1 | #
|
---|
2 | # Wireless Leiden PF firewall configuration for iLeiden Node.
|
---|
3 | #
|
---|
4 | # N.B: The features points are shared between all firewall configurations to
|
---|
5 | # make comparisions more easy to do
|
---|
6 | #
|
---|
7 | # 5) The Wireless Leiden facing interfaces are not firewalled.
|
---|
8 | # 6) WL Captive Portal Support for interfaces who needs it.
|
---|
9 | # 9) Protect the Wireless Network from junk traffic.
|
---|
10 | #
|
---|
11 | # Rick van der Zwet <rick@wirelessleiden.nl>
|
---|
12 | #
|
---|
13 |
|
---|
14 | # Global standards. NOT to be edited.
|
---|
15 | wl_net="172.16.0.0/12"
|
---|
16 | private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
|
---|
17 | ileiden_ports="http,https"
|
---|
18 | publicnat="http,https"
|
---|
19 |
|
---|
20 | # Default configuration for ALIX2 with ue0 as public interface and wlan0 as
|
---|
21 | # the public accesspoint in iLeiden setup.
|
---|
22 | captive_portal_interfaces="ue0, wlan0"
|
---|
23 |
|
---|
24 | # Table used to authorized hosts (6)
|
---|
25 | table <wlportal> persist counters
|
---|
26 |
|
---|
27 | # Always be nice, and return the fact we are blocking the packets
|
---|
28 | set block-policy return
|
---|
29 |
|
---|
30 | # Redirect user to captive portal they have not clicked OK yet (6)
|
---|
31 | no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
|
---|
32 | rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
|
---|
33 |
|
---|
34 | # Localhost is considered safe (5)
|
---|
35 | pass quick on lo0 all
|
---|
36 |
|
---|
37 | # By default all interfaces are open (5)
|
---|
38 | pass all
|
---|
39 |
|
---|
40 | # By default deny all outgoing traffic to avoid systems spamming the network (9)
|
---|
41 | block in on { $captive_portal_interfaces } from any to !$wl_net
|
---|
42 |
|
---|
43 | # Quickly drop out, with nice return value, avoiding endless connections on portal setup (6)
|
---|
44 | block return in quick on { $captive_portal_interfaces } proto tcp from !<wlportal> to !$wl_net port { $publicnat }
|
---|
45 |
|
---|
46 | # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
|
---|
47 | pass in on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
|
---|