source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf@ 10694

#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The features points are shared between all firewall configurations to
# make comparisions more easy to do 
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to it's own services.
# 4) It portects the $ext_if by only allowing an subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces who needs it.
# 7) Optional: Exposure of WL services to the outside
# 8) Overrides default route for local orginating traffic to specific ports, needed for
#    for normal proxy setup, which should NOT follow the iLeiden default route.
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#

# Standard port allow listings
allow_ext_in_tcp="ssh, domain"
allow_ext_in_udp="domain, snmp"

allow_ext_out_tcp = "domain, http, https, 1194"
allow_ext_out_udp = "domain, ntp, 1194"

# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup. 
ext_if="vr0"
ext_if_net="vr0:network"
ext_if_gw="127.127.127.127"
captive_portal_interfaces="wlan0"
#publicnat="http,https"
masterip="127.0.0.1"
# For an traditional proxy setup set, uncomment:
publicnat=0

# Global standards. NOT to be edited.
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
ileiden_ports="http,https"


# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Table used to authorized hosts (6)
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2)
nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3)
no nat from $wl_net to $private

# Nat the internet for iLeiden functionality (1)
nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 

# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
nat on !$ext_if inet proto tcp from $wl_net to any port { $allow_ext_out_tcp } -> ($ext_if) 
nat on !$ext_if inet proto udp from $wl_net to any port { $allow_ext_out_udp } -> ($ext_if) 

# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http

# Redirect user to captive portal they have not clicked OK yet (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# This quirck is needed to override the routing table default route (8) 
pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { $allow_ext_out_tcp } user != unknown keep state
pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { $allow_ext_out_udp } user != unknown keep state

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state

# External interface is permissive (4)
block on $ext_if

# Expose some local services (4)
pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
pass in on $ext_if from $private to $wl_net keep state

# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state

# Packets going out are the ones to the internet with an certain limit (1)
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
 (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGNT LAN to start (3)
block out on $ext_if from any to $private

# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state