Mark Wooding [Sun, 22 May 2011 20:43:32 +0000 (21:43 +0100)]
IPv6 firewall support.
Introduce half-hearted IPv6 support. A surprising amount of the
firewall structure carries over unchanged. The way fragmentation is
handled differs between IPv4 and IPv6, which is annoying. And
ip6tables(8) doesn't have the `addrtype' match which was so useful in
IPv4.

Mark Wooding [Sun, 22 May 2011 22:25:59 +0000 (23:25 +0100)]
local.mk: Introduce new target for testing.
This avoids trashing other hosts with maybe broken firewalls.

Mark Wooding [Sun, 22 May 2011 21:12:01 +0000 (22:12 +0100)]
Whitespace fixing.

Mark Wooding [Fri, 20 May 2011 14:15:51 +0000 (15:15 +0100)]
vampire: Allow incoming IMAPS and Submission.
Should have been done a while ago, when vampire took over responsibility
for mail.

Mark Wooding [Mon, 7 Mar 2011 11:06:51 +0000 (11:06 +0000)]
Merge branch 'master' of /home/mdw/public-git/firewall
* 'master' of /home/mdw/public-git/firewall:
  vampire: Allow outside access to squid.
  vampire: Allow SMB from the untrusted network.

Mark Wooding [Mon, 7 Mar 2011 11:02:35 +0000 (11:02 +0000)]
vampire: Allow outside access to squid.
This is to provide an escape hatch against the office's cretinous web
filter thing.

Mark Wooding [Mon, 7 Mar 2011 11:01:43 +0000 (11:01 +0000)]
vampire: Allow SMB from the untrusted network.
This lets the Wii get to the media library, which is nice.

Mark Wooding [Mon, 17 Jan 2011 15:31:07 +0000 (15:31 +0000)]
metalzone: Allow incoming `submission' connections.
Like SMTP, but allows authenticated users to send mail anywhere. Useful
for mobile devices.

Mark Wooding [Mon, 17 Jan 2011 15:30:06 +0000 (15:30 +0000)]
Merge branch 'master' of /home/mdw/public-git/firewall
* 'master' of /home/mdw/public-git/firewall:
  local.m4: Put the default network stanza at the end.
  local.m4: Note terror's participation in the VPN.

Mark Wooding [Sun, 9 May 2010 16:09:51 +0000 (17:09 +0100)]
local.m4: Put the default network stanza at the end.
Otherwise packets get mistakenly classified as being to-untrusted and
stuff doesn't work properly. Most notably, forwarding between VPN hosts
fails.

Mark Wooding [Sun, 9 May 2010 09:47:37 +0000 (10:47 +0100)]
local.m4: Note terror's participation in the VPN.

Mark Wooding [Tue, 27 Apr 2010 15:25:53 +0000 (16:25 +0100)]
Merge branch 'master' of /home/mdw/public-git/firewall
* 'master' of /home/mdw/public-git/firewall:
  vampire: Allow incoming I2P traffic.

Mark Wooding [Mon, 26 Apr 2010 19:52:42 +0000 (20:52 +0100)]
vampire: Allow incoming I2P traffic.

Mark Wooding [Sat, 24 Apr 2010 22:17:04 +0000 (23:17 +0100)]
metalzone: Open up incoming IMAPS.

Mark Wooding [Sat, 17 Apr 2010 15:39:42 +0000 (16:39 +0100)]
Merge branch 'master' of /home/mdw/public-git/firewall
* 'master' of /home/mdw/public-git/firewall:
  vampire.m4: Allow MPD again.
  Add iodine support.
  vampire: Open `disorder' port; close `mpd'.
  vampire: Allow MPD traffic through.

Mark Wooding [Sat, 17 Apr 2010 15:38:56 +0000 (16:38 +0100)]
vampire.m4: Allow MPD again.

Mark Wooding [Sat, 17 Apr 2010 15:37:28 +0000 (16:37 +0100)]
Merge branch 'master' of metalzone:public-git/firewall
* 'master' of metalzone:public-git/firewall:
  functions.m4, local.m4: Handle fragments in a useful way.
  classify.m4: Correct summary line at the top.
  vampire.m4: Remove the magical DNS DDoS hack.

Mark Wooding [Sat, 17 Apr 2010 15:35:24 +0000 (16:35 +0100)]
Add iodine support.
This introduces a new section of the network which needs to be dealt
with properly. The externally facing DNS server is actually the iodine
daemon, which listens on 5353 and is mapped from 53 by guvnor. It
proxies requests outside io.distorted.org.uk on to the usual server
listening on port 53.

Mark Wooding [Thu, 15 Apr 2010 15:23:39 +0000 (16:23 +0100)]
local.mk: Fix spurious failure.
`false && mumble' bug; should know better.

Mark Wooding [Thu, 15 Apr 2010 14:49:49 +0000 (15:49 +0100)]
functions.m4, local.m4: Handle fragments in a useful way.
Add a function for defining standard rules on a chain: currently it only
provides fragment-handling policy.
The fragment policy is to pass fragments unmolested, except for TCP. An
IP stack which can't reassemble fragments safely needs more protection
than we can provide here.
Note that this only affects `inbound' chains. The forwarding rules
don't usually work at the level of individual ports, so this is OK; the
ones that do have been nobbled to refuse IP fragments.
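The fragment policy described in this message, and the IPv4/IPv6 difference noted in the IPv6 commit at the top of the log, as an added example that is not the project's own functions.m4 macro: a shell function that emits (rather than applies) the iptables or ip6tables rule text for one inbound chain. The chain name, the DROP target for TCP fragments and the ip6tables `-m frag ! --fragfirst` form for "non-first fragment" are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the firewall repository.  Emit the standard
# fragment-handling rules for one inbound chain as rule text (a dry run,
# in the spirit of a rule generator), for IPv4 or IPv6.
#
# Policy (from the commit message): let non-first fragments through
# untouched, except TCP fragments, which are dropped.  Non-first
# fragments carry no transport header, so port-based rules further down
# the chain cannot classify them.
#
# Assumptions: chain names are caller-supplied; TCP fragments are
# DROPped; ip6tables selects non-first fragments with "-m frag ! --fragfirst".
frag_rules() {
    family=$1   # "4" for iptables, "6" for ip6tables
    chain=$2    # chain name, e.g. in-untrusted (constructed)

    if [ -z "$chain" ]; then
        echo "frag_rules: chain name required" >&2
        return 1
    fi

    case $family in
    4)
        # iptables: -f matches the second and later fragments of a datagram.
        printf '%s\n' \
            "iptables -A $chain -p tcp -f -j DROP" \
            "iptables -A $chain -f -j ACCEPT"
        ;;
    6)
        # ip6tables has no -f; the frag match inspects the Fragment extension
        # header, and "! --fragfirst" picks out the non-first fragments.
        printf '%s\n' \
            "ip6tables -A $chain -p tcp -m frag ! --fragfirst -j DROP" \
            "ip6tables -A $chain -m frag ! --fragfirst -j ACCEPT"
        ;;
    *)
        echo "frag_rules: unknown address family '$family'" >&2
        return 1
        ;;
    esac
}

# Standard rules for a chain: currently just the fragment policy, placed
# first so later port-based rules never see a headerless fragment.
standard_rules() {
    frag_rules "$1" "$2"
}

# Usage: print the rules for a constructed inbound chain in both families.
if [ "${1:-}" = "demo" ]; then
    standard_rules 4 in-untrusted
    standard_rules 6 in-untrusted
fi
```

The TCP-fragment rules must come before any `--dport` rule on the chain; otherwise a fragment with no transport header falls through to the chain's default policy, which is exactly the ambiguity the commit message is closing.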
Mark Wooding [Thu, 15 Apr 2010 12:53:56 +0000 (13:53 +0100)]
classify.m4: Correct summary line at the top.
Wow, that must have been wrong for a long time.

Mark Wooding [Thu, 8 Apr 2010 19:18:30 +0000 (20:18 +0100)]
vampire.m4: Remove the magical DNS DDoS hack.
We're going to use fail2ban for this job (and others). So we don't need
logtrawl any more.

Mark Wooding [Mon, 1 Feb 2010 16:55:22 +0000 (16:55 +0000)]
vampire: Open `disorder' port; close `mpd'.

Mark Wooding [Thu, 28 Jan 2010 12:24:35 +0000 (12:24 +0000)]
vampire: Allow MPD traffic through.

Mark Wooding [Thu, 23 Jul 2009 11:24:08 +0000 (12:24 +0100)]
vampire.m4: Log messages when rejecting DNS DDOS packets.

Mark Wooding [Thu, 4 Jun 2009 14:55:44 +0000 (15:55 +0100)]
vampire: Add special hook for DNS badness.
There's a DDOS attack which works by sending DNS servers bogus requests
with spoofed source addresses. The servers' error reports end up
bombarding the victim.
The `logtrawl' program maintains an ipset listing the known victim IP
addresses based on the DNS server's logs; here, we /drop/ matching
packets -- otherwise the ICMP fallout would do just as well as the DNS
errors at clobbering the victim. Fortunately this isn't very evil,
since DNS over UDP is unreliable anyway.
It may be that `logtrawl' grows up to do more of this stuff later.

Mark Wooding [Tue, 13 Jan 2009 18:11:39 +0000 (18:11 +0000)]
vampire: Add accounting rules for Tor on the OUTPUT chain.
This will tell me what I actually wanted to know.

Mark Wooding [Mon, 12 Jan 2009 21:40:20 +0000 (21:40 +0000)]
vampire: Move tor ports to a separate rule.
This way we can get separate accounting for tor traffic.

Mark Wooding [Mon, 12 Jan 2009 15:10:22 +0000 (15:10 +0000)]
vampire: Open up public ports for tor.

Mark Wooding [Wed, 7 Jan 2009 19:04:52 +0000 (19:04 +0000)]
local.mk: Add install rule.

Mark Wooding [Wed, 7 Jan 2009 19:04:36 +0000 (19:04 +0000)]
Makefile: Put default rule before local makefile.
Otherwise rules in local.mk become the default.

Mark Wooding [Wed, 7 Jan 2009 19:03:59 +0000 (19:03 +0000)]
bookends: Prevent packets with destination localhost.
Linux blocks these anyway, but it's good to be sure.

Mark Wooding [Wed, 7 Jan 2009 18:55:01 +0000 (18:55 +0000)]
functions: Don't prefix log messages with `new' any more.
This was done to distinguish messages from the old firewall script.
We don't need it any more.

Mark Wooding [Wed, 7 Jan 2009 18:54:22 +0000 (18:54 +0000)]
filter: Bogus file, unused.
Not sure how this one got left behind.

Mark Wooding [Wed, 10 Dec 2008 10:00:35 +0000 (10:00 +0000)]
Initial commit of fancy firewall infrastructure.