From: Mark Wooding <mdw@distorted.org.uk>
Date: Sat, 11 Feb 2012 18:30:05 +0000 (+0000)
Subject: numbers.m4, vampire.m4: Serve TFTP to the untrusted network.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/d84128ea08ab3f1af3d2d25907ee18e2edf0283a

numbers.m4, vampire.m4: Serve TFTP to the untrusted network.

Refactor the untrusted-services stuff to make this less grim.
---

diff --git a/numbers.m4 b/numbers.m4
index 27491ff..e945f3c 100644
--- a/numbers.m4
+++ b/numbers.m4
@@ -33,6 +33,7 @@ defport smtp 25
 defport dns 53
 defport bootps 67
 defport bootpc 68
+defport tftp 69
 defport finger 79
 defport http 80
 defport ident 113
diff --git a/vampire.m4 b/vampire.m4
index f21009c..e378447 100644
--- a/vampire.m4
+++ b/vampire.m4
@@ -67,22 +67,17 @@ allowservices inbound udp \
 	gnutella_svc \
 	i2p
 
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
-  run iptables -A inbound -j ACCEPT \
-	  -s 172.29.198.0/24 \
-	  -p $p --destination-port $port_dns
-done
+## Extend some services to local untrusted hosts.
+clearchain inbound-untrusted
+run iptables -A inbound -j inbound-untrusted \
+	-s 172.29.198.0/24
 
-## Allow smb and nmb to untrusted hosts.  This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
-	-s 172.29.198.0/24 \
-	-p udp -m multiport --destination-ports \
-		$port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
-	-s 172.29.198.0/24 \
-	-p tcp -m multiport --destination-ports \
-		$port_netbios_ssn,$port_microsoft_ds
+allowservices inbound-untrusted tcp \
+	dns \
+	netbios_ssn microsoft_ds
+allowservices inbound-untrusted udp \
+	dns \
+	tftp
 
 ## Provide syslog for evolution.
 run iptables -A inbound -j ACCEPT \