From: Mark Wooding Date: Wed, 7 Mar 2012 02:52:52 +0000 (+0000) Subject: Merge branch 'master' into emergency X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/83495f9a91a4e0f15aa16d51401a188a88fea249?hp=fd965cc4be6fe6de25b3011aea708c41c3cd9e11 Merge branch 'master' into emergency * master: functions: Move NTP server list out of line. local.m4: Allow dmz/jump packets on unsafe/colo networks and vice versa.
---
diff --git a/functions.m4 b/functions.m4
index d059de6..2267af6 100644
--- a/functions.m4
+++ b/functions.m4
@@ -289,11 +289,12 @@ allowservices () {
 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
 ntpclient () {
 set -e
- chain=$1; shift
- for ntp; do
- run iptables -A $chain -s $ntp -j ACCEPT \
- -p udp --source-port 123 --destination-port 123
- done
+ ntpchain=$1; shift
+
+ clearchain ntp-servers
+ for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
+ run iptables -A $ntpchain -j ntp-servers \
+ -p udp --source-port 123 --destination-port 123
 }
 ## dnsresolver CHAIN
diff --git a/local.m4 b/local.m4
index 36f76b3..0a1617f 100644
--- a/local.m4
+++ b/local.m4
@@ -75,23 +75,23 @@ defnet housebdry virtual
 ## House hosts.
 defhost radius router
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
 iface eth2 safe
 iface eth3 untrusted
 defhost roadstar
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
 defhost jem
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
 defhost artist
- iface eth0 dmz
- iface eth1 unsafe
+ iface eth0 dmz unsafe
+ iface eth1 dmz unsafe
 defhost vampire router
- iface eth0.0 dmz
- iface eth0.1 unsafe
+ iface eth0.0 dmz unsafe
+ iface eth0.1 dmz unsafe
 iface eth0.3 untrusted
 iface dns0 dns
 iface vpn-+ vpn
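Review bot: `ntp-servers` is now one shared chain that every call to ntpclient rebuilds via `clearchain ntp-servers`, so a second call with a different NTPSERVERs list silently replaces the first caller's servers while the first chain's jump rule still points at the rebuilt chain; the old per-call `-s $ntp` rules did not have this coupling. Unless every caller is meant to pass the same list, the header comment above `ntpclient () {` should say so, e.g. `## Add rules to CHAIN to allow NTP with NTPSERVERs. The servers live in the shared chain ntp-servers, which is rebuilt on every call, so all callers must pass the same list.` If per-chain lists are wanted instead, a chain name derived from the argument (`clearchain ntp-servers-$ntpchain` and the matching `-A`/`-j` targets) keeps the rules independent with a three-line change. I am assuming `clearchain` creates the chain when it does not yet exist; its definition is outside this hunk, so confirm that before relying on the first call.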
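Review bot: Listing every former `dmz` interface and every former `unsafe` interface as `dmz unsafe` makes the two networks indistinguishable to any rule keyed on interface membership, which reads as merging the zones rather than allowing traffic between them; if the goal is only to let dmz and unsafe addresses reach each other, a cross-network allow rule would keep the per-interface labels (and any source checks built on them, if the generated rules include such checks) meaningful. At minimum the block deserves a comment above `defhost radius router` recording the intent, e.g. `## dmz and unsafe are both listed on each iface on purpose: packets for either network are accepted on both, so the separation between the two is deliberately relaxed.` The same change and the same remark apply to the colocated-hosts hunk at `@@ -118,23 +118,23 @@`, where `jump` and `colo` are paired identically on every iface. I am inferring the "one iface, several networks" semantics from the pre-existing `iface vpn-vampire housebdry vpn` line; the expansion of `iface` lives in functions.m4 outside this diff, so verify there.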
@@ -118,23 +118,23 @@ defnet colobdry virtual
 ## Colocated hosts.
 defhost fender
- iface br-jump jump
- iface br-colo colo
+ iface br-jump jump colo
+ iface br-colo jump colo
 defhost precision router
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
 iface vpn-+ vpn
 iface vpn-vampire housebdry vpn
 defhost telecaster
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
 defhost stratocaster
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
 defhost jazz
- iface eth0 jump
- iface eth1 colo
+ iface eth0 jump colo
+ iface eth1 jump colo
 ## Other networks.
 defnet hub virtual