From: Mark Wooding
Date: Sun, 12 Feb 2012 01:58:03 +0000 (+0000)
Subject: Merge branch 'master' into emergency
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/2861f481552b0cd6c118e7169397e134fde03b15?hp=70b00235ca5a98cc79e1265b7d099f07f8924237

Merge branch 'master' into emergency

* master:
numbers.m4, gibson.m4: Allow gibson to receive IPMI responses.
bookends.m4: Open up tables we clobbered at exit.
fender: New host, with basic firewall.
---

diff --git a/bookends.m4 b/bookends.m4
index b51f8ae..b29047b 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -217,5 +217,17 @@ for chain in INPUT FORWARD; do
 run ip46tables -A $chain -g forbidden
 done
 
+## Allow stuff through unknown tables.
+for ip in ip ip6; do
+ for table in $(cat /proc/net/${ip}_tables_names); do
+ case $table in mangle | filter) continue ;; esac
+ ${ip}tables -nL -t $table |
+ sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
+ while read chain; do
+ run ${ip}tables -t $table -P $chain ACCEPT
+ done
+ done
+done
+
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------
diff --git a/fender.m4 b/fender.m4
new file mode 100644
index 0000000..ea0fb32
--- /dev/null
+++ b/fender.m4
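Review bot: The chain discovery in the new loop, `${ip}tables -nL -t $table | sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p '`, scrapes the human-readable listing, which is the one output format iptables does not promise to keep stable, and it dumps every rule of every chain only to discard them; `${ip}tables -t $table -S | sed -n 's/^-P \([^ ]*\) .*/\1/p'` yields the same built-in chain names from the rule dump, provided the installed iptables has `-S`. `$(cat /proc/net/${ip}_tables_names)` prints an error and loops over nothing when that family's xtables modules are not loaded, which is the usual state of ip6 on an IPv4-only host, so a guard such as `[ -r /proc/net/${ip}_tables_names ] || continue` before the inner loop keeps the exit phase quiet. The reset is applied to every loaded table other than mangle and filter (nat, raw, security) regardless of whether the earlier lockdown touched them; that lockdown is not in this hunk, so the comment `## Allow stuff through unknown tables.` should say which step clobbers those policies and that mangle and filter are deliberately left to the main rules.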
@@ -0,0 +1,62 @@
+### -*-sh-*-
+###
+### Firewall configuration for fender actual
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This host isn't a router.
+setconf(forward, 0)
+
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
+###--------------------------------------------------------------------------
+### Network interfaces.
+
+m4_divert(44)m4_dnl
+## Interface definitions.
+if_untrusted=eth0
+if_dmz=$if_untrusted
+if_safe=$if_dmz
+if_trusted=$if_dmz
+if_vpn=$if_dmz
+if_iodine=$if_dmz
+if_its_mz=$if_dmz
+if_its_pi=$if_dmz
+
+m4_divert(-1)
+###--------------------------------------------------------------------------
+### fender-specific rules.
+
+m4_divert(82)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh \
+ ident
+
+## We have to provide NTP service. The guests sync to our clock.
+ntpclient inbound $ntp_servers
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
diff --git a/gibson.m4 b/gibson.m4
index 7ccc260..1676153 100644
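Review bot: Every interface class in the `m4_divert(44)` section — `if_safe`, `if_trusted`, `if_vpn`, `if_iodine` and the rest — is aliased down to `$if_untrusted`, i.e. eth0, so any shared rule that relaxes checks for traffic arriving on `$if_trusted` or `$if_safe` (those rules live outside this file and are not visible here) would apply to everything from the public interface; a comment stating that the shared rules are expected to be address-based, or that fender is intended to have no trusted interface at all, would make that deliberate rather than accidental. Combined with `setconf(rp_filter, 0)` the host also accepts spoofed source addresses on its only link; if setconf passes the value through to the sysctl, `setconf(rp_filter, 2)` (loose mode) keeps the check against unroutable sources while tolerating the routing asymmetry the comment describes. The NTP comment says the host serves the guests, yet `ntpclient inbound $ntp_servers` admits traffic from `$ntp_servers` only; the comment should say whether the guests are in that list or reach this host over a path the inbound chain does not cover.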
--- a/gibson.m4 +++ b/gibson.m4 @@ -54,5 +54,10 @@ allowservices inbound tcp \ allowservices inbound udp \ siplo:siphi +## IMPI client hacking. +run ip46tables -A inbound -j ACCEPT \ + -m state --state ESTABLISHED \ + -p udp --source-port $port_ipmi + m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --git a/local.mk b/local.mk index d272914..e69fd29 100644 --- a/local.mk +++ b/local.mk @@ -12,4 +12,6 @@ HOSTS += roadstar HOSTS += jem HOSTS += artist +HOSTS += fender + HOSTS += gibson diff --git a/numbers.m4 b/numbers.m4 index 983e091..4d111da 100644 --- a/numbers.m4 +++ b/numbers.m4 @@ -44,6 +44,7 @@ defport https 443 defport microsoft_ds 445 defport syslog 514 # UDP only! defport submission 587 +defport ipmi 623 defport rsync 873 defport imaps 993 defport h323 1720
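Review bot: The comment `## IMPI client hacking.` misspells the protocol and gives no reason for the rule; whatever generic ESTABLISHED accept the shared chains provide is not visible in this hunk, so suggest `## IPMI client: accept RMCP/RMCP+ replies from the BMC's UDP port 623, which the generic ESTABLISHED rule does not cover because ...` with the reason filled in. The match keys on `--source-port $port_ipmi` alone, so any peer this host has recently sent a UDP datagram to can answer from port 623 to any local port and be accepted for the conntrack timeout window; if the BMCs gibson manages have fixed addresses, an `-s` match against an address list defined next to `defport ipmi 623` in numbers.m4 would narrow it to the intended peers. `-m state` still works but has been superseded by `-m conntrack --ctstate ESTABLISHED`; keep whichever form the rest of this file uses.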