Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

pf.conf@ 10407

Last change on this file since 10407 was 10242, checked in by richardvm, 13 years ago
sync pf setup of hybrid with that of the proxies.
File size: 2.1 KB

Line
1	wifi_if="wlan0"
2	all_node="172.31.255.1/32"
3
4	wl_net="172.16.0.0/12"
5	vpn_net="172.17.64.0/28"
6	allow_ext_tcp="{22}"
7	allow_ext_udp="{161}"
8	allow_int_tcp="{22,53,80,3128}"
9	allow_int_udp="{53,131,161,12345}"
10	allow_int_udp_any="{67}"
11
12	private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
13
14	# Nat the internet
15	nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if)
16
17	# Nat local wl access
18	nat on $int_if from $private to $wl_net -> ($int_if)
19
20	# Block all
21	block in on $ext_if
22	pass in on $int_if
23
24	# Allow wl access from access point (not yet reversed)
25	pass on $wifi_if from $wl_net to $wl_net
26
27	# Block this device from wifi
28	block in on $wifi_if inet from any to $wifi_if
29	block inet from any to $all_node
30
31	# Enable me to access anything
32	pass out on {$ext_if, $int_if, $wifi_if} keep state
33
34	# Allow internet access from the network
35	pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state
36	block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
37	block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
38
39	# Allow directives
40	pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
41	pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
42
43	pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state
44	pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state
45	pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
46	pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state
47
48	pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state
49	pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state
50	pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state
51	pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state
52
53	# Allow wl access from local network
54	pass on $ext_if from $private to $wl_net keep state
55
56	# Make sure to block local network access from wl
57	block on $wifi_if from $wl_net to $private
58	block on $int_if from $wl_net to $private
59

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format