From: Mark Wooding
Date: Mon, 11 May 2015 14:16:48 +0000 (+0100)
Subject: local.m4: We don't have an untrusted network.
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/commitdiff_plain/3dc88ddc002964ace632e757ee7161fa26715e0e
local.m4: We don't have an untrusted network.
---
diff --git a/local.m4 b/local.m4
index 37da67a..f0702c3 100644
--- a/local.m4
+++ b/local.m4
@@ -153,16 +153,6 @@ openports inbound
 run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
-## Allow responses from the scary outside world into the untrusted net, but
-## don't let untrusted things run services.
-case $forward in
- 1)
- run ip46tables -A FORWARD -j ACCEPT \
- -m mark --mark $to_untrusted/$(( $MASK_FROM | $MASK_TO )) \
- -m state --state ESTABLISHED,RELATED
- ;;
-esac
-
 ## Otherwise process as indicated by the mark.
 for i in $inchains; do
 run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT