Changeset 10580 in hybrid for branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

Timestamp:

Apr 26, 2012, 11:14:59 AM (13 years ago)

Author:

rick

Message:

Cosmetics for pf.hybrid.conf and sync the pf.node.conf with needed rules, with
same format of pf.hybrid.conf.

(We might to inclusions using anchors) some-day to keep the rules synced, but
for now, just two files.

File:

• branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf (modified) (4 diffs)

branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

@@ -1 +1 @@
 #
-# Wirless Leiden PF firewall configuration for Proxy Setup. This firewall has 5
-# main features:
+# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do 
 #
 # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
@@ -13 +15 @@
 #    for normal proxy setup, which should NOT follow the iLeiden default route.
 # 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
 wl_net="172.16.0.0/12"
+ileiden_ports="80,443"
 allow_ext_tcp="{ssh, domain}"
 allow_ext_udp="{domain, snmp}"
@@ -43 +49 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if) 
+nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
 
 # Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if) 
+nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
 
-
-# Redirection needs source natting and allow rules (see below) (7)
+# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
 
@@ -70 +75 @@
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { 80, 443 } keep state
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
 
 # External interface is permissive (4)