source: hybrid/branches/releng-9/nanobsd/files/etc/pf.hybrid.conf@ 12908

Last change on this file since 12908 was 11543, checked in by rick, 12 years ago

Make the concentrator OpenVPN work. Please do mind that it potentially breaks
the code for external interfaces which also have an internal link on it (like
the watertoren setup) and no concentrator setup.

File size: 5.2 KB
Line 
1#
2# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
3#
4# N.B: The features points are shared between all firewall configurations to
5# make comparisions more easy to do
6#
7# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
8# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
9# 3) It protects the private MGMT network from WL requests to it's own services.
10# 4) It portects the $ext_if by only allowing an subset of services.
11# 5) The Wireless Leiden facing interfaces are not firewalled.
12# 6) WL Captive Portal Support for interfaces who needs it.
13# 7) Optional: Exposure of WL services to the outside
14# 9) Protect the Wireless Network from junk traffic.
15#
16# Rick van der Zwet <rick@wirelessleiden.nl>
17#
18
19# Standard port allow listings
20allow_ext_in_tcp="ssh, domain, openvpn"
21allow_ext_in_udp="domain, snmp, openvpn"
22
23allow_ext_out_tcp = "domain, http, https, openvpn"
24allow_ext_out_udp = "domain, ntp, openvpn"
25
26
27# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
28# the public accesspoint in iLeiden setup, no aliases on interfaces.
29ext_if="vr0"
30ext_ip="(vr0:0)"
31inet_if="vr0"
32inet_ip="(vr0:0)"
33captive_portal_interfaces="wlan0"
34publicnat="http,https"
35masterip="127.0.0.1"
36# For an traditional proxy setup set (no iLeiden clients!), uncomment:
37#publicnat=0
38
39# Global standards. NOT to be edited.
40wl_net="172.16.0.0/12"
41private="{ 10.0.0.0/8, 192.168.0.0/16 }"
42ileiden_ports="http,https"
43
44# Always be nice, and return the fact we are blocking the packets
45set block-policy return
46
47# Table used to authorized hosts (6)
48table <wlportal> persist counters
49
50# NAT MGMT to Wireless Leiden (2)
51nat on ! $ext_if from $private to $wl_net -> $masterip
52
53# Do NOT allow NAT to the Private Network (3)
54no nat from $wl_net to $private
55
56# Nat the internet for iLeiden functionality (1)
57nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)
58
59
60# Redirect user to captive portal they have not clicked OK yet (6)
61no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
62rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
63
64# Load autogenerated entries, like the remote mappings (7)
65include "/etc/pf.hybrid.conf.local"
66
67# Make the device on WL find the proper gateway back (7)
68nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip
69
70# Special allow rules for inbound piercing (7)
71pass in quick on $ext_if inet tagged SRV keep state
72
73# Localhost is considered safe (5)
74pass quick on lo0 all
75
76# By default all interfaces are open (5)
77pass all
78
79# By default deny all outgoing traffic to avoid systems spamming the network (9)
80block out on { $captive_portal_interfaces } from any to !$wl_net
81
82# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
83pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
84
85# External interface is permissive (4)
86block on $ext_if inet from any to !$wl_net
87block on $inet_if inet from any to !$wl_net
88
89# Allow internal WL traffic on alias $ext_if interfaces (5)
90pass in quick on $ext_if from $wl_net to $wl_net
91pass out quick on $ext_if from $wl_net to $wl_net
92
93# Expose some local services (4)
94pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
95pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
96pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
97
98# Packets from the management LAN are allowed in (2)
99pass in on $ext_if from $private to $wl_net keep state
100
101# Packets going out are the ones to the internet with an certain limit (1)
102pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
103 (max-src-conn-rate 100/10, max-src-conn 10)
104
105# For proper functioning allow the local machine to initiate requests outside (4)
106pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
107pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
108pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
109
110# For proper functioning allow the local machine to initiate requests outside + vpn (4)
111pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
112pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
113pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }
114
115# Uncomment to UDP traceroute from this host to start
116#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
117#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state
118
119# Do not allow connections to the local MGNT LAN to start (3)
120block out on $ext_if from any to $private
121
122# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
123pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
124
125# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
126#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
127
Note: See TracBrowser for help on using the repository browser.