source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.node.conf@ 10596

Last change on this file since 10596 was 10580, checked in by rick, 13 years ago

Cosmetics for pf.hybrid.conf and sync the pf.node.conf with needed rules, with
same format of pf.hybrid.conf.

(We might do inclusions using anchors) some day to keep the rules synced, but
for now, just two files.

File size: 1.6 KB
#
# Wireless Leiden PF firewall configuration for iLeiden Node.
#
# N.B: The feature points are shared between all firewall configurations to
# make comparisons easier.
#
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal support for interfaces that need it.
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#
wl_net="172.16.0.0/12"
ileiden_ports="80,443"

# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
# the public accesspoint in iLeiden setup.
captive_portal_interfaces="ue0, wlan0"

# Table of authorized hosts (6)
table <wlportal> persist counters

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# NAT to the internet for packets which originate from itself, for proxy functionality (8)
# Note: $ext_if is not defined in this file; it is assumed to be set before these rules are loaded.
nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)

# Redirect users who have not clicked OK yet to the captive portal (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic is allowed for those who have not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
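A small model of how the rules above decide, added here as an illustration and not part of the repository: each packet is evaluated the way pf does (translation first, then the last matching filter rule wins, except `quick` on lo0). The interfaces, ports, portal address and the <wlportal> table come from the file; NAT and state tracking are deliberately left out.

```python
import ipaddress

# Macros and table from pf.node.conf
WL_NET = ipaddress.ip_network("172.16.0.0/12")
ILEIDEN_PORTS = {80, 443}
CAPTIVE_IFACES = {"ue0", "wlan0"}
PORTAL = ("172.31.255.1", 8081)   # rdr target


def decide(iface, direction, src, dst, dport, proto="tcp", wlportal=frozenset()):
    """Return (action, (dst, dport)) for one packet under the pf.node.conf rules.

    wlportal is the set of source addresses the captive portal has authorized
    (the <wlportal> table). NAT and state tracking are not modelled.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    authorized = src in wlportal
    dest = (dst, dport)

    # Translation first: unauthorized WL clients heading for port 80 outside the
    # WL network are redirected to the portal; 'no rdr' exempts <wlportal> members.
    if (direction == "in" and iface in CAPTIVE_IFACES and proto == "tcp"
            and src_ip in WL_NET and dst_ip not in WL_NET and dport == 80
            and not authorized):
        dest = PORTAL

    # Filter rules see the translated destination; last match wins unless 'quick'.
    if iface == "lo0":                      # pass quick on lo0 all
        return ("pass", dest)
    action = "pass"                         # pass all
    if (direction == "out" and iface in CAPTIVE_IFACES
            and ipaddress.ip_address(dest[0]) not in WL_NET):
        action = "block"                    # block out ... to !$wl_net (9)
        if proto == "tcp" and authorized and dest[1] in ILEIDEN_PORTS:
            action = "pass"                 # pass out ... from <wlportal> ... port { 80,443 }
    return (action, dest)
```

Note that 172.31.255.1 lies inside 172.16.0.0/12, so a redirected packet is no longer "to !$wl_net" when the filter rules run and therefore leaves towards the portal unblocked.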