From: Mark Wooding Date: Sat, 17 Apr 2010 15:37:28 +0000 (+0100) Subject: Merge branch 'master' of metalzone:public-git/firewall X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/commitdiff_plain/4d0888c3de7cc02ae6cc6556358eff7b86bf46d3?hp=ecdca1312d3214c5039e7f783330a90bbfeae2db Merge branch 'master' of metalzone:public-git/firewall * 'master' of metalzone:public-git/firewall: functions.m4, local.m4: Handle fragments in a useful way. classify.m4: Correct summary line at the top. vampire.m4: Remove the magical DNS DDoS hack.
---
diff --git a/local.m4 b/local.m4
index 2b1b898..b321cde 100644
--- a/local.m4
+++ b/local.m4
@@ -43,9 +43,10 @@ defiface $if_trusted \ safe:172.29.199.64/27 \ untrusted:default defiface $if_untrusted \ - untrusted:172.29.198.0/24 + untrusted:172.29.198.0/25 defvpn $if_vpn safe 172.29.199.128/27 \ crybaby:172.29.199.129 +defiface $if_iodine untrusted:172.29.198.128/28 defiface $if_its_mz safe:172.29.199.160/30 defiface $if_its_pi safe:192.168.0.0/24
diff --git a/metalzone.m4 b/metalzone.m4
index 62804c6..eb4dd2b 100644
--- a/metalzone.m4
+++ b/metalzone.m4
@@ -29,6 +29,7 @@ m4_divert(44)m4_dnl if_untrusted=eth0 if_trusted=eth0 if_vpn=eth0 +if_iodine=eth0 if_its_mz=its-mz if_its_pi=its-pi
diff --git a/numbers.m4 b/numbers.m4
index 83de747..9596c96 100644
--- a/numbers.m4
+++ b/numbers.m4
@@ -40,11 +40,14 @@ defport syslog 514 # UDP only! defport rsync 873 defport squid 3128 defport tripe 4070 +defport iodine 5353 defport postgresql 5432 defport gnutella_svc 6346 +defport mpd 6600 defport tor_public 9001 defport tor_directory 9030 defport git 9418 +defport disorder 23599 m4_divert(-1) ###----- That's all, folks --------------------------------------------------
diff --git a/vampire.m4 b/vampire.m4
index 13e37bd..2f8c105 100644
--- a/vampire.m4
+++ b/vampire.m4
@@ -29,6 +29,7 @@ m4_divert(44)m4_dnl if_untrusted=eth0.1 if_trusted=eth0.0 if_vpn=vpn-+ +if_iodine=dns+ if_its_mz=eth0.0 if_its_pi=eth0.0 
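Review bot: In the local.m4 hunk the `$if_untrusted` range shrinks from `172.29.198.0/24` to `/25` while the new `$if_iodine` interface only claims `172.29.198.128/28`, so `172.29.198.144` through `172.29.198.255` is no longer named by any `defiface` here; how sources in that gap are classified depends on what `defiface` does with unlisted addresses, which this hunk does not show. If the gap is intentional room for further tunnels it deserves saying so next to the new line, e.g. `# 172.29.198.144-255 deliberately unassigned; iodine clients get .128/28`; if not, the iodine range should be widened so the two entries again tile the old /24. Note that local.m4 appears to be shared by both hosts (metalzone.m4 and vampire.m4 each set `if_iodine`), so the gap presumably applies on both.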
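Review bot: `defport iodine 5353` in the numbers.m4 hunk sits on the port IANA registers for mDNS, and iodine carries its DNS tunnel over UDP only, so the entry should carry the same warning the `syslog` line three rows above already has: `defport iodine 5353 # UDP only! (iodine DNS tunnel; 5353 is also the mDNS port)`. The `allowservices inbound tcp ...` lists that consume this table cannot tell from the number alone that no TCP listener is expected, and in this same commit vampire.m4 does open it on TCP.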
@@ -40,18 +41,19 @@ m4_divert(82)m4_dnl ## Externally visible services. allowservices inbound tcp \ finger ident \ - dns \ + dns iodine \ ssh \ smtp \ gnutella_svc \ ftp ftp_data \ rsync \ + disorder \ http https \ git allowservices inbound tcp \ tor_public tor_directory allowservices inbound udp \ - dns \ + dns iodine \ tripe \ gnutella_svc
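Review bot: `iodine` is added to the inbound **tcp** `allowservices` list as well as the udp one, but iodine speaks DNS over UDP only, so this opens 5353/tcp on the externally visible interface with (presumably) nothing behind it — an unneeded exposure, and 5353 is also the mDNS port. Keep the tcp line as `dns \` and leave `dns iodine \` only on the udp list. `disorder` (tcp/23599) is likewise newly reachable from everywhere under "Externally visible services"; if it is meant for the local network only, it belongs in a zone-restricted rule rather than this list. The surrounding `m4_divert(82)` section continues outside the hunk.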