+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for artist
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### artist-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- ftp ftp_data \
- http https \
- disorder \
- tor_public tor_directory i2p
-allowservices inbound udp \
- i2p
-
-## Allow smb and nmb to untrusted hosts.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p udp -m multiport --destination-ports \
- $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp -m multiport --destination-ports \
- $port_netbios_ssn,$port_microsoft_ds
-
-## Open ports for Rygel.
-run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 -p igmp
-run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 \
- -d 239.255.255.250 -p udp --destination-port 1900
-run iptables -A inbound -j ACCEPT -s 172.29.198.0/23 \
- -p tcp --destination-port 9501
-
-## Other interesting things.
-dnsresolver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for fender actual
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### fender-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident
-
-## We have to provide NTP service. The guests sync to our clock.
-ntpclient inbound $ntp_servers
-
-## Guaranteed black hole. Put this at the very front of the chain.
-run iptables -I INPUT -d 212.13.198.78 -j DROP
-run ip6tables -I INPUT -d 2001:ba8:0:1d9::ffff -j DROP
-
-## Ethernet bridge-level filtering for source addresses.
-run ebtables -F
-for i in log limit ip ip6; do run modprobe ebt-$i; done
-
-for c in bad-source-addr check-eth0 bcp38 check-bcp38; do
- run ebtables -X $c >/dev/null 2>&1 || :
-done
-
-for ch in bad-source-addr bcp38; do
- run ebtables -N $ch
- run ebtables -A $ch \
- --limit 20/second --limit-burst 100 \
- --log-prefix "fw: $ch(br)" --log-ip --log-ip6
- run ebtables -A $ch -j DROP
-done
-
-run ebtables -N check-eth0
-run ebtables -A check-eth0 -j RETURN -p ip --ip-source ! 212.13.198.64/28
-run ebtables -A check-eth0 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::1
-run ebtables -A check-eth0 -j bad-source-addr \
- -p ip6 --ip6-source 2001:ba8:1d9::/48
-run ebtables -A check-eth0 -j bad-source-addr \
- -p ip6 --ip6-source 2001:ba8:0:1d9::/64
-run ebtables -A check-eth0 -j RETURN -p ip6
-run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.64/30
-run ebtables -A check-eth0 -j RETURN -p ip --ip-source 212.13.198.68
-run ebtables -A check-eth0 -j bad-source-addr -p ip
-run ebtables -A INPUT -j check-eth0 -i bond0
-run ebtables -A FORWARD -j check-eth0 -i bond0
-
-run ebtables -N check-bcp38
-run ebtables -A check-bcp38 -j RETURN -p ip --ip-source 212.13.198.64/28
-run ebtables -A check-bcp38 -j bcp38 -p ip
-run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:0:1d9::/64
-run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source 2001:ba8:1d9::/48
-run ebtables -A check-bcp38 -j RETURN -p ip6 --ip6-source fe80::/10
-run ebtables -A check-bcp38 -j bcp38 -p ip6
-run ebtables -A FORWARD -j check-bcp38 -o bond0
-
-## There's a hideous bug in Linux' 3.2.51-1's ebtables: for some reason it
-## misparses (at least) locally originated multicast packets, and tries to
-## extract IP header fields relative to the start of the Ethernet frame. The
-## result is obviously a hideous mess. Don't try to do BCP38 checking for
-## locally originated packets until this is fixed.
-##run ebtables -A OUTPUT -j check-bcp38 -o bond0
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for gibson
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### gibson-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- h323
-allowservices inbound udp \
- siplo:siphi
-
-## IMPI client hacking.
-run ip46tables -A inbound -j ACCEPT \
- -m state --state ESTABLISHED \
- -p udp --source-port $port_ipmi
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for groove
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### groove-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- http https \
- disorder
-allowservices inbound udp \
- tripe
-
-## Other interesting things.
-dnsresolver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for ibanez
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### ibanez-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident
-allowservices inbound udp \
- udpkey
-
-## We have to provide NTP service. The guests sync to our clock.
-ntpclient inbound $ntp_servers
-
-## Provide NTP service to untrusted clients.
-iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
### -*-sh-*-
###
-### Firewall configuration for orange
+### Firewall configuration for jaguar
###
### (c) 2008 Mark Wooding
###
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
-### orange-specific rules.
+### jaguar-specific rules.
m4_divert(86)m4_dnl
## Externally visible services.
allowservices inbound tcp \
ssh \
ident \
- http https \
- disorder
-allowservices inbound udp \
- tripe
+ http https althttp0 althttp1
## Other interesting things.
dnsresolver inbound
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for jazz
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### jazz-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- http https \
- pgp_keys \
- tor_public tor_directory i2p
-allowservices inbound udp \
- tripe \
- i2p
-
-## Other interesting things.
-dnsresolver inbound
-dnsserver inbound
-
-## Temporary NAT for iodine tunnel.
-for i in PREROUTING OUTPUT POSTROUTING; do
- run iptables -t nat -P $i ACCEPT 2>/dev/null || :
- run iptables -t nat -F $i 2>/dev/null || :
-done
-run iptables -t nat -F
-run iptables -t nat -X
-
-iptables -t nat -N outbound
-run iptables -t nat -A outbound -j RETURN ! -i dns+
-run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.128/28
-run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
-run iptables -t nat -A outbound -j SNAT --to-source 212.13.198.77
-iptables -t nat -A POSTROUTING -j outbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for jem
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### jem-specific rules.
-
-m4_divert(86)m4_dnl
-## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
-## isn't a completely critical part of the firewall security, so don't make
-## this fail the entire script.
-errorchain sauce REJECT
-makeset sauce iphash || :
-iptables -A inbound -g sauce -m set --match-set sauce src || :
-
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- smtp submission \
- imaps \
- http https rsync \
- git
-
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p $p --destination-port $port_dns
-done
-
-## Other interesting things.
-dnsresolver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
###--------------------------------------------------------------------------
### Packet classification.
-## IPv4 addressing.
-##
-## There are two small blocks of publicly routable IPv4 addresses, and a
-## block of RFC1918 private-use addresses allocated from the Cambridge G-RIN.
-## The former are as follows.
-##
-## 62.49.204.144/28
-## House border network (dmz). We have all of these, but .145
-## is reserved for the router.
-##
-## 212.13.18.64/28
-## Jump colocated network (jump). .65--68 are used by Jump
-## network infrastructure; we get the rest.
-##
-## The latter is the block 172.29.196.0/22. Currently the low half is
-## unallocated (and may be returned to the G-RIN); the remaining addresses
-## are allocated as follows.
-##
-## 172.29.198.0/24 Untrusted networks.
-## .0/25 house wireless net
-## .128/28 iodine (IP-over-DNS) network
-##
-## 172.29.199.0/24 Trusted networks.
-## .0/25 house wired network
-## .128/27 mobile VPN hosts
-## .160/28 reserved, except .160/30 allocated for ITS
-## .176/28 internal colocated network
-## .192/27 house safe network
-## .224/27 anycast services
-
-## IPv6 addressing.
-##
-## There are five blocks of publicly routable IPv6 addresses, though some of
-## them aren't very interesting. The ranges are as follows.
-##
-## 2001:470:1f08:1b98::/64
-## Hurricane Electric tunnel network: only :1 (HE) and :2
-## (radius) are used.
-##
-## 2001:470:1f09:1b98::/64
-## House border network (dmz).
-##
-## 2001:470:9740::/48
-## Main house range. See below for allocation policy.
-##
-## 2001:ba8:0:1d9::/64
-## Jump border network (jump): :1 is the router (supplied by
-## Jump); other addresses are ours.
-##
-## 2001:ba8:1d9::/48
-## Main colocated range. See below for allocation policy.
-##
-## Addresses in the /64 networks are simply allocated in ascending order.
-## The /48s are split into /64s by appending a 16-bit network number. The
-## top nibble of the network number classifies the network, as follows.
-##
-## 8xxx Untrusted
-## 6xxx Virtual, safe
-## 4xxx Safe
-## 0xxx Unsafe, trusted
-##
-## These have been chosen so that network properties can be deduced by
-## inspecting bits of the network number:
-##
-## Bit 15 If set, the network is untrusted; otherwise it is trusted.
-## Bit 14 If set, the network is safe; otherwise it is unsafe.
-##
-## Finally, the low-order nibbles identify the site.
-##
-## 0 No specific site: mobile VPN endpoints or anycast addresses.
-## 1 House.
-## 2 Jump colocation.
-##
-## Usually site-0 networks are allocated from the Jump range to improve
-## expected performance from/to external sites which don't engage in our
-## dynamic routing protocols.
-
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass scary scary trusted mcast
-defnetclass untrusted scary untrusted trusted mcast
-defnetclass trusted scary untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass untrusted untrusted mcast
defnetclass link
defnetclass mcast
###--------------------------------------------------------------------------
### Network layout.
-## House networks.
-defnet dmz trusted
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
- via unsafe untrusted
-defnet unsafe trusted
- addr 172.29.199.0/25 2001:470:9740:1::/64
- via househub
-defnet safe safe
- addr 172.29.199.192/27 2001:470:9740:4001::/64
- via househub
-defnet untrusted untrusted
- addr 172.29.198.0/25 2001:470:9740:8001::/64
- via househub
-
-defnet househub virtual
- via housebdry dmz unsafe safe untrusted
-defnet housebdry virtual
- via househub hub
-
-## House hosts.
-defhost radius
- hosttype router
- iface eth0 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
- iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
- iface eth3 unsafe untrusted vpn default
- iface ppp0 default
- iface t6-he default
- iface vpn-precision colobdry vpn sgo
- iface vpn-chiark sgo
- iface vpn-+ vpn
-defhost roadstar
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
-defhost jem
- iface eth0 dmz unsafe
- iface eth1 dmz unsafe
-defhost artist
- hosttype router
- iface eth0 dmz unsafe untrusted
- iface eth1 dmz unsafe untrusted
- iface eth3 unsafe untrusted
-defhost vampire
- hosttype router
- iface eth0.4 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.5 dmz unsafe untrusted safe vpn sgo colobdry
- iface eth0.6 dmz unsafe safe untrusted vpn sgo colobdry
- iface eth0.7 unsafe untrusted vpn
- iface vpn-precision colobdry vpn sgo
- iface vpn-chiark sgo
- iface vpn-+ vpn
-defhost ibanez
- iface br-dmz dmz unsafe
- iface br-unsafe unsafe
-defhost orange
- iface wlan0 untrusted
- iface vpn-radius unsafe
-defhost groove
- iface eth0 unsafe
- iface wlan0 untrusted
- iface vpn-radius unsafe
-
-defhost gibson
- hosttype client
- iface eth0 unsafe
-
-## Colocated networks.
-defnet jump trusted
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- via colohub
-defnet colo trusted
- addr 172.29.199.176/28 2001:ba8:1d9:2::/64
- via colohub
-defnet colohub virtual
- via colobdry jump colo
-defnet colobdry virtual
- via colohub hub
-defnet iodine untrusted
- addr 172.29.198.128/28
- via colohub
-
-## Colocated hosts.
-defhost fender
- iface br-jump jump colo
- iface br-colo jump colo
-defhost precision
- hosttype router
- iface eth0 jump colo vpn sgo
- iface eth1 jump colo vpn sgo
- iface vpn-mango binswood
- iface vpn-radius housebdry vpn sgo
- iface vpn-chiark sgo
- iface vpn-+ vpn
-defhost telecaster
- iface eth0 jump colo
- iface eth1 jump colo
-defhost stratocaster
- iface eth0 jump colo
- iface eth1 jump colo
-defhost jazz
- hosttype router
- iface eth0 jump colo vpn
- iface eth1 jump colo vpn
- iface dns0 iodine
- iface vpn-+ vpn
-
-## Other networks.
-defnet hub virtual
- via housebdry colobdry
-defnet sgo noloop
- addr !172.29.198.0/23
- addr 10.0.0.0/8
- addr 172.16.0.0/12
- addr 192.168.0.0/16
- via househub colohub
-defnet vpn safe
- addr 172.29.199.128/27 2001:ba8:1d9:6000::/64
- via househub colohub
- host crybaby 1 ::1:1
- host terror 2 ::2:1
- host orange 3 ::3:1
- host haze 4 ::4:1
- host groove 5 ::5:1
-defnet anycast trusted
- addr 172.29.199.224/27 2001:ba8:1d9:0::/64
- via dmz unsafe safe untrusted jump colo vpn
-defnet default scary
- addr 62.49.204.144/28 2001:470:1f09:1b98::/64
- addr 212.13.198.64/28 2001:ba8:0:1d9::/64
- addr 2001:ba8:1d9::/48 #temporary
- via dmz unsafe untrusted jump colo
-
-## Satellite networks.
-defnet binswood noloop
- addr 10.165.27.0/24
- via colohub
+defnet default untrusted
-defhost mango
- hosttype router
- iface eth0 binswood default
- iface vpn-precision colo
+## Hosts.
+defhost jaguar
+ iface eth0 default
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
-run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Allow responses from the scary outside world into the untrusted net, but
case $forward in
1)
run ip46tables -A FORWARD -j ACCEPT \
- -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
+ -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \
-m state --state ESTABLISHED,RELATED
;;
esac
MAIN_M4_SOURCES += local.m4
## The avaiable hosts.
-HOSTS += vampire
-
-HOSTS += orange
-HOSTS += mango
-HOSTS += groove
-
-HOSTS += ibanez
-HOSTS += radius
-HOSTS += roadstar
-HOSTS += jem
-HOSTS += artist
-
-HOSTS += fender
-HOSTS += precision
-HOSTS += telecaster
-HOSTS += stratocaster
-HOSTS += jazz
-
-HOSTS += gibson
+HOSTS += jaguar
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for mango
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### mango-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh
-allowservices inbound udp \
- tripe
-
-## Other interesting things.
-dnsresolver inbound
-
-## Trust the surrounding environment.
-run iptables -A INPUT -j ACCEPT -s 10.165.27.0/24
-
-## NAT for remote administration.
-for i in PREROUTING OUTPUT POSTROUTING; do
- run iptables -t nat -P $i ACCEPT 2>/dev/null || :
- run iptables -t nat -F $i 2>/dev/null || :
-done
-run iptables -t nat -F
-run iptables -t nat -X
-
-run iptables -t nat -A POSTROUTING -j SNAT --to-source 10.165.27.3 \
- -s 172.29.198.0/23 -d 10.165.27.0/24 -o eth0
-
-clearchain nat:portfwd
-run iptables -t nat -A portfwd -j DNAT \
- -p tcp --dport 3128 --to-destination 172.29.199.228
-for c in OUTPUT PREROUTING; do
- run iptables -t nat -A $c -j portfwd \
- -s 10.165.27.0/24 -d 10.165.27.3
-done
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
defport gnutella_svc 6346
defport mpd 6600
defport irc 6667
+defport althttp0 8000
+defport althttp1 8080
defport tor_public 9001
defport tor_directory 9030
defport git 9418
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for precision
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### precision-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ident \
- ssh
-allowservices inbound udp \
- tripe
-
-## Other interesting things.
-dnsresolver inbound
-dnsserver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for radius
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### radius-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ident \
- ssh
-allowservices inbound udp \
- tripe
-
-## Provide syslog for evolution.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.2 \
- -p udp --destination-port $port_syslog
-
-## Other interesting things.
-dnsresolver inbound
-dnsserver inbound
-
-## IPv6 6-in-4 tunnel.
-run iptables -A inbound -j ACCEPT \
- -p $proto_ipv6 -s 216.66.80.26
-
-## Permitted special forwarding.
-makeset fwd-allow-http nethash || :
-iptables -A fwd-spec-nofrag -j ACCEPT \
- -m set --match-set fwd-allow-http dst \
- -p tcp --destination-port $port_http \
- -m mark --mark $to_untrusted/$MASK_TO
-iptables -A fwd-spec-nofrag -j ACCEPT \
- -m set --match-set fwd-allow-http src \
- -p tcp --destination-port $port_http \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
-
-## BCP38 filtering. Note that addresses here are seen before NAT is applied.
-bcp38 4 ppp0 62.49.204.144/28 172.29.198.0/23
-bcp38 6 t6-he \
- 2001:470:1f08:1b98::2 2001:470:1f09:1b98::/64 \
- 2001:470:9740::/48
-
-## NAT for RFC1918 addresses.
-for i in PREROUTING OUTPUT POSTROUTING; do
- run iptables -t nat -P $i ACCEPT 2>/dev/null || :
- run iptables -t nat -F $i 2>/dev/null || :
-done
-run iptables -t nat -F
-run iptables -t nat -X
-
-run iptables -t nat -N outbound
-run iptables -t nat -A outbound -j RETURN ! -o ppp0
-run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
-run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
-run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
-
-## An awful hack.
-##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.199.44 --prefix 62.49.204.157
-##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.198.34 --prefix 62.49.204.157
-##run iptables -t nat -A outbound -j DNETMAP --reuse \
-## -s 172.29.198.11 --prefix 62.49.204.157
-##run iptables -t nat -A PREROUTING -j DNETMAP
-
-run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
-run iptables -t nat -A POSTROUTING -j outbound
-
-## Set up NAT protocol helpers. In particular, SIP needs some special
-## twiddling.
-run modprobe nf_conntrack_sip \
- ports=5060 \
- sip_direct_signalling=0 \
- sip_direct_media=0
-for p in ftp sip h323; do
- run modprobe nf_nat_$p
-done
-
-## Forbid anything complicated to the NAT address. Be sure to allow ident,
-## though.
-run iptables -A INPUT -d 62.49.204.158 -p tcp -j ACCEPT \
- -m multiport --destination-ports=113
-run iptables -A INPUT -d 62.49.204.158 ! -p icmp -j REJECT
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for roadstar
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### roadstar-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- ftp ftp_data \
- rsync \
- http https squid
-
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p $p --destination-port $port_dns
-done
-
-## Other interesting things.
-dnsresolver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for stratocaster
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### stratocaster-specific rules.
-
-m4_divert(86)m4_dnl
-## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
-## isn't a completely critical part of the firewall security, so don't make
-## this fail the entire script.
-errorchain sauce REJECT
-makeset sauce iphash || :
-iptables -A inbound -g sauce -m set --match-set sauce src || :
-
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident finger \
- smtp submission \
- imap imaps \
- http https \
- rsync \
- git
-
-## Other interesting things.
-dnsresolver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for telecaster
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### telecaster-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- ssh \
- ident \
- ftp ftp_data \
- rsync \
- http https squid ssquid
-
-run iptables -A inbound -j ACCEPT \
- -p udp --destination-port $port_icp \
- -m limit --limit 10/second --limit-burst 100
-
-## Other interesting things.
-dnsresolver inbound
-dnsserver inbound
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
+++ /dev/null
-### -*-sh-*-
-###
-### Firewall configuration for vampire
-###
-### (c) 2008 Mark Wooding
-###
-
-###----- Licensing notice ---------------------------------------------------
-###
-### This program is free software; you can redistribute it and/or modify
-### it under the terms of the GNU General Public License as published by
-### the Free Software Foundation; either version 2 of the License, or
-### (at your option) any later version.
-###
-### This program is distributed in the hope that it will be useful,
-### but WITHOUT ANY WARRANTY; without even the implied warranty of
-### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-### GNU General Public License for more details.
-###
-### You should have received a copy of the GNU General Public License
-### along with this program; if not, write to the Free Software Foundation,
-### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-###--------------------------------------------------------------------------
-### vampire-specific rules.
-
-m4_divert(86)m4_dnl
-## Externally visible services.
-allowservices inbound tcp \
- finger ident \
- ssh \
- smtp submission \
- gnutella_svc \
- ftp ftp_data \
- rsync \
- imaps \
- disorder mpd \
- http https squid \
- git \
- tor_public tor_directory i2p
-allowservices inbound udp \
- tripe \
- gnutella_svc \
- i2p
-
-## Extend some services to local untrusted hosts.
-clearchain inbound-untrusted
-run iptables -A inbound -j inbound-untrusted -s $net_inet_untrusted
-run ip6tables -A inbound -j inbound-untrusted -s $net_inet6_untrusted
-
-allowservices inbound-untrusted tcp \
- dns \
- lpd \
- netbios_ssn microsoft_ds
-allowservices inbound-untrusted udp \
- dns \
- tftp
-
-## Provide syslog for evolution.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.2 \
- -p udp --destination-port $port_syslog
-
-## Watch outgoing Tor usage.
-run iptables -A OUTPUT -m multiport \
- -p tcp --source-ports $port_tor_public,$port_tor_directory
-
-## Other interesting things.
-dnsresolver inbound
-dnsserver inbound
-ntpclient inbound $ntp_servers
-
-## Provide NTP service to untrusted clients.
-iptables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 172.29.198.0/23
-ip6tables -A inbound -p udp -j ACCEPT \
- --source-port 123 --destination-port 123 \
- -s 2001:470:9740::/48
-
-m4_divert(-1)
-###----- That's all, folks --------------------------------------------------
~mdw / firewall / commitdiff