Changeset 10580 in hybrid for branches/releng-9.0/nanobsd/files


Timestamp: Apr 26, 2012, 11:14:59 AM
Author: rick
Message:

Cosmetics for pf.hybrid.conf and sync the pf.node.conf with needed rules, with
same format of pf.hybrid.conf.

(We might to inclusions using anchors) some-day to keep the rules synced, but
for now, just two files.

Location: branches/releng-9.0/nanobsd/files/etc
Files: 2 edited

  • branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

    r10579 r10580  
    11#
    2 # Wirless Leiden PF firewall configuration for Proxy Setup. This firewall has 5
    3 # main features:
     2# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
     3#
     4# N.B: The features points are shared between all firewall configurations to
     5# make comparisions more easy to do
    46#
    57# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
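Review bot: "comparisions" in the new header comment (line 5, "make comparisions more easy to do") should be "comparisons", and "more easy" reads better as "easier"; the same header text is copied into pf.node.conf in this changeset, so the typo should be fixed in both copies at once. The numbered feature list is what the "(n)" tags on the rules below refer to, so keeping the two headers word-for-word identical is worth the small extra care.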
     
    1315#    for normal proxy setup, which should NOT follow the iLeiden default route.
    1416# 9) Protect the Wireless Network from junk traffic.
     17#
     18# Rick van der Zwet <rick@wirelessleiden.nl>
     19#
    1520wl_net="172.16.0.0/12"
     21ileiden_ports="80,443"
    1622allow_ext_tcp="{ssh, domain}"
    1723allow_ext_udp="{domain, snmp}"
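Review bot: `ileiden_ports="80,443"` (line 21) is a bare comma-separated list, so every use site has to wrap it as `port { $ileiden_ports }`; defining it as `ileiden_ports="{ 80, 443 }"` would let the rules read `port $ileiden_ports` and removes the trap of someone writing `port $ileiden_ports` against the current definition, which expands to `port 80,443` and is not valid pf syntax without the braces. Since the same macro is duplicated into pf.node.conf, a comment noting that the two definitions must stay in sync would help until the anchor-based inclusion mentioned in the commit message exists.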
     
    4349
    4450# Nat the internet for iLeiden functionality (1)
    45 nat on $ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if)
     51nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
    4652
    4753# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
    48 nat on !$ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if)
     54nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
    4955
    50 
    51 # Redirection needs source natting and allow rules (see below) (7)
     56# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
    5257rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
    5358
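Review bot: "orginating" in the comment on line 53 should be "originating". The rdr on line 57 still hard-codes `172.16.4.46 port 80` while the two nat rules above were just moved onto the `$ileiden_ports` macro; a macro for the redirect target would follow the same spirit and make the host easy to change. The rewritten comment on line 56 now says the matching allow rules live at the bottom of the file, so a "(7)" tag on those pass rules lets a reader confirm the rdr really has its pass counterpart.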
     
    7075
    7176# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
    72 pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { 80, 443 } keep state
     77pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
    7378
    7479# External interface is permissive (4)
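Review bot: `keep state` on line 77 is redundant, because pass rules in the pf shipped with FreeBSD 9 keep state by default; harmless, but it can be dropped. The comment on line 76 should read "those who have not clicked OK yet". Note that this rule only opens TCP to `$ileiden_ports` for hosts in `<wlportal>`, so the macro now gates both the NAT (line 51) and the portal exception, which is exactly the consistency this change is after; just make sure the rdr to port 8081 on line 57 is not expected to be reachable from portal clients through this rule, since 8081 is not in the list.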
  • branches/releng-9.0/nanobsd/files/etc/pf.node.conf

    r10419 r10580  
    1 # Table used to authorized hosts
     1#
     2# Wireless Leiden PF firewall configuration for iLeiden Node.
     3#
     4# N.B: The features points are shared between all firewall configurations to
     5# make comparisions more easy to do
     6#
     7# 5) The Wireless Leiden facing interfaces are not firewalled.
     8# 6) WL Captive Portal Support for interfaces who needs it.
     9# 9) Protect the Wireless Network from junk traffic.
     10#
     11# Rick van der Zwet <rick@wirelessleiden.nl>
     12#
     13wl_net="172.16.0.0/12"
     14ileiden_ports="80,443"
     15
     16# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
     17# the public accesspoint in iLeiden setup.
     18captive_portal_interfaces="ue0, wlan0"
     19
     20# Table used to authorized hosts (6)
    221table <wlportal> persist counters
    322
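Review bot: "Table used to authorized hosts" on line 20 should read "Table of authorized hosts", and "comparisions" on line 5 should be "comparisons". The nat rule added later in this file (line 27) references `$ext_if`, but no `ext_if=` macro is defined anywhere in this hunk; confirm it is set in the unchanged lines (around line 23), because pfctl rejects the whole ruleset on an undefined macro. Line 16 describes ue0 as the public interface and then lists it in `captive_portal_interfaces`; if ue0 is also `$ext_if`, the `nat on !$ext_if` rule will not translate on it, so a one-line comment stating which interface is the uplink would prevent misreading.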
     
    524set block-policy return
    625
    7 # Localhost is considered safe and should thus not be filtered
    8 set skip on lo0
     26# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
     27nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
    928
    10 wl_net="172.16.0.0/12"
    11 #captive_ifs="vr0,vr1,vr2,ue0"
     29# Redirect user to captive portal they have not clicked OK yet (6)
     30no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
     31rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
    1232
    13 # Redirect user to captive portal they have not clicked OK yet.
    14 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
    15 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 127.0.0.1 port 8082
     33# Localhost is considered safe (5)
     34pass quick on lo0 all
    1635
    17 # Default allow
     36# By default all interfaces are open (5)
    1837pass all
     38
     39# By default deny all outgoing traffic to avoid systems spamming the network (9)
     40block out on { $captive_portal_interfaces } from any to !$wl_net
     41
     42# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
     43pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
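Review bot: replacing `set skip on lo0` with `pass quick on lo0 all` (lines 33-34) is not cosmetic: `set skip` takes lo0 out of pf processing entirely, whereas `pass quick` only short-circuits filtering, so the nat (line 27) and rdr (lines 30-31) translation rules are now evaluated on loopback traffic too. If the intent is to leave lo0 untouched, keep `set skip on lo0`; otherwise the commit message should say why the change was made. Likewise the rdr target moved from `127.0.0.1 port 8082` to `172.31.255.1 port 8081`, which changes where unauthenticated clients land and belongs in the commit message rather than under "cosmetics". The rule ordering is right: the `block out` on line 40 comes after `pass all` (line 37) and before the `pass out` on line 43, so last-match semantics give block-by-default with an exception for `<wlportal>` hosts. That block covers every protocol, so UDP and ICMP from authenticated hosts to addresses outside `$wl_net` are also refused (with a RST/ICMP reply, given `set block-policy return` on line 24); confirm that is intended. `keep state` on line 43 is redundant for a pass rule and can be dropped.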