224.0.0.0/4
-run ip6tables -A FORWARD -g poorly-understood \
- -d ff::/8
+case $forward in
+ 1)
+ run iptables -A FORWARD -g poorly-understood \
+ -d 224.0.0.0/4
+ run ip6tables -A FORWARD -g poorly-understood \
+ -d ff::/8
+ ;;
+esac
m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Otherwise process as indicated by the mark.
-for i in INPUT FORWARD; do
- run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-done
+run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+ ;;
+esac
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This router is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### radius-specific rules.
m4_divert(84)m4_dnl
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This host isn't a router.
-setconf(forward, 0)
-
-## This host is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### roadstar-specific rules.
m4_divert(84)m4_dnl
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### Config settings.
-
-## This router is involved in a routing asymmetry.
-setconf(rp_filter, 0)
-setconf(log_martians, 0)
-
-###--------------------------------------------------------------------------
### vampire-specific rules.
m4_divert(86)m4_dnl