source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.node.conf@ 10580

#
# Wireless Leiden PF firewall configuration for iLeiden Node.
#
# N.B: The features points are shared between all firewall configurations to
# make comparisions more easy to do 
#
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces who needs it.
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#
wl_net="172.16.0.0/12"
ileiden_ports="80,443"

# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
# the public accesspoint in iLeiden setup. 
captive_portal_interfaces="ue0, wlan0"

# Table used to authorized hosts (6)
table <wlportal> persist counters

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 

# Redirect user to captive portal they have not clicked OK yet (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state