numbers.m4, vampire.m4: Serve TFTP to the untrusted network.

Refactor the untrusted-services stuff to make this less grim.

diff --git a/numbers.m4 b/numbers.m4
index 27491ff..e945f3c 100644 (file)
--- a/numbers.m4
+++ b/numbers.m4
@@ -33,6 +33,7 @@ defport smtp 25
 defport dns 53
 defport bootps 67
 defport bootpc 68
+defport tftp 69
 defport finger 79
 defport http 80
 defport ident 113

diff --git a/vampire.m4 b/vampire.m4
index f21009c..e378447 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -67,22 +67,17 @@ allowservices inbound udp \
        gnutella_svc \
        i2p
 
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-         -s 172.29.198.0/24 \
-         -p $p --destination-port $port_dns
-done
+## Extend some services to local untrusted hosts.
+clearchain inbound-untrusted
+run iptables -A inbound -j inbound-untrusted \
+       -s 172.29.198.0/24
 
-## Allow smb and nmb to untrusted hosts.  This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p udp -m multiport --destination-ports \
-               $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
-       -s 172.29.198.0/24 \
-       -p tcp -m multiport --destination-ports \
-               $port_netbios_ssn,$port_microsoft_ds
+allowservices inbound-untrusted tcp \
+       dns \
+       netbios_ssn microsoft_ds
+allowservices inbound-untrusted udp \
+       dns \
+       tftp
 
 ## Provide syslog for evolution.
 run iptables -A inbound -j ACCEPT \