chiark / gitweb /
~mdw / firewall / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a0ade6f)
Major network restructuring.
authorMark Wooding <mdw@distorted.org.uk>
Sun, 10 Jul 2011 20:57:12 +0000 (21:57 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Sun, 10 Jul 2011 21:13:23 +0000 (22:13 +0100)
We now have a globally routable /28.  Use this as the DMZ and the
network backbone.  The main servers (ibanez, radius, roadstar, jem,
artist and vampire) are on both the DMZ and the unsafe network.
radius is now the main internal router, though vampire is still on
several networks because it provides DHCP and DNS services.

This new configuration makes essential use of the ability (added to
defiface) to accept multiple interface names by setting lists of names
into the interface variables if_FOO.

There's another aspect of the routing complexity which we must address
here: multicasts can arrive on any of several trusted networks, and we
should accept them all.  (We must cope with interface name lists in the
interface variables here, and deduplicate.)

artist.m4 patch | blob | blame | history
gibson.m4 patch | blob | blame | history
ibanez.m4 patch | blob | blame | history
jem.m4 patch | blob | blame | history
local.m4 patch | blob | blame | history
radius.m4 patch | blob | blame | history
roadstar.m4 patch | blob | blame | history
vampire.m4 patch | blob | blame | history

diff --git a/artist.m4 b/artist.m4
index 19394ee288250f3dbcc12fbda0162ffcbd99ba69..d2ff17d8a8af7ba21dedafe4e3cb7cc751979d12 100644 (file)
--- a/artist.m4
+++ b/artist.m4
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
diff --git a/gibson.m4 b/gibson.m4
index c49c36a5b734ecaee6aa80be6572c54689abd27e..d363b2b6ceea271791edf6b99c37870cd42f05d6 100644 (file)
--- a/gibson.m4
+++ b/gibson.m4
@@ -32,12 +32,14 @@ setconf(forward, 0)
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
 if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=$if_trusted
+if_safe=$if_dmz
+if_untrusted=$if_dmz
+if_vpn=$if_dmz
+if_iodine=$if_dmz
+if_its_mz=$if_dmz
+if_its_pi=$if_dmz
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
diff --git a/ibanez.m4 b/ibanez.m4
index 384bd177912457f363a06df214271ce0866eb826..c8083e9b0eed5b5c3eeec20b6f965b22bfbcdc02 100644 (file)
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=br0
-if_trusted=br0
-if_vpn=br0
-if_iodine=br0
-if_its_mz=br0
-if_its_pi=br0
+if_dmz=br-dmz
+if_trusted=br-unsafe
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
diff --git a/jem.m4 b/jem.m4
index f9922c9d58cb7a57ccd1f0f673ab9ad86bb6d7cf..c877300324bbd9493c0646438fc6cef82929f1ca 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
diff --git a/local.m4 b/local.m4
index f6b5f46041a8af7284f82c4e3b2747d00b380175..2d880b91980103a848a148dd44dfd54560498ee2 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -38,6 +38,14 @@ m4_divert(-1)m4_dnl
 m4_divert(46)m4_dnl
 ## Networks and routing.
 
+defiface $if_dmz \
+       trusted:62.49.204.144/28 \
+       trusted:172.29.199.0/25 \
+       untrusted:default
+defiface $if_trusted \
+       trusted:172.29.199.0/25 \
+       untrusted:default
+defiface $if_safe safe:172.29.199.192/26
 defiface $if_untrusted \
        untrusted:172.29.198.0/25
 defvpn $if_vpn safe 172.29.199.128/27 \
@@ -46,10 +54,6 @@ defvpn $if_vpn safe 172.29.199.128/27 \
 defiface $if_iodine untrusted:172.29.198.128/28
 defiface $if_its_mz safe:172.29.199.160/30
 defiface $if_its_pi safe:192.168.0.0/24
-defiface $if_trusted \
-       trusted:172.29.199.0/26 \
-       safe:172.29.199.64/27 \
-       untrusted:default
 
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
@@ -134,12 +138,21 @@ run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
 
-## Incoming broadcast multicast on a network interface associated with the
-## trusted network is OK, since it must have originated there (or been
-## forwarded, but we don't do that yet).
-run iptables -A inbound -j ACCEPT \
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
+  echo $i
+done | {
+  seen=:
+  while read i; do
+    case "$seen" in *:$i:*) continue ;; esac
+    seen=$seen$i:
+    run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 224.0.0.0/24 \
-       -i $if_trusted
+       -i $i
+  done
+}
 
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
diff --git a/radius.m4 b/radius.m4
index c1dcb90dd478da273e30dd796802a25c0ae2b118..b2c41ed7af362317c7f258e8d9d8c0e0c7633623 100644 (file)
--- a/radius.m4
+++ b/radius.m4
@@ -21,17 +21,26 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This router is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth1
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=eth2
+if_untrusted=eth3
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
diff --git a/roadstar.m4 b/roadstar.m4
index dd810c2f165b63dc1bb8cb17b9da105ae045943a..101f4fe37f53ea133b053bd7805c210fa374af25 100644 (file)
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -27,17 +27,23 @@
 ## This host isn't a router.
 setconf(forward, 0)
 
+## This host is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0
-if_trusted=eth0
-if_vpn=eth0
-if_iodine=eth0
-if_its_mz=eth0
-if_its_pi=eth0
+if_dmz=eth0
+if_trusted=eth1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=$if_dmz,$if_trusted
+if_vpn=$if_dmz,$if_trusted
+if_iodine=$if_dmz,$if_trusted
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
diff --git a/vampire.m4 b/vampire.m4
index f6f5d4660a34548edd023de5c0da913311016e45..f21009c0d7ee766dff7c1851469ab4398b7de167 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -21,17 +21,26 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
+###--------------------------------------------------------------------------
+### Config settings.
+
+## This router is involved in a routing asymmetry.
+setconf(rp_filter, 0)
+setconf(log_martians, 0)
+
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 m4_divert(44)m4_dnl
 ## Interface definitions.
-if_untrusted=eth0.1
-if_trusted=eth0.0
+if_dmz=eth0.0
+if_trusted=eth0.1
+if_safe=$if_dmz,$if_trusted
+if_untrusted=eth0.3
 if_vpn=vpn-+
 if_iodine=dns+
-if_its_mz=eth0.0
-if_its_pi=eth0.0
+if_its_mz=$if_dmz,$if_trusted
+if_its_pi=$if_dmz,$if_trusted
 
 m4_divert(-1)
 ###--------------------------------------------------------------------------
Firewall scripts for distorted.org.uk.