From 1a9376721557a63bac53fdc748683486511a2717 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 15 Jul 2014 10:48:09 +0100
Subject: [PATCH 01/16] stratocaster.m4: Permit incoming finger.

---
 stratocaster.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stratocaster.m4 b/stratocaster.m4
index da7bd68..e2811cb 100644
--- a/stratocaster.m4
+++ b/stratocaster.m4
@@ -35,7 +35,7 @@ iptables -A inbound -g sauce -m set --match-set sauce src || :
 ## Externally visible services.
 allowservices inbound tcp \
 ssh \
- ident \
+ ident finger \
 smtp submission \
 imap imaps \
 http https \
-- 
2.11.0

From a28edce0d98fdb75c76edadbd9509d682b7992b0 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 15 Jul 2014 10:50:17 +0100
Subject: [PATCH 02/16] local.m4: Boundary network addresses can legitimately transit the VPN.

This is IPv6-specific. Suppose an internal host on one end of a VPN connection sends a packet to a host on the boundary network at the other end. This packet will go via the public Internet -- fine. But the other end will reply, and route the packet through the VPN because it's an internal address. So we should allow it or we break connectivity. The right answer is probably to arrange for the routing to be symmetrical, either by forcing the original packet to go through the VPN or the reply to go around it, but both of these would seem to involve messing with policy routing in a complicated way. The current situation seems weird but not especially harmful.

---
 local.m4 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/local.m4 b/local.m4
index ab8249f..da26a37 100644
--- a/local.m4
+++ b/local.m4
@@ -143,7 +143,6 @@ defnet househub virtual
 via housebdry dmz unsafe safe untrusted
 defnet housebdry virtual
 via househub hub
- noxit dmz
 ## House hosts.
 defhost radius
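Review bot: Adding `finger` to stratocaster's externally visible TCP services exposes a protocol whose purpose is to report which accounts exist and who is logged in, and the hunk gives no hint that this disclosure is intended. A one-line comment next to it, such as `## finger: deliberately exposed; it reveals login names to anyone who reaches inbound.`, would stop a later reader from treating it as an accident. The page also shows no `defport finger` in numbers.m4 (patch 07 lists the other service ports), so it is worth confirming that `allowservices` can resolve the name before this is deployed.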
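Review bot: The reason for dropping `noxit dmz` from housebdry (and `noxit jump` from colobdry in the following hunk) lives only in the commit message, so in local.m4 the missing restriction will read as an oversight and is likely to be reinstated by someone tidying up. A comment above `defnet housebdry virtual` such as `## No noxit: IPv6 replies from boundary-network addresses legitimately come back through the VPN (asymmetric routing; stopgap until routing is made symmetrical).` preserves the rationale, and the same line belongs on colobdry. Since the message itself says the proper fix is symmetric routing, marking this as a stopgap is what makes it revisitable later.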
@@ -199,7 +198,6 @@ defnet colohub virtual
 via colobdry jump colo
 defnet colobdry virtual
 via colohub hub
- noxit jump
 defnet iodine untrusted
 addr 172.29.198.128/28
 via colohub
@@ -246,6 +244,7 @@ defnet vpn safe
 host crybaby 1 ::1:1
 host terror 2 ::2:1
 host orange 3 ::3:1
+ host haze 4 ::4:1
 defnet anycast trusted
 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 via dmz unsafe safe untrusted jump colo vpn
-- 
2.11.0

From 85a49f386123c07b8078120374d2a562ad8b8df9 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Fri, 5 Sep 2014 16:34:54 +0100
Subject: [PATCH 03/16] artist.m4: Punch a hole for Rygel service to local (-ish) devices.

---
 artist.m4 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/artist.m4 b/artist.m4
index 8b066a7..b6a8111 100644
--- a/artist.m4
+++ b/artist.m4
@@ -46,6 +46,12 @@ run iptables -A inbound -j ACCEPT \
 -p tcp -m multiport --destination-ports \
 $port_netbios_ssn,$port_microsoft_ds
+## Open ports for Rygel.
+run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 \
+ -d 239.255.255.250 -p udp --destination-port 1900
+run iptables -A INPUT -j ACCEPT -s 172.29.198.0/23 \
+ -p tcp --destination-port 9501
+
 ## Other interesting things.
 dnsresolver inbound
-- 
2.11.0

From 193f386b6081567bf43fcbc6bf9b9842d2c645bc Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sat, 7 Feb 2015 14:28:15 +0000
Subject: [PATCH 04/16] artist.m4: Further Rygel hacking.

---
 artist.m4 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/artist.m4 b/artist.m4
index b6a8111..2997769 100644
--- a/artist.m4
+++ b/artist.m4
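Review bot: The Rygel TCP rule is appended to INPUT directly while the UDP rule next to it goes through `inbound`, so the 9501/tcp accept sidesteps whatever `inbound` applies to untrusted sources (patch 09's context shows `run ip46tables -A inbound -j forbidden` living there), and as an `-A INPUT` it lands after the existing INPUT dispatch rules in an order this page does not show. Patch 04 in this series moves it to `inbound`; it should have gone there from the start so no intermediate revision ships with the two rules on different chains. A comment naming what listens on 9501 would also help, since unlike the `defport` names used elsewhere it is a bare number here and the page does not say what it is.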
@@ -47,9 +47,10 @@ run iptables -A inbound -j ACCEPT \
 $port_netbios_ssn,$port_microsoft_ds
 ## Open ports for Rygel.
+run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp
 run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 \
 -d 239.255.255.250 -p udp --destination-port 1900
-run iptables -A INPUT -j ACCEPT -s 172.29.198.0/23 \
+run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 \
 -p tcp --destination-port 9501
 ## Other interesting things.
-- 
2.11.0

From 49b81a663c69fd67ec8cf8739602b5dbe287486e Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sat, 7 Feb 2015 14:28:49 +0000
Subject: [PATCH 05/16] groove.m4: New host.

---
 groove.m4 | 41 +++++++++++++++++++++++++++++++++++++++++
 local.m4 | 2 ++
 local.mk | 1 +
 3 files changed, 44 insertions(+)
 create mode 100644 groove.m4

diff --git a/groove.m4 b/groove.m4
new file mode 100644
index 0000000..2c861d1
--- /dev/null
+++ b/groove.m4
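Review bot: The new IGMP accept admits any IGMP from 172.29.198.0/23 with no destination or interface qualifier, whereas the SSDP rule beside it is pinned to 239.255.255.250; that is probably what multicast group membership needs, but nothing says so. These three rules are written as raw iptables calls rather than through `allowservices` presumably because of the `-s` restriction, and a comment recording both points, e.g. `## Raw rules (not allowservices) because these must be limited to the local /23: IGMP for group membership, SSDP on the 239.255.255.250 group, and Rygel's TCP listener on 9501.`, would keep the next maintainer from "tidying" them into the generic helper and losing the source limit. Whether 9501 is indeed the Rygel listener is my inference; the page does not say.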
@@ -0,0 +1,41 @@
+### -*-sh-*-
+###
+### Firewall configuration for groove
+###
+### (c) 2008 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### groove-specific rules.
+
+m4_divert(86)m4_dnl
+## Externally visible services.
+allowservices inbound tcp \
+ ssh \
+ ident \
+ http https \
+ disorder
+allowservices inbound udp \
+ tripe
+
+## Other interesting things.
+dnsresolver inbound
+
+m4_divert(-1)
+###----- That's all, folks --------------------------------------------------
diff --git a/local.m4 b/local.m4
index da26a37..288769c 100644
--- a/local.m4
+++ b/local.m4
@@ -182,6 +182,8 @@ defhost ibanez
 defhost orange
 iface wlan0 untrusted
 iface vpn-radius unsafe
+defhost groove
+ iface eth0 unsafe
 defhost gibson
 hosttype client
diff --git a/local.mk b/local.mk
index e6ed935..6c01364 100644
--- a/local.mk
+++ b/local.mk
@@ -8,6 +8,7 @@ HOSTS += vampire
 HOSTS += orange
 HOSTS += mango
+HOSTS += groove
 HOSTS += ibanez
 HOSTS += radius
-- 
2.11.0

From 24ddb0075e83f9563b831ff476ae9568b4c2534a Mon Sep 17 00:00:00 2001
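Review bot: `dnsresolver inbound` in the new groove.m4 puts the resolver on the chain that INPUT dispatches untrusted (and, after patch 11, scary) sources into, so unless `dnsresolver` limits source addresses itself (its definition is not on this page) the resolver answers anyone who can reach the host from outside. jem.m4 documents its instance as `## Provide DNS resolution to local untrusted hosts.` (visible as context in patch 13); the same qualification should be confirmed for groove, whose wlan0 is classed untrusted in patch 06, and written above the line here rather than under the vague `## Other interesting things.` heading. The file header also says `(c) 2008` for a file created in 2015, which looks like it was copied from another host's file without updating.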
From: Mark Wooding
Date: Sat, 7 Feb 2015 19:47:55 +0000
Subject: [PATCH 06/16] local.m4: Proper configuration for groove.

---
 local.m4 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/local.m4 b/local.m4
index 288769c..785a78b 100644
--- a/local.m4
+++ b/local.m4
@@ -184,6 +184,8 @@ defhost orange
 iface vpn-radius unsafe
 defhost groove
 iface eth0 unsafe
+ iface wlan0 untrusted
+ iface vpn-radius unsafe
 defhost gibson
 hosttype client
@@ -247,6 +249,7 @@ defnet vpn safe
 host terror 2 ::2:1
 host orange 3 ::3:1
 host haze 4 ::4:1
+ host groove 5 ::5:1
 defnet anycast trusted
 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 via dmz unsafe safe untrusted jump colo vpn
-- 
2.11.0

From 8a03622959c862fef4cd46fbcaa9c76e082513d4 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 9 Feb 2015 14:19:03 +0000
Subject: [PATCH 07/16] jazz.m4, numbers.m4: Expose the OpenPGP key server.

---
 jazz.m4 | 1 +
 numbers.m4 | 1 +
 2 files changed, 2 insertions(+)

diff --git a/jazz.m4 b/jazz.m4
index f77a251..2ec398e 100644
--- a/jazz.m4
+++ b/jazz.m4
@@ -30,6 +30,7 @@ allowservices inbound tcp \
 ssh \
 ident \
 http https \
+ pgp_keys \
 tor_public tor_directory i2p
 allowservices inbound udp \
 tripe \
diff --git a/numbers.m4 b/numbers.m4
index 0f92b8b..aeffdd1 100644
--- a/numbers.m4
+++ b/numbers.m4
@@ -64,6 +64,7 @@ defport irc 6667
 defport tor_public 9001
 defport tor_directory 9030
 defport git 9418
+defport pgp_keys 11371
 defport i2p 16911
 defport disorder 23599
 defport udpkey 59274
-- 
2.11.0

From 4aa2b49cc41cd34e1fc54858ca26c190d5b925cc Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 16 Feb 2015 09:54:54 +0000
Subject: [PATCH 08/16] classify.m4: Fix some typos in the commentary.

---
 classify.m4 | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/classify.m4 b/classify.m4
index 7c60407..6254993 100644
--- a/classify.m4
+++ b/classify.m4
@@ -45,7 +45,7 @@ m4_divert(40)m4_dnl
 ###
 ### The mangle chains are arranged as follows.
 ###
-### The INPUT and FORWARD hooks simply invokes in-classify and out-classify
+### The INPUT and FORWARD hooks simply invoke in-classify and out-classify
 ### chains as subroutines. These will tail-call appropriate classification
 ### chains.
 ###
@@ -57,11 +57,12 @@ m4_divert(40)m4_dnl
 ### goes to bad-source-address, which logs a message and drops the packet.
 ### The default interface is special. If no explicit matches are found, it
 ### dispatches to in-default which forbids a few obviously evil things and
-### finally dispatches to mark-from-untrusted.
+### finally dispatches to mark-from-DEFAULT (usually `untrusted').
 ###
 ### The out-classify is simpler because it doesn't care about the interface.
 ### It simply checks each network range in turn, dispatching to mark-to-CLASS
-### on a match or mark-to-DEFAULT (probably untrusted) if there is no match.
+### on a match or mark-to-DEFAULT (probably `untrusted') if there is no
+### match.
 clearchain mangle:in-classify mangle:in-default mangle:out-classify
 clearchain mangle:local-source
@@ -95,7 +96,7 @@ run iptables -t mangle -A in-classify -j RETURN \
 ## over the loopback interface, I shouldn't see a packet from me over any
 ## other interface. Except that I will if I sent a broadcast or multicast.
 ## Allow the broadcasts, and remember not to trust them. There are no
-## broadcast addresses in IPv6 (only link-local multicast)m so we don't have
+## broadcast addresses in IPv6 (only link-local multicast) so we don't have
 ## to worry about that.
 run iptables -t mangle -A local-source -j RETURN \
 -m addrtype --dst-type BROADCAST
-- 
2.11.0

From 1b534b6a971639a492666b35145b247e4f4a94a9 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 16 Feb 2015 09:55:23 +0000
Subject: [PATCH 09/16] local.m4: Protect the `untrusted' network from incoming requests.

Currently the untrusted network is vulnerable to incoming hostile IPv6 requests, and only protected from IPv4 by NAT. I don't think it's especially useful to allow untrusted hosts to provide externally facing services, so rather than deploy a new network, I'm just going to change the policy for the existing one, and forbid new connections and UDP traffic to untrusted hosts. This involves splitting out a separate network class for the external Internet, which is now `scary'.

---
 local.m4 | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/local.m4 b/local.m4
index 785a78b..b5cee43 100644
--- a/local.m4
+++ b/local.m4
@@ -112,10 +112,11 @@ m4_divert(-1)
 ## Define the available network classes.
 m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted mcast
-defnetclass trusted untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass scary scary trusted mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
 defnetclass link
 defnetclass mcast
@@ -253,7 +254,7 @@ defnet vpn safe
 defnet anycast trusted
 addr 172.29.199.224/27 2001:ba8:1d9:0::/64
 via dmz unsafe safe untrusted jump colo vpn
-defnet default untrusted
+defnet default scary
 addr 62.49.204.144/28 2001:470:1f09:1b98::/64
 addr 212.13.198.64/28 2001:ba8:0:1d9::/64
 addr 2001:ba8:1d9::/48 #temporary
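Review bot: Reclassifying `defnet default` from untrusted to scary means packets from the outside world no longer carry $from_untrusted, yet the only dispatch into `inbound` shown on this page (context in the next hunk: `run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound`) still keys on that mark, so in this commit external traffic bypasses the `inbound` chain and the `forbidden` inspection it starts with. A parallel `run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound` is needed beside it. Patch 11 in this series adds exactly that line with the message "this got lost when I split scary out of untrusted", but it belongs in this commit so that no revision between the two is deployable with the gap. Whether anything else in local.m4 tests $from_untrusted and would need the same treatment cannot be judged from the hunks shown.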
@@ -371,6 +372,16 @@ openports inbound
 run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services. [EXPERIMENTAL]
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
 ## Otherwise process as indicated by the mark.
 for i in $inchains; do
 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-- 
2.11.0

From 43e20546eefaa0057685ac0b62ba33f97870e13d Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 24 Feb 2015 22:16:32 +0000
Subject: [PATCH 10/16] local.m4: Inbound restriction on untrusted is no longer experimental.

---
 local.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/local.m4 b/local.m4
index b5cee43..59ab342 100644
--- a/local.m4
+++ b/local.m4
@@ -373,7 +373,7 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 ## Allow responses from the scary outside world into the untrusted net, but
-## don't let untrusted things run services. [EXPERIMENTAL]
+## don't let untrusted things run services.
 case $forward in
 1)
 run ip46tables -A FORWARD -j ACCEPT \
-- 
2.11.0

From 4f8c198960217f631e0fcb20e8615fc93c3d1da2 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sat, 28 Feb 2015 12:43:49 +0000
Subject: [PATCH 11/16] local.m4: Reinstate detailed filtering from scary networks.

This got lost when I split scary out of untrusted. Oops.

---
 local.m4 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/local.m4 b/local.m4
index 59ab342..7e7ad15 100644
--- a/local.m4
+++ b/local.m4
@@ -370,6 +370,7 @@ openports inbound
 ## Inspect inbound packets from untrusted sources.
 run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 ## Allow responses from the scary outside world into the untrusted net, but
-- 
2.11.0

From 8aafed8d2b59a54e0aa9bd1bbb89ed24a2870988 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Thu, 19 Mar 2015 12:41:05 +0000
Subject: [PATCH 12/16] radius.m4: Stop MSS clamping on egress now the external MTU is 1500.

And there was great rejoicing!

---
 radius.m4 | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/radius.m4 b/radius.m4
index 0db7c51..d8efa4f 100644
--- a/radius.m4
+++ b/radius.m4
@@ -89,11 +89,6 @@ run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
 run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
 run iptables -t nat -A POSTROUTING -j outbound
-## TCP MSS clamping to help given Demon's sluggish approach to fragmentation-
-## needed errors.
-run ip46tables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu
-
 ## Set up NAT protocol helpers. In particular, SIP needs some special
 ## twiddling.
 run modprobe nf_conntrack_sip \
-- 
2.11.0

From 2c23db94feafe3a8db9aa4b3e7d7640857c18225 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Thu, 19 Mar 2015 12:43:07 +0000
Subject: [PATCH 13/16] jem.m4: External rsync service.

---
 jem.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jem.m4 b/jem.m4
index 9ab3dad..a1e9f92 100644
--- a/jem.m4
+++ b/jem.m4
@@ -38,7 +38,7 @@ allowservices inbound tcp \
 ident \
 smtp submission \
 imaps \
- http https \
+ http https rsync \
 git
 ## Provide DNS resolution to local untrusted hosts.
-- 
2.11.0

From 36549b8b973f43892f1316919440a94b358a981b Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Thu, 26 Mar 2015 16:45:05 +0000
Subject: [PATCH 14/16] jaguar.m4, local.m4: Remove jaguar completely.

Its firewall configuration is now in /usr/local/src/firewall on jaguar itself.

---
 jaguar.m4 | 38 --------------------------------------
 local.m4 | 2 --
 2 files changed, 40 deletions(-)
 delete mode 100644 jaguar.m4

diff --git a/jaguar.m4 b/jaguar.m4
deleted file mode 100644
index f37debe..0000000
--- a/jaguar.m4
+++ /dev/null
@@ -1,38 +0,0 @@
-### -*-sh-*-
-###
-### Firewall configuration for jaguar
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### jaguar-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- http https
-
-## Other interesting things.
-dnsresolver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
diff --git a/local.m4 b/local.m4
index 7e7ad15..7cda718 100644
--- a/local.m4
+++ b/local.m4
@@ -225,8 +225,6 @@ defhost telecaster
 defhost stratocaster
 iface eth0 jump colo
 iface eth1 jump colo
-defhost jaguar
- iface eth0 jump
 defhost jazz
 hosttype router
 iface eth0 jump colo vpn
-- 
2.11.0

From 3596231a92081cbe4fb32c474d6e6554fdc6c457 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Thu, 26 Mar 2015 21:57:00 +0000
Subject: [PATCH 15/16] functions.m4: Only call `allow-non-init-frag' on fragments.

Otherwise we let in all non-fragmented packets. Oops.

---
 functions.m4 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/functions.m4 b/functions.m4
index c0b90ed..c8a08c4 100644
--- a/functions.m4
+++ b/functions.m4
@@ -239,7 +239,8 @@ m4_divert(38)m4_dnl
 run ip6tables -N accept-non-init-frag
 run ip6tables -A accept-non-init-frag -j RETURN \
 -m frag --fragfirst
-run ip6tables -A accept-non-init-frag -j ACCEPT
+run ip6tables -A accept-non-init-frag -j ACCEPT \
+ -m ipv6header --header frag
 m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
-- 
2.11.0

From 15e9eeffacf76820fe2ba0176030ac2b5b6560ea Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Wed, 1 Apr 2015 19:37:56 +0100
Subject: [PATCH 16/16] local.m4: gibson now uses explicit VLAN tagging.

---
 local.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/local.m4 b/local.m4
index 7cda718..45bdfac 100644
--- a/local.m4
+++ b/local.m4
@@ -190,7 +190,7 @@ defhost groove
 defhost gibson
 hosttype client
- iface eth0 unsafe
+ iface eth0.5 unsafe
 ## Colocated networks.
 defnet jump trusted
-- 
2.11.0
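Review bot: `-m ipv6header --header frag` without `--soft` is, as far as I recall the ip6tables semantics, an exact match on the packet's set of extension headers, so a non-initial fragment that also carries a hop-by-hop or destination-options header will not hit this ACCEPT and will instead fall off the end of accept-non-init-frag back to the caller. If every non-first fragment is meant to be admitted, `-m ipv6header --header frag --soft` says that; if letting oddly-shaped fragments fall through to the caller's later rules is deliberate, which is the more conservative choice, a comment such as `## Exact header match on purpose: fragments carrying extra extension headers fall through to the caller.` would spare the next reader the same question. The chain's caller and what it does with the fall-through are outside this hunk.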