From: Mark Wooding
Date: Mon, 16 Feb 2015 09:55:23 +0000 (+0000)
Subject: local.m4: Protect the `untrusted' network from incoming requests.
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/commitdiff_plain/1b534b6a971639a492666b35145b247e4f4a94a9?hp=1b534b6a971639a492666b35145b247e4f4a94a9

local.m4: Protect the `untrusted' network from incoming requests.

Currently the untrusted network is vulnerable to incoming hostile IPv6 requests, and only protected from IPv4 by NAT. I don't think it's especially useful to allow untrusted hosts to provide externally facing services, so rather than deploy a new network, I'm just going to change the policy for the existing one, and forbid new connections and UDP traffic to untrusted hosts.

This involves splitting out a separate network class for the external Internet, which is now `scary'.
---