###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### artist-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ssh \
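Review bot: The per-host `Externally visible services` block is sent to diversion 84, but the structure table in this same change labels 84 `Locally bound packet inspection. [local]` and reserves 86 for `Per-host configuration. [HOST]`; only vampire's file is moved to 86, while the identical 82→84 edit is made here for artist and for gibson, ibanez, jem, radius and roadstar. The host `allowservices inbound tcp` ACCEPT rules therefore share a diversion with the local inspection rules (the 80→84 hunk headed `Locally-bound packet inspection`), so whether a host's accepts are emitted before or after inspection is decided by m4 input order rather than by the documented layout — and that order decides whether an accepted service is inspected at all, which should not be accidental. Unless 84 is really intended for these blocks, I'd change each of the six host files to `m4_divert(86)m4_dnl`; if 84 is intended, the 84/86 table entries should say so and vampire brought in line with the rest.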
### Overall structure.
###
### 0 File header: shebang, do-not-edit warning. [base]
-### 5 Configuration. [config]
+### 4 Configuration. [config]
+### 6 Local settings. [local]
### 10 Prologue: command-line parsing and failsafe. [prologue]
### 20 Function definitions. [functions]
-### 25 Port numbers etc. [numbers]
+### 24 Port numbers etc. [numbers]
+### 26 Networks, hosts and interfaces. [local]
### 30 Initialization. [bookends]
### 30 Clear existing rules. [bookends]
### 32 Set safe IP options. [bookends]
### 34 Error chains. [bookends]
-### 36 Give loopback traffic a free pass. [bookends]
### 38 Utility chains. [functions]
### 40 Address classification. [classify]
### 42 Definition of address class policies. [local]
### 44 Definition of interfaces and addresses. [local]
### 46 Handling of default interface. [classify]
-### 50 ICMP filtering. [icmp]
-### 52 Local configuration. [local]
-### 58 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
-### 60 Local configuration. [local]
+### 50 Packet filter. [bookends]
+### 60 ICMP filtering. [icmp]
+### 62 Local configuration. [local]
+### 68 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
+### 80 Local configuration. [local]
+### 84 Locally bound packet inspection. [local]
+### 86 Per-host configuration. [HOST]
+### 88 Final filtering. [local]
### 90 Finishing touches. [bookends]
### 94 Set final policies. [bookends]
### 99 File footer: do-not-edit warning. [base]
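Review bot: The rewritten structure table no longer says where loopback traffic is accepted: the `36 Give loopback traffic a free pass` entry is deleted with nothing in its place, while the matching divert in the `errorchain interesting ACCEPT` hunk moves from 36 to 50. If the loopback accept now lives in the new `50 Packet filter. [bookends]` section the entry should say so, e.g. `### 50 Packet filter: loopback free pass, standard filtering. [bookends]`; if it was dropped, that is a behaviour change worth a line in the commit message. The table also gives no home for diversion 28, which every host file on this page now uses for its interface variables under the new `26 Networks, hosts and interfaces. [local]` entry; a separate `### 28 Interface definitions. [HOST]` line would make the per-host split visible to whoever adds the next host.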
errorchain interesting ACCEPT
## Not an error, just log interesting packets.
-m4_divert(36)m4_dnl
+m4_divert(50)m4_dnl
###--------------------------------------------------------------------------
### Standard filtering.
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-m4_divert(5)m4_dnl
+m4_divert(4)m4_dnl
###--------------------------------------------------------------------------
### Configuration.
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_untrusted=eth0
if_dmz=$if_untrusted
###--------------------------------------------------------------------------
### Utility chains (used by function definitions).
-m4_divert(22)m4_dnl
+m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Basic chain constructions.
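Review bot: Collapsing diversions 22, 24, 26 and 28 into 20 (this hunk and the four that follow it) means the utility chains, option setting, packet-filter construction and classification text is now emitted in input order within diversion 20 instead of in the old numeric order; the header above says the utility chains are used by the function definitions, and under the old numbering they were guaranteed to follow everything any input file put in 20. That still works provided every helper a `run ip46tables` line in these sections calls is defined earlier in the same input stream, which the hunks do not show. A comment at the first `m4_divert(20)` would make the new invariant explicit: `## NB: diversion 20 is emitted in input order; define helpers before the chains that use them.`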
run ip46tables -t $table -A $chain -j DROP
}
-m4_divert(24)m4_dnl
+m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Basic option setting.
done
}
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Packet filter construction.
-m frag --fragfirst
run ip6tables -A accept-non-init-frag -j ACCEPT
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
}
-m4_divert(28)m4_dnl
+m4_divert(20)m4_dnl
###--------------------------------------------------------------------------
### Packet classification.
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_trusted=eth0
if_dmz=$if_trusted
###--------------------------------------------------------------------------
### gibson-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ssh \
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_dmz=br-dmz
if_trusted=br-unsafe
###--------------------------------------------------------------------------
### ibanez-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ssh \
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### jem-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
## isn't a completely critical part of the firewall security, so don't make
## this fail the entire script.
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+m4_divert(-1)
+m4_divert(26)m4_dnl
###--------------------------------------------------------------------------
### Network layout.
-m4_divert(46)m4_dnl
-## Networks and routing.
-
+m4_divert(44)m4_dnl
+## Network definitions.
defiface $if_dmz \
trusted:62.49.204.144/28 \
trusted:172.29.199.0/25 \
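Review bot: After this change the `### Network layout.` banner is emitted into diversion 26 while the `defiface $if_dmz` block it precedes goes to 44, so in the generated script the banner and the definitions land in different sections; the `## Network definitions.` line does stay with the definitions, which may be the intent, but if the banner is meant to head the interface-variable block (diversion 28 in the host files) it would be clearer to say so, e.g. `### Network layout: interface variables, then address classes.`. Separately, the new bare `m4_divert(-1)` is the only divert line on the page without a trailing `m4_dnl`; it is harmless because that diversion discards its text, but `m4_divert(-1)m4_dnl` keeps the idiom uniform. The `defnetclass` lines at the top of the hunk are unchanged context.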
## Default NTP servers.
ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
-m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-m state --state ESTABLISHED
m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
run ip6tables -A FORWARD -g poorly-understood \
-d ff::/8
-m4_divert(80)m4_dnl
+m4_divert(84)m4_dnl
###--------------------------------------------------------------------------
### Locally-bound packet inspection.
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-m4_divert(25)m4_dnl
+m4_divert(24)m4_dnl
###--------------------------------------------------------------------------
### Magic numbers.
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### radius-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ident \
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### roadstar-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ssh \
###--------------------------------------------------------------------------
### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
## Interface definitions.
if_dmz=eth0.0
if_trusted=eth0.1
###--------------------------------------------------------------------------
### vampire-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
finger ident \