~mdw / firewall / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 401b835)
Renumber the diversions.
authorMark Wooding <mdw@distorted.org.uk>
Mon, 5 Mar 2012 22:35:27 +0000 (22:35 +0000)
committerMark Wooding <mdw@distorted.org.uk>
Mon, 5 Mar 2012 23:54:59 +0000 (23:54 +0000)
Move the function definitions together; shift the host interface
definitions near the beginning of the file; and move the local filter
rules later to allow more room for built-in filtering.

14 files changed:
artist.m4 patch | blob | blame | history
base.m4 patch | blob | blame | history
bookends.m4 patch | blob | blame | history
config.m4 patch | blob | blame | history
fender.m4 patch | blob | blame | history
functions.m4 patch | blob | blame | history
gibson.m4 patch | blob | blame | history
ibanez.m4 patch | blob | blame | history
jem.m4 patch | blob | blame | history
local.m4 patch | blob | blame | history
numbers.m4 patch | blob | blame | history
radius.m4 patch | blob | blame | history
roadstar.m4 patch | blob | blame | history
vampire.m4 patch | blob | blame | history

diff --git a/artist.m4 b/artist.m4
index 1f97e73..24a4a1c 100644 (file)
--- a/artist.m4
+++ b/artist.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### artist-specific rules.
 
 ###--------------------------------------------------------------------------
 ### artist-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/base.m4 b/base.m4
index 3a0172d..8968025 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -29,24 +29,29 @@ m4_changecom(<:##:>)
 ### Overall structure.
 ###
 ###  0 File header: shebang, do-not-edit warning.              [base]
 ### Overall structure.
 ###
 ###  0 File header: shebang, do-not-edit warning.              [base]
-###  5 Configuration.                                          [config]
+###  4 Configuration.                                          [config]
+###  6   Local settings.                                       [local]
 ### 10 Prologue: command-line parsing and failsafe.            [prologue]
 ### 20 Function definitions.                                   [functions]
 ### 10 Prologue: command-line parsing and failsafe.            [prologue]
 ### 20 Function definitions.                                   [functions]
-### 25 Port numbers etc.                                       [numbers]
+### 24 Port numbers etc.                                       [numbers]
+### 26 Networks, hosts and interfaces.                         [local]
 ### 30 Initialization.                                         [bookends]
 ### 30   Clear existing rules.                                 [bookends]
 ### 32   Set safe IP options.                                  [bookends]
 ### 34   Error chains.                                         [bookends]
 ### 30 Initialization.                                         [bookends]
 ### 30   Clear existing rules.                                 [bookends]
 ### 32   Set safe IP options.                                  [bookends]
 ### 34   Error chains.                                         [bookends]
-### 36   Give loopback traffic a free pass.                    [bookends]
 ### 38   Utility chains.                                       [functions]
 ### 40 Address classification.                                 [classify]
 ### 42   Definition of address class policies.                 [local]
 ### 44   Definition of interfaces and addresses.               [local]
 ### 46   Handling of default interface.                        [classify]
 ### 38   Utility chains.                                       [functions]
 ### 40 Address classification.                                 [classify]
 ### 42   Definition of address class policies.                 [local]
 ### 44   Definition of interfaces and addresses.               [local]
 ### 46   Handling of default interface.                        [classify]
-### 50 ICMP filtering.                                         [icmp]
-### 52   Local configuration.                                  [local]
-### 58   Finally accept ICMP, hook onto INPUT and FORWARD.     [icmp]
-### 60 Local configuration.                                    [local]
+### 50 Packet filter.                                          [bookends]
+### 60 ICMP filtering.                                         [icmp]
+### 62   Local configuration.                                  [local]
+### 68   Finally accept ICMP, hook onto INPUT and FORWARD.     [icmp]
+### 80 Local configuration.                                    [local]
+### 84   Locally bound packet inspection.                      [local]
+### 86   Per-host configuration.                               [HOST]
+### 88   Final filtering.                                      [local]
 ### 90 Finishing touches.                                      [bookends]
 ### 94   Set final policies.                                   [bookends]
 ### 99 File footer: do-not-edit warning.                       [base]
 ### 90 Finishing touches.                                      [bookends]
 ### 94   Set final policies.                                   [bookends]
 ### 99 File footer: do-not-edit warning.                       [base]
diff --git a/bookends.m4 b/bookends.m4
index b29047b..38b4e91 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -164,7 +164,7 @@ errorchain bad-destination-address REJECT
 errorchain interesting ACCEPT
 ## Not an error, just log interesting packets.
 
 errorchain interesting ACCEPT
 ## Not an error, just log interesting packets.
 
-m4_divert(36)m4_dnl
+m4_divert(50)m4_dnl
 ###--------------------------------------------------------------------------
 ### Standard filtering.
 
 ###--------------------------------------------------------------------------
 ### Standard filtering.
 
diff --git a/config.m4 b/config.m4
index 6756452..4b059df 100644 (file)
--- a/config.m4
+++ b/config.m4
@@ -21,7 +21,7 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-m4_divert(5)m4_dnl
+m4_divert(4)m4_dnl
 ###--------------------------------------------------------------------------
 ### Configuration.
 
 ###--------------------------------------------------------------------------
 ### Configuration.
 
diff --git a/fender.m4 b/fender.m4
index ea0fb32..6161bd6 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_untrusted=eth0
 if_dmz=$if_untrusted
 ## Interface definitions.
 if_untrusted=eth0
 if_dmz=$if_untrusted
diff --git a/functions.m4 b/functions.m4
index 05decbf..555072e 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -62,7 +62,7 @@ m4_divert(38)m4_dnl
 ###--------------------------------------------------------------------------
 ### Utility chains (used by function definitions).
 
 ###--------------------------------------------------------------------------
 ### Utility chains (used by function definitions).
 
-m4_divert(22)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
 
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
 
@@ -122,7 +122,7 @@ errorchain () {
   run ip46tables -t $table -A $chain -j DROP
 }
 
   run ip46tables -t $table -A $chain -j DROP
 }
 
-m4_divert(24)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic option setting.
 
 ###--------------------------------------------------------------------------
 ### Basic option setting.
 
@@ -178,7 +178,7 @@ setdevopt () {
   done
 }
 
   done
 }
 
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet filter construction.
 
 ###--------------------------------------------------------------------------
 ### Packet filter construction.
 
@@ -219,7 +219,7 @@ run ip6tables -A accept-non-init-frag -j RETURN \
        -m frag --fragfirst
 run ip6tables -A accept-non-init-frag -j ACCEPT
 
        -m frag --fragfirst
 run ip6tables -A accept-non-init-frag -j ACCEPT
 
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
@@ -306,7 +306,7 @@ openports () {
   run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
 
   run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
 
-m4_divert(28)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet classification.
 
 ###--------------------------------------------------------------------------
 ### Packet classification.
 
diff --git a/gibson.m4 b/gibson.m4
index 1676153..22bfe57 100644 (file)
--- a/gibson.m4
+++ b/gibson.m4
@@ -30,7 +30,7 @@ setconf(forward, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_trusted=eth0
 if_dmz=$if_trusted
 ## Interface definitions.
 if_trusted=eth0
 if_dmz=$if_trusted
@@ -45,7 +45,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### gibson-specific rules.
 
 ###--------------------------------------------------------------------------
 ### gibson-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/ibanez.m4 b/ibanez.m4
index 2ec2c1c..b2c158e 100644 (file)
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=br-dmz
 if_trusted=br-unsafe
 ## Interface definitions.
 if_dmz=br-dmz
 if_trusted=br-unsafe
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### ibanez-specific rules.
 
 ###--------------------------------------------------------------------------
 ### ibanez-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/jem.m4 b/jem.m4
index c91a104..1f74d59 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
 
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
 ## isn't a completely critical part of the firewall security, so don't make
 ## this fail the entire script.
 ## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
 ## isn't a completely critical part of the firewall security, so don't make
 ## this fail the entire script.
diff --git a/local.m4 b/local.m4
index 2d880b9..399e69c 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -30,14 +30,14 @@ defnetclass untrusted untrusted trusted
 defnetclass trusted untrusted trusted safe noloop
 defnetclass safe trusted safe noloop
 defnetclass noloop trusted safe
 defnetclass trusted untrusted trusted safe noloop
 defnetclass safe trusted safe noloop
 defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+m4_divert(-1)
 
 
+m4_divert(26)m4_dnl
 ###--------------------------------------------------------------------------
 ### Network layout.
 
 ###--------------------------------------------------------------------------
 ### Network layout.
 
-m4_divert(46)m4_dnl
-## Networks and routing.
-
+m4_divert(44)m4_dnl
+## Network definitions.
 defiface $if_dmz \
        trusted:62.49.204.144/28 \
        trusted:172.29.199.0/25 \
 defiface $if_dmz \
        trusted:62.49.204.144/28 \
        trusted:172.29.199.0/25 \
@@ -58,7 +58,7 @@ defiface $if_its_pi safe:192.168.0.0/24
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
 
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
 
-m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
@@ -105,6 +105,7 @@ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -m state --state ESTABLISHED
 
 m4_divert(60)m4_dnl
        -m state --state ESTABLISHED
 
 m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
 ###
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
 ###
@@ -119,7 +120,7 @@ run iptables -A FORWARD -g poorly-understood \
 run ip6tables -A FORWARD -g poorly-understood \
        -d ff::/8
 
 run ip6tables -A FORWARD -g poorly-understood \
        -d ff::/8
 
-m4_divert(80)m4_dnl
+m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
 
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
 
diff --git a/numbers.m4 b/numbers.m4
index ec86266..d5ab0c1 100644 (file)
--- a/numbers.m4
+++ b/numbers.m4
@@ -21,7 +21,7 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-m4_divert(25)m4_dnl
+m4_divert(24)m4_dnl
 ###--------------------------------------------------------------------------
 ### Magic numbers.
 
 ###--------------------------------------------------------------------------
 ### Magic numbers.
 
diff --git a/radius.m4 b/radius.m4
index 029d9f1..75a7700 100644 (file)
--- a/radius.m4
+++ b/radius.m4
@@ -31,7 +31,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -46,7 +46,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### radius-specific rules.
 
 ###--------------------------------------------------------------------------
 ### radius-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ident \
 ## Externally visible services.
 allowservices inbound tcp \
        ident \
diff --git a/roadstar.m4 b/roadstar.m4
index b2e3301..0269caa 100644 (file)
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### roadstar-specific rules.
 
 ###--------------------------------------------------------------------------
 ### roadstar-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/vampire.m4 b/vampire.m4
index e378447..8e9bb6a 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -31,7 +31,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0.0
 if_trusted=eth0.1
 ## Interface definitions.
 if_dmz=eth0.0
 if_trusted=eth0.1
@@ -46,7 +46,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
 
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        finger ident \
 ## Externally visible services.
 allowservices inbound tcp \
        finger ident \
Firewall scripts for distorted.org.uk.