source: hybrid/branches/releng-10/nanobsd/files/etc/pf.hybrid.conf@ 13160

Last change on this file since 13160 was 13160, checked in by rick, 10 years ago

Fix open DNS relay issue by closing down to the proper networks.

#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The feature points are shared between all firewall configurations to
# make comparisons easier to do. The number in parentheses after each rule
# comment below refers to the feature point the rule implements.
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 7) Optional: Exposure of WL services to the outside
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#

# Standard port allow listings for external services
# NOTE(review): these ports are opened to "any" on $ext_if by the (4) rules
# below, so SNMP and SSH are reachable from the whole internet. If SNMP is only
# needed from the MGMT network, consider moving it to allow_private_in_udp.
allow_ext_in_tcp="ssh, openvpn"
allow_ext_in_udp="snmp, openvpn"

# Standard port allow listings for services at host network (in case of NAT)
# Only reachable from $private (see the (4) rules below), not from the internet.
allow_private_in_tcp="domain"
allow_private_in_udp="domain"

# Ports the local machine itself may initiate connections to on $ext_if/$inet_if
allow_ext_out_tcp = "domain, http, https, openvpn"
allow_ext_out_udp = "domain, ntp, openvpn"


# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup, no aliases on interfaces.
ext_if="vr0"
ext_ip="(vr0:0)"
inet_if="vr0"
inet_ip="(vr0:0)"
captive_portal_interfaces="wlan0"
# Ports that are NATted to the internet for iLeiden clients (1)
publicnat="http,https"
masterip="127.0.0.1"
# For a traditional proxy setup (no iLeiden clients!), uncomment:
#publicnat=0

# Global standards. NOT to be edited.
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 192.168.0.0/16 }"
ileiden_ports="http,https"

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Table of hosts that have clicked OK on the captive portal; they bypass the
# redirect and get the extra pass rules below (6)
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2)
nat on ! $ext_if from $private to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3)
no nat from $wl_net to $private

# NAT the WL network onto the internet, but only for the $publicnat ports (1)
nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)


# Redirect HTTP from users who have not clicked OK yet to the captive portal;
# hosts already in <wlportal> are exempted by the "no rdr" rule (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081

# Load autogenerated entries, like the remote mappings (7)
# NOTE: translation rules must precede filter rules, so the include sits here.
include "/etc/pf.hybrid.conf.local"

# Make the device on WL find the proper gateway back (7)
nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip

# Special allow rules for inbound piercing (7)
pass in quick on $ext_if inet tagged SRV keep state

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5). pf uses last-matching-rule semantics,
# so the block rules below narrow this for the external and captive portal
# interfaces only.
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic is allowed for those who have not clicked OK yet;
# only hosts in <wlportal> may reach the $publicnat ports (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state

# External interfaces are closed by default for everything not destined to the
# WL network; the specific services are opened again below (4)
block on $ext_if inet from any to !$wl_net
block on $inet_if inet from any to !$wl_net

# Allow internal WL traffic on alias $ext_if interfaces (5)
pass in quick on $ext_if from $wl_net to $wl_net
pass out quick on $ext_if from $wl_net to $wl_net

# Expose some local services for internal (NATted) network (4)
pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }

# Expose some local services for the external world (WWW) network (4)
# These are reachable from any source address; keep the lists above minimal.
pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
pass in on $ext_if from $private to $wl_net keep state

# Packets going out are the ones to the internet, with a per-source limit:
# at most 100 new connections per 10 seconds and 10 concurrent per source (1)
pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
 (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }

# For proper functioning allow the local machine to initiate requests outside + vpn (4)
pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }

# Uncomment to allow UDP traceroute from this host
#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state

# Do not allow connections to the local MGMT LAN to start (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network so DNS can function (3)
# NOTE(review): this rule only opens port domain; DHCP is not covered by it
# (DHCP broadcasts are not addressed to $private, so the block above should
# not affect them -- confirm on a node before relying on that).
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
