Index: /branches/releng-9.0/nanobsd/files/etc/ipfw.sh
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10205)
+++ /branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10206)
@@ -66,4 +66,4 @@
 for INF in $captive_portal_interfaces; do
   ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
-  ${fwcmd} add 11000 deny ip from any to any in via ${INF}
+  ${fwcmd} add 11000 deny ip from any to not 172.16.0.0/12 443 in via ${INF} 
 done
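Review bot: Rule 11000 changes from a catch-all `deny ip from any to any in via ${INF}` to a deny that matches only port 443 outside 172.16.0.0/12, so every other flow from an unauthenticated client on a captive-portal interface (TCP on other ports, all UDP, ICMP) now falls past 11000 to whatever rules follow it outside this hunk; if the intent is "redirect 80, refuse 443, drop the rest", the old catch-all still needs to exist after the new rule, e.g. `${fwcmd} add 11100 deny ip from any to any in via ${INF}`. As I read ipfw, a port qualifier on proto `ip` only matches packets that carry a transport port, so writing `${fwcmd} add 11000 deny tcp from any to not 172.16.0.0/12 443 in via ${INF}` states the intent precisely. The added line also ends in a trailing space.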
Index: /branches/releng-9.0/nanobsd/files/etc/pf.conf.ileiden
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.conf.ileiden	(revision 10205)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.conf.ileiden	(revision 10206)
@@ -2,13 +2,15 @@
 int_if="tap0" 
 wifi_if="wlan0"
+all_node="172.31.255.1/32"
 
 wl_net="172.16.0.0/12"
 vpn_net="172.17.64.0/28"
 
-publicnat="{80, 443}"
+publicnat="{80, 443, 22}"
 allow_ext_tcp="{22}"
 allow_ext_udp="{161}"
-allow_int_tcp="{22,53,80,3128,12345}"
-allow_int_udp="{53,67,68,131,161,12345}"
+allow_int_tcp="{22,53,80,3128}"
+allow_int_udp="{53,131,161,12345}"
+allow_int_udp_any="{67}"
 
 private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
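Review bot: `allow_int_udp` loses port 68 with no replacement, while 67 moves to the new `allow_int_udp_any` list that the later hunk passes from any to any; if replies to the DHCP client port are expected to ride on the state created by the port-67 rule, say so, otherwise 68 is silently closed on $int_if and $wifi_if. Adding 22 to `publicnat` also widens the "Allow internet access from the network" rule in the later hunk to outbound SSH from $wl_net to any host, which is a policy change that deserves a comment beside the list, e.g. `# 22: ssh egress from the wireless net is intentionally allowed`.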
@@ -18,6 +20,5 @@
 
 # Nat local wl access
-nat on $int_if from any to $wl_net -> ($int_if)
-pass on $ext_if from any to $wl_net keep state
+nat on $int_if from $private to $wl_net -> ($int_if)
 
 # Block all
@@ -25,21 +26,38 @@
 pass in on $int_if
 
+# Allow wl access from access point (not yet reversed)
+pass on $wifi_if from $wl_net to $wl_net
+
+# Block this device from wifi
+block in on $wifi_if inet from any to $wifi_if
+block inet from any to $all_node
+
+# Enable me to access anything
+pass out on {$ext_if, $int_if, $wifi_if} keep state
+
+# Allow internet access from the network
+pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state
+block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
+block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
+
+# Allow directives 
+pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
+pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+
+pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state
+pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state
+pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
+pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state
+
+pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state
+pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state
+pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state
+pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state
+
+# Allow wl access from local network
+pass on $ext_if from $private to $wl_net keep state
+
 # Make sure to block local network access from wl
 block on $wifi_if from $wl_net to $private
 block on $int_if from $wl_net to $private
 
-# Allow wl access from access point (not yet reversed)
-pass on $wifi_if from $wl_net to $wl_net
-
-# Allow directives 
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
-pass in on $int_if inet proto tcp from any to $vpn_net port $allow_int_tcp keep state
-pass in on $int_if inet proto udp from any to $vpn_net port $allow_int_udp keep state
-pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
-
-# Enable statefull firewalling
-pass out on {$ext_if, $int_if} keep state
-
-
-
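Review bot: The four new block rules (`block in on $wifi_if inet from any to $wifi_if`, `block inet from any to $all_node`, and the two `block in on $wifi_if ... port $publicnat` lines) have no `quick`, and pf applies the last matching rule, so the later `pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state` (and its udp/icmp siblings) re-opens ports 22, 53, 80 and 3128 on $wifi_if and on $all_node from the wireless network — 172.31.255.1 lies inside $wl_net 172.16.0.0/12 — which is exactly what the `port $publicnat` blocks try to prevent for 22. The `from any to any port $allow_int_udp_any` pass likewise overrides the $all_node block for port 67; if DHCP to this node is wanted, make that the stated exception rather than a side effect of rule order. Make the blocks final by adding `quick` to each of the four, e.g. `block in quick on $wifi_if inet from any to $wifi_if` and `block quick inet from any to $all_node`, or move them below the pass rules they are meant to win over.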
Index: /branches/releng-9.0/nanobsd/files/etc/rc.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10205)
+++ /branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10206)
@@ -58,4 +58,3 @@
 pf_enable="YES"
 pf_rules="/etc/pf.conf.ileiden"
-pf_flags=""
 pf2_enable="YES"
