Index: /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10446)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10446)
@@ -0,0 +1,63 @@
+#
+# Wirless Leiden PF firewall configuration for Proxy Setup. This firewall has 5
+# main features:
+#
+# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
+# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
+# 3) It protects the private MGMT network from WL requests to it's own services.
+# 4) It portects the $ext_if by only allowing an subset of services.
+# 5) The Wireless Leiden facing interfaces are not firewalled.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+wl_net="172.16.0.0/12"
+allow_ext_tcp="{ssh, domain}"
+allow_ext_udp="{domain, snmp}"
+private="{ 10.0.0.0/8 , 172.16.0.0/12, 192.168.0.0/16 }"
+
+# Always be nice, and return the fact we are blocking the packets
+set block-policy return
+
+# NAT MGMT to Wireless Leiden (2)
+nat on lo0 from $private to $wl_net -> (lo0)
+
+# Nat the internet but NOT to Private Network (1)
+nat on $ext_if inet proto tcp from $wl_net to any port {http,https} -> ($ext_if) 
+# Do NOT allow NAT to the Private Network (3)
+no nat log on $ext_if from $wl_net to $private
+
+# Localhost is considered safe (5)
+pass quick on lo0 all
+
+# By default all interfaces are open (5)
+pass all
+
+# External interface is permissive (4)
+block on $ext_if
+
+# Expose some local services (4)
+pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
+pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
+
+# Packets from the management LAN are allowed in (2)
+pass in on $ext_if from $private to $wl_net keep state
+
+# Packets going out are the ones to the internet with an certain limit (1)
+pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
+ (max-src-conn-rate 100/10, max-src-conn 10)
+
+# For proper functioning allow the local machine to initiate requests outside (4)
+pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
+
+# Do not allow connections to the local MGNT LAN to start (3)
+block out on $ext_if from any to $private
+
+# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
+pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
+
+# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
+#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
+
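Review bot: The `no nat log on $ext_if from $wl_net to $private` exception is placed after the http/https NAT rule, which makes it ineffective for those two ports, because pf evaluates translation rules first-match: a packet from $wl_net to $private on port 80 or 443 is already translated by `nat on $ext_if ... port {http,https}` before the `no nat` line is reached. Move the `no nat log on $ext_if from $wl_net to $private` line above the `nat on $ext_if` rule so the exception takes precedence. That NAT rule also hardcodes `{http,https}` while the matching `pass out` rule uses `port { $publicnat }`, so any extra port listed in publicnat would be passed out with an untranslated $wl_net source address; using `nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)` keeps the two in step. The comment `# External interface is permissive (4)` says the opposite of what `block on $ext_if` does; `# External interface is default-deny (4)` would match the rule.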
Index: /branches/releng-9.0/nanobsd/files/etc/rc.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10445)
+++ /branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10446)
@@ -67,2 +67,5 @@
 #pf_rules="/etc/pf.node.conf"
 #pf_flags="-D captive_portal_interfaces=wlan0,wlan1"
+# Used with Hybrid Configuration
+#pf_rules="/etc/pf.hybrid.conf"
+#pf_flags="-D ext_if=vr0 -D publicnat=80,443"
