From ce6434f7d5bcd51d8bf006e38d7b25dcbf8b518f Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 6 Mar 2012 23:26:10 +0000 Subject: [PATCH] local.m4: Allow dmz/jump packets on unsafe/colo networks and vice versa. The routing asymmetry is too grim otherwise. Consider: * ibanez and vampire are both on dmz and unsafe; * vampire is a router on dmz, unsafe, and vpn, while ibanez is not a router; * crybaby is on vpn; * crybaby attempts to connect to ibanez.dmz. Now ibanez will respond with its dmz address as the source, and crybaby's vpn address as the destination. Based on the destination, it will choose to route the packet over the unsafe network. We must therefore let vampire know that this is a possibility. Similarly, ibanez must be prepared to allow packets from unsafe on its dmz interface because it's not a router: hence, to reach their destination, they'll have to be pushed over dmz by a router. It's therefore inevitable that we must abandon separation between these two networks (or start fiddling with policy routing, which just seems like more pain than it's worth). --- local.m4 | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/local.m4 b/local.m4 index 36f76b3..0a1617f 100644 --- a/local.m4 +++ b/local.m4 @@ -75,23 +75,23 @@ defnet housebdry virtual ## House hosts. defhost radius router - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe iface eth2 safe iface eth3 untrusted defhost roadstar - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost jem - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost artist - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost vampire router - iface eth0.0 dmz - iface eth0.1 unsafe + iface eth0.0 dmz unsafe + iface eth0.1 dmz unsafe iface eth0.3 untrusted iface dns0 dns iface vpn-+ vpn 
@@ -118,23 +118,23 @@ defnet colobdry virtual ## Colocated hosts. defhost fender - iface br-jump jump - iface br-colo colo + iface br-jump jump colo + iface br-colo jump colo defhost precision router - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo iface vpn-+ vpn iface vpn-vampire housebdry vpn defhost telecaster - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo defhost stratocaster - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo defhost jazz - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo ## Other networks. defnet hub virtual -- 2.11.0
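Review bot: in the first hunk (local.m4 @@ -75,23 +75,23 @@), every dmz and unsafe interface on radius, roadstar, jem, artist and vampire now carries the identical network list `dmz unsafe`, but nothing in the file records why; a later reader is likely to take `iface eth0 dmz unsafe` / `iface eth1 dmz unsafe` for a copy-and-paste mistake and "fix" it back. Suggest adding a comment next to the `## House hosts.` heading (or above the first affected defhost) stating that dmz and unsafe are deliberately merged for ingress purposes because of the reply-path asymmetry described in the commit message, and that this relaxes per-interface source-network filtering between those two networks on every house host, routers and non-routers alike. Also, the commit message walks through the example with ibanez, which does not appear in this hunk; either the example should name one of the hosts actually edited here, or the message should say that ibanez is handled elsewhere.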
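Review bot: the second hunk (local.m4 @@ -118,23 +118,23 @@) applies the same merge to jump and colo on the colocated hosts, including the bridge interfaces on fender (`iface br-jump jump colo` / `iface br-colo jump colo`), but the commit message justifies only the dmz/unsafe case and covers this side with "and vice versa". It would be worth stating whether the same asymmetry was actually seen between precision (the colo router, which also has `iface vpn-vampire housebdry vpn`) and the non-router colo hosts, or whether this is pre-emptive, so that the loss of jump/colo separation on the colo side is a documented decision rather than an assumption; a one-line comment under `## Colocated hosts.` mirroring whatever note is added for the house side would do.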