local.m4: Allow dmz/jump packets on unsafe/colo networks and vice versa.

The routing asymmetry is too grim otherwise.  Consider:

  * ibanez and vampire are both on dmz and unsafe;

  * vampire is a router on dmz, unsafe, and vpn, while ibanez is not a
    router;

  * crybaby is on vpn;

  * crybaby attempts to connect to ibanez.dmz.

Now ibanez will respond with its dmz address as the source, and
crybaby's vpn address as the destination.  Based on the destination, it
will choose to route the packet over the unsafe network.  We must
therefore let vampire know that this is a possibility.

Similarly, ibanez must be prepared to allow packets from unsafe
on its dmz interface because it's not a router: hence, to reach their
destination, they'll have to be pushed over dmz by a router.

It's therefore inevitable that we must abandon separation between these
two networks (or start fiddling with policy routing, which just seems
like more pain than it's worth).

diff --git a/local.m4 b/local.m4
index 36f76b3..0a1617f 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -75,23 +75,23 @@ defnet housebdry virtual
 ## House hosts.
 defhost radius
        router
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
        iface eth2 safe
        iface eth3 untrusted
 defhost roadstar
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
 defhost jem
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
 defhost artist
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
 defhost vampire
        router
-       iface eth0.0 dmz
-       iface eth0.1 unsafe
+       iface eth0.0 dmz unsafe
+       iface eth0.1 dmz unsafe
        iface eth0.3 untrusted
        iface dns0 dns
        iface vpn-+ vpn
@@ -118,23 +118,23 @@ defnet colobdry virtual
 
 ## Colocated hosts.
 defhost fender
-       iface br-jump jump
-       iface br-colo colo
+       iface br-jump jump colo
+       iface br-colo jump colo
 defhost precision
        router
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
        iface vpn-+ vpn
        iface vpn-vampire housebdry vpn
 defhost telecaster
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
 defhost stratocaster
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
 defhost jazz
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
 
 ## Other networks.
 defnet hub virtual