From 1b534b6a971639a492666b35145b247e4f4a94a9 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 16 Feb 2015 09:55:23 +0000
Subject: [PATCH] local.m4: Protect the `untrusted' network from incoming requests.

Currently the untrusted network is vulnerable to incoming hostile IPv6 requests, and only protected from IPv4 by NAT. I don't think it's especially useful to allow untrusted hosts to provide externally facing services, so rather than deploy a new network, I'm just going to change the policy for the existing one, and forbid new connections and UDP traffic to untrusted hosts. This involves splitting out a separate network class for the external Internet, which is now `scary'.
---
 local.m4 | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/local.m4 b/local.m4
index 785a78b..b5cee43 100644
--- a/local.m4
+++ b/local.m4
@@ -112,10 +112,11 @@ m4_divert(-1)
 ## Define the available network classes.
 m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted mcast
-defnetclass trusted untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass scary scary trusted mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
 defnetclass link
 defnetclass mcast
@@ -253,7 +254,7 @@ defnet vpn safe
 defnet anycast trusted
 	addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 	via dmz unsafe safe untrusted
 	jump colo vpn
-defnet default untrusted
+defnet default scary
 	addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 	addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 	addr 2001:ba8:1d9::/48 #temporary
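Review bot: The meaning of the columns in the `defnetclass` table is not stated anywhere near it, and the new `scary` row is the one this commit hinges on, since it deliberately omits `untrusted` from its list. A one-line comment above the table, such as `## defnetclass NAME CLASS...: NAME may open new connections to the listed classes`, would make that omission read as intentional rather than an oversight — assuming that is what the columns mean, which the commit message implies but the hunk itself does not show. The `defnetclass safe` and `defnetclass noloop` rows appear unchanged between the removed and added lines (possibly only whitespace differs), so the effective change is the first three rows; worth a glance to confirm nothing else moved.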
@@ -371,6 +372,16 @@ openports inbound
 run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services. [EXPERIMENTAL]
+case $forward in
+  1)
+    run ip46tables -A FORWARD -j ACCEPT \ -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \ -m state --state ESTABLISHED,RELATED
+    ;;
+esac
+
 ## Otherwise process as indicated by the mark.
 for i in $inchains; do
 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-- 
2.11.0
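Review bot: The `RELATED` half of `--state ESTABLISHED,RELATED` on the new FORWARD rule admits more than replies: besides ICMP errors it also matches expectations set up by conntrack helpers (active-mode FTP data, SIP media and the like) whenever such a helper is loaded and assigned to the flow, so a remote peer in `scary` could still have a fresh flow opened towards an `untrusted` host through that path; whether helpers are auto-assigned depends on the kernel's `nf_conntrack_helper` setting, which this hunk cannot show. If the intent is strictly "responses only", consider `--state ESTABLISHED` here and a separate `RELATED` rule restricted to ICMP error traffic, or record in the comment that no helpers are loaded on this host. The `[EXPERIMENTAL]` tag would be more useful if it said what is being trialled, e.g. `## [EXPERIMENTAL]: depends on the scary/untrusted netclass split above; drop the tag once confirmed`. The surrounding script (the `for i in $inchains` loop that follows) continues past the end of the hunk.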