X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/blobdiff_plain/c69e203ab24c15ca1e398dd5678bff41d48c6d57..39efdaa33bf16dab8dd69ad7c173ae9d8c9cac8e:/local.m4
diff --git a/local.m4 b/local.m4
index 0618693..37da67a 100644
--- a/local.m4
+++ b/local.m4
@@ -47,11 +47,18 @@ m4_divert(26)m4_dnl
 defnet default untrusted
-## Colocated hosts.
-defhost jaguar
+## Hosts.
 defhost jaguar
 iface eth0 default
+m4_divert(80)m4_dnl
+###--------------------------------------------------------------------------
+### Connection tracking helper modules.
+
+for i in ftp; do
+ modprobe nf_conntrack_$i
+done
+
 m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
@@ -146,6 +153,16 @@ openports inbound
 run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
 ## Otherwise process as indicated by the mark.
 for i in $inchains; do
 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
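Review bot: The modprobe loop loads nf_conntrack_ftp but nothing in the hunk controls helper assignment, so on a kernel that still defaults to automatic assignment the ftp helper attaches to every flow on port 21 and creates RELATED expectations from the PORT/PASV text it parses, which the RELATED accept added in the second hunk then honours for traffic into the untrusted net. If the kernel supports it, pairing the loop with `sysctl -w net.netfilter.nf_conntrack_helper=0` and an explicit `run ip46tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` rule scoped to the hosts that need it keeps the helper from being assigned to arbitrary flows. A failing `modprobe` is also silently ignored here; if the file's `run` wrapper reports failures (its definition is not visible), `run modprobe nf_conntrack_$i` would be consistent with the ip46tables calls. The loop and its m4_divert(80) section are fully inside the hunk.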
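Review bot: The new FORWARD accept admits every RELATED flow towards the untrusted net, and with the ftp helper now being loaded that covers helper-expected data connections as well as ICMP errors, so the "don't let untrusted things run services" intent holds only as far as the helper's expectations are trusted; a line such as `## RELATED also matches helper-expected flows (e.g. ftp data), so this depends on the nf_conntrack_* section above.` over the rule would make that dependency explicit. `-m state --state` is the legacy match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current equivalent, worth adopting if the rest of the file (not visible here) already uses it. The `for i in $inchains` loop that begins at the end of the hunk continues outside it.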