From 16838f5907ea531799a81a693667c3d3d03737b0 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Mon, 5 Mar 2012 23:51:44 +0000 Subject: [PATCH 01/16] functions.m4: Write the netclass ids to the trace output. --- functions.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/functions.m4 b/functions.m4 index 891b037..d059de6 100644 --- a/functions.m4 +++ b/functions.m4 @@ -389,6 +389,7 @@ defnetclass () { ## Pass 1. Establish the from_NAME and to_NAME constants, and the ## netclass's mask bit. + trace "netclass $name = $netclassindex" eval from_$name=$(( $netclassindex << $BIT_FROM )) eval to_$name=$(( $netclassindex << $BIT_TO )) eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) )) -- 2.11.0 From fc489c1628dedacbfca3f709ceac03aee0663b98 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 6 Mar 2012 10:38:07 +0000 Subject: [PATCH 02/16] local.m4: Fix IGMP acceptance (debris from old interface declarations). The rules which allowed incoming IGMP were written in terms of (a) the old $if_... variables which have now disappeared, and (b) an explicit list of the `trusted' networks. Fix this to use the new system: walk the list of networks, examine their classes, and determine the interfaces. --- local.m4 | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/local.m4 b/local.m4 index b31b649..36f76b3 100644 --- a/local.m4 +++ b/local.m4 
@@ -237,18 +237,18 @@ run iptables -A inbound -j ACCEPT \ ## Incoming multicast on a network interface associated with a trusted ## network is OK, since it must have originated there (or been forwarded, but ## we don't do that yet). -for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do - echo $i -done | { - seen=: - while read i; do - case "$seen" in *:$i:*) continue ;; esac - seen=$seen$i: +seen=:-: +for net in $allnets; do + eval class=\$net_class_$net + case $class in trusted) ;; *) continue ;; esac + for iface in $(net_interfaces FWHOST $net); do + case "$seen" in *:$iface:*) continue ;; esac + seen=$seen$iface: run iptables -A inbound -j ACCEPT \ -s 0.0.0.0 -d 224.0.0.0/24 \ - -i $i + -i $iface done -} +done ## Allow incoming ping. This is the only ICMP left. run ip46tables -A inbound -j ACCEPT -p icmp -- 2.11.0 From 18b341c2f12a4a504a2960457a22690cf781623d Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 6 Mar 2012 10:41:59 +0000 Subject: [PATCH 03/16] radius.m4: Use the correct interface name for NAT. This is the last of the network declaration switchover debris. --- radius.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radius.m4 b/radius.m4 index d698998..7f0dc2c 100644 --- a/radius.m4 +++ b/radius.m4 @@ -62,7 +62,7 @@ run iptables -t nat -F run iptables -t nat -X run iptables -t nat -N outbound -run iptables -t nat -A outbound -j RETURN ! -o $if_dmz +run iptables -t nat -A outbound -j RETURN ! -o eth0 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 -- 2.11.0 From dad380658e5cb8f7233bc5f8ab328a2959f9f6ce Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 6 Mar 2012 10:42:58 +0000 Subject: [PATCH 04/16] radius.m4: Forbid traffic directly to the NAT address. It should only be for forwarded traffic. --- radius.m4 | 3 +++ 1 file changed, 3 insertions(+) 
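Review bot: The new loop admits multicast only from interfaces of networks whose class is `trusted` (`case $class in trusted) ;; *) continue ;; esac`), but the rules it replaces also walked `$if_safe`, and this series declares `safe` and `vpn` with class `safe`, so IGMP arriving on those interfaces is now dropped even though the commit message presents this as a mechanical fix. If parity was intended the match should read `case $class in trusted|safe) ;; *) continue ;; esac`; if not, the comment above the loop should say that only trusted networks qualify. The `seen=:-:` seed presumably keeps a `-` placeholder from `net_interfaces` from turning into an `-i -` rule; a one-line comment saying so would spare the next reader the guess.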
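Review bot: `! -o eth0` hard-codes the interface that `$if_dmz` used to name, while the rest of this series derives interfaces from the network declarations (local.m4 declares radius with `iface eth0 dmz`); if eth0 is ever reassigned, the SNAT exclusion stops matching silently and `172.29.198.0/23` traffic is SNATed out of whichever interface it leaves by. Consider `run iptables -t nat -A outbound -j RETURN ! -o $(net_interfaces FWHOST dmz)` with a comment noting it must resolve to exactly one interface, or at minimum `## eth0 is radius's dmz interface; keep in step with local.m4`. The `outbound` chain continues outside the hunk.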
diff --git a/radius.m4 b/radius.m4 index 7f0dc2c..e543878 100644 --- a/radius.m4 +++ b/radius.m4 @@ -69,5 +69,8 @@ run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 run iptables -t nat -A POSTROUTING -j outbound +## Forbid anything complicated to the NAT address. +run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT + m4_divert(-1) ###----- That's all, folks -------------------------------------------------- -- 2.11.0 From ce6434f7d5bcd51d8bf006e38d7b25dcbf8b518f Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 6 Mar 2012 23:26:10 +0000 Subject: [PATCH 05/16] local.m4: Allow dmz/jump packets on unsafe/colo networks and vice versa. The routing asymmetry is too grim otherwise. Consider: * ibanez and vampire are both on dmz and unsafe; * vampire is a router on dmz, unsafe, and vpn, while ibanez is not a router; * crybaby is on vpn; * crybaby attempts to connect to ibanez.dmz. Now ibanez will respond with its dmz address as the source, and crybaby's vpn address as the destination. Based on the destination, it will choose to route the packet over the unsafe network. We must therefore let vampire know that this is a possibility. Similarly, ibanez must be prepared to allow packets from unsafe on its dmz interface because it's not a router: hence, to reach their destination, they'll have to be pushed over dmz by a router. It's therefore inevitable that we must abandon separation between these two networks (or start fiddling with policy routing, which just seems like more pain than it's worth). --- local.m4 | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/local.m4 b/local.m4 index 36f76b3..0a1617f 100644 --- a/local.m4 +++ b/local.m4 
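Review bot: The new `iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT` is appended to INPUT from radius.m4's NAT section, so whether it ever fires depends on what earlier diversions have already put in INPUT; local.m4 finishes INPUT with a mark-based `-j ACCEPT` for every classified packet, and a rule appended after that ACCEPT is dead. If the intent is a hard stop regardless of classification, install it early (`-I INPUT 1 ...`, or in the diversion that builds INPUT before the per-host rules) and say so. A comment stating the assumption the rule rests on would also help, e.g. `## Only forwarded 172.29.198.0/23 flows are SNATed to this address, so nothing but ICMP is ever legitimately addressed to it.`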
@@ -75,23 +75,23 @@ defnet housebdry virtual ## House hosts. defhost radius router - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe iface eth2 safe iface eth3 untrusted defhost roadstar - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost jem - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost artist - iface eth0 dmz - iface eth1 unsafe + iface eth0 dmz unsafe + iface eth1 dmz unsafe defhost vampire router - iface eth0.0 dmz - iface eth0.1 unsafe + iface eth0.0 dmz unsafe + iface eth0.1 dmz unsafe iface eth0.3 untrusted iface dns0 dns iface vpn-+ vpn @@ -118,23 +118,23 @@ defnet colobdry virtual ## Colocated hosts. defhost fender - iface br-jump jump - iface br-colo colo + iface br-jump jump colo + iface br-colo jump colo defhost precision router - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo iface vpn-+ vpn iface vpn-vampire housebdry vpn defhost telecaster - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo defhost stratocaster - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo defhost jazz - iface eth0 jump - iface eth1 colo + iface eth0 jump colo + iface eth1 jump colo ## Other networks. defnet hub virtual -- 2.11.0 From ace5a2fbd7d0044d7bc40e3555905b1f4a085250 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Wed, 7 Mar 2012 02:52:25 +0000 Subject: [PATCH 06/16] functions: Move NTP server list out of line. Makes the `inbound' chain slightly more efficient in the common case. --- functions.m4 | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/functions.m4 b/functions.m4 index d059de6..2267af6 100644 --- a/functions.m4 +++ b/functions.m4 
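Review bot: The rationale for declaring each physical interface as both `dmz` and `unsafe` (and both `jump` and `colo` on the colo hosts) lives only in the commit message, yet it is the most security-relevant fact in local.m4: the two classes are no longer separated on any of these hosts. Add a comment above the House hosts block along the lines of `## dmz and unsafe are declared on each other's interfaces on purpose: non-router hosts reply via whichever network routes to the destination, so packets for either network may legitimately arrive on either interface. This deliberately abandons dmz/unsafe separation.` and the equivalent above the colocated hosts. The policy-routing alternative the message rejects could be recorded as a TODO so the decision is revisitable.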
@@ -289,11 +289,12 @@ allowservices () { ## Add rules to CHAIN to allow NTP with NTPSERVERs. ntpclient () { set -e - chain=$1; shift - for ntp; do - run iptables -A $chain -s $ntp -j ACCEPT \ - -p udp --source-port 123 --destination-port 123 - done + ntpchain=$1; shift + + clearchain ntp-servers + for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done + run iptables -A $ntpchain -j ntp-servers \ + -p udp --source-port 123 --destination-port 123 } ## dnsresolver CHAIN -- 2.11.0 From 06ff80827cd67ab85ee31fc32fc5e740bda9193e Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Wed, 7 Mar 2012 03:04:00 +0000 Subject: [PATCH 07/16] local.m4: Add `unsafe' to ibanez `br-dmz' interface. Accidentally omitted from the earlier change. --- local.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local.m4 b/local.m4 index 0a1617f..2d9cacb 100644 --- a/local.m4 +++ b/local.m4 @@ -97,7 +97,7 @@ defhost vampire iface vpn-+ vpn iface vpn-precision colobdry vpn defhost ibanez - iface br-dmz dmz + iface br-dmz dmz unsafe iface br-unsafe unsafe defhost gibson -- 2.11.0 From 1a42af95515f1f6920f0ba2b45576278bbc2c8cf Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Wed, 7 Mar 2012 03:06:01 +0000 Subject: [PATCH 08/16] Move per-host filtering to diversion 86 as promised. For some reason, most of them were on 84, and fender was on 82. --- artist.m4 | 2 +- fender.m4 | 2 +- gibson.m4 | 2 +- ibanez.m4 | 2 +- jem.m4 | 2 +- radius.m4 | 2 +- roadstar.m4 | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/artist.m4 b/artist.m4 index a04cc9c..013949d 100644 --- a/artist.m4 +++ b/artist.m4 @@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### artist-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ssh \ diff --git a/fender.m4 b/fender.m4 index 05354bd..a6c7362 100644 --- a/fender.m4 +++ b/fender.m4 
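Review bot: `clearchain ntp-servers` uses a fixed chain name, so a second `ntpclient` call in the same script (a different CHAIN, or a second server set) flushes the servers the first call installed while leaving the first jump in place; the old per-rule form had no such coupling. If exactly one call per host is the rule, state it: `## Call once per host: the ntp-servers chain is shared.`; otherwise derive the name from the caller, e.g. `servers=ntp-servers-$ntpchain` after the `shift`, and use `$servers` in the three rules. The `--source-port 123 --destination-port 123` match now lives on the jump only, so the per-server rules accept any UDP that reaches the chain, which is fine as long as nothing else jumps to it — worth a comment.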
@@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### fender-specific rules. -m4_divert(82)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ssh \ diff --git a/gibson.m4 b/gibson.m4 index 4416aee..75b4607 100644 --- a/gibson.m4 +++ b/gibson.m4 @@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### gibson-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ssh \ diff --git a/ibanez.m4 b/ibanez.m4 index 93a816e..6769b05 100644 --- a/ibanez.m4 +++ b/ibanez.m4 @@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### ibanez-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ssh \ diff --git a/jem.m4 b/jem.m4 index 7db1ce5..fc79e10 100644 --- a/jem.m4 +++ b/jem.m4 @@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### jem-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This ## isn't a completely critical part of the firewall security, so don't make ## this fail the entire script. diff --git a/radius.m4 b/radius.m4 index e543878..978a877 100644 --- a/radius.m4 +++ b/radius.m4 @@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### radius-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ident \ diff --git a/roadstar.m4 b/roadstar.m4 index 4947a80..cbbd8e6 100644 --- a/roadstar.m4 +++ b/roadstar.m4 @@ -24,7 +24,7 @@ ###-------------------------------------------------------------------------- ### roadstar-specific rules. -m4_divert(84)m4_dnl +m4_divert(86)m4_dnl ## Externally visible services. allowservices inbound tcp \ ssh \ -- 2.11.0 
From 677ef44ed3d745abddbb192ca4d53778819ffe6c Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Thu, 8 Mar 2012 18:56:48 +0000 Subject: [PATCH 09/16] classify.m4: Reject the RFC5737 documentation-only addresses. --- classify.m4 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/classify.m4 b/classify.m4 index 8b6a650..16a92c9 100644 --- a/classify.m4 +++ b/classify.m4 @@ -245,7 +245,8 @@ done ## Fill in the black holes in the network. for addr in \ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \ - 127.0.0.0/8 192.0.2.0/24 + 127.0.0.0/8 \ + 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 do run iptables -t mangle -A in-default -s $addr -g bad-source-address done -- 2.11.0 From 1710944baa89bb9df8138eca8e1afbbc8aa88e4d Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 11 Mar 2012 05:03:21 +0000 Subject: [PATCH 10/16] functions.m4: Correct defaulting of IPv6 host addresses. --- functions.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/functions.m4 b/functions.m4 index 2267af6..b78dcbe 100644 --- a/functions.m4 +++ b/functions.m4 @@ -498,7 +498,7 @@ host () { for n in $nn; do addr=${n%/*} base=${addr%::*} - case $a in ::*) aa=$addr$a ;; *) aa=$a ;; esac + case $a6 in ::*) aa=$base$a6 ;; *) aa=$a6 ;; esac eval host_inet6_$name=$aa done -- 2.11.0 From f967aa213004eec666fcaca562c1681e143135cf Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 11 Mar 2012 05:05:29 +0000 Subject: [PATCH 11/16] local.m4: The VPN will be available through the colo. --- local.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local.m4 b/local.m4 index 2d9cacb..f2b2b9c 100644 --- a/local.m4 +++ b/local.m4 @@ -60,7 +60,7 @@ defnet untrusted untrusted forwards househub defnet vpn safe addr 172.29.199.128/27 - forwards househub + forwards househub colohub host crybaby 1 host terror 2 defnet iodine untrusted -- 2.11.0 From e66833d3112cbea68ae6dfedeb59158ebc6bacd5 Mon Sep 17 00:00:00 2001 
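Review bot: The bad-source list now names the three RFC 5737 blocks but still omits ranges that never legitimately appear as a source on a public-facing interface: `0.0.0.0/8`, link-local `169.254.0.0/16`, the RFC 2544 benchmarking block `198.18.0.0/15`, multicast `224.0.0.0/4` and reserved `240.0.0.0/4`. Before adding `0.0.0.0/8`, check whether `in-default` is reached for packets on the trusted interfaces where local.m4 accepts `-s 0.0.0.0 -d 224.0.0.0/24`, since that IGMP rule (and any DHCP server here) would otherwise go dead. A short comment per group (`## RFC 1918`, `## RFC 5737 documentation`) would keep the list reviewable.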
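Review bot: `eval host_inet6_$name=$aa` sits inside `for n in $nn`, so a network declared with more than one IPv6 prefix ends up with only the last prefix's address; if a single prefix is the invariant, a `break` after the assignment or a comment saying so would make that explicit. An empty `$a6` falls into the `*)` arm and stores an empty string, which is presumably the "no IPv6 address" case and deserves a comment on the `case` line. The `host` function starts before this hunk.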
From: Mark Wooding Date: Sun, 11 Mar 2012 05:09:34 +0000 Subject: [PATCH 12/16] local.m4: Add routes to/from the `safe' network. --- local.m4 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/local.m4 b/local.m4 index f2b2b9c..9d4d917 100644 --- a/local.m4 +++ b/local.m4 @@ -75,8 +75,8 @@ defnet housebdry virtual ## House hosts. defhost radius router - iface eth0 dmz unsafe - iface eth1 dmz unsafe + iface eth0 dmz unsafe safe + iface eth1 dmz unsafe safe iface eth2 safe iface eth3 untrusted defhost roadstar @@ -90,8 +90,9 @@ defhost artist iface eth1 dmz unsafe defhost vampire router - iface eth0.0 dmz unsafe - iface eth0.1 dmz unsafe + iface eth0.0 dmz unsafe safe + iface eth0.1 dmz unsafe safe + iface eth0.2 safe iface eth0.3 untrusted iface dns0 dns iface vpn-+ vpn -- 2.11.0 From b9e891b5acc222946f8e44f7c977f3c10232a188 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 11 Mar 2012 05:10:12 +0000 Subject: [PATCH 13/16] local.m4: Define the IPv6 network structure. --- local.m4 | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/local.m4 b/local.m4 index 9d4d917..42ef732 100644 --- a/local.m4 +++ b/local.m4 @@ -47,19 +47,19 @@ m4_divert(26)m4_dnl ## House networks. defnet dmz trusted - addr 62.49.204.144/28 + addr 62.49.204.144/28 2001:470:1f09:1b98::/64 forwards unsafe untrusted defnet unsafe trusted - addr 172.29.199.0/25 + addr 172.29.199.0/25 2001:470:9740:1::/64 forwards househub defnet safe safe - addr 172.29.199.192/28 + addr 172.29.199.192/28 2001:470:9740:4001::/64 forwards househub defnet untrusted untrusted - addr 172.29.198.0/25 + addr 172.29.198.0/25 2001:470:9740:8001::/64 forwards househub defnet vpn safe - addr 172.29.199.128/27 + addr 172.29.199.128/27 2001:ba8:1d9:6000::/64 forwards househub colohub host crybaby 1 host terror 2 
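Review bot: Adding `safe` to the dmz/unsafe interfaces of radius and vampire means a packet with a `172.29.199.192/27` source arriving on eth0 (the public `62.49.204.144/28` dmz) is now classified as `safe` there; if that interface faces the upstream router, the classification relies on something upstream filtering spoofed RFC 1918 sources — confirm, since classify.m4's bogon list appears to apply to `in-default` rather than to these interfaces. The commit message only says "add routes", so the asymmetric-routing reason from the earlier dmz/unsafe change should be repeated in a comment here, e.g. `## safe replies may also arrive on dmz/unsafe ports because non-router hosts route by destination.` The vampire `iface eth0.2 safe` line is the only place the safe VLAN itself is attached and could use a comment naming it as such.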
@@ -106,10 +106,10 @@ defhost gibson ## Colocated networks. defnet jump trusted - addr 212.13.198.64/28 + addr 212.13.198.64/28 2001:ba8:0:1d9::/64 forwards colohub defnet colo trusted - addr 172.29.199.176/28 + addr 172.29.199.176/28 2001:ba8:1d9:2::/64 forwards colohub defnet colohub virtual forwards colobdry jump colo @@ -141,8 +141,9 @@ defhost jazz defnet hub virtual forwards housebdry colobdry defnet default untrusted - addr 62.49.204.144/28 - addr 212.13.198.64/28 + addr 62.49.204.144/28 2001:470:1f09:1b98::/64 + addr 212.13.198.64/28 2001:ba8:0:1d9::/64 + addr 2001:ba8:1d9::/48 #temporary forwards dmz untrusted unsafe jump colo m4_divert(80)m4_dnl -- 2.11.0 From 216285e1f550316101d0c49d4420664a5dc74963 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 11 Mar 2012 05:12:37 +0000 Subject: [PATCH 14/16] local.m4: Fix the `safe' network prefix length. --- local.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local.m4 b/local.m4 index 42ef732..f139f00 100644 --- a/local.m4 +++ b/local.m4 @@ -53,7 +53,7 @@ defnet unsafe trusted addr 172.29.199.0/25 2001:470:9740:1::/64 forwards househub defnet safe safe - addr 172.29.199.192/28 2001:470:9740:4001::/64 + addr 172.29.199.192/27 2001:470:9740:4001::/64 forwards househub defnet untrusted untrusted addr 172.29.198.0/25 2001:470:9740:8001::/64 -- 2.11.0 From f0033e0790c7f01b23f24504d3685cbaffc90f1f Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 11 Mar 2012 16:18:12 +0000 Subject: [PATCH 15/16] Introduce variable for expected input chains. Saves lots of messing with $forward. --- bookends.m4 | 4 ++++ icmp.m4 | 4 +--- local.m4 | 9 +++------ 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/bookends.m4 b/bookends.m4 index 69a721e..6faa91b 100644 --- a/bookends.m4 +++ b/bookends.m4 
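Review bot: `addr 2001:ba8:1d9::/48 #temporary` gives the untrusted `default` network a prefix that contains the `colo` (`2001:ba8:1d9:2::/64`, trusted) and `vpn` (`2001:ba8:1d9:6000::/64`, safe) prefixes declared earlier in the same file, so whether a source in those /64s is classed trusted/safe or untrusted depends on how classify.m4 resolves overlapping networks, which this hunk does not show — confirm the more specific /64s win. The `#temporary` marker should say what it waits for and who removes it, e.g. `## TODO: drop once the /48 is split into per-network /64s; until then it overlaps colo and vpn.`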
@@ -111,6 +111,10 @@ case $host_type_<::>FWHOST in esac setopt ip_forward $forward setdevopt forwarding $forward +case $forward in + 0) inchains="INPUT" ;; + 1) inchains="INPUT FORWARD" ;; +esac ## Set dynamic port allocation. setopt ip_local_port_range $open_port_min $open_port_max diff --git a/icmp.m4 b/icmp.m4 index 3de0483..d3a7507 100644 --- a/icmp.m4 +++ b/icmp.m4 @@ -42,9 +42,7 @@ m4_divert(58)m4_dnl run iptables -A check-icmp -j ACCEPT ## Done. -for i in INPUT FORWARD; do - run iptables -A $i -p icmp -j check-icmp -done +for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --git a/local.m4 b/local.m4 index f139f00..d91b171 100644 --- a/local.m4 +++ b/local.m4 @@ -264,12 +264,9 @@ run ip46tables -A inbound -j forbidden run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound ## Otherwise process as indicated by the mark. -run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT -case $forward in - 1) - run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT - ;; -esac +for i in $inchains; do + run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT +done m4_divert(-1) ###----- That's all, folks -------------------------------------------------- -- 2.11.0 From e2c5d32a16fdcf56738c022a2be48e14636bbe85 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 11 Mar 2012 16:19:17 +0000 Subject: [PATCH 16/16] vampire.m4: Extend services to untrusted hosts over IPv6. --- vampire.m4 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vampire.m4 b/vampire.m4 index fa79ee2..b3257c7 100644 --- a/vampire.m4 +++ b/vampire.m4 
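Review bot: The new `case $forward in 0) … 1) … esac` has no default arm, so if `$forward` is empty or anything other than 0/1 (it is set by the `host_type` case just above, outside this hunk) `inchains` stays unset and the loops in icmp.m4 and local.m4 silently install neither the ICMP check nor the mark-based ACCEPT — fail-closed, but with no diagnostic. Add `*) echo >&2 "bad forward setting: '$forward'"; exit 1 ;;` (or the script's own error helper), and a comment `## Chains this host filters in: FORWARD only when it routes.` Since `inchains` is consumed by other files, it should also be listed wherever bookends.m4 documents script-wide variables, if such a block exists.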
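Review bot: The jump is now installed with `ip46tables`, but the only `check-icmp` rule visible in this hunk's context (`run iptables -A check-icmp -j ACCEPT`) is built with plain `iptables`, so unless the chain is also created for ip6tables elsewhere the IPv6 half of the jump targets a missing chain and `run` fails — or, if it exists but is empty, ICMPv6 falls through to the default policy. Also confirm what `-p icmp` means once `ip46tables` passes it to ip6tables: ICMPv6 is protocol 58 and is normally matched with `-p icmpv6`, and an IPv6 chain needs neighbour discovery (types 133-137) accepted, so the v6 side may want its own `run ip6tables -A $i -p icmpv6 -j check-icmp6`. The check-icmp chain definition starts before this hunk.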
@@ -47,8 +47,8 @@ allowservices inbound udp \ ## Extend some services to local untrusted hosts. clearchain inbound-untrusted -run iptables -A inbound -j inbound-untrusted \ - -s 172.29.198.0/24 +run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted +run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted allowservices inbound-untrusted tcp \ dns \ -- 2.11.0
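Review bot: Replacing the literal `172.29.198.0/24` with `$net_inet_untrusted` narrows the IPv4 match, because local.m4 declares `untrusted` as `172.29.198.0/25`: hosts in `172.29.198.128/25` that previously reached the `inbound-untrusted` services no longer do, which the commit message ("extend … over IPv6") does not mention. If the upper half was never in use, say so in a comment; if it was, keep the old range explicitly. The new `ip6tables -A inbound -j inbound-untrusted` also needs `clearchain` and the `allowservices inbound-untrusted` rules after this hunk to act on ip6tables as well, or the jump has no target — confirm those helpers cover both families. `-s $net_inet6_untrusted` is unquoted, so if `defnet` ever allowed two prefixes the second would become a stray argument.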