firewall (branch: master)
Mark Wooding [Wed, 3 Feb 2021 00:01:18 +0000 (00:01 +0000)]
local.m4: Update external NTP servers.

Mark Wooding [Wed, 8 Apr 2020 11:53:11 +0000 (12:53 +0100)]
local.m4: Add entry for new laptop `spirit'.

Mark Wooding [Wed, 26 Dec 2018 16:16:49 +0000 (16:16 +0000)]
local.m4, precision.m4: Introduce `vpnnat' network class for nefarious hacks.

This allows hosts to route to the outside world via a remote VPN
endpoint, in order to work around local network problems or geographical
restrictions.

Mark Wooding [Wed, 26 Dec 2018 12:41:11 +0000 (12:41 +0000)]
local.mk: Reinstate mango.

Mark Wooding [Mon, 2 Oct 2017 01:01:35 +0000 (02:01 +0100)]
local.m4: Filter out source routing in the firewall.

Don't rely on `sysctl' options.  This means that everyone must now have
`xtables-addons' installed.

Mark Wooding [Mon, 2 Oct 2017 01:01:14 +0000 (02:01 +0100)]
local.m4: Don't expect `forbidden' to return.

Mark Wooding [Sun, 1 Oct 2017 14:39:18 +0000 (15:39 +0100)]
local.m4: Add the `hippotat' network.

This is for Ian Jackson's `Asinine IP Over HTTP' utility.

Mark Wooding [Sun, 1 Oct 2017 14:38:42 +0000 (15:38 +0100)]
classify.m4: Note the older site-local IPv6 range.

Mark Wooding [Sun, 1 Oct 2017 14:38:22 +0000 (15:38 +0100)]
classify.m4: Fix typo in commentary.

Mark Wooding [Fri, 22 Sep 2017 19:13:51 +0000 (20:13 +0100)]
telecaster.m4: Open the old (implicit-TLS) `ftps' port.

Also add a `numbers.m4' entry.

Mark Wooding [Fri, 22 Sep 2017 19:12:54 +0000 (20:12 +0100)]
roadstar.m4, telecaster.m4: No need to open the `ftp_data' port.

Mark Wooding [Sun, 2 Jul 2017 16:41:32 +0000 (17:41 +0100)]
base.m4: Improve LSB header to delay firewall shutdown.

Running this before bind and NFS-unmount should make shutting down
faster.

Mark Wooding [Sat, 22 Oct 2016 18:03:15 +0000 (19:03 +0100)]
local.m4: gibson uses untagged packets for the unsafe network now.

Mark Wooding [Fri, 1 Jul 2016 21:08:43 +0000 (22:08 +0100)]
local.m4: Designate `vpn' as `trusted' rather than `safe'.

It turns out to be too annoying that VPN hosts can't talk to untrusted
things.

Mark Wooding [Fri, 1 Jul 2016 20:40:09 +0000 (21:40 +0100)]
national.m4: Configure as an authoritative DNS server.

The DNSSEC means that I don't have to trust the DNS servers, and
national is geographically separated and in an entirely different AS.

Mark Wooding [Fri, 1 Jul 2016 20:32:07 +0000 (21:32 +0100)]
Finish the switchover to Andrews & Arnold.

  * Remove the old HE netblock.  I've switched the house over to using
    the A&A IPv6 netblock throughout because multihoming just isn't
    going to work well.

  * Remove the `aaisp' network name now that I've decided we're not
    doing parallel running.

  * Allocate a little gateway network for the PPP-terminating router.
    It turns out that if I don't do this then it uses a completely bogus
    default source address for the PPP interface.

  * Incidentally, fix the NTP-server netblocks to include the Jump range
    as well as the house range.

Mark Wooding [Fri, 1 Jul 2016 20:29:43 +0000 (21:29 +0100)]
fender.m4: Fix silly typo in comment.

Mark Wooding [Mon, 27 Jun 2016 09:54:17 +0000 (10:54 +0100)]
local.m4: Prepare for switchover to A&A.

Mark Wooding [Mon, 27 Jun 2016 09:54:01 +0000 (10:54 +0100)]
local.m4: Fix whitespace oddity.

Mark Wooding [Wed, 15 Jun 2016 00:18:52 +0000 (01:18 +0100)]
fender.m4: Provide NTP service to untrusted clients.

e.g., national, which has been languishing...

Mark Wooding [Sun, 7 Feb 2016 22:10:18 +0000 (22:10 +0000)]
New host universe.

Mark Wooding [Thu, 1 Oct 2015 07:15:06 +0000 (08:15 +0100)]
local.m4, local.mk, national.m4: New virtual host `national'.

Hosted by Linode in Dallas, TX.

Mark Wooding [Thu, 1 Oct 2015 07:14:21 +0000 (08:14 +0100)]
local.m4: New address range for untrusted VPN hosts.

Mark Wooding [Mon, 11 May 2015 14:17:32 +0000 (15:17 +0100)]
functions.m4 (ntpclient): Handle NTP servers with IPv6 addresses.

Mark Wooding [Mon, 11 May 2015 02:28:16 +0000 (03:28 +0100)]
local.m4: Allow IPv6 ping separately.

This seems to have broken recently.

Mark Wooding [Wed, 1 Apr 2015 18:50:20 +0000 (19:50 +0100)]
telecaster.m4: External SMTP service for mailing lists.

Mark Wooding [Wed, 1 Apr 2015 18:39:50 +0000 (19:39 +0100)]
local.mk: Remove orange and mango.

They're not currently active.

Mark Wooding [Wed, 1 Apr 2015 18:38:19 +0000 (19:38 +0100)]
jem.m4, vampire.m4: Cull some external services.

jem never provided externally facing email.  vampire used to, but
doesn't any more.  It also doesn't provide a slew of other random
services.  Block them all.

Mark Wooding [Wed, 1 Apr 2015 18:37:56 +0000 (19:37 +0100)]
local.m4: gibson now uses explicit VLAN tagging.

Mark Wooding [Thu, 26 Mar 2015 21:57:00 +0000 (21:57 +0000)]
functions.m4: Only call `allow-non-init-frag' on fragments.

Otherwise we let in all non-fragmented packets.  Oops.

Mark Wooding [Thu, 26 Mar 2015 16:45:05 +0000 (16:45 +0000)]
jaguar.m4, local.m4: Remove jaguar completely.

Its firewall configuration is now in /usr/local/src/firewall on jaguar
itself.

Mark Wooding [Thu, 19 Mar 2015 12:43:07 +0000 (12:43 +0000)]
jem.m4: External rsync service.

Mark Wooding [Thu, 19 Mar 2015 12:41:05 +0000 (12:41 +0000)]
radius.m4: Stop MSS clamping on egress now the external MTU is 1500.

And there was great rejoicing!

Mark Wooding [Sat, 28 Feb 2015 12:43:49 +0000 (12:43 +0000)]
local.m4: Reinstate detailed filtering from scary networks.

This got lost when I split scary out of untrusted.  Oops.

Mark Wooding [Tue, 24 Feb 2015 22:16:32 +0000 (22:16 +0000)]
local.m4: Inbound restriction on untrusted is no longer experimental.

Mark Wooding [Mon, 16 Feb 2015 09:55:23 +0000 (09:55 +0000)]
local.m4: Protect the `untrusted' network from incoming requests.

Currently the untrusted network is vulnerable to incoming hostile IPv6
requests, and only protected from IPv4 by NAT.

I don't think it's especially useful to allow untrusted hosts to
provide externally facing services, so rather than deploy a new
network, I'm just going to change the policy for the existing one, and
forbid new connections and UDP traffic to untrusted hosts.  This
involves splitting out a separate network class for the external
Internet, which is now `scary'.
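
The two policy changes above (entering `allow-non-init-frag' only for fragments, and refusing new connections and UDP from `scary' to `untrusted') are easiest to see with a small rule evaluator. The block below is an added example, not code from this repository: it models a handful of iptables matches and the jump/RETURN/policy semantics, then builds the buggy and fixed fragment chains and the new inbound policy for the untrusted range. The prefixes (RFC 5737 documentation space), the chain name `scary-to-untrusted', and the trailing ACCEPT standing in for the rest of the FORWARD policy are assumptions made for the example.

```python
"""Mini iptables-style rule evaluator (added example; not the repository's
m4 code).  Rules are tried in order, the first ACCEPT/DROP wins, a jump to a
user chain falls through when that chain returns without a verdict, and the
chain policy applies if nothing matched.  Matches modelled: -p, -f / ! -f,
-s / ! -s, -d, -m conntrack --ctstate."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    state: str = "NEW"          # conntrack state: NEW or ESTABLISHED
    frag: bool = False          # True for a non-initial fragment (iptables -f)


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, RETURN or a user chain name
    proto: Optional[str] = None             # -p
    frag: Optional[bool] = None             # -f (True) / ! -f (False)
    state: Optional[FrozenSet[str]] = None  # -m conntrack --ctstate ...
    src: Optional[str] = None               # -s NET, or "!NET" for ! -s
    dst: Optional[str] = None               # -d NET


def _net_match(spec, addr):
    if spec is None:
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("! "))
    return hit != negate


def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.frag is None or rule.frag == pkt.frag)
            and (rule.state is None or pkt.state in rule.state)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst))


def run_chain(chains, name, pkt):
    """Return ACCEPT or DROP, or None if the chain ends/RETURNs without one."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = run_chain(chains, rule.target, pkt)    # -j user-chain
        if verdict is not None:
            return verdict
    return None


def evaluate(chains, entry, pkt, policy="DROP"):
    verdict = run_chain(chains, entry, pkt)
    return policy if verdict is None else verdict


# 1. Fragment dispatch.  A non-initial fragment carries no transport header,
#    so `allow-non-init-frag' cannot match on ports and accepts whatever
#    reaches it.  Jumping to it for every packet (fixed=False) therefore
#    accepts everything; the fix is to enter it only on `-f'.
ESTABLISHED = frozenset({"ESTABLISHED"})


def fragment_chains(fixed):
    jump = Rule("allow-non-init-frag", frag=True if fixed else None)
    return {"INPUT": [jump, Rule("ACCEPT", state=ESTABLISHED)],
            "allow-non-init-frag": [Rule("ACCEPT")]}


# 2. Inbound policy for `untrusted': from `scary' (here: any source outside
#    the site prefix) only replies get through; new connections and UDP are
#    refused.  Prefixes are assumed documentation space; the trailing ACCEPT
#    stands in for the rest of the FORWARD policy.
SITE = "192.0.2.0/24"           # assumed site-wide range
UNTRUSTED = "192.0.2.128/25"    # assumed range of the untrusted hosts


def untrusted_chains():
    return {"FORWARD": [Rule("scary-to-untrusted", src="!" + SITE, dst=UNTRUSTED),
                        Rule("ACCEPT")],
            "scary-to-untrusted": [Rule("ACCEPT", state=ESTABLISHED),
                                   Rule("DROP", proto="udp"),
                                   Rule("DROP", state=frozenset({"NEW"}))]}
```

With `fixed=False` a plain new TCP packet from outside is accepted by way of the fragment chain, which is exactly the hole the commit closes; with `fixed=True` it falls through to the policy. In the untrusted policy, an ESTABLISHED UDP reply (say, to a DNS query the untrusted host sent out) is still admitted, because the conntrack rule comes before the UDP drop.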

Mark Wooding [Mon, 16 Feb 2015 09:54:54 +0000 (09:54 +0000)]
classify.m4: Fix some typos in the commentary.

Mark Wooding [Mon, 9 Feb 2015 14:19:03 +0000 (14:19 +0000)]
jazz.m4, numbers.m4: Expose the OpenPGP key server.

Mark Wooding [Sat, 7 Feb 2015 19:47:55 +0000 (19:47 +0000)]
local.m4: Proper configuration for groove.

Mark Wooding [Sat, 7 Feb 2015 14:28:49 +0000 (14:28 +0000)]
groove.m4: New host.

Mark Wooding [Sat, 7 Feb 2015 14:28:15 +0000 (14:28 +0000)]
artist.m4: Further Rygel hacking.

Mark Wooding [Fri, 5 Sep 2014 15:34:54 +0000 (16:34 +0100)]
artist.m4: Punch a hole for Rygel service to local (-ish) devices.

Mark Wooding [Tue, 15 Jul 2014 09:50:17 +0000 (10:50 +0100)]
local.m4: Boundary network addresses can legitimately transit the VPN.

This is IPv6-specific.  Suppose an internal host on one end of a VPN
connection sends a packet to a host on the boundary network at the
other end.  This packet will go via the public Internet -- fine.  But
the other end will reply, and route the packet through the VPN because
it's an internal address.  So we should allow it or we break
connectivity.

The right answer is probably to arrange for the routing to be
symmetrical, either by forcing the original packet to go through the
VPN or the reply to go around it, but both of these would seem to
involve messing with policy routing in a complicated way.  The current
situation seems weird but not especially harmful.

Mark Wooding [Tue, 15 Jul 2014 09:48:09 +0000 (10:48 +0100)]
stratocaster.m4: Permit incoming finger.

Mark Wooding [Sun, 29 Jun 2014 18:47:22 +0000 (19:47 +0100)]
local.m4: Load connection tracking modules as standard.

This will make FTP work properly, at least.

Mark Wooding [Sun, 27 Apr 2014 17:12:07 +0000 (18:12 +0100)]
classify.m4: Forbid the v4-mapped and v4-compatible ranges.

These shouldn't be appearing as source addresses.
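
As an added example (not classify.m4 itself), here is a source-address sanity check covering the blocks from this and the earlier `classify.m4: Note the older site-local IPv6 range' change: the IPv4-mapped and IPv4-compatible ranges, the deprecated site-local range, and the other special-purpose blocks that should never arrive as a source address. The prefixes and RFC references come from the IANA special-purpose registries; the chain name `bad-src' and the rendering into ip6tables/iptables command lines are illustrative. Link-local sources, the unspecified address used by duplicate address detection, and 0.0.0.0 used by DHCP clients are exempted when checking on-link traffic, because dropping them breaks neighbour discovery or DHCP.

```python
"""Source-address sanity check (added example, not classify.m4).

forbidden_source() returns (prefix, reason) for an address that must not
appear as a packet source, or None.  Blocks come from the IANA special-purpose
registries (RFC 6890 and successors); more specific prefixes are listed
before the ones that contain them.  With on_link=True the few sources that
are legitimate on a directly attached link are allowed first."""
from ipaddress import ip_address, ip_network

FORBIDDEN_SOURCES = [
    # IPv6
    ("::1/128",         "loopback"),
    ("::ffff:0:0/96",   "IPv4-mapped, RFC 4291 s2.5.5.2: only ever seen inside a host"),
    ("::/96",           "IPv4-compatible, RFC 4291 s2.5.5.1: deprecated"),
    ("fec0::/10",       "site-local, deprecated by RFC 3879"),
    ("2001:db8::/32",   "documentation, RFC 3849"),
    ("ff00::/8",        "multicast is never a source"),
    # IPv4
    ("0.0.0.0/8",       "'this' network, RFC 1122"),
    ("127.0.0.0/8",     "loopback"),
    ("192.0.2.0/24",    "documentation, RFC 5737"),
    ("198.51.100.0/24", "documentation, RFC 5737"),
    ("203.0.113.0/24",  "documentation, RFC 5737"),
    ("224.0.0.0/4",     "multicast is never a source"),
    ("240.0.0.0/4",     "reserved, RFC 1112"),
]
_NETS = [(ip_network(p), why) for p, why in FORBIDDEN_SOURCES]

# Legitimate only from a directly attached link: ND/RA (fe80::/10), DAD (::)
# and DHCP DISCOVER/REQUEST (0.0.0.0).  None of these should ever be forwarded.
_OK_ON_LINK = [ip_network(p) for p in ("fe80::/10", "::/128", "0.0.0.0/32")]


def forbidden_source(addr, extra=(), on_link=True):
    """extra: further (prefix, reason) pairs for this interface, e.g. RFC 1918
    space on the external side, checked before the global list."""
    a = ip_address(addr)
    if on_link and any(a in n for n in _OK_ON_LINK if n.version == a.version):
        return None
    for net, why in [(ip_network(p), w) for p, w in extra] + _NETS:
        if net.version == a.version and a in net:
            return str(net), why
    return None


def rules(chain="bad-src", extra=(), on_link=True):
    """Render the same policy as a user chain to be entered from INPUT (on_link)
    or FORWARD (not on_link).  Command syntax is assumed, not executed here."""
    def tool(net):
        return "ip6tables" if net.version == 6 else "iptables"
    out = []
    if on_link:
        out += [f"{tool(n)} -A {chain} -s {n} -j RETURN  # legitimate on-link source"
                for n in _OK_ON_LINK]
    out += [f"{tool(n)} -A {chain} -s {n} -j DROP  # {why}"
            for n, why in [(ip_network(p), w) for p, w in extra] + _NETS]
    return out
```

Note that `::1' sits inside `::/96', so it has to be listed first to get the more useful reason; the same ordering rule applies to anything you add through `extra'.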

Mark Wooding [Mon, 21 Apr 2014 21:21:48 +0000 (22:21 +0100)]
local.m4: Move VPN hosts to ...:1.

Linux thinks that host addresses which coincide with network base
addresses are `anycast', and that this means that it shouldn't send
ICMP errors to them.  This is obviously ridiculous, so move hosts to
address ...:1 to prevent this stupidity.

Mark Wooding [Sun, 20 Apr 2014 11:57:52 +0000 (12:57 +0100)]
telecaster.m4: Allow external DNS service.

Mark Wooding [Sat, 19 Apr 2014 11:41:45 +0000 (12:41 +0100)]
local.m4: Replacing IPv6 host routes with /112 networks.

Linux has a bug: it doesn't make route cache entries for remote hosts
if there's already a host route, and it only attaches path-MTU
information to cache entries.  The result is that it doesn't handle
ICMPv6 `packet too big' messages properly for destinations with host
routes.

I'm bodging this by replacing all of the host routes with tiny /112
networks.  It's awful, but it seems to work.  The convention is that
the `host part' of the net is always zero.

Mark Wooding [Fri, 18 Apr 2014 13:10:18 +0000 (14:10 +0100)]
local.m4: Mention that the IPv6 VPN net is logically `safe'.

Mark Wooding [Fri, 18 Apr 2014 13:07:53 +0000 (14:07 +0100)]
icmp.m4: Actually track the correct ICMPv6 protocol.

Silly program thinks that `icmp' on IPv6 doesn't mean the same as
`icmpv6'.

Mark Wooding [Sat, 8 Mar 2014 14:58:29 +0000 (14:58 +0000)]
Makefile: Explicit stdin from terminal, so `make -j' builds work.

Arrange that stdin is /dev/tty for local installs so that they can be
confirmed manually.

Mark Wooding [Sat, 8 Mar 2014 14:54:39 +0000 (14:54 +0000)]
fender.m4: BCP38 source-address filtering, at ebtables level.

I found an annoying bug here, reported to Debian as #741101.

Mark Wooding [Sat, 8 Mar 2014 14:54:07 +0000 (14:54 +0000)]
fender.m4: Reformat the ebtables hacking a bit.

Mark Wooding [Sat, 8 Mar 2014 14:51:24 +0000 (14:51 +0000)]
functions.m4, radius.m4: BCP38 filtering for outbound traffic.

Mark Wooding [Fri, 7 Mar 2014 00:27:13 +0000 (00:27 +0000)]
base.m4: Run firewall after local filesystems are mounted.

Annoyingly, ipset(8) is in /usr, and this breaks the firewall at boot
if it's run too early.

Mark Wooding [Wed, 12 Feb 2014 15:27:38 +0000 (15:27 +0000)]
numbers.m4, stratocaster.m4: Public-facing IMAP server.

It supports (and insists on, indeed) using `STARTTLS', so this is
sensible.

Mark Wooding [Tue, 7 Jan 2014 17:08:55 +0000 (17:08 +0000)]
numbers.m4, telecaster.m4: TLS-enabled web cache.

Mark Wooding [Tue, 10 Sep 2013 12:40:00 +0000 (13:40 +0100)]
local.mk: jaguar's firewall is maintained locally now.

Mark Wooding [Wed, 4 Sep 2013 10:00:56 +0000 (11:00 +0100)]
fender.m4: Trap bad source IP addresses at the ethernet bridge layer.

Since we don't have control of the Jump router, and it doesn't seem to
trap spoofed packets, we must do that ourselves.
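
The BCP38 idea behind this change and the later `fender.m4: BCP38 source-address filtering, at ebtables level' is simple to state: a bridge port facing a leaf network may only carry packets sourced from that network's own prefixes. The block below is an added example, not the repository's ebtables rules: it decides per packet whether a source is spoofed for the port it arrived on, and renders the same policy as one ebtables user chain per port. The port names, the prefixes (RFC 5737/3849 documentation space) and the ebtables option spelling are assumptions; the IPv6 exemptions are not, since link-local and unspecified sources are what neighbour discovery uses.

```python
"""BCP38 (RFC 2827) ingress source-address validation at the bridge
(added example; the repository's fender.m4 rules are not reproduced).

spoofed() decides per packet; ebtables_rules() renders the same policy as
one user chain per port.  Port names and prefixes are constructed."""
from ipaddress import ip_address, ip_network

LEAF_PREFIXES = {   # assumed topology: bridge port -> prefixes it may originate
    "br-house": ["192.0.2.0/24", "2001:db8:1::/48"],
    "br-jump":  ["198.51.100.0/25", "2001:db8:2::/48"],
}
# Legitimate on every IPv6 link regardless of delegated prefix: link-local
# sources (ND, RAs) and the unspecified address used by duplicate address
# detection.  Dropping these breaks neighbour discovery on the bridged LAN.
ALWAYS_OK_V6 = ["fe80::/10", "::/128"]


def spoofed(iface, src, prefixes=LEAF_PREFIXES):
    """True if src must not arrive on iface.  A port not listed in prefixes
    is treated as transit and never filtered, so every leaf port must appear."""
    allowed = prefixes.get(iface)
    if allowed is None:
        return False
    a = ip_address(src)
    if a.version == 6:
        allowed = list(allowed) + ALWAYS_OK_V6
    return not any(a in ip_network(p) for p in allowed
                   if ip_network(p).version == a.version)


def ebtables_rules(prefixes=LEAF_PREFIXES, hook="FORWARD"):
    """One chain per port: RETURN for each allowed prefix, then DROP the rest
    of that ethertype.  ARP and other non-IP frames are untouched.  Option
    spelling follows ebtables(8) as assumed here; it is not executed."""
    lines = []
    for iface, nets in prefixes.items():
        chain = f"bcp38-{iface}"
        lines.append(f"ebtables -N {chain}")
        lines.append(f"ebtables -A {hook} -i {iface} -j {chain}")
        for p in list(nets) + ALWAYS_OK_V6:
            if ip_network(p).version == 6:
                lines.append(f"ebtables -A {chain} -p IPv6 --ip6-src {p} -j RETURN")
            else:
                lines.append(f"ebtables -A {chain} -p IPv4 --ip-src {p} -j RETURN")
        lines.append(f"ebtables -A {chain} -p IPv4 -j DROP")
        lines.append(f"ebtables -A {chain} -p IPv6 -j DROP")
    return lines
```

The FORWARD hook only covers frames the bridge relays; if the bridge host itself must be protected from spoofed sources, call `ebtables_rules(hook="INPUT")' as well. Doing this at the ethernet layer is what lets the bridge enforce it for the Jump router's traffic without that router's cooperation.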

Mark Wooding [Mon, 2 Sep 2013 16:45:57 +0000 (17:45 +0100)]
jazz.m4: Allow iodine hosts NATed internet access.

Mark Wooding [Mon, 2 Sep 2013 16:45:13 +0000 (17:45 +0100)]
jaguar.m4, local.m4, local.mk: New host.

Mark Wooding [Mon, 6 May 2013 11:34:16 +0000 (12:34 +0100)]
telecaster.m4: Rate-limit incoming ICP.

Mark Wooding [Mon, 6 May 2013 11:33:07 +0000 (12:33 +0100)]
functions.m4: Partially cope with ipset(8) command-line overhaul.

They've completely changed the syntax.  The old one seems still
available for now, but we should switch over completely now that
wheezy is released.

Mark Wooding [Fri, 19 Apr 2013 14:18:16 +0000 (15:18 +0100)]
numbers.m4, telecaster.m4: Expose the Squid ICP port.

Mark Wooding [Fri, 19 Apr 2013 14:17:29 +0000 (15:17 +0100)]
mango.m4: Reverse NAT into the main network.

Allow access to internal web proxy and so on.

Mark Wooding [Fri, 19 Apr 2013 14:15:52 +0000 (15:15 +0100)]
classify.m4: Document the source of blacklisted address blocks.

Mark Wooding [Tue, 26 Mar 2013 15:50:59 +0000 (15:50 +0000)]
jazz.m4: No, jazz is not a nameserver.

At all.  Why...?

Mark Wooding [Tue, 26 Mar 2013 15:41:30 +0000 (15:41 +0000)]
mango.m4: Tighten up the SNAT rules.

Mark Wooding [Sat, 16 Mar 2013 19:32:30 +0000 (19:32 +0000)]
config.m4: Extend the upper limit on open ports.

This will make using mosh(1) much more pleasant.  I'm sure that the
limit used to be around 65K, but I don't remember why I reduced it.

Mark Wooding [Sun, 10 Feb 2013 12:59:23 +0000 (12:59 +0000)]
New host `mango'.

Mark Wooding [Sat, 9 Feb 2013 15:59:12 +0000 (15:59 +0000)]
classify.m4: Hook the INPUT and FORWARD chains, not PREROUTING.

The latter are done after NAT has resolved the source and destination
addresses, so we can actually do the job right.

Mark Wooding [Sat, 9 Feb 2013 13:32:23 +0000 (13:32 +0000)]
ibanez.m4: Open an explicit hole for `udpkey'.

Mark Wooding [Sat, 9 Feb 2013 13:32:02 +0000 (13:32 +0000)]
local.m4: Yet more explicit networks for asymmetric routing.

Mark Wooding [Sat, 26 Jan 2013 14:39:45 +0000 (14:39 +0000)]
local.m4: New satellite network `binswood'.

Mark Wooding [Sat, 26 Jan 2013 14:38:33 +0000 (14:38 +0000)]
local.m4: Make the net-class policies easier to read.

Mark Wooding [Sat, 26 Jan 2013 14:34:19 +0000 (14:34 +0000)]
local.m4: Nothing should forward via `iodine'.

Mark Wooding [Sat, 26 Jan 2013 14:32:20 +0000 (14:32 +0000)]
functions.m4, local.m4: Rename `forwards' to `via'.

In fact, it lists the networks to which this one might forward packets,
rather than the networks whose packets this one forwards.  Hopefully the
name change will reduce confusion.

Mark Wooding [Sun, 13 Jan 2013 20:48:53 +0000 (20:48 +0000)]
New host `orange'.

Mark Wooding [Sun, 13 Jan 2013 19:15:18 +0000 (19:15 +0000)]
ibanez.m4, vampire.m4: Provide NTP service to untrusted hosts.

Mark Wooding [Tue, 8 Jan 2013 16:07:22 +0000 (16:07 +0000)]
bookends.m4: Better check for bridging.

Mark Wooding [Sat, 29 Dec 2012 01:35:52 +0000 (01:35 +0000)]
stratocaster.m4: Provide rsync service.

Mark Wooding [Fri, 28 Dec 2012 17:59:33 +0000 (17:59 +0000)]
{roadstar,jem,telecaster,stratocaster}.m4: Move Git to login servers.

This avoids lots of annoying messing about with NFS.  Maybe when
wheezy is released I'll move these back.

Mark Wooding [Fri, 28 Dec 2012 17:55:00 +0000 (17:55 +0000)]
artist.m4: Moved the `rawk' server to artist.

Maybe for the second time.

Mark Wooding [Sat, 15 Dec 2012 18:52:57 +0000 (18:52 +0000)]
jazz.m4, local.m4: Make jazz be a TrIPE endpoint.

It's running the IP-over-DNS endpoint, and life becomes very tricky if
it's not also the VPN endpoint.  There's knock-on stuff: jazz becomes
a router, and VPN traffic can flow over the colo and jump nets.

Mark Wooding [Fri, 14 Dec 2012 17:57:34 +0000 (17:57 +0000)]
numbers.m4: Add port number for IRC.

Not that it's used anywhere yet.

Mark Wooding [Thu, 13 Dec 2012 10:06:24 +0000 (10:06 +0000)]
Makefile: If the user overrides HOSTS, don't install locally anyway.

Mark Wooding [Thu, 13 Dec 2012 10:02:28 +0000 (10:02 +0000)]
local.m4: Add a prose commentary on address allocation.

The IPv4 allocation is summarized in the DNS zone repository; the IPv6
allocation wasn't described anywhere at all.

Mark Wooding [Tue, 11 Dec 2012 10:23:42 +0000 (10:23 +0000)]
functions.m4: Correctly clear `to' network field in packet mark.

I think this worked before anyway, but it's good to fix it properly.
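
Clearing one field of a packet mark without touching the other is a classic place for the MARK target to bite, so here is a small model of the arithmetic, added as an example rather than taken from functions.m4. The field layout (two 8-bit class ids, `from' in the low byte and `to' in the next) and the class numbers are assumptions; the target semantics follow iptables-extensions(8): `--set-xmark value/mask' zeroes the mask bits and XORs value in, `--set-mark value/mask' zeroes the mask bits and ORs value in, and `--set-mark' defaults to a mask of 0xffffffff, which is the trap.

```python
"""Packet-mark field arithmetic (added example; the layout is assumed, not
the repository's).  MARK target semantics as in iptables-extensions(8)."""

FIELD_BITS = 8                                     # assumed: 8-bit class ids
FROM_SHIFT, TO_SHIFT = 0, FIELD_BITS               # assumed layout
FROM_MASK = ((1 << FIELD_BITS) - 1) << FROM_SHIFT  # 0x000000ff
TO_MASK = ((1 << FIELD_BITS) - 1) << TO_SHIFT      # 0x0000ff00
CLASS_ID = {"trusted": 1, "safe": 2, "untrusted": 3, "scary": 4, "vpn": 5}
_FIELDS = {"from": (FROM_SHIFT, FROM_MASK), "to": (TO_SHIFT, TO_MASK)}
ALL = 0xffffffff


def set_xmark(mark, value, mask=ALL):
    """--set-xmark value/mask, as the kernel applies it: (mark & ~mask) ^ value."""
    return ((mark & ~mask) ^ value) & ALL


def set_mark(mark, value, mask=ALL):
    """--set-mark value/mask: iptables turns it into set-xmark with mask|value.
    Note the default mask: `--set-mark 0' clears the whole mark."""
    return set_xmark(mark, value, value | mask)


def and_mark(mark, bits):
    """--and-mark bits: mark &= bits."""
    return mark & bits & ALL


def with_class(mark, field, cls):
    """Write one field, keeping the other: `--set-xmark id<<shift/mask'."""
    shift, mask = _FIELDS[field]
    return set_xmark(mark, CLASS_ID[cls] << shift, mask)


def get_class(mark, field):
    shift, mask = _FIELDS[field]
    ident = (mark & mask) >> shift
    return next((name for name, i in CLASS_ID.items() if i == ident), None)


def clear_to(mark):
    """Clear the `to' field only: --set-xmark 0/TO_MASK (or --and-mark ~TO_MASK)."""
    return set_xmark(mark, 0, TO_MASK)


def xmark_arg(value, mask):
    """Render the argument a generated rule would carry."""
    return f"--set-xmark 0x{value:x}/0x{mask:x}"
```

The check worth keeping in mind: after `clear_to' the `from' class must survive, whereas `set_mark(mark, 0)' (a bare `--set-mark 0') wipes it as well. Give the field mask every time a single field is written or cleared.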

Mark Wooding [Tue, 11 Dec 2012 09:43:34 +0000 (09:43 +0000)]
classify.m4: Dispatch on destination addresses to correct chains.

Mark Wooding [Tue, 11 Dec 2012 09:33:49 +0000 (09:33 +0000)]
classify.m4: Classify individual host routes correctly.

For some reason, we were just using whatever value of `$class' was left
lying around.  Not very clever, really.

Mark Wooding [Tue, 11 Dec 2012 09:30:15 +0000 (09:30 +0000)]
classify.m4: Clean up interface map tracing.

Remove duplicate dump of the interface, and only dump the list of known
networks once at the very end.

Mark Wooding [Tue, 11 Dec 2012 09:43:15 +0000 (09:43 +0000)]
functions.m4: Fix up commentary for `matchnets'.

Mark Wooding [Tue, 11 Dec 2012 09:32:36 +0000 (09:32 +0000)]
local.m4, jazz.m4: Move iodine endpoint to jazz.

Mark Wooding [Tue, 11 Dec 2012 09:33:04 +0000 (09:33 +0000)]
numbers.m4, vampire.m4: Expose print server to local untrusted hosts.

Let's hope they don't use up all of my paper.

Mark Wooding [Sun, 14 Oct 2012 19:41:58 +0000 (20:41 +0100)]
radius.m4: Allow external servers to contact the identd.

Otherwise all requests for NATted connections will fail.

Mark Wooding [Sun, 14 Oct 2012 16:25:25 +0000 (17:25 +0100)]
local.m4, radius.m4: radius is now the host gateway to the net.

The MTU is low because the PPPoE<->PPPoA modem uses 8 bytes from the
ethernet frame size limit, and Demon has a tendency to be useless
about breaking path-MTU discovery; so apply TCP MSS clamping.

Mark Wooding [Wed, 12 Sep 2012 08:51:59 +0000 (09:51 +0100)]
local.m4: artist should expect untrusted source addrs on dmz and unsafe.

An untrusted device, not on the VPN, will be routed to artist through
radius.

Mark Wooding [Wed, 12 Sep 2012 08:51:05 +0000 (09:51 +0100)]
local.m4: Track VLAN renumbering in vampire's interface names.

Mark Wooding [Fri, 8 Jun 2012 00:51:05 +0000 (01:51 +0100)]
Rate limiting for incoming DNS queries over UDP.

We provide DNSSEC-signed responses, and could be used as a DDoS
amplifier.  Apply rate-limiting to incoming traffic to mitigate this
effect.

This should be removed if and when BIND acquires its own more
intelligent rate-limiting.
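
To make the trade-off concrete, here is a token-bucket model of the kind of per-source limit an iptables `hashlimit' rule imposes on incoming UDP/53, added as an example and not taken from this repository. Each source prefix (a /24 or /56, the `--hashlimit-srcmask' granularity) starts with `burst' tokens, refills at `rate' tokens per second, and a query is admitted only while a whole token is available. The rate, burst, mask sizes and the rendered rule are assumptions chosen for the example; the sample traffic is constructed.

```python
"""Token-bucket rate limit for incoming UDP/53 keyed by source prefix
(added example; not the repository's rule).  Integer milliseconds and
milli-tokens keep the accounting exact."""
from ipaddress import ip_address, ip_network


class HashLimit:
    def __init__(self, rate, burst, v4mask=24, v6mask=56):
        self.rate = rate                      # tokens per second
        self.burst = burst * 1000             # capacity, in milli-tokens
        self.masks = {4: v4mask, 6: v6mask}   # --hashlimit-srcmask per family
        self.buckets = {}                     # key -> (milli-tokens, last ms)

    def key(self, src):
        a = ip_address(src)
        return str(ip_network(f"{a}/{self.masks[a.version]}", strict=False))

    def allow(self, src, now_ms):
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.burst, now_ms))
        # dt (ms) * rate (per s) == refill in milli-tokens
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self.buckets[k] = (tokens - 1000, now_ms)
            return True
        self.buckets[k] = (tokens, now_ms)
        return False


def admitted(queries, rate=10, burst=20):
    """queries: iterable of (ms, src).  Returns {key: number admitted}."""
    hl = HashLimit(rate, burst)
    counts = {}
    for t, src in sorted(queries):
        k = hl.key(src)
        counts.setdefault(k, 0)
        if hl.allow(src, t):
            counts[k] += 1
    return counts


def hashlimit_rule(rate=10, burst=20, v4mask=24):
    """The iptables rule this models (to be followed by a DROP for the rest)."""
    return ("iptables -A INPUT -p udp --dport 53 -m hashlimit "
            f"--hashlimit-name dns --hashlimit-mode srcip --hashlimit-srcmask {v4mask} "
            f"--hashlimit-upto {rate}/sec --hashlimit-burst {burst} -j ACCEPT")


def constructed_flood():
    """Constructed sample: 100 queries in one second, spread over 100 hosts of
    one /24 (a reflection attack spoofs the victim's range), plus an honest
    resolver sending 5/sec from another /24."""
    flood = [(i * 10, f"203.0.113.{i + 1}") for i in range(100)]
    honest = [(j * 200, "198.51.100.53") for j in range(5)]
    return flood + honest
```

With a 20-query burst and 10/sec refill, the flooding /24 gets 29 answers out of 100 in that second and the honest resolver loses none. The limit caps how much amplified traffic one victim prefix can receive from this server, but it cannot tell spoofed from genuine sources: a victim under attack also loses its own legitimate answers. That is why the message above says the rule should go once BIND does this itself; BIND's later response rate limiting (`rate-limit { responses-per-second N; };', from 9.9.4/9.10) counts per response and "slips" truncated replies so real clients retry over TCP.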