source: hybrid/branches/releng-11/nanobsd/files/etc/pf.node.conf@ 14262

#
# Wireless Leiden PF firewall configuration for iLeiden Node.
#
# N.B: The features points are shared between all firewall configurations to
# make comparisions more easy to do 
#
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces who needs it.
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#

# Global standards. NOT to be edited.
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
ileiden_ports="http,https"
publicnat="http,https"

# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
# the public accesspoint in iLeiden setup. 
captive_portal_interfaces="ue0, wlan0"

# Table used to authorized hosts (6)
table <wlportal> persist counters

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Redirect user to captive portal they have not clicked OK yet (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block in on { $captive_portal_interfaces } from any to !$wl_net

# Quickly drop out, with nice return value, avoiding endless connections on portal setup (6)
block return in quick on { $captive_portal_interfaces } proto tcp from !<wlportal> to !$wl_net port { $publicnat }

# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
pass in on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state