Timestamp: Apr 26, 2012, 11:14:59 AM
Author: rick
Message:

Cosmetics for pf.hybrid.conf and sync the pf.node.conf with needed rules, with
same format of pf.hybrid.conf.

(We might do inclusions using anchors) some day to keep the rules synced, but
for now, just two files.

File: 1 edited

  • branches/releng-9.0/nanobsd/files/etc/pf.node.conf

    r10419 (old) vs r10580 (new)
    1 # Table used to authorized hosts
     1#
     2# Wireless Leiden PF firewall configuration for iLeiden Node.
     3#
     4# N.B: The features points are shared between all firewall configurations to
     5# make comparisions more easy to do
     6#
     7# 5) The Wireless Leiden facing interfaces are not firewalled.
     8# 6) WL Captive Portal Support for interfaces who needs it.
     9# 9) Protect the Wireless Network from junk traffic.
     10#
     11# Rick van der Zwet <rick@wirelessleiden.nl>
     12#
     13wl_net="172.16.0.0/12"
     14ileiden_ports="80,443"
     15
     16# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
     17# the public accesspoint in iLeiden setup.
     18captive_portal_interfaces="ue0, wlan0"
     19
     20# Table used to authorized hosts (6)
    221table <wlportal> persist counters
    322
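Review bot: the macro block (new lines 13-18) defines wl_net, ileiden_ports and captive_portal_interfaces but never ext_if, which the nat rule further down (new line 27, `nat on !$ext_if ... -> ($ext_if)`) expands; pfctl rejects the whole ruleset with a "macro 'ext_if' not defined" error unless the macro is supplied some other way, e.g. `pfctl -D ext_if=ue0 -f pf.node.conf`. Since the header comment already calls ue0 the public interface, adding `ext_if="ue0"` next to the other macros is the obvious fix. Also, the header lists feature points 5, 6 and 9 but a rule later cites (8), so that point should appear in the list here, and "comparisions" should read "comparisons".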
     
    524set block-policy return
    625
    7 # Localhost is considered safe and should thus not be filtered
    8 set skip on lo0
     26# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
     27nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
    928
    10 wl_net="172.16.0.0/12"
    11 #captive_ifs="vr0,vr1,vr2,ue0"
     29# Redirect user to captive portal they have not clicked OK yet (6)
     30no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
     31rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
    1232
    13 # Redirect user to captive portal they have not clicked OK yet.
    14 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
    15 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 127.0.0.1 port 8082
     33# Localhost is considered safe (5)
     34pass quick on lo0 all
    1635
    17 # Default allow
     36# By default all interfaces are open (5)
    1837pass all
     38
     39# By default deny all outgoing traffic to avoid systems spamming the network (9)
     40block out on { $captive_portal_interfaces } from any to !$wl_net
     41
     42# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
     43pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
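Review bot: the `block out on { $captive_portal_interfaces } from any to !$wl_net` rule (new line 40) may never be evaluated for forwarded client traffic. `pass all` (line 37) keeps state by default on the pf in releng-9.0, and states are floating unless `set state-policy if-bound` is set, so a packet admitted inbound on wlan0 creates a state that the same packet matches again on its way out, and the out ruleset is skipped entirely. Worth confirming on a node with `pfctl -s state`; if it bypasses, either add `set state-policy if-bound` beside `set block-policy return` or express the captive-portal restriction as `in` rules on the same interfaces. Separately, the redirect target moves from 127.0.0.1 port 8082 to 172.31.255.1 port 8081 (line 31), which is a behaviour change rather than the cosmetics the commit message describes, and it requires the portal to listen on 172.31.255.1:8081; the commit message should say so. One consequence worth noting is that 172.31.255.1 falls inside 172.16.0.0/12, so redirected requests are not caught by the block out rule. Typo: "orginating" on line 26.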