From: Mark Wooding Date: Thu, 26 Mar 2015 16:51:38 +0000 (+0000) Subject: Merge branch 'master' of git://git.distorted.org.uk/~mdw/firewall X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/commitdiff_plain/39efdaa33bf16dab8dd69ad7c173ae9d8c9cac8e?hp=c69e203ab24c15ca1e398dd5678bff41d48c6d57 Merge branch 'master' of git://git.distorted.org.uk/~mdw/firewall * 'master' of git://git.distorted.org.uk/~mdw/firewall: (29 commits) jaguar.m4, local.m4: Remove jaguar completely. jem.m4: External rsync service. radius.m4: Stop MSS clamping on egress now the external MTU is 1500. local.m4: Reinstate detailed filtering from scary networks. local.m4: Inbound restriction on untrusted is no longer experimental. local.m4: Protect the `untrusted' network from incoming requests. classify.m4: Fix some typos in the commentary. jazz.m4, numbers.m4: Expose the OpenPGP key server. local.m4: Proper configuration for groove. groove.m4: New host. artist.m4: Further Rygel hacking. artist.m4: Punch a hole for Rygel service to local (-ish) devices. local.m4: Boundary network addresses can legitimately transit the VPN. stratocaster.m4: Permit incoming finger. local.m4: Load connection tracking modules as standard. classify.m4: Forbid the v4-mapped and v4-compatible ranges. local.m4: Move VPN hosts to ...:1. telecaster.m4: Allow external DNS service. local.m4: Replacing IPv6 host routes with /112 networks. local.m4: Mention that the IPv6 VPN net is logically `safe'. ... Conflicts: artist.m4 fender.m4 groove.m4 jazz.m4 jem.m4 local.m4 local.mk radius.m4 stratocaster.m4 telecaster.m4 --- diff --git a/Makefile b/Makefile index 1c48383..a0cc605 100644 --- a/Makefile +++ b/Makefile 
@@ -147,7 +147,7 @@ check: $(THISHOST).sh ## Installation on a local host, install/$(THISHOST): $(THISHOST).sh [ "x$(SCRIPTS)" = x ] || $(ROOT) install -m755 $(SCRIPTS) $(sbindir) - $(ROOT) ./$(THISHOST).sh replace + $(ROOT) ./$(THISHOST).sh replace &2 "Unknown IP version $ipv"; exit 1 ;; + esac + + ## If we've not set up the error chain then do that. + case $bcp38_setup in + :) + errorchain bcp38 DROP + clearchain bcp38-check + ip46tables -A bcp38-check -g bcp38 + ;; + esac + + ## Stitch our egress filter into the outbound chains if we haven't done + ## that yet. Do this for both IP versions: if we're only ever given + ## IPv6 addresses for a particular interface then we assume that IPv4 + ## packets aren't allowed on it at all. + case $bcp38_setup in + *:$ifname:*) ;; + *) + run ip46tables -A OUTPUT -j bcp38-check -o $ifname + case $forward in + 1) run ip46tables -A FORWARD -j bcp38-check -o $ifname ;; + esac + bcp38_setup=$bcp38_setup$ifname: + ;; + esac + + ## Finally, add in our allowed networks. + for i in "$@"; do + run $ipt -I bcp38-check -j RETURN -s $i + done +} + m4_divert(20)m4_dnl ###-------------------------------------------------------------------------- ### Packet classification. diff --git a/icmp.m4 b/icmp.m4 index 93c2973..3ccc6d9 100644 --- a/icmp.m4 +++ b/icmp.m4 @@ -38,7 +38,10 @@ m4_divert(58)m4_dnl run ip46tables -A check-icmp -j ACCEPT ## Done. -for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done +for i in $inchains; do + run iptables -A $i -p icmp -j check-icmp + run ip6tables -A $i -p icmpv6 -j check-icmp +done m4_divert(-1) ###----- That's all, folks -------------------------------------------------- diff --git a/local.m4 b/local.m4 index 0618693..37da67a 100644 --- a/local.m4 +++ b/local.m4 
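Review bot: The split loop in the icmp.m4 hunk needs a comment explaining why it stopped using ip46tables, because the old one-liner looks equivalent at a glance; on ip6tables `-p icmp` selects protocol 1, which never appears in IPv6, so ICMPv6 was presumably never reaching check-icmp before this change. I would put `## ip6tables has to match icmpv6, not icmp, so this loop cannot go through ip46tables.` above the `for`. A consequence worth checking is that the rules of check-icmp above this hunk now see ICMPv6 traffic for the first time: the trailing `-j ACCEPT` on the context line means neighbour discovery and MLD will get through, but any rate limit or type filter earlier in that chain (not visible here) now applies to them as well, and I cannot confirm from this hunk that they were written with ICMPv6 in mind.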
@@ -47,11 +47,18 @@ m4_divert(26)m4_dnl defnet default untrusted -## Colocated hosts. -defhost jaguar +## Hosts. defhost jaguar iface eth0 default +m4_divert(80)m4_dnl +###-------------------------------------------------------------------------- +### Connection tracking helper modules. + +for i in ftp; do + modprobe nf_conntrack_$i +done + m4_divert(80)m4_dnl ###-------------------------------------------------------------------------- ### Special forwarding exemptions. @@ -146,6 +153,16 @@ openports inbound run ip46tables -A inbound -j forbidden run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound +## Allow responses from the scary outside world into the untrusted net, but +## don't let untrusted things run services. +case $forward in + 1) + run ip46tables -A FORWARD -j ACCEPT \ + -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \ + -m state --state ESTABLISHED,RELATED + ;; +esac + ## Otherwise process as indicated by the mark. for i in $inchains; do run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT diff --git a/numbers.m4 b/numbers.m4 index 149afd4..547dce1 100644 --- a/numbers.m4 +++ b/numbers.m4 @@ -40,6 +40,7 @@ defport ident 113 defport netbios_ns 137 defport netbios_dgm 138 defport netbios_ssn 139 +defport imap 143 defport https 443 defport microsoft_ds 445 defport syslog 514 # UDP only! @@ -49,6 +50,7 @@ defport ipmi 623 defport rsync 873 defport imaps 993 defport h323 1720 +defport ssquid 3127 defport squid 3128 defport icp 3130 defport tripe 4070 @@ -64,6 +66,7 @@ defport althttp1 8080 defport tor_public 9001 defport tor_directory 9030 defport git 9418 +defport pgp_keys 11371 defport i2p 16911 defport disorder 23599 defport udpkey 59274
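Review bot: The `-m state --state ESTABLISHED,RELATED` accept into untrusted in the second local.m4 hunk (@@ -146) also admits conntrack-helper expectations, not just replies and ICMP errors, and the first hunk of the same file starts loading nf_conntrack_ftp, so active-mode FTP data connections from outside will now be forwarded into the untrusted net without going through the per-mark chains; if that is intended the comment should say so, e.g. `## RELATED also covers ICMP errors and helper-created expectations (FTP data, via the helpers loaded above).` On kernels where automatic helper assignment is off (the default since 4.7 via nf_conntrack_helper=0, as far as I recall) the bare modprobe in the first hunk does nothing by itself and the helper has to be attached with `-j CT --helper ftp` rules in the raw table, otherwise those data connections will simply fail rather than be RELATED. Two smaller points: `-m conntrack --ctstate ESTABLISHED,RELATED` is the current spelling of the deprecated `-m state` match used here, and the `modprobe nf_conntrack_$i` line is the only command in these hunks not wrapped in `run`, so a missing module would presumably go unreported where every iptables failure is not.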