Merge branch 'master' of git://git.distorted.org.uk/~mdw/firewall

[firewall] / local.m4

diff --git a/local.m4 b/local.m4
index 0618693042f11b421401b9ecf303a873b27401a4..37da67a788048cb3a48d5969601d8f1ebc7cbf79 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -47,11 +47,18 @@ m4_divert(26)m4_dnl
 
 defnet default untrusted
 
-## Colocated hosts.
-defhost jaguar
+## Hosts.
 defhost jaguar
        iface eth0 default
 
+m4_divert(80)m4_dnl
+###--------------------------------------------------------------------------
+### Connection tracking helper modules.
+
+for i in ftp; do
+  modprobe nf_conntrack_$i
+done
+
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
@@ -146,6 +153,16 @@ openports inbound
 run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+  1)
+    run ip46tables -A FORWARD -j ACCEPT \
+       -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \
+       -m state --state ESTABLISHED,RELATED
+    ;;
+esac
+
 ## Otherwise process as indicated by the mark.
 for i in $inchains; do
   run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT