Mark Wooding [Sat, 8 Mar 2014 14:51:24 +0000 (14:51 +0000)]
functions.m4, radius.m4: BCP38 filtering for outbound traffic.
Mark Wooding [Fri, 7 Mar 2014 00:27:13 +0000 (00:27 +0000)]
base.m4: Run firewall after local filesystems are mounted.
Annoyingly, ipset(8) is in /usr, and this breaks the firewall at boot
if it's run too early.
Mark Wooding [Wed, 12 Feb 2014 15:27:38 +0000 (15:27 +0000)]
numbers.m4, stratocaster.m4: Public-facing IMAP server.
It supports (and insists on, indeed) using `STARTTLS', so this is
sensible.
Mark Wooding [Tue, 7 Jan 2014 17:08:55 +0000 (17:08 +0000)]
numbers.m4, telecaster.m4: TLS-enabled web cache.
Mark Wooding [Tue, 10 Sep 2013 12:40:00 +0000 (13:40 +0100)]
local.mk: jaguar's firewall is maintained locally now.
Mark Wooding [Wed, 4 Sep 2013 10:00:56 +0000 (11:00 +0100)]
fender.m4: Trap bad source IP addresses at the ethernet bridge layer.
Since we don't have control of the Jump router, and it doesn't seem to
trap spoofed packets, we must do that ourselves.
Mark Wooding [Mon, 2 Sep 2013 16:45:57 +0000 (17:45 +0100)]
jazz.m4: Allow iodine hosts NATed internet access.
Mark Wooding [Mon, 2 Sep 2013 16:45:13 +0000 (17:45 +0100)]
jaguar.m4, local.m4, local.mk: New host.
Mark Wooding [Mon, 6 May 2013 11:34:16 +0000 (12:34 +0100)]
telecaster.m4: Rate-limit incoming ICP.
Mark Wooding [Mon, 6 May 2013 11:33:07 +0000 (12:33 +0100)]
functions.m4: Partially cope with ipset(8) command-line overhaul.
They've completely changed the syntax. The old one seems still
available for now, but we should switch over completely now that
wheezy is released.
Mark Wooding [Fri, 19 Apr 2013 14:18:16 +0000 (15:18 +0100)]
numbers.m4, telecaster.m4: Expose the Squid ICP port.
Mark Wooding [Fri, 19 Apr 2013 14:17:29 +0000 (15:17 +0100)]
mango.m4: Reverse NAT into the main network.
Allow access to internal web proxy and so on.
Mark Wooding [Fri, 19 Apr 2013 14:15:52 +0000 (15:15 +0100)]
classify.m4: Document the source of blacklisted address blocks.
Mark Wooding [Tue, 26 Mar 2013 15:50:59 +0000 (15:50 +0000)]
jazz.m4: No, jazz is not a nameserver.
At all. Why...?
Mark Wooding [Tue, 26 Mar 2013 15:41:30 +0000 (15:41 +0000)]
mango.m4: Tighten up the SNAT rules.
Mark Wooding [Sat, 16 Mar 2013 19:32:30 +0000 (19:32 +0000)]
config.m4: Extend the upper limit on open ports.
This will make using mosh(1) much more pleasant. I'm sure that the
limit used to be around 65K, but I don't remember why I reduced it.
Mark Wooding [Sun, 10 Feb 2013 12:59:23 +0000 (12:59 +0000)]
New host `mango'.
Mark Wooding [Sat, 9 Feb 2013 15:59:12 +0000 (15:59 +0000)]
classify.m4: Hook the INPUT and FORWARD chains, not PREROUTING.
The latter are done after NAT has resolved the source and destination
addresses, so we can actually do the job right.
Mark Wooding [Sat, 9 Feb 2013 13:32:23 +0000 (13:32 +0000)]
ibanez.m4: Open an explicit hole for `udpkey'.
Mark Wooding [Sat, 9 Feb 2013 13:32:02 +0000 (13:32 +0000)]
local.m4: Yet more explicit networks for asymmetric routing.
Mark Wooding [Sat, 26 Jan 2013 14:39:45 +0000 (14:39 +0000)]
local.m4: New satellite network `binswood'.
Mark Wooding [Sat, 26 Jan 2013 14:38:33 +0000 (14:38 +0000)]
local.m4: Make the net-class policies easier to read.
Mark Wooding [Sat, 26 Jan 2013 14:34:19 +0000 (14:34 +0000)]
local.m4: Nothing should forward via `iodine'.
Mark Wooding [Sat, 26 Jan 2013 14:32:20 +0000 (14:32 +0000)]
functions.m4, local.m4: Rename `forwards' to `via'.
In fact, it lists the networks to which this one might forward packets,
rather than the networks whose packets this one forwards. Hopefully the
name change will reduce confusion.
Mark Wooding [Sun, 13 Jan 2013 20:48:53 +0000 (20:48 +0000)]
New host `orange'.
Mark Wooding [Sun, 13 Jan 2013 19:15:18 +0000 (19:15 +0000)]
ibanez.m4, vampire.m4: Provide NTP service to untrusted hosts.
Mark Wooding [Tue, 8 Jan 2013 16:07:22 +0000 (16:07 +0000)]
bookends.m4: Better check for bridging.
Mark Wooding [Sat, 29 Dec 2012 01:35:52 +0000 (01:35 +0000)]
stratocaster.m4: Provide rsync service.
Mark Wooding [Fri, 28 Dec 2012 17:59:33 +0000 (17:59 +0000)]
{roadstar,jem,telecaster,stratocaster}.m4: Move Git to login servers.
This avoids lots of annoying messing about with NFS. Maybe when
wheezy is released I'll move these back.
Mark Wooding [Fri, 28 Dec 2012 17:55:00 +0000 (17:55 +0000)]
artist.m4: Moved the `rawk' server to artist.
Maybe for the second time.
Mark Wooding [Sat, 15 Dec 2012 18:52:57 +0000 (18:52 +0000)]
jazz.m4, local.m4: Make jazz be a TrIPE endpoint.
It's running the IP-over-DNS endpoint, and life becomes very tricky if
it's not also the VPN endpoint. There's knock-on stuff: jazz becomes
a router, and VPN traffic can flow over the colo and jump nets.
Mark Wooding [Fri, 14 Dec 2012 17:57:34 +0000 (17:57 +0000)]
numbers.m4: Add port number for IRC.
Not that it's used anywhere yet.
Mark Wooding [Thu, 13 Dec 2012 10:06:24 +0000 (10:06 +0000)]
Makefile: If the user overrides HOSTS, don't install locally anyway.
Mark Wooding [Thu, 13 Dec 2012 10:02:28 +0000 (10:02 +0000)]
local.m4: Add a prose commentary on address allocation.
The IPv4 allocation is summarized in the DNS zone repository; the IPv6
allocation wasn't described anywhere at all.
Mark Wooding [Tue, 11 Dec 2012 10:23:42 +0000 (10:23 +0000)]
functions.m4: Correctly clear `to' network field in packet mark.
I think this worked before anyway, but it's good to fix it properly.
Mark Wooding [Tue, 11 Dec 2012 09:43:34 +0000 (09:43 +0000)]
classify.m4: Dispatch on destination addresses to correct chains.
Mark Wooding [Tue, 11 Dec 2012 09:33:49 +0000 (09:33 +0000)]
classify.m4: Classify individual host routes correctly.
For some reason, we were just using whatever value of `$class' was left
lying around. Not very clever, really.
Mark Wooding [Tue, 11 Dec 2012 09:30:15 +0000 (09:30 +0000)]
classify.m4: Clean up interface map tracing.
Remove duplicate dump of the interface, and only dump the list of known
networks once at the very end.
Mark Wooding [Tue, 11 Dec 2012 09:43:15 +0000 (09:43 +0000)]
functions.m4: Fix up commentary for `matchnets'.
Mark Wooding [Tue, 11 Dec 2012 09:32:36 +0000 (09:32 +0000)]
local.m4, jazz.m4: Move iodine endpoint to jazz.
Mark Wooding [Tue, 11 Dec 2012 09:33:04 +0000 (09:33 +0000)]
numbers.m4, vampire.m4: Expose print server to local untrusted hosts.
Let's hope they don't use up all of my paper.
Mark Wooding [Sun, 14 Oct 2012 19:41:58 +0000 (20:41 +0100)]
radius.m4: Allow external servers to contact the identd.
Otherwise all requests for NATted connections will fail.
Mark Wooding [Sun, 14 Oct 2012 16:25:25 +0000 (17:25 +0100)]
local.m4, radius.m4: radius is now the host gateway to the net.
The MTU is low because the PPPoE<->PPPoA modem uses 8 bytes from the
ethernet frame size limit, and Demon has a tendency to be useless
about breaking path-MTU discovery; so apply TCP MSS clamping.
Mark Wooding [Wed, 12 Sep 2012 08:51:59 +0000 (09:51 +0100)]
local.m4: artist should expect untrusted source addrs on dmz and unsafe.
An untrusted device, not on the VPN, will be routed to artist through
radius.
Mark Wooding [Wed, 12 Sep 2012 08:51:05 +0000 (09:51 +0100)]
local.m4: Track VLAN renumbering in vampire's interface names.
Mark Wooding [Fri, 8 Jun 2012 00:51:05 +0000 (01:51 +0100)]
Rate limiting for incoming DNS queries over UDP.
We provide DNSsec-signed responses, and could be used as a DDoS
amplifier. Apply rate-limiting to incoming traffic to mitigate this
effect.
This should be removed if and when BIND acquires its own more
intelligent rate-limiting.
Mark Wooding [Fri, 8 Jun 2012 00:28:45 +0000 (01:28 +0100)]
radius.m4: Handy ipset hook for ad-hoc safe/untrusted exceptions.
Mark Wooding [Fri, 8 Jun 2012 00:27:39 +0000 (01:27 +0100)]
local.m4: Refactor common SSH permission between safe/untrusted hosts.
Actually the same rules work for IPv4 and IPv6, so we should only write
them once.
Mark Wooding [Thu, 3 May 2012 11:45:39 +0000 (12:45 +0100)]
local.m4: Packets can be routed over the safe network.
Mark Wooding [Wed, 25 Apr 2012 17:07:48 +0000 (18:07 +0100)]
local.m4: Add the colocated servers to the VPN.
Mark Wooding [Mon, 23 Apr 2012 00:20:28 +0000 (01:20 +0100)]
local.m4: Untrusted source addresses appear on the backbone.
This happens because of router redundancy. Case in point: suppose
vampire is selected via IPv6 router discovery, but radius owns the
external tunnel. Then vampire will forward the packet over the
backbone to radius, which mustn't reject it.
(This isn't a security problem because the untrusted network isn't (by
definition) trusted very much for anything.)
Mark Wooding [Mon, 23 Apr 2012 00:20:10 +0000 (01:20 +0100)]
bookends.m4: Allow redirects to (non-routing) hosts.
Mark Wooding [Fri, 20 Apr 2012 20:57:24 +0000 (21:57 +0100)]
Configuration for new colocated virtual servers.
Mark Wooding [Fri, 20 Apr 2012 20:55:48 +0000 (21:55 +0100)]
local.m4: More interfaces for artist.
Firstly, artist needs an interface on the untrusted network so that it
can provide convincing SMB. Secondly, it will eventually provide the
iodine gateway, and will need to forward packets appropriately.
Mark Wooding [Fri, 20 Apr 2012 20:54:22 +0000 (21:54 +0100)]
local.m4: Default addresses reach the IPv6 tunnel interface.
Mark Wooding [Fri, 20 Apr 2012 20:53:33 +0000 (21:53 +0100)]
jem.m4, artist.m4: Allow answers to DNS queries.
Mark Wooding [Fri, 20 Apr 2012 20:44:14 +0000 (21:44 +0100)]
radius.m4: Load NAT helpers (from d119795).
Mark Wooding [Thu, 15 Mar 2012 02:48:33 +0000 (02:48 +0000)]
bookends.m4: Configure IPv6 router advertisement stuff.
Servers are expected to listen in on the routing protocols, so even
though they aren't actually routers, they still shouldn't listen to
the advertisements.
Mark Wooding [Thu, 15 Mar 2012 02:47:52 +0000 (02:47 +0000)]
functions.m4, local.m4: Introduce more kinds of hosts.
Mark Wooding [Thu, 15 Mar 2012 02:39:08 +0000 (02:39 +0000)]
functions.m4: Actually set the IPv6 options.
Mark Wooding [Fri, 30 Mar 2012 16:30:42 +0000 (17:30 +0100)]
fender.m4: Define an address to be a guaranteed black hole.
Mark Wooding [Fri, 23 Mar 2012 16:04:22 +0000 (16:04 +0000)]
local.m4: A new network for the SGO VPN.
Mark Wooding [Fri, 23 Mar 2012 16:02:25 +0000 (16:02 +0000)]
functions.m4, classify.m4: Handle negative address ranges.
That is, a network can explicitly exclude an address range. Ranges are
checked in order, so you carve out a hole in the middle of a range by
putting a negative range for the hole first, and the big network
afterwards.
This involves a fairly major rearrangement of the address classification
machinery. Again.
Mark Wooding [Fri, 23 Mar 2012 16:00:52 +0000 (16:00 +0000)]
Make FW_NOACT work properly.
Some calls to iptables(8) and friends weren't through `run', so fix
these. Also skip the initial flushing. We probably want to skip the
final dump, but don't do that yet.
Mark Wooding [Sat, 17 Mar 2012 16:02:59 +0000 (16:02 +0000)]
local.m4: Declare network for anycast services.
Mark Wooding [Sat, 17 Mar 2012 16:02:35 +0000 (16:02 +0000)]
local.m4: Reorder forwarding networks for `default'.
Makes it easier to read.
Mark Wooding [Sat, 17 Mar 2012 16:02:03 +0000 (16:02 +0000)]
local.m4: Move `vpn' to the common networks section.
It's not really geographical.
Mark Wooding [Sun, 11 Mar 2012 23:58:09 +0000 (23:58 +0000)]
Overhaul address classification for link-local and non-unicast addresses.
The previous attempts just weren't working. Instead, assign them their
own classes, and work things using the forwarding masks. There's a
minor wrinkle, that we must handle forwarded packets differently from
inbound ones if they involve link-local addresses, but this is handled
with a fixup in the mangle INPUT chain.
The other significant change here is that the mangle table is now
responsible for selecting packets with bogus destination addresses for
rejection -- though it can't do the rejection itself because of a
kernel restriction.
Mark Wooding [Mon, 12 Mar 2012 00:02:05 +0000 (00:02 +0000)]
functions.m4: Publish the per-class forwarding bitmasks.
Just a matter of renaming the variables which hold them.
Mark Wooding [Sun, 11 Mar 2012 19:51:57 +0000 (19:51 +0000)]
functions.m4: The mark-{from,to}-* rules no longer own the packet marks.
These rules now have to be more careful about exactly which parts of
the mark field they clobber.
Mark Wooding [Sun, 11 Mar 2012 16:35:37 +0000 (16:35 +0000)]
classify.m4: Use canonical forms for IPv6 addresses.
Mark Wooding [Sun, 11 Mar 2012 16:34:38 +0000 (16:34 +0000)]
local.m4: Actually use the IPv6 fragmentation forbidding filter.
Mark Wooding [Sun, 11 Mar 2012 16:33:25 +0000 (16:33 +0000)]
Extend proper ICMP handling to IPv6.
Take the opportunity to use the `icmpv6' protocol name throughout.
Fortunately, in a few places where we use `ip46tables', it's actually
possible to use plain `-p icmp'.
Mark Wooding [Sun, 11 Mar 2012 16:30:08 +0000 (16:30 +0000)]
bookends.m4: Optimize checking for forwarding IPv6 link-local multicast.
Apply a coarse filter to detect all multicast, and dispatch to a
finer-grained one to detect link-local multicast addresses. This
would be much easier if the flags and scope fields were the other way
around.
Also fix it to use the correct address range.
Mark Wooding [Sun, 11 Mar 2012 16:19:17 +0000 (16:19 +0000)]
vampire.m4: Extend services to untrusted hosts over IPv6.
Mark Wooding [Sun, 11 Mar 2012 16:18:12 +0000 (16:18 +0000)]
Introduce variable for expected input chains.
Saves lots of messing with $forward.
Mark Wooding [Sun, 11 Mar 2012 05:12:37 +0000 (05:12 +0000)]
local.m4: Fix the `safe' network prefix length.
Mark Wooding [Sun, 11 Mar 2012 05:10:12 +0000 (05:10 +0000)]
local.m4: Define the IPv6 network structure.
Mark Wooding [Sun, 11 Mar 2012 05:09:34 +0000 (05:09 +0000)]
local.m4: Add routes to/from the `safe' network.
Mark Wooding [Sun, 11 Mar 2012 05:05:29 +0000 (05:05 +0000)]
local.m4: The VPN will be available through the colo.
Mark Wooding [Sun, 11 Mar 2012 05:03:21 +0000 (05:03 +0000)]
functions.m4: Correct defaulting of IPv6 host addresses.
Mark Wooding [Thu, 8 Mar 2012 18:56:48 +0000 (18:56 +0000)]
classify.m4: Reject the RFC5737 documentation-only addresses.
Mark Wooding [Wed, 7 Mar 2012 03:06:01 +0000 (03:06 +0000)]
Move per-host filtering to diversion 86 as promised.
For some reason, most of them were on 84, and fender was on 82.
Mark Wooding [Wed, 7 Mar 2012 03:04:00 +0000 (03:04 +0000)]
local.m4: Add `unsafe' to ibanez `br-dmz' interface.
Accidentally omitted from the earlier change.
Mark Wooding [Wed, 7 Mar 2012 02:52:25 +0000 (02:52 +0000)]
functions: Move NTP server list out of line.
Makes the `inbound' chain slightly more efficient in the common case.
Mark Wooding [Tue, 6 Mar 2012 23:26:10 +0000 (23:26 +0000)]
local.m4: Allow dmz/jump packets on unsafe/colo networks and vice versa.
The routing asymmetry is too grim otherwise. Consider:
* ibanez and vampire are both on dmz and unsafe;
* vampire is a router on dmz, unsafe, and vpn, while ibanez is not a
router;
* crybaby is on vpn;
* crybaby attempts to connect to ibanez.dmz.
Now ibanez will respond with its dmz address as the source, and
crybaby's vpn address as the destination. Based on the destination, it
will choose to route the packet over the unsafe network. We must
therefore let vampire know that this is a possibility.
Similarly, ibanez must be prepared to allow packets from unsafe
on its dmz interface because it's not a router: hence, to reach their
destination, they'll have to be pushed over dmz by a router.
It's therefore inevitable that we must abandon separation between these
two networks (or start fiddling with policy routing, which just seems
like more pain than it's worth).
Mark Wooding [Tue, 6 Mar 2012 10:42:58 +0000 (10:42 +0000)]
radius.m4: Forbid traffic directly to the NAT address.
It should only be for forwarded traffic.
Mark Wooding [Tue, 6 Mar 2012 10:41:59 +0000 (10:41 +0000)]
radius.m4: Use the correct interface name for NAT.
This is the last of the network declaration switchover debris.
Mark Wooding [Tue, 6 Mar 2012 10:38:07 +0000 (10:38 +0000)]
local.m4: Fix IGMP acceptance (debris from old interface declarations).
The rules which allowed incoming IGMP were written in terms of (a) the
old $if_... variables which have now disappeared, and (b) an explicit
list of the `trusted' networks. Fix this to use the new system: walk
the list of networks, examine their classes, and determine the
interfaces.
Mark Wooding [Mon, 5 Mar 2012 23:51:44 +0000 (23:51 +0000)]
functions.m4: Write the netclass ids to the trace output.
Mark Wooding [Mon, 5 Mar 2012 23:51:00 +0000 (23:51 +0000)]
bookends.m4: If debugging, dump the final tables.
This makes it rather easier to see what's gone wrong when the update
times out.
Mark Wooding [Mon, 5 Mar 2012 23:39:23 +0000 (23:39 +0000)]
Determine forwarding and reverse-path filtering from host definitions.
There's an explicit declaration for routers. Reverse-path filtering is
just turned off: the routing asymmetries break things too badly on
multi-homed hosts, and it's useless for single-homed hosts.
Mark Wooding [Mon, 5 Mar 2012 23:16:25 +0000 (23:16 +0000)]
Overhaul address classification.
The current system isn't scaling. Adding new networks in particular is
very difficult, and requires subtle changes to all of the host
definitions -- which is also rather tedious.
This new version overhauls the way that the classification chains are
constructed. The important part is that they're now derived from a
single description of the entire network. (This isn't necessary: the
network and hosts could be scattered arbitrarily, but it makes
management easier for me.)
The critical bit is the algorithm in `net_interfaces' which computes
which networks' source addresses can arrive at a particular interface.
This algorithm isn't especially clever (what with being written in
Bourne shell and all) but seems to do the job fairly well, and it has
enough knobs to tweak that getting the right answer isn't too hard.
Mark Wooding [Mon, 5 Mar 2012 23:27:37 +0000 (23:27 +0000)]
local.m4: Promote the NTP server configuration to a proper variable.
Mark Wooding [Mon, 5 Mar 2012 22:35:27 +0000 (22:35 +0000)]
Renumber the diversions.
Move the function definitions together; shift the host interface
definitions near the beginning of the file; and move the local filter
rules later to allow more room for built-in filtering.
Mark Wooding [Mon, 5 Mar 2012 22:34:59 +0000 (22:34 +0000)]
fixup! WIP on emergency:
7a108d1 Makefile: New target for tracking diversions.
Mark Wooding [Mon, 5 Mar 2012 10:40:30 +0000 (10:40 +0000)]
Makefile: New target for tracking diversions.
Mark Wooding [Mon, 5 Mar 2012 09:46:35 +0000 (09:46 +0000)]
Makefile, base.m4: Inject the target hostname into the generated script.
This means we can identify the target in the comment header. It will be
even more useful later.
Mark Wooding [Sun, 12 Feb 2012 01:53:23 +0000 (01:53 +0000)]
numbers.m4, gibson.m4: Allow gibson to receive IPMI responses.
Useful for managing fancy server boxes.
Mark Wooding [Sun, 12 Feb 2012 01:52:29 +0000 (01:52 +0000)]
bookends.m4: Open up tables we clobbered at exit.
Otherwise the `raw' table gets left dropping everything. I've no idea
why this didn't actually break everything for ages.