Mark Wooding [Sun, 7 Feb 2016 22:10:18 +0000 (22:10 +0000)]
New host universe.
Mark Wooding [Thu, 1 Oct 2015 07:15:06 +0000 (08:15 +0100)]
local.m4, local.mk, national.m4: New virtual host `national'.
Hosted by Linode in Dallas, TX.
Mark Wooding [Thu, 1 Oct 2015 07:14:21 +0000 (08:14 +0100)]
local.m4: New address range for untrusted VPN hosts.
Mark Wooding [Mon, 11 May 2015 14:17:32 +0000 (15:17 +0100)]
functions.m4 (ntpclient): Handle NTP servers with IPv6 addresses.
Mark Wooding [Mon, 11 May 2015 02:28:16 +0000 (03:28 +0100)]
local.m4: Allow IPv6 ping separately.
This seems to have broken recently.
Mark Wooding [Wed, 1 Apr 2015 18:50:20 +0000 (19:50 +0100)]
telecaster.m4: External SMTP service for mailing lists.
Mark Wooding [Wed, 1 Apr 2015 18:39:50 +0000 (19:39 +0100)]
local.mk: Remove orange and mango.
They're not currently active.
Mark Wooding [Wed, 1 Apr 2015 18:38:19 +0000 (19:38 +0100)]
jem.m4, vampire.m4: Cull some external services.
jem never provided externally facing email. vampire used to, but
doesn't any more. It also doesn't provide a slew of other random
services. Block them all.
Mark Wooding [Wed, 1 Apr 2015 18:37:56 +0000 (19:37 +0100)]
local.m4: gibson now uses explicit VLAN tagging.
Mark Wooding [Thu, 26 Mar 2015 21:57:00 +0000 (21:57 +0000)]
functions.m4: Only call `allow-non-init-frag' on fragments.
Otherwise we let in all non-fragmented packets. Oops.
Mark Wooding [Thu, 26 Mar 2015 16:45:05 +0000 (16:45 +0000)]
jaguar.m4, local.m4: Remove jaguar completely.
Its firewall configuration is now in /usr/local/src/firewall on jaguar
itself.
Mark Wooding [Thu, 19 Mar 2015 12:43:07 +0000 (12:43 +0000)]
jem.m4: External rsync service.
Mark Wooding [Thu, 19 Mar 2015 12:41:05 +0000 (12:41 +0000)]
radius.m4: Stop MSS clamping on egress now the external MTU is 1500.
And there was great rejoicing!
Mark Wooding [Sat, 28 Feb 2015 12:43:49 +0000 (12:43 +0000)]
local.m4: Reinstate detailed filtering from scary networks.
This got lost when I split scary out of untrusted. Oops.
Mark Wooding [Tue, 24 Feb 2015 22:16:32 +0000 (22:16 +0000)]
local.m4: Inbound restriction on untrusted is no longer experimental.
Mark Wooding [Mon, 16 Feb 2015 09:55:23 +0000 (09:55 +0000)]
local.m4: Protect the `untrusted' network from incoming requests.
Currently the untrusted network is vulnerable to incoming hostile IPv6
requests, and only protected from IPv4 by NAT.
I don't think it's especially useful to allow untrusted hosts to
provide externally facing services, so rather than deploy a new
network, I'm just going to change the policy for the existing one, and
forbid new connections and UDP traffic to untrusted hosts. This
involves splitting out a separate network class for the external
Internet, which is now `scary'.
Mark Wooding [Mon, 16 Feb 2015 09:54:54 +0000 (09:54 +0000)]
classify.m4: Fix some typos in the commentary.
Mark Wooding [Mon, 9 Feb 2015 14:19:03 +0000 (14:19 +0000)]
jazz.m4, numbers.m4: Expose the OpenPGP key server.
Mark Wooding [Sat, 7 Feb 2015 19:47:55 +0000 (19:47 +0000)]
local.m4: Proper configuration for groove.
Mark Wooding [Sat, 7 Feb 2015 14:28:49 +0000 (14:28 +0000)]
groove.m4: New host.
Mark Wooding [Sat, 7 Feb 2015 14:28:15 +0000 (14:28 +0000)]
artist.m4: Further Rygel hacking.
Mark Wooding [Fri, 5 Sep 2014 15:34:54 +0000 (16:34 +0100)]
artist.m4: Punch a hole for Rygel service to local (-ish) devices.
Mark Wooding [Tue, 15 Jul 2014 09:50:17 +0000 (10:50 +0100)]
local.m4: Boundary network addresses can legitimately transit the VPN.
This is IPv6-specific. Suppose an internal host on one end of a VPN
connection sends a packet to a host on the boundary network at the
other end. This packet will go via the public Internet -- fine. But
the other end will reply, and route the packet through the VPN because
it's an internal address. So we should allow it or we break
connectivity.
The right answer is probably to arrange for the routing to be
symmetrical, either by forcing the original packet to go through the
VPN or the reply to go around it, but both of these would seem to
involve messing with policy routing in a complicated way. The current
situation seems weird but not especially harmful.
Mark Wooding [Tue, 15 Jul 2014 09:48:09 +0000 (10:48 +0100)]
stratocaster.m4: Permit incoming finger.
Mark Wooding [Sun, 29 Jun 2014 18:47:22 +0000 (19:47 +0100)]
local.m4: Load connection tracking modules as standard.
This will make FTP work properly, at least.
Mark Wooding [Sun, 27 Apr 2014 17:12:07 +0000 (18:12 +0100)]
classify.m4: Forbid the v4-mapped and v4-compatible ranges.
These shouldn't be appearing as source addresses.
Mark Wooding [Mon, 21 Apr 2014 21:21:48 +0000 (22:21 +0100)]
local.m4: Move VPN hosts to ...:1.
Linux thinks that host addresses which coincide with network base
addresses are `anycast', and that this means that it shouldn't send
ICMP errors to them. This is obviously ridiculous, so move hosts to
address ...:1 to prevent this stupidity.
Mark Wooding [Sun, 20 Apr 2014 11:57:52 +0000 (12:57 +0100)]
telecaster.m4: Allow external DNS service.
Mark Wooding [Sat, 19 Apr 2014 11:41:45 +0000 (12:41 +0100)]
local.m4: Replacing IPv6 host routes with /112 networks.
Linux has a bug: it doesn't make route cache entries for remote hosts
if there's already a host route, and it only attaches path-MTU
information to cache entries. The result is that it doesn't handle
ICMPv6 `packet too big' messages properly for destinations with host
routes.
I'm bodging this by replacing all of the host routes with tiny /112
networks. It's awful, but it seems to work. The convention is that
the `host part' of the net is always zero.
Mark Wooding [Fri, 18 Apr 2014 13:10:18 +0000 (14:10 +0100)]
local.m4: Mention that the IPv6 VPN net is logically `safe'.
Mark Wooding [Fri, 18 Apr 2014 13:07:53 +0000 (14:07 +0100)]
icmp.m4: Actually track the correct ICMPv6 protocol.
Silly program thinks that `icmp' on IPv6 doesn't mean the same as
`icmpv6'.
Mark Wooding [Sat, 8 Mar 2014 14:58:29 +0000 (14:58 +0000)]
Makefile: Explicit stdin from terminal, so `make -j' builds work.
Arrange that stdin is /dev/tty for local installs so that they can be
confirmed manually.
Mark Wooding [Sat, 8 Mar 2014 14:54:39 +0000 (14:54 +0000)]
fender.m4: BCP38 source-address filtering, at ebtables level.
I found an annoying bug here, reported to Debian as #741101.
Mark Wooding [Sat, 8 Mar 2014 14:54:07 +0000 (14:54 +0000)]
fender.m4: Reformat the ebtables hacking a bit.
Mark Wooding [Sat, 8 Mar 2014 14:51:24 +0000 (14:51 +0000)]
functions.m4, radius.m4: BCP38 filtering for outbound traffic.
Mark Wooding [Fri, 7 Mar 2014 00:27:13 +0000 (00:27 +0000)]
base.m4: Run firewall after local filesystems are mounted.
Annoyingly, ipset(8) is in /usr, and this breaks the firewall at boot
if it's run too early.
Mark Wooding [Wed, 12 Feb 2014 15:27:38 +0000 (15:27 +0000)]
numbers.m4, stratocaster.m4: Public-facing IMAP server.
It supports (and insists on, indeed) using `STARTTLS', so this is
sensible.
Mark Wooding [Tue, 7 Jan 2014 17:08:55 +0000 (17:08 +0000)]
numbers.m4, telecaster.m4: TLS-enabled web cache.
Mark Wooding [Tue, 10 Sep 2013 12:40:00 +0000 (13:40 +0100)]
local.mk: jaguar's firewall is maintained locally now.
Mark Wooding [Wed, 4 Sep 2013 10:00:56 +0000 (11:00 +0100)]
fender.m4: Trap bad source IP addresses at the ethernet bridge layer.
Since we don't have control of the Jump router, and it doesn't seem to
trap spoofed packets, we must do that ourselves.
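What the two BCP38 commits in this log amount to, as an added example (mine, not the repository's own m4 or shell): once at the ethernet bridge with ebtables, for a bridging host whose upstream router won't filter spoofed sources for it, and once on a router with iptables for the outbound case from the earlier functions.m4/radius.m4 commit. The `run' wrapper imitates the repository's FW_NOACT idea but defaults to printing; interface names, chain names and the RFC 5737/3849 prefixes are assumptions.

```sh
#!/bin/sh
# Added example, not code from the repository: BCP38 source-address
# filtering at the bridge (ebtables) and at a router (iptables).

# Dry-run wrapper in the spirit of the repository's `run'/FW_NOACT:
# print each rule instead of executing it unless FW_APPLY=yes.
run () {
  if [ "${FW_APPLY:-no}" = yes ]; then "$@"; else printf '%s\n' "$*"; fi
}

# bcp38_bridge INSIDE_PORT OUTSIDE_PORT V4PREFIX V6PREFIX
#   Frames entering from the inside port must carry one of our source
#   addresses (that is BCP38 proper); frames entering from the outside
#   claiming one of our addresses are spoofed and dropped too.  Non-IP
#   frames (ARP etc.) never match the `-p' and pass untouched.
bcp38_bridge () {
  inport=$1 outport=$2 v4=$3 v6=$4
  run ebtables -N bcp38
  run ebtables -P bcp38 RETURN
  run ebtables -A FORWARD -j bcp38
  # Unnumbered but legitimate sources must be let through first:
  # IPv6 link-local (neighbour discovery, router advertisements), the
  # unspecified address used by duplicate-address detection, and the
  # 0.0.0.0 of DHCP discovery.
  run ebtables -A bcp38 -p IPv6 --ip6-src fe80::/10 -j RETURN
  run ebtables -A bcp38 -p IPv6 --ip6-src ::/128 -j RETURN
  run ebtables -A bcp38 -p IPv4 --ip-src 0.0.0.0/32 -j RETURN
  # BCP38 proper: nothing from inside with a source that isn't ours.
  run ebtables -A bcp38 -i "$inport" -p IPv4 --ip-src ! "$v4" -j DROP
  run ebtables -A bcp38 -i "$inport" -p IPv6 --ip6-src ! "$v6" -j DROP
  # And nothing from outside pretending to be us.
  run ebtables -A bcp38 -i "$outport" -p IPv4 --ip-src "$v4" -j DROP
  run ebtables -A bcp38 -i "$outport" -p IPv6 --ip6-src "$v6" -j DROP
}

# bcp38_router_family IPT EXTIF PREFIX
#   Same policy on a router, one address family at a time.  A
#   rate-limited log line precedes the egress drop so that a
#   misconfigured internal host shows up in the logs.  Drop the two
#   `-i' rules if your own prefixes can legitimately arrive from
#   outside (asymmetric routing, as elsewhere in this log).
bcp38_router_family () {
  ipt=$1 ext=$2 prefix=$3
  run $ipt -A FORWARD -o "$ext" ! -s "$prefix" -m limit --limit 3/min \
      -j LOG --log-prefix "BCP38-egress:"
  run $ipt -A FORWARD -o "$ext" ! -s "$prefix" -j DROP
  run $ipt -A FORWARD -i "$ext" -s "$prefix" -j DROP
  run $ipt -A INPUT   -i "$ext" -s "$prefix" -j DROP
}

# bcp38_router EXTIF V4PREFIX V6PREFIX
bcp38_router () {
  bcp38_router_family iptables  "$1" "$2"
  bcp38_router_family ip6tables "$1" "$3"
}

# Assumed topology: eth0 faces the inside, eth1 the upstream router,
# ppp0 is a routing host's external link.
bcp38_bridge eth0 eth1 192.0.2.0/24 2001:db8::/32
bcp38_router ppp0 192.0.2.0/24 2001:db8::/32
```

Run it as-is to see the rules; set FW_APPLY=yes (as root, with ebtables/iptables installed) to load them. The exemptions for fe80::/10, :: and 0.0.0.0 are the part people forget: without them neighbour discovery and DHCP stop crossing the bridge.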
Mark Wooding [Mon, 2 Sep 2013 16:45:57 +0000 (17:45 +0100)]
jazz.m4: Allow iodine hosts NATed internet access.
Mark Wooding [Mon, 2 Sep 2013 16:45:13 +0000 (17:45 +0100)]
jaguar.m4, local.m4, local.mk: New host.
Mark Wooding [Mon, 6 May 2013 11:34:16 +0000 (12:34 +0100)]
telecaster.m4: Rate-limit incoming ICP.
Mark Wooding [Mon, 6 May 2013 11:33:07 +0000 (12:33 +0100)]
functions.m4: Partially cope with ipset(8) command-line overhaul.
They've completely changed the syntax. The old one seems still
available for now, but we should switch over completely now that
wheezy is released.
Mark Wooding [Fri, 19 Apr 2013 14:18:16 +0000 (15:18 +0100)]
numbers.m4, telecaster.m4: Expose the Squid ICP port.
Mark Wooding [Fri, 19 Apr 2013 14:17:29 +0000 (15:17 +0100)]
mango.m4: Reverse NAT into the main network.
Allow access to internal web proxy and so on.
Mark Wooding [Fri, 19 Apr 2013 14:15:52 +0000 (15:15 +0100)]
classify.m4: Document the source of blacklisted address blocks.
Mark Wooding [Tue, 26 Mar 2013 15:50:59 +0000 (15:50 +0000)]
jazz.m4: No, jazz is not a nameserver.
At all. Why...?
Mark Wooding [Tue, 26 Mar 2013 15:41:30 +0000 (15:41 +0000)]
mango.m4: Tighten up the SNAT rules.
Mark Wooding [Sat, 16 Mar 2013 19:32:30 +0000 (19:32 +0000)]
config.m4: Extend the upper limit on open ports.
This will make using mosh(1) much more pleasant. I'm sure that the
limit used to be around 65K, but I don't remember why I reduced it.
Mark Wooding [Sun, 10 Feb 2013 12:59:23 +0000 (12:59 +0000)]
New host `mango'.
Mark Wooding [Sat, 9 Feb 2013 15:59:12 +0000 (15:59 +0000)]
classify.m4: Hook the INPUT and FORWARD chains, not PREROUTING.
The latter are done after NAT has resolved the source and destination
addresses, so we can actually do the job right.
Mark Wooding [Sat, 9 Feb 2013 13:32:23 +0000 (13:32 +0000)]
ibanez.m4: Open an explicit hole for `udpkey'.
Mark Wooding [Sat, 9 Feb 2013 13:32:02 +0000 (13:32 +0000)]
local.m4: Yet more explicit networks for asymmetric routing.
Mark Wooding [Sat, 26 Jan 2013 14:39:45 +0000 (14:39 +0000)]
local.m4: New satellite network `binswood'.
Mark Wooding [Sat, 26 Jan 2013 14:38:33 +0000 (14:38 +0000)]
local.m4: Make the net-class policies easier to read.
Mark Wooding [Sat, 26 Jan 2013 14:34:19 +0000 (14:34 +0000)]
local.m4: Nothing should forward via `iodine'.
Mark Wooding [Sat, 26 Jan 2013 14:32:20 +0000 (14:32 +0000)]
functions.m4, local.m4: Rename `forwards' to `via'.
In fact, it lists the networks to which this one might forward packets,
rather than the networks whose packets this one forwards. Hopefully the
name change will reduce confusion.
Mark Wooding [Sun, 13 Jan 2013 20:48:53 +0000 (20:48 +0000)]
New host `orange'.
Mark Wooding [Sun, 13 Jan 2013 19:15:18 +0000 (19:15 +0000)]
ibanez.m4, vampire.m4: Provide NTP service to untrusted hosts.
Mark Wooding [Tue, 8 Jan 2013 16:07:22 +0000 (16:07 +0000)]
bookends.m4: Better check for bridging.
Mark Wooding [Sat, 29 Dec 2012 01:35:52 +0000 (01:35 +0000)]
stratocaster.m4: Provide rsync service.
Mark Wooding [Fri, 28 Dec 2012 17:59:33 +0000 (17:59 +0000)]
{roadstar,jem,telecaster,stratocaster}.m4: Move Git to login servers.
This avoids lots of annoying messing about with NFS. Maybe when
wheezy is released I'll move these back.
Mark Wooding [Fri, 28 Dec 2012 17:55:00 +0000 (17:55 +0000)]
artist.m4: Moved the `rawk' server to artist.
Maybe for the second time.
Mark Wooding [Sat, 15 Dec 2012 18:52:57 +0000 (18:52 +0000)]
jazz.m4, local.m4: Make jazz be a TrIPE endpoint.
It's running the IP-over-DNS endpoint, and life becomes very tricky if
it's not also the VPN endpoint. There's knock-on stuff: jazz becomes
a router, and VPN traffic can flow over the colo and jump nets.
Mark Wooding [Fri, 14 Dec 2012 17:57:34 +0000 (17:57 +0000)]
numbers.m4: Add port number for IRC.
Not that it's used anywhere yet.
Mark Wooding [Thu, 13 Dec 2012 10:06:24 +0000 (10:06 +0000)]
Makefile: If the user overrides HOSTS, don't install locally anyway.
Mark Wooding [Thu, 13 Dec 2012 10:02:28 +0000 (10:02 +0000)]
local.m4: Add a prose commentary on address allocation.
The IPv4 allocation is summarized in the DNS zone repository; the IPv6
allocation wasn't described anywhere at all.
Mark Wooding [Tue, 11 Dec 2012 10:23:42 +0000 (10:23 +0000)]
functions.m4: Correctly clear `to' network field in packet mark.
I think this worked before anyway, but it's good to fix it properly.
Mark Wooding [Tue, 11 Dec 2012 09:43:34 +0000 (09:43 +0000)]
classify.m4: Dispatch on destination addresses to correct chains.
Mark Wooding [Tue, 11 Dec 2012 09:33:49 +0000 (09:33 +0000)]
classify.m4: Classify individual host routes correctly.
For some reason, we were just using whatever value of `$class' was left
lying around. Not very clever, really.
Mark Wooding [Tue, 11 Dec 2012 09:30:15 +0000 (09:30 +0000)]
classify.m4: Clean up interface map tracing.
Remove duplicate dump of the interface, and only dump the list of known
networks once at the very end.
Mark Wooding [Tue, 11 Dec 2012 09:43:15 +0000 (09:43 +0000)]
functions.m4: Fix up commentary for `matchnets'.
Mark Wooding [Tue, 11 Dec 2012 09:32:36 +0000 (09:32 +0000)]
local.m4, jazz.m4: Move iodine endpoint to jazz.
Mark Wooding [Tue, 11 Dec 2012 09:33:04 +0000 (09:33 +0000)]
numbers.m4, vampire.m4: Expose print server to local untrusted hosts.
Let's hope they don't use up all of my paper.
Mark Wooding [Sun, 14 Oct 2012 19:41:58 +0000 (20:41 +0100)]
radius.m4: Allow external servers to contact the identd.
Otherwise all requests for NATted connections will fail.
Mark Wooding [Sun, 14 Oct 2012 16:25:25 +0000 (17:25 +0100)]
local.m4, radius.m4: radius is now the host gateway to the net.
The MTU is low because the PPPoE<->PPPoA modem uses 8 bytes from the
ethernet frame size limit, and Demon has a tendency to be useless
about breaking path-MTU discovery; so apply TCP MSS clamping.
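The clamping described above, as an added example (mine, not the repository's): the modem takes 8 bytes of the 1500-byte ethernet frame, so the link MTU is 1492 and the largest MSS that fits is 1452 for IPv4 (20+20 bytes of headers) and 1432 for IPv6 (40+20). The function emits nothing once the external MTU is back to 1500, which is the state the later radius.m4 commit reaches. Interface and chain placement are assumptions.

```sh
#!/bin/sh
# Added example, not code from the repository: TCP MSS clamping for a
# PPPoE link with an MTU below 1500.

run () {
  if [ "${FW_APPLY:-no}" = yes ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Largest MSS that fits MTU with minimal headers: a 20-byte IPv4 or
# 40-byte IPv6 header plus a 20-byte TCP header.
mss_for_mtu4 () { echo $(( $1 - 40 )); }
mss_for_mtu6 () { echo $(( $1 - 60 )); }

# clamp_mss_family IPT EXTIF MSS
#   Rewrite the MSS option on SYNs crossing EXTIF in both directions:
#   outbound so remote hosts send us segments that fit, inbound so our
#   hosts send segments that fit.
clamp_mss_family () {
  ipt=$1 ext=$2 mss=$3
  for dir in -o -i; do
    run $ipt -t mangle -A FORWARD "$dir" "$ext" -p tcp \
        --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
  done
}

# clamp_mss EXTIF MTU
#   A fixed --set-mss is used rather than --clamp-mss-to-pmtu because
#   the latter takes the MTU of the packet's outgoing route, which for
#   an inbound SYN is the LAN side (1500), so it would clamp nothing
#   in that direction.
clamp_mss () {
  ext=$1 mtu=$2
  if [ "$mtu" -ge 1500 ]; then
    return 0        # full-size link: leave the MSS alone
  fi
  clamp_mss_family iptables  "$ext" "$(mss_for_mtu4 "$mtu")"
  clamp_mss_family ip6tables "$ext" "$(mss_for_mtu6 "$mtu")"
}

clamp_mss ppp0 1492     # four rules: MSS 1452 (v4) and 1432 (v6)
clamp_mss ppp0 1500     # nothing
```

The router's own connections go through OUTPUT rather than FORWARD and would need the same rule there if it originates TCP sessions over the link.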
Mark Wooding [Wed, 12 Sep 2012 08:51:59 +0000 (09:51 +0100)]
local.m4: artist should expect untrusted source addrs on dmz and unsafe.
An untrusted device, not on the VPN, will be routed to artist through
radius.
Mark Wooding [Wed, 12 Sep 2012 08:51:05 +0000 (09:51 +0100)]
local.m4: Track VLAN renumbering in vampire's interface names.
Mark Wooding [Fri, 8 Jun 2012 00:51:05 +0000 (01:51 +0100)]
Rate limiting for incoming DNS queries over UDP.
We provide DNSSEC-signed responses, and could be used as a DDoS
amplifier. Apply rate-limiting to incoming traffic to mitigate this
effect.
This should be removed if and when BIND acquires its own more
intelligent rate-limiting.
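A rate limiter of the kind the commit above describes, as an added example (mine, not the repository's). It buckets inbound UDP queries by source prefix with the hashlimit match and drops the excess, admits TCP separately, and deliberately avoids a conntrack state match. Chain name, rates and bucket sizes are assumptions. The more intelligent limiter the commit anticipates arrived later as BIND's response rate limiting (RRL), which limits per client and can force retries over TCP instead of dropping outright.

```sh
#!/bin/sh
# Added example, not code from the repository: per-source rate limiting
# of inbound UDP DNS queries so that a DNSSEC-signed zone (large
# answers, spoofable UDP) doesn't make the server an amplifier.

run () {
  if [ "${FW_APPLY:-no}" = yes ]; then "$@"; else printf '%s\n' "$*"; fi
}

# dns_udp_ratelimit IPT CHAIN UPTO BURST SRCMASK
#   IPT      iptables or ip6tables
#   CHAIN    chain that sees inbound traffic from the Internet
#   UPTO     sustained queries allowed per source bucket, e.g. 20/second
#   BURST    extra credit so a short burst of real lookups isn't dropped
#   SRCMASK  bucket sources by this prefix length (one counter per /24
#            or /56), so spreading a spoofed victim's queries over
#            adjacent addresses doesn't dodge the limit
dns_udp_ratelimit () {
  ipt=$1 chain=$2 upto=$3 burst=$4 srcmask=$5
  # No conntrack state match on purpose: repeated queries from one
  # spoofed (source, port) pair share a conntrack entry, so a blanket
  # ESTABLISHED accept earlier in the ruleset would let them past the
  # limiter.  These rules must come before any such accept.
  run $ipt -A "$chain" -p udp --dport 53 \
      -m hashlimit --hashlimit-name dns-udp \
      --hashlimit-mode srcip --hashlimit-srcmask "$srcmask" \
      --hashlimit-upto "$upto" --hashlimit-burst "$burst" -j ACCEPT
  # Over budget: drop silently.  A REJECT would itself be a packet
  # aimed at the (probably spoofed) source.
  run $ipt -A "$chain" -p udp --dport 53 -j DROP
}

# TCP needs a completed handshake, so the source is real and the
# amplification argument doesn't apply.  It must stay open anyway:
# truncated UDP answers make resolvers retry over TCP.
dns_tcp_allow () {
  run $1 -A "$2" -p tcp --dport 53 --syn -j ACCEPT
}

dns_udp_ratelimit iptables  dns-in 20/second 50 24
dns_udp_ratelimit ip6tables dns-in 20/second 50 56
dns_tcp_allow     iptables  dns-in
dns_tcp_allow     ip6tables dns-in
```

The per-prefix counters live under /proc/net/ipt_hashlimit/dns-udp (ip6t_hashlimit for IPv6) while the rules are loaded, which is the place to look when deciding whether the chosen rate is biting legitimate resolvers.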
Mark Wooding [Fri, 8 Jun 2012 00:28:45 +0000 (01:28 +0100)]
radius.m4: Handy ipset hook for ad-hoc safe/untrusted exceptions.
Mark Wooding [Fri, 8 Jun 2012 00:27:39 +0000 (01:27 +0100)]
local.m4: Refactor common SSH permission between safe/untrusted hosts.
Actually the same rules work for IPv4 and IPv6, so we should only write
them once.
Mark Wooding [Thu, 3 May 2012 11:45:39 +0000 (12:45 +0100)]
local.m4: Packets can be routed over the safe network.
Mark Wooding [Wed, 25 Apr 2012 17:07:48 +0000 (18:07 +0100)]
local.m4: Add the colocated servers to the VPN.
Mark Wooding [Mon, 23 Apr 2012 00:20:28 +0000 (01:20 +0100)]
local.m4: Untrusted source addresses appear on the backbone.
This happens because of router redundancy. Case in point: suppose
vampire is selected via IPv6 router discovery, but radius owns the
external tunnel. Then vampire will forward the packet over the
backbone to radius, which mustn't reject it.
(This isn't a security problem because the untrusted network isn't (by
definition) trusted very much for anything.)
Mark Wooding [Mon, 23 Apr 2012 00:20:10 +0000 (01:20 +0100)]
bookends.m4: Allow redirects to (non-routing) hosts.
Mark Wooding [Fri, 20 Apr 2012 20:57:24 +0000 (21:57 +0100)]
Configuration for new colocated virtual servers.
Mark Wooding [Fri, 20 Apr 2012 20:55:48 +0000 (21:55 +0100)]
local.m4: More interfaces for artist.
Firstly, artist needs an interface on the untrusted network so that it
can provide convincing SMB. Secondly, it will eventually provide the
iodine gateway, and will need to forward packets appropriately.
Mark Wooding [Fri, 20 Apr 2012 20:54:22 +0000 (21:54 +0100)]
local.m4: Default addresses reach the IPv6 tunnel interface.
Mark Wooding [Fri, 20 Apr 2012 20:53:33 +0000 (21:53 +0100)]
jem.m4, artist.m4: Allow answers to DNS queries.
Mark Wooding [Fri, 20 Apr 2012 20:44:14 +0000 (21:44 +0100)]
radius.m4: Load NAT helpers (from d119795).
Mark Wooding [Thu, 15 Mar 2012 02:48:33 +0000 (02:48 +0000)]
bookends.m4: Configure IPv6 router advertisement stuff.
Servers are expected to listen in on the routing protocols, so even
though they aren't actually routers, they still shouldn't listen to
the advertisements.
Mark Wooding [Thu, 15 Mar 2012 02:47:52 +0000 (02:47 +0000)]
functions.m4, local.m4: Introduce more kinds of hosts.
Mark Wooding [Thu, 15 Mar 2012 02:39:08 +0000 (02:39 +0000)]
functions.m4: Actually set the IPv6 options.
Mark Wooding [Fri, 30 Mar 2012 16:30:42 +0000 (17:30 +0100)]
fender.m4: Define an address to be a guaranteed black hole.
Mark Wooding [Fri, 23 Mar 2012 16:04:22 +0000 (16:04 +0000)]
local.m4: A new network for the SGO VPN.
Mark Wooding [Fri, 23 Mar 2012 16:02:25 +0000 (16:02 +0000)]
functions.m4, classify.m4: Handle negative address ranges.
That is, a network can explicitly exclude an address range. Ranges are
checked in order, so you carve out a hole in the middle of a range by
putting a negative range for the hole first, and the big network
afterwards.
This involves a fairly major rearrangement of the address classification
machinery. Again.
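An ordered classifier with negative ranges, as an added example (mine, not the repository's classify.m4): each network gets a chain whose ranges are tried in order, a range written `!ADDR/LEN' is a hole that hands the packet back unmarked so a later network can claim it, and the dispatcher only consults a network for packets nobody has marked yet, so the first network in declaration order with a matching positive range wins. It is hooked from mangle INPUT and FORWARD rather than PREROUTING, as in the earlier classify.m4 commit, because those chains run after nat PREROUTING has applied any DNAT. Chain names, the mark layout (source class in the low byte) and the RFC 5737 addresses are assumptions.

```sh
#!/bin/sh
# Added example, not code from the repository: source-address
# classification into a packet mark with ordered negative ranges.

run () {
  if [ "${FW_APPLY:-no}" = yes ]; then "$@"; else printf '%s\n' "$*"; fi
}

# hook_classify IPT
#   mangle INPUT and FORWARD see the packet after nat PREROUTING has
#   rewritten a DNATed destination, so marks computed here are based on
#   the real addresses; mangle PREROUTING would see the pre-translation
#   destination.
hook_classify () {
  run $1 -t mangle -N classify-src
  run $1 -t mangle -A INPUT   -j classify-src
  run $1 -t mangle -A FORWARD -j classify-src
}

# src_class_chain IPT NAME MARK RANGE...
#   Build class-src-NAME and attach it to the dispatcher.  RANGEs are
#   tried in order.  `!ADDR/LEN' is a hole: a packet from it RETURNs
#   unmarked and never reaches the ranges listed below it.  A plain
#   range sets the class in the low byte of the mark.  The dispatcher
#   rule only enters this chain for still-unmarked packets.
src_class_chain () {
  ipt=$1 name=$2 mark=$3; shift 3
  chain="class-src-$name"
  run $ipt -t mangle -N "$chain"
  for r in "$@"; do
    case $r in
      '!'*) run $ipt -t mangle -A "$chain" -s "${r#!}" -j RETURN ;;
      *)    run $ipt -t mangle -A "$chain" -s "$r" \
                -j MARK --set-xmark "$mark/0xff" ;;
    esac
  done
  run $ipt -t mangle -A classify-src -m mark --mark 0/0xff -j "$chain"
}

hook_classify iptables
# 192.0.2.0/24 is `internal' except for a guest /26 carved out of it,
# which belongs to `untrusted'.  The hole is listed before the big net:
# 192.0.2.200 RETURNs from class-src-internal unmarked and is then
# claimed by class-src-untrusted; 192.0.2.10 is marked 1 in the first
# chain and the later chains are skipped.  The catch-all comes last.
src_class_chain iptables internal  1 '!192.0.2.192/26' 192.0.2.0/24
src_class_chain iptables untrusted 2 192.0.2.192/26
src_class_chain iptables scary     3 0.0.0.0/0
```

With this layout the filter table only ever tests `-m mark --mark N/0xff', and reordering a network or adding a hole is a change in one place. Swapping the two src_class_chain lines for internal and untrusted would still give the same answer here, since the hole makes the internal chain decline the guest range either way; the ordering matters when a network is declared without the hole.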
Mark Wooding [Fri, 23 Mar 2012 16:00:52 +0000 (16:00 +0000)]
Make FW_NOACT work properly.
Some calls to iptables(8) and friends weren't through `run', so fix
these. Also skip the initial flushing. We probably want to skip the
final dump, but don't do that yet.
Mark Wooding [Sat, 17 Mar 2012 16:02:59 +0000 (16:02 +0000)]
local.m4: Declare network for anycast services.
Mark Wooding [Sat, 17 Mar 2012 16:02:35 +0000 (16:02 +0000)]
local.m4: Reorder forwarding networks for `default'.
Makes it easier to read.