This introduces a new segment of the network which needs to be handled
properly. The externally facing DNS server is actually the iodine
daemon, which listens on 5353 and is mapped from 53 by guvnor. It
proxies requests outside io.distorted.org.uk on to the usual server
listening on port 53.
safe:172.29.199.64/27 \
untrusted:default
defiface $if_untrusted \
safe:172.29.199.64/27 \
untrusted:default
defiface $if_untrusted \
- untrusted:172.29.198.0/24
+ untrusted:172.29.198.0/25
defvpn $if_vpn safe 172.29.199.128/27 \
crybaby:172.29.199.129
defvpn $if_vpn safe 172.29.199.128/27 \
crybaby:172.29.199.129
+defiface $if_iodine untrusted:172.29.198.128/28
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
defiface $if_its_mz safe:172.29.199.160/30
defiface $if_its_pi safe:192.168.0.0/24
if_untrusted=eth0
if_trusted=eth0
if_vpn=eth0
if_untrusted=eth0
if_trusted=eth0
if_vpn=eth0
if_its_mz=its-mz
if_its_pi=its-pi
if_its_mz=its-mz
if_its_pi=its-pi
defport rsync 873
defport squid 3128
defport tripe 4070
defport rsync 873
defport squid 3128
defport tripe 4070
defport postgresql 5432
defport gnutella_svc 6346
defport mpd 6600
defport postgresql 5432
defport gnutella_svc 6346
defport mpd 6600
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
if_untrusted=eth0.1
if_trusted=eth0.0
if_vpn=vpn-+
if_its_mz=eth0.0
if_its_pi=eth0.0
if_its_mz=eth0.0
if_its_pi=eth0.0
## Externally visible services.
allowservices inbound tcp \
finger ident \
## Externally visible services.
allowservices inbound tcp \
finger ident \
ssh \
smtp \
gnutella_svc \
ssh \
smtp \
gnutella_svc \
allowservices inbound tcp \
tor_public tor_directory
allowservices inbound udp \
allowservices inbound tcp \
tor_public tor_directory
allowservices inbound udp \