| 1 | #
|
|---|
| 2 | # Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
|
|---|
| 3 | #
|
|---|
| 4 | # N.B: The features points are shared between all firewall configurations to
|
|---|
| 5 | # make comparisions more easy to do
|
|---|
| 6 | #
|
|---|
| 7 | # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
|
|---|
| 8 | # 2) It supports incoming NAT from the private MGMT network, for maintenance use.
|
|---|
| 9 | # 3) It protects the private MGMT network from WL requests to it's own services.
|
|---|
| 10 | # 4) It portects the $ext_if by only allowing an subset of services.
|
|---|
| 11 | # 5) The Wireless Leiden facing interfaces are not firewalled.
|
|---|
| 12 | # 6) WL Captive Portal Support for interfaces who needs it.
|
|---|
| 13 | # 7) Optional: Exposure of WL services to the outside
|
|---|
| 14 | # 9) Protect the Wireless Network from junk traffic.
|
|---|
| 15 | #
|
|---|
| 16 | # Rick van der Zwet <rick@wirelessleiden.nl>
|
|---|
| 17 | #
|
|---|
| 18 |
|
|---|
| 19 | # Standard port allow listings
|
|---|
| 20 | allow_ext_in_tcp="ssh, domain"
|
|---|
| 21 | allow_ext_in_udp="domain, snmp"
|
|---|
| 22 |
|
|---|
| 23 | allow_ext_out_tcp = "domain, http, https, 1194"
|
|---|
| 24 | allow_ext_out_udp = "domain, ntp, 1194"
|
|---|
| 25 |
|
|---|
| 26 | # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
|
|---|
| 27 | # the public accesspoint in iLeiden setup.
|
|---|
| 28 | ext_if="vr0"
|
|---|
| 29 | ext_if_net="vr0:network"
|
|---|
| 30 | captive_portal_interfaces="wlan0"
|
|---|
| 31 | publicnat="http,https"
|
|---|
| 32 | masterip="127.0.0.1"
|
|---|
| 33 | # For an traditional proxy setup set (no iLeiden clients!), uncomment:
|
|---|
| 34 | #publicnat=0
|
|---|
| 35 |
|
|---|
| 36 | # Global standards. NOT to be edited.
|
|---|
| 37 | wl_net="172.16.0.0/12"
|
|---|
| 38 | private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
|
|---|
| 39 | ileiden_ports="http,https"
|
|---|
| 40 |
|
|---|
| 41 | # Always be nice, and return the fact we are blocking the packets
|
|---|
| 42 | set block-policy return
|
|---|
| 43 |
|
|---|
| 44 | # Table used to authorized hosts (6)
|
|---|
| 45 | table <wlportal> persist counters
|
|---|
| 46 |
|
|---|
| 47 | # NAT MGMT to Wireless Leiden (2)
|
|---|
| 48 | nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip
|
|---|
| 49 |
|
|---|
| 50 | # Do NOT allow NAT to the Private Network (3)
|
|---|
| 51 | no nat from $wl_net to $private
|
|---|
| 52 |
|
|---|
| 53 | # Nat the internet for iLeiden functionality (1)
|
|---|
| 54 | nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)
|
|---|
| 55 |
|
|---|
| 56 | # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
|
|---|
| 57 | rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
|
|---|
| 58 |
|
|---|
| 59 | # Redirect user to captive portal they have not clicked OK yet (6)
|
|---|
| 60 | no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
|
|---|
| 61 | rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
|
|---|
| 62 |
|
|---|
| 63 | # Localhost is considered safe (5)
|
|---|
| 64 | pass quick on lo0 all
|
|---|
| 65 |
|
|---|
| 66 | # By default all interfaces are open (5)
|
|---|
| 67 | pass all
|
|---|
| 68 |
|
|---|
| 69 | # By default deny all outgoing traffic to avoid systems spamming the network (9)
|
|---|
| 70 | block out on { $captive_portal_interfaces } from any to !$wl_net
|
|---|
| 71 |
|
|---|
| 72 | # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
|
|---|
| 73 | pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
|
|---|
| 74 |
|
|---|
| 75 | # External interface is permissive (4)
|
|---|
| 76 | block on $ext_if
|
|---|
| 77 |
|
|---|
| 78 | # Expose some local services (4)
|
|---|
| 79 | pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
|
|---|
| 80 | pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
|
|---|
| 81 | pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
|
|---|
| 82 |
|
|---|
| 83 | # Packets from the management LAN are allowed in (2)
|
|---|
| 84 | pass in on $ext_if from $private to $wl_net keep state
|
|---|
| 85 |
|
|---|
| 86 | # Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
|
|---|
| 87 | pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
|
|---|
| 88 |
|
|---|
| 89 | # Packets going out are the ones to the internet with an certain limit (1)
|
|---|
| 90 | pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
|
|---|
| 91 | (max-src-conn-rate 100/10, max-src-conn 10)
|
|---|
| 92 |
|
|---|
| 93 | # For proper functioning allow the local machine to initiate requests outside (4)
|
|---|
| 94 | pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
|
|---|
| 95 | pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
|
|---|
| 96 | pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
|
|---|
| 97 |
|
|---|
| 98 | # Do not allow connections to the local MGNT LAN to start (3)
|
|---|
| 99 | block out on $ext_if from any to $private
|
|---|
| 100 |
|
|---|
| 101 | # Limited acess PRIVATE network to allow DHCP/DNS to function (3)
|
|---|
| 102 | pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
|
|---|
| 103 |
|
|---|
| 104 | # Uncomment to allow limited access to MGNT interfaces ON the private network (3)
|
|---|
| 105 | #pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
|
|---|
| 106 |
|
|---|
