Index: /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10586)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10589)
@@ -12,6 +12,4 @@
 # 6) WL Captive Portal Support for interfaces who needs it.
 # 7) Optional: Exposure of WL services to the outside
-# 8) Overrides default route for local orginating traffic to specific ports, needed for
-#    for normal proxy setup, which should NOT follow the iLeiden default route.
 # 9) Protect the Wireless Network from junk traffic.
 #
@@ -29,9 +27,8 @@
 ext_if="vr0"
 ext_if_net="vr0:network"
-ext_if_default_route="192.168.42.1"
 captive_portal_interfaces="wlan0"
 publicnat="http,https"
 masterip="127.0.0.1"
-# For an traditional proxy setup set, uncomment:
+# For an traditional proxy setup set (no iLeiden clients!), uncomment:
 #publicnat=0
 
@@ -51,7 +48,4 @@
 nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
 
-# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
-
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
@@ -66,8 +60,4 @@
 # By default all interfaces are open (5)
 pass all
-
-# This quirck is needed to override the routing table default route (8) 
-pass out on !$ext_if route-to ($ext_if $ext_if_default_route) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
-pass out on !$ext_if route-to ($ext_if $ext_if_default_route) proto udp from any to !$wl_net port {53} user != unknown keep state
 
 # By default deny all outgoing traffic to avoid systems spamming the network (9)
Index: /branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10586)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10589)
@@ -1,50 +1,110 @@
-all_node="172.31.255.1/32"
+#
+# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do 
+#
+# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
+# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
+# 3) It protects the private MGMT network from WL requests to it's own services.
+# 4) It portects the $ext_if by only allowing an subset of services.
+# 5) The Wireless Leiden facing interfaces are not firewalled.
+# 6) WL Captive Portal Support for interfaces who needs it.
+# 7) Optional: Exposure of WL services to the outside
+# 8) Overrides default route for local orginating traffic to specific ports, needed for
+#    for normal proxy setup, which should NOT follow the iLeiden default route.
+# 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
 wl_net="172.16.0.0/12"
-allow_ext_tcp="{22}"
-allow_ext_udp="{161}"
-allow_int_tcp="{22,3128}"
-allow_int_udp="{53,161,12345}"
-allow_int_udp_any="{67}"
+ileiden_ports="80,443"
+allow_ext_tcp="{ssh, domain}"
+allow_ext_udp="{domain, snmp}"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
-private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
 
-# Nat the internet
-nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if) 
+# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
+# the public accesspoint in iLeiden setup. 
+ext_if="vr0"
+ext_if_net="vr0:network"
+ext_if_gw="127.127.127.127"
+captive_portal_interfaces="wlan0"
+publicnat="http,https"
+masterip="127.0.0.1"
+# For an traditional proxy setup set, uncomment:
+#publicnat=0
 
-# Nat local wl access
-nat on $int_if from $private to $wl_net -> ($int_if)
+# Always be nice, and return the fact we are blocking the packets
+set block-policy return
 
-# Redirection, needs source natting and allow rules
-#rdr on $ext_if inet proto tcp from any to $ext_if port 1022 -> 192.168.84.1 port 22    
+# Table used to authorized hosts (6)
+table <wlportal> persist counters
 
-# Localhost is considered safe
+# NAT MGMT to Wireless Leiden (2)
+nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip
+
+# Do NOT allow NAT to the Private Network (3)
+no nat from $wl_net to $private
+
+# Nat the internet for iLeiden functionality (1)
+nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
+
+# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
+nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
+
+# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+
+# Redirect user to captive portal they have not clicked OK yet (6)
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+
+# Localhost is considered safe (5)
 pass quick on lo0 all
 
-# Block all
-block in on $ext_if from any to $ext_if
-block in on $int_if from any to $int_if
+# By default all interfaces are open (5)
+pass all
 
-# Allow private to private
-# Enable me to access anything
-pass out on {$ext_if, $int_if} keep state
+# This quirck is needed to override the routing table default route (8) 
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port {53} user != unknown keep state
 
-# Allow internet access from the network
-pass in on $int_if inet proto tcp from $wl_net to any port $publicnat keep state
-block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat
+# By default deny all outgoing traffic to avoid systems spamming the network (9)
+block out on { $captive_portal_interfaces } from any to !$wl_net
 
-# Allow directives 
+# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
+
+# External interface is permissive (4)
+block on $ext_if
+
+# Expose some local services (4)
 pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
 pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
-pass in on $int_if inet proto tcp from $wl_net to $int_if port $allow_int_tcp keep state
-pass in on $int_if inet proto udp from $wl_net to $int_if port $allow_int_udp keep state
-pass in on $int_if inet proto icmp from $wl_net to $int_if keep state
+# Packets from the management LAN are allowed in (2)
+pass in on $ext_if from $private to $wl_net keep state
 
-# Allow wl access from local network
-pass on $ext_if from $private to $wl_net keep state
+# Allow exposing some WL Services to the inet (7)
+pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
-# Make sure to block local network access from wl
-block on $int_if from $wl_net to $private
+# Packets going out are the ones to the internet with an certain limit (1)
+pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
+ (max-src-conn-rate 100/10, max-src-conn 10)
 
-# Otherwise lvrouted breaks:
-pass in on $int_if
+# For proper functioning allow the local machine to initiate requests outside (4)
+pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
+
+# Do not allow connections to the local MGNT LAN to start (3)
+block out on $ext_if from any to $private
+
+# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
+pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
+
+# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
+#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
+
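Review bot: `private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"` now contains 172.16.0.0/12, the same prefix as `$wl_net`, so the management-LAN rule `pass in on $ext_if from $private to $wl_net keep state` (2) accepts any packet arriving on the external interface that merely carries a Wireless Leiden source address, and `block out on $ext_if from any to $private` (3) also drops all egress on $ext_if toward the whole WL range; the list this replaces held only 10.0.0.0/8 and 192.168.0.0/16. If the overlap is intended, say so in a comment beside the definition; otherwise keep the MGMT prefixes in their own variable and use that in rules (2) and (3), and either way restore the missing comma before 192.168.0.0/16 (pf accepts whitespace-separated lists, but the other entries use commas). `ext_if_gw="127.127.127.127"` is consumed by the two `route-to ($ext_if $ext_if_gw)` rules (8); left at that value, locally originated tcp 22/80/443 and udp 53 leaving non-external interfaces are presumably handed to a next hop the external interface cannot resolve, so add `# ext_if_gw: set to the real upstream gateway of $ext_if; the loopback-range value is only a placeholder` above it. The comment `# External interface is permissive (4)` contradicts the `block on $ext_if` it labels; `# External interface is default-deny: only the services listed below are reachable (4)` describes the rule.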
