chiark / gitweb /
~mdw / firewall / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 401b835)
Renumber the diversions.
authorMark Wooding <mdw@distorted.org.uk>
Mon, 5 Mar 2012 22:35:27 +0000 (22:35 +0000)
committerMark Wooding <mdw@distorted.org.uk>
Mon, 5 Mar 2012 23:54:59 +0000 (23:54 +0000)
Move the function definitions together; shift the host interface
definitions near the beginning of the file; and move the local filter
rules later to allow more room for built-in filtering.

14 files changed:
artist.m4 patch | blob | blame | history
base.m4 patch | blob | blame | history
bookends.m4 patch | blob | blame | history
config.m4 patch | blob | blame | history
fender.m4 patch | blob | blame | history
functions.m4 patch | blob | blame | history
gibson.m4 patch | blob | blame | history
ibanez.m4 patch | blob | blame | history
jem.m4 patch | blob | blame | history
local.m4 patch | blob | blame | history
numbers.m4 patch | blob | blame | history
radius.m4 patch | blob | blame | history
roadstar.m4 patch | blob | blame | history
vampire.m4 patch | blob | blame | history

diff --git a/artist.m4 b/artist.m4
index 1f97e7330ecdda70505323feeef57bcd3e548832..24a4a1c478239ab1365b87167a5f266ca496ee9f 100644 (file)
--- a/artist.m4
+++ b/artist.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### artist-specific rules.
 
 ###--------------------------------------------------------------------------
 ### artist-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/base.m4 b/base.m4
index 3a0172d4f3fb6285a19d01465f598e5c678ab902..89680258505d1a1e9feff122f857c35153e297df 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -29,24 +29,29 @@ m4_changecom(<:##:>)
 ### Overall structure.
 ###
 ###  0 File header: shebang, do-not-edit warning.              [base]
 ### Overall structure.
 ###
 ###  0 File header: shebang, do-not-edit warning.              [base]
-###  5 Configuration.                                          [config]
+###  4 Configuration.                                          [config]
+###  6   Local settings.                                       [local]
 ### 10 Prologue: command-line parsing and failsafe.            [prologue]
 ### 20 Function definitions.                                   [functions]
 ### 10 Prologue: command-line parsing and failsafe.            [prologue]
 ### 20 Function definitions.                                   [functions]
-### 25 Port numbers etc.                                       [numbers]
+### 24 Port numbers etc.                                       [numbers]
+### 26 Networks, hosts and interfaces.                         [local]
 ### 30 Initialization.                                         [bookends]
 ### 30   Clear existing rules.                                 [bookends]
 ### 32   Set safe IP options.                                  [bookends]
 ### 34   Error chains.                                         [bookends]
 ### 30 Initialization.                                         [bookends]
 ### 30   Clear existing rules.                                 [bookends]
 ### 32   Set safe IP options.                                  [bookends]
 ### 34   Error chains.                                         [bookends]
-### 36   Give loopback traffic a free pass.                    [bookends]
 ### 38   Utility chains.                                       [functions]
 ### 40 Address classification.                                 [classify]
 ### 42   Definition of address class policies.                 [local]
 ### 44   Definition of interfaces and addresses.               [local]
 ### 46   Handling of default interface.                        [classify]
 ### 38   Utility chains.                                       [functions]
 ### 40 Address classification.                                 [classify]
 ### 42   Definition of address class policies.                 [local]
 ### 44   Definition of interfaces and addresses.               [local]
 ### 46   Handling of default interface.                        [classify]
-### 50 ICMP filtering.                                         [icmp]
-### 52   Local configuration.                                  [local]
-### 58   Finally accept ICMP, hook onto INPUT and FORWARD.     [icmp]
-### 60 Local configuration.                                    [local]
+### 50 Packet filter.                                          [bookends]
+### 60 ICMP filtering.                                         [icmp]
+### 62   Local configuration.                                  [local]
+### 68   Finally accept ICMP, hook onto INPUT and FORWARD.     [icmp]
+### 80 Local configuration.                                    [local]
+### 84   Locally bound packet inspection.                      [local]
+### 86   Per-host configuration.                               [HOST]
+### 88   Final filtering.                                      [local]
 ### 90 Finishing touches.                                      [bookends]
 ### 94   Set final policies.                                   [bookends]
 ### 99 File footer: do-not-edit warning.                       [base]
 ### 90 Finishing touches.                                      [bookends]
 ### 94   Set final policies.                                   [bookends]
 ### 99 File footer: do-not-edit warning.                       [base]
diff --git a/bookends.m4 b/bookends.m4
index b29047b0c788946ba24a138c6240f65364842127..38b4e91a6deca8399657714b03b0a8c3c650b1ed 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -164,7 +164,7 @@ errorchain bad-destination-address REJECT
 errorchain interesting ACCEPT
 ## Not an error, just log interesting packets.
 
 errorchain interesting ACCEPT
 ## Not an error, just log interesting packets.
 
-m4_divert(36)m4_dnl
+m4_divert(50)m4_dnl
 ###--------------------------------------------------------------------------
 ### Standard filtering.
 
 ###--------------------------------------------------------------------------
 ### Standard filtering.
 
diff --git a/config.m4 b/config.m4
index 6756452cc6e0cbc737e46c2432bb37e1c3ec1b4b..4b059dfb4985ba3653ca556ead659124ea876091 100644 (file)
--- a/config.m4
+++ b/config.m4
@@ -21,7 +21,7 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-m4_divert(5)m4_dnl
+m4_divert(4)m4_dnl
 ###--------------------------------------------------------------------------
 ### Configuration.
 
 ###--------------------------------------------------------------------------
 ### Configuration.
 
diff --git a/fender.m4 b/fender.m4
index ea0fb32d40ad3021ff9065c2950d31139b5c8615..6161bd69e09bf3b37061de054e9c12d633b23ae6 100644 (file)
--- a/fender.m4
+++ b/fender.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_untrusted=eth0
 if_dmz=$if_untrusted
 ## Interface definitions.
 if_untrusted=eth0
 if_dmz=$if_untrusted
diff --git a/functions.m4 b/functions.m4
index 05decbfabc1076f838ed5698c624f8e364ce080b..555072e866c1fef4bca2e279c0722bd81d7e7fad 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -62,7 +62,7 @@ m4_divert(38)m4_dnl
 ###--------------------------------------------------------------------------
 ### Utility chains (used by function definitions).
 
 ###--------------------------------------------------------------------------
 ### Utility chains (used by function definitions).
 
-m4_divert(22)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
 
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
 
@@ -122,7 +122,7 @@ errorchain () {
   run ip46tables -t $table -A $chain -j DROP
 }
 
   run ip46tables -t $table -A $chain -j DROP
 }
 
-m4_divert(24)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic option setting.
 
 ###--------------------------------------------------------------------------
 ### Basic option setting.
 
@@ -178,7 +178,7 @@ setdevopt () {
   done
 }
 
   done
 }
 
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet filter construction.
 
 ###--------------------------------------------------------------------------
 ### Packet filter construction.
 
@@ -219,7 +219,7 @@ run ip6tables -A accept-non-init-frag -j RETURN \
        -m frag --fragfirst
 run ip6tables -A accept-non-init-frag -j ACCEPT
 
        -m frag --fragfirst
 run ip6tables -A accept-non-init-frag -j ACCEPT
 
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
@@ -306,7 +306,7 @@ openports () {
   run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
 
   run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
 
-m4_divert(28)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet classification.
 
 ###--------------------------------------------------------------------------
 ### Packet classification.
 
diff --git a/gibson.m4 b/gibson.m4
index 167615365274bfb38602bdd09960d0780ce4cde8..22bfe5786b83f7d80a9c079b5981e7d11fdd5a62 100644 (file)
--- a/gibson.m4
+++ b/gibson.m4
@@ -30,7 +30,7 @@ setconf(forward, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_trusted=eth0
 if_dmz=$if_trusted
 ## Interface definitions.
 if_trusted=eth0
 if_dmz=$if_trusted
@@ -45,7 +45,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### gibson-specific rules.
 
 ###--------------------------------------------------------------------------
 ### gibson-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/ibanez.m4 b/ibanez.m4
index 2ec2c1c50bc5287e47d2f564d6c7a3493abe48b1..b2c158ed8698c0ebc3ba539f19e9d5f06a189b57 100644 (file)
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=br-dmz
 if_trusted=br-unsafe
 ## Interface definitions.
 if_dmz=br-dmz
 if_trusted=br-unsafe
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### ibanez-specific rules.
 
 ###--------------------------------------------------------------------------
 ### ibanez-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/jem.m4 b/jem.m4
index c91a104e1076ae7b0f8bfd02335da412df32d2e9..1f74d592afdfd408f2ca0004cdec16407d429829 100644 (file)
--- a/jem.m4
+++ b/jem.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
 
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
 ## isn't a completely critical part of the firewall security, so don't make
 ## this fail the entire script.
 ## Set up the SAUCE sinbin.  Unfortunately, ipset is a bit brittle.  This
 ## isn't a completely critical part of the firewall security, so don't make
 ## this fail the entire script.
diff --git a/local.m4 b/local.m4
index 2d880b91980103a848a148dd44dfd54560498ee2..399e69c0c0739376e3d782115d1181ba1ceb5d59 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -30,14 +30,14 @@ defnetclass untrusted untrusted trusted
 defnetclass trusted untrusted trusted safe noloop
 defnetclass safe trusted safe noloop
 defnetclass noloop trusted safe
 defnetclass trusted untrusted trusted safe noloop
 defnetclass safe trusted safe noloop
 defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+m4_divert(-1)
 
 
+m4_divert(26)m4_dnl
 ###--------------------------------------------------------------------------
 ### Network layout.
 
 ###--------------------------------------------------------------------------
 ### Network layout.
 
-m4_divert(46)m4_dnl
-## Networks and routing.
-
+m4_divert(44)m4_dnl
+## Network definitions.
 defiface $if_dmz \
        trusted:62.49.204.144/28 \
        trusted:172.29.199.0/25 \
 defiface $if_dmz \
        trusted:62.49.204.144/28 \
        trusted:172.29.199.0/25 \
@@ -58,7 +58,7 @@ defiface $if_its_pi safe:192.168.0.0/24
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
 
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
 
-m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
 
@@ -105,6 +105,7 @@ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
        -m state --state ESTABLISHED
 
 m4_divert(60)m4_dnl
        -m state --state ESTABLISHED
 
 m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
 ###
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
 ###
@@ -119,7 +120,7 @@ run iptables -A FORWARD -g poorly-understood \
 run ip6tables -A FORWARD -g poorly-understood \
        -d ff::/8
 
 run ip6tables -A FORWARD -g poorly-understood \
        -d ff::/8
 
-m4_divert(80)m4_dnl
+m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
 
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
 
diff --git a/numbers.m4 b/numbers.m4
index ec86266014095cdeb5e7d358f217c5bdfdf025fb..d5ab0c19ab8307a83a41d3cb7804211bcf944cb2 100644 (file)
--- a/numbers.m4
+++ b/numbers.m4
@@ -21,7 +21,7 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-m4_divert(25)m4_dnl
+m4_divert(24)m4_dnl
 ###--------------------------------------------------------------------------
 ### Magic numbers.
 
 ###--------------------------------------------------------------------------
 ### Magic numbers.
 
diff --git a/radius.m4 b/radius.m4
index 029d9f15f714606a0972a5cd54a7803efbe7903d..75a7700bfc5136a14630fec50ad527c1bcb45d85 100644 (file)
--- a/radius.m4
+++ b/radius.m4
@@ -31,7 +31,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -46,7 +46,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### radius-specific rules.
 
 ###--------------------------------------------------------------------------
 ### radius-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ident \
 ## Externally visible services.
 allowservices inbound tcp \
        ident \
diff --git a/roadstar.m4 b/roadstar.m4
index b2e330108780d618d0821c06b8a2c1358cdc39c4..0269caa26af7f8a2008bda4d21884fe00a32a97d 100644 (file)
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### roadstar-specific rules.
 
 ###--------------------------------------------------------------------------
 ### roadstar-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
 ## Externally visible services.
 allowservices inbound tcp \
        ssh \
diff --git a/vampire.m4 b/vampire.m4
index e3784472056210c701d7bc9be58a05da8bdd23d7..8e9bb6ade188d8b89f3dcb59ca716665b0cbdd5d 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -31,7 +31,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
 ###--------------------------------------------------------------------------
 ### Network interfaces.
 
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0.0
 if_trusted=eth0.1
 ## Interface definitions.
 if_dmz=eth0.0
 if_trusted=eth0.1
@@ -46,7 +46,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
 
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
 
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
        finger ident \
 ## Externally visible services.
 allowservices inbound tcp \
        finger ident \
Firewall scripts for distorted.org.uk.