From: Mark Wooding
Date: Sun, 10 Jul 2011 20:57:12 +0000 (+0100)
Subject: Major network restructuring.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/08926d25f80fecabb4ef2b3f1e63b3a361ecdb59

Major network restructuring.

We now have a globally routable /28. Use this as the DMZ and the network backbone. The main servers (ibanez, radius, roadstar, jem, artist and vampire) are on both the DMZ and the unsafe network. radius is now the main internal router, though vampire is still on several networks because it provides DHCP and DNS services.

This new configuration makes essential use of the ability (added to defiface) to accept multiple interface names by setting lists of names into the interface variables if_FOO.

There's another aspect of the routing complexity which we must address here: multicasts can arrive on any of several trusted networks, and we should accept them all. (We must cope with interface name lists in the interface variables here, and deduplicate.)
---
diff --git a/artist.m4 b/artist.m4
index 19394ee..d2ff17d 100644
--- a/artist.m4
+++ b/artist.m4
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
diff --git a/gibson.m4 b/gibson.m4
index c49c36a..d363b2b 100644
--- a/gibson.m4
+++ b/gibson.m4
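Review bot: `setconf(rp_filter, 0)` switches off reverse-path filtering on a host that now has one leg on the globally routable DMZ (eth0) and one on the internal network (eth1), so the kernel will no longer drop a packet arriving on eth0 whose source is an internal 172.29.199.0/25 address; anti-spoofing then rests entirely on whatever rules defiface emits from local.m4 or on upstream ingress filtering, neither of which this hunk shows. On kernels that support loose mode, `setconf(rp_filter, 2)` accepts a packet whenever its source is reachable through any interface, which is normally enough for the two-interface asymmetry the comment alludes to while still rejecting sources with no route at all. Turning off `log_martians` at the same time removes the one cheap indicator that spoofed or misrouted traffic is arriving, and is worth leaving at 1 until the new layout has settled. The comment would also be more useful if it named the asymmetry, e.g. `## Not a router, but traffic for this host may arrive on eth0 and leave via eth1, so strict reverse-path filtering would drop legitimate packets.` if that is indeed the case.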
@@ -32,12 +32,14 @@ setconf(forward, 0)
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
 if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=$if_trusted
+if_safe=$if_dmz
+if_untrusted=$if_dmz
+if_vpn=$if_dmz
+if_iodine=$if_dmz
+if_its_mz=$if_dmz
+if_its_pi=$if_dmz
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
diff --git a/ibanez.m4 b/ibanez.m4
index 384bd17..c8083e9 100644
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=br0
-if_trusted=br0
-if_vpn=br0
-if_iodine=br0
-if_its_mz=br0
-if_its_pi=br0
+if_dmz=br-dmz
+if_trusted=br-unsafe
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
diff --git a/jem.m4 b/jem.m4
index f9922c9..c877300 100644
--- a/jem.m4
+++ b/jem.m4
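Review bot: `if_trusted=br-unsafe` binds the zone this firewall calls "trusted" to a bridge named "unsafe", and nothing in ibanez.m4 explains the inversion; the commit message does, by calling the internal network "the unsafe network", but that text does not travel with the file. A later reader is likely to "fix" the two assignments by swapping them, which would put the internal network's rules on the DMZ bridge. A one-line comment on the assignment would prevent that, e.g. `## br-unsafe carries the internal network (historically "unsafe"); this firewall classes it as trusted, br-dmz is the routable /28.`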
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
diff --git a/local.m4 b/local.m4
index f6b5f46..2d880b9 100644
--- a/local.m4
+++ b/local.m4
@@ -38,6 +38,14 @@ m4_divert(-1)m4_dnl
 
 m4_divert(46)m4_dnl
 ## Networks and routing.
+defiface $if_dmz \
+	trusted:62.49.204.144/28 \
+	trusted:172.29.199.0/25 \
+	untrusted:default
+defiface $if_trusted \
+	trusted:172.29.199.0/25 \
+	untrusted:default
+defiface $if_safe safe:172.29.199.192/26
 defiface $if_untrusted \
 	untrusted:172.29.198.0/25
 defvpn $if_vpn safe 172.29.199.128/27 \
@@ -46,10 +54,6 @@ defvpn $if_vpn safe 172.29.199.128/27 \
 defiface $if_iodine untrusted:172.29.198.128/28
 defiface $if_its_mz safe:172.29.199.160/30
 defiface $if_its_pi safe:192.168.0.0/24
-defiface $if_trusted \
-	trusted:172.29.199.0/26 \
-	safe:172.29.199.64/27 \
-	untrusted:default
 
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
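Review bot: The new `defiface $if_dmz` block classes 172.29.199.0/25 as trusted on the globally routable /28 interface as well as on $if_trusted, so a packet that reaches the DMZ from the upstream side with a forged 172.29.199.x source is treated as trusted unless the rules defiface generates (outside this diff) bind that source to a specific interface or the border router applies ingress filtering; the same commit disables rp_filter on these hosts, so the kernel will not catch it either. Separately, 172.29.199.64/27, which the removed `defiface $if_trusted` block classed `safe:`, now falls inside `trusted:172.29.199.0/25`, so any host still numbered there is quietly promoted from safe to trusted; if that block has been renumbered into the new `safe:172.29.199.192/26` this is fine, but it deserves a note such as `## The former safe range 172.29.199.64/27 is now inside the trusted /25; safe hosts live in 172.29.199.192/26.` The diversion these definitions sit in opens before this hunk.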
@@ -134,12 +138,21 @@ run iptables -A inbound -j ACCEPT \
 	-s 172.29.198.0/23 \
 	-p udp --source-port $port_bootpc --destination-port $port_bootps
 
-## Incoming broadcast multicast on a network interface associated with the
-## trusted network is OK, since it must have originated there (or been
-## forwarded, but we don't do that yet).
-run iptables -A inbound -j ACCEPT \
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
+  echo $i
+done | {
+  seen=:
+  while read i; do
+    case "$seen" in *:$i:*) continue ;; esac
+    seen=$seen$i:
+    run iptables -A inbound -j ACCEPT \
 	-s 0.0.0.0 -d 224.0.0.0/24 \
-	-i $if_trusted
+	-i $i
+  done
+}
 
 ## Allow incoming ping. This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
diff --git a/radius.m4 b/radius.m4
index c1dcb90..b2c41ed 100644
--- a/radius.m4
+++ b/radius.m4
@@ -22,16 +22,25 @@
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ###--------------------------------------------------------------------------
+### Config settings.
+
+## This router is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
+###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth1
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=eth2
+if_untrusted=eth3
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
diff --git a/roadstar.m4 b/roadstar.m4
index dd810c2..101f4fe 100644
--- a/roadstar.m4
+++ b/roadstar.m4
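Review bot: The deduplication pipeline carries more machinery than the job needs, and the new shell has the usual pitfalls: `echo $i` and `read i` without `-r` (harmless for plain interface names, but a backslash or glob character in an `if_*` value would be mangled), `case "$seen" in *:$i:*)` uses the expanded interface name as a glob pattern, and the `run iptables` loop executes in a subshell behind the pipe (fine as long as `run` keeps no shell state). The same result, duplicates removed, fits in one loop: `for i in $(printf '%s\n' "$if_trusted,$if_dmz,$if_safe" | tr , '\n' | sort -u); do run iptables -A inbound -j ACCEPT -s 0.0.0.0 -d 224.0.0.0/24 -i $i; done`. Note also that `$if_dmz` is now in the accepted set, so link-local multicast with a 0.0.0.0 source is accepted from the DMZ segment as well, and per the commit message that segment carries the upstream link; the rewritten comment should say so if that is intended, since "must have originated there" now covers a network that is not entirely under local control. The `inbound` chain itself is defined outside this hunk.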
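Review bot: radius is now the internal router with four distinct legs (eth0 DMZ, eth1 trusted, eth2 safe, eth3 untrusted), and `setconf(rp_filter, 0)` is a global knob, so it also removes source validation between the safe and untrusted legs, which the comment's "routing asymmetry" does not appear to involve. Linux applies the maximum of the `all` and per-interface `rp_filter` values, so if setconf only writes the `all`/`default` keys (its definition is outside this diff) the eth2 and eth3 sysctls could stay strict while eth0/eth1 are relaxed; alternatively loose mode `setconf(rp_filter, 2)` keeps a route-existence check on every interface. Disabling `log_martians` on the router is the larger loss of visibility, since this is the box where spoofed packets crossing zones would surface. The comment should at least record which interface pairs the asymmetry covers, e.g. `## Traffic may enter on eth0 and the reply leave on eth1 (or vice versa); strict rp_filter would drop it.` if that is the case.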
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
diff --git a/vampire.m4 b/vampire.m4
index f6f5d46..f21009c 100644
--- a/vampire.m4
+++ b/vampire.m4
@@ -22,16 +22,25 @@
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ###--------------------------------------------------------------------------
+### Config settings.
+
+## This router is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
+###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0.1
-if_trusted=eth0.0
+if_dmz=eth0.0
+if_trusted=eth0.1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=eth0.3
 if_vpn=vpn-+
 if_iodine=dns+
-if_its_mz=eth0.0
-if_its_pi=eth0.0
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 m4_divert(-1)
 
 ###--------------------------------------------------------------------------
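Review bot: `if_trusted=eth0.1` gives VLAN sub-interface eth0.1 the opposite role from the removed `if_untrusted=eth0.1`, and untrusted moves to a new eth0.3; the firewall is only as correct as the switch-side VLAN assignment this presumes, and nothing in the file records it. A host or port left on the old mapping is silently promoted from untrusted to trusted, so a comment next to the assignments would make that easier to catch, e.g. `## eth0.0 = DMZ, eth0.1 = trusted (was untrusted before the /28 move), eth0.3 = untrusted; keep in step with the switch configuration.` vampire also provides DHCP and DNS on several networks according to the commit message, so `setconf(rp_filter, 0)` here removes source validation on the interfaces those services listen on as well, which is worth a sentence in the "routing asymmetry" comment.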