This introduces a new section of the network, which the firewall needs
to classify and filter explicitly. The externally facing DNS server is
actually the iodine daemon, which listens on port 5353; guvnor redirects
inbound port 53 to it. Queries for names outside io.distorted.org.uk are
forwarded on to the usual DNS server listening on port 53.
safe:172.29.199.64/27 \
untrusted:default
defiface $if_untrusted \
- untrusted:172.29.198.0/24
+ untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
crybaby:172.29.199.129
+defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
if_untrusted=eth0
if_trusted=eth0
if_vpn=eth0
+if_iodine=eth0
if_its_mz=its-mz
if_its_pi=its-pi
defport rsync 873
defport squid 3128
defport tripe 4070
+defport iodine 5353
defport postgresql 5432
defport gnutella_svc 6346
defport mpd 6600
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
+if_iodine=dns+
if_its_mz=eth0.0
if_its_pi=eth0.0
## Externally visible services.
allowservices inbound tcp \
finger ident \
- dns \
+ dns iodine \
ssh \
smtp \
gnutella_svc \
allowservices inbound tcp \
tor_public tor_directory
allowservices inbound udp \
- dns \
+ dns iodine \
tripe \
gnutella_svc
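Review bot: Adding `iodine` to the `allowservices inbound tcp` list opens tcp/5353 externally, but as far as I know iodined only ever listens on UDP, so unless something else answers on tcp/5353 this allow is dead exposure and the tcp list should stay as `dns \` with `dns iodine \` only in the udp list. The `dns` allow on port 53 is also still inbound here even though the description says port 53 is now redirected to 5353 by guvnor; worth confirming whether the real server on 53 still needs to be reachable from outside at all, or only from the iodine proxy. Classifying the tunnel's address range as `untrusted` elsewhere in this commit looks like the right call, since anyone who can reach the DNS port and knows the shared tunnel password ends up as a host on that interface. The `allowservices inbound udp` statement may continue past the last line shown here.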