Changeset 10206 in hybrid for branches/releng-9.0/nanobsd/files

Timestamp:

Mar 17, 2012, 5:45:39 PM (13 years ago)

Author:

richardvm

Message:

firewalling a bit better

Location:

branches/releng-9.0/nanobsd/files/etc

Files:

• ipfw.sh (modified) (1 diff)
• pf.conf.ileiden (modified) (3 diffs)
• rc.conf (modified) (1 diff)

branches/releng-9.0/nanobsd/files/etc/ipfw.sh

@@ -66 +66 @@
 for INF in $captive_portal_interfaces; do
   ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
-  ${fwcmd} add 11000 deny ip from any to any in via ${INF}
+  ${fwcmd} add 11000 deny ip from any to not 172.16.0.0/12 443 in via ${INF} 
 done

branches/releng-9.0/nanobsd/files/etc/pf.conf.ileiden

@@ -2 +2 @@
 int_if="tap0" 
 wifi_if="wlan0"
+all_node="172.31.255.1/32"
 
 wl_net="172.16.0.0/12"
 vpn_net="172.17.64.0/28"
 
-publicnat="{80, 443}"
+publicnat="{80, 443, 22}"
 allow_ext_tcp="{22}"
 allow_ext_udp="{161}"
-allow_int_tcp="{22,53,80,3128,12345}"
-allow_int_udp="{53,67,68,131,161,12345}"
+allow_int_tcp="{22,53,80,3128}"
+allow_int_udp="{53,131,161,12345}"
+allow_int_udp_any="{67}"
 
 private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
@@ -18 +20 @@
 
 # Nat local wl access
-nat on $int_if from any to $wl_net -> ($int_if)
-pass on $ext_if from any to $wl_net keep state
+nat on $int_if from $private to $wl_net -> ($int_if)
 
 # Block all
@@ -25 +26 @@
 pass in on $int_if
 
+# Allow wl access from access point (not yet reversed)
+pass on $wifi_if from $wl_net to $wl_net
+
+# Block this device from wifi
+block in on $wifi_if inet from any to $wifi_if
+block inet from any to $all_node
+
+# Enable me to access anything
+pass out on {$ext_if, $int_if, $wifi_if} keep state
+
+# Allow internet access from the network
+pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state
+block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
+block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
+
+# Allow directives 
+pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
+pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+
+pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state
+pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state
+pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
+pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state
+
+pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state
+pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state
+pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state
+pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state
+
+# Allow wl access from local network
+pass on $ext_if from $private to $wl_net keep state
+
 # Make sure to block local network access from wl
 block on $wifi_if from $wl_net to $private
 block on $int_if from $wl_net to $private
 
-# Allow wl access from access point (not yet reversed)
-pass on $wifi_if from $wl_net to $wl_net
-
-# Allow directives 
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
-pass in on $int_if inet proto tcp from any to $vpn_net port $allow_int_tcp keep state
-pass in on $int_if inet proto udp from any to $vpn_net port $allow_int_udp keep state
-pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
-
-# Enable statefull firewalling
-pass out on {$ext_if, $int_if} keep state
-
-
-

branches/releng-9.0/nanobsd/files/etc/rc.conf

@@ -58 +58 @@
 pf_enable="YES"
 pf_rules="/etc/pf.conf.ileiden"
-pf_flags=""
 pf2_enable="YES"