Changeset 10610 in hybrid
- Timestamp:
- Apr 29, 2012, 1:51:20 PM (13 years ago)
- Location:
- branches/releng-9.0/nanobsd/files/etc
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
r10606 r10610 16 16 # Rick van der Zwet <rick@wirelessleiden.nl> 17 17 # 18 wl_net="172.16.0.0/12"19 ileiden_ports="80,443"20 allow_ext_tcp="{ssh, domain}"21 allow_ext_udp="{domain, snmp}"22 private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"23 18 19 # Standard port allow listings 20 allow_ext_in_tcp="ssh, domain" 21 allow_ext_in_udp="domain, snmp" 22 23 allow_ext_out_tcp = "domain, http, https, 1194" 24 allow_ext_out_udp = "domain, ntp, 1194" 24 25 25 26 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as … … 32 33 # For an traditional proxy setup set (no iLeiden clients!), uncomment: 33 34 #publicnat=0 35 36 # Global standards. NOT to be edited. 37 wl_net="172.16.0.0/12" 38 private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }" 39 ileiden_ports="http,https" 34 40 35 41 # Always be nice, and return the fact we are blocking the packets … … 46 52 47 53 # Nat the internet for iLeiden functionality (1) 48 nat on $ext_if inet proto tcp from $wl_net to any port { $ ileiden_ports} -> ($ext_if)54 nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 49 55 50 56 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7) 51 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 8057 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http 52 58 53 59 # Redirect user to captive portal they have not clicked OK yet (6) 54 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 8055 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80-> 172.31.255.1 port 808160 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http 61 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081 56 62 57 63 # Localhost is considered safe (5) … … 65 71 66 72 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6) 67 pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ ileiden_ports} keep state73 pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state 68 74 69 75 # External interface is permissive (4) … … 71 77 72 78 # Expose some local services (4) 73 pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcpkeep state74 pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udpkeep state79 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state 80 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state 75 81 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq } 76 82 … … 78 84 pass in on $ext_if from $private to $wl_net keep state 79 85 80 # Allow exposing some WL Services to the inet(7)86 # Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7) 81 87 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state 82 88 … … 86 92 87 93 # For proper functioning allow the local machine to initiate requests outside (4) 88 pass out on $ext_if inet proto udp from $ext_if to any port {domain, 1194, ntp} keep state89 pass out on $ext_if inet proto tcp from $ext_if to any port {http, https, 1194} keep state94 pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state 95 pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state 90 96 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq } 91 97 -
branches/releng-9.0/nanobsd/files/etc/pf.node.conf
r10580 r10610 11 11 # Rick van der Zwet <rick@wirelessleiden.nl> 12 12 # 13 14 # Global standards. NOT to be edited. 13 15 wl_net="172.16.0.0/12" 14 ileiden_ports="80,443" 16 private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }" 17 ileiden_ports="http,https" 18 15 19 16 20 # Default configuration for ALIX2 with ue0 as public interface and wlan0 as -
branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
r10589 r10610 18 18 # Rick van der Zwet <rick@wirelessleiden.nl> 19 19 # 20 wl_net="172.16.0.0/12"21 ileiden_ports="80,443"22 allow_ext_tcp="{ssh, domain}"23 allow_ext_udp="{domain, snmp}"24 private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"25 20 21 # Standard port allow listings 22 allow_ext_in_tcp="ssh, domain" 23 allow_ext_in_udp="domain, snmp" 24 25 allow_ext_out_tcp = "domain, http, https, 1194" 26 allow_ext_out_udp = "domain, ntp, 1194" 26 27 27 28 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as … … 31 32 ext_if_gw="127.127.127.127" 32 33 captive_portal_interfaces="wlan0" 33 publicnat="http,https"34 #publicnat="http,https" 34 35 masterip="127.0.0.1" 35 36 # For an traditional proxy setup set, uncomment: 36 #publicnat=0 37 publicnat=0 38 39 # Global standards. NOT to be edited. 40 wl_net="172.16.0.0/12" 41 private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }" 42 ileiden_ports="http,https" 43 37 44 38 45 # Always be nice, and return the fact we are blocking the packets … … 49 56 50 57 # Nat the internet for iLeiden functionality (1) 51 nat on $ext_if inet proto tcp from $wl_net to any port { $ ileiden_ports} -> ($ext_if)58 nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 52 59 53 60 # Nat to the internet for packets which are orginating from itself for proxy functionality (8) 54 nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 61 nat on !$ext_if inet proto tcp from $wl_net to any port { $allow_ext_out_tcp } -> ($ext_if) 62 nat on !$ext_if inet proto udp from $wl_net to any port { $allow_ext_out_udp } -> ($ext_if) 55 63 56 64 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7) 57 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 8065 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http 58 66 59 67 # Redirect user to captive portal they have not clicked OK yet (6) 60 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 8061 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80-> 172.31.255.1 port 808168 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http 69 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081 62 70 63 71 # Localhost is considered safe (5) … … 68 76 69 77 # This quirck is needed to override the routing table default route (8) 70 pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { 22, 80, 443} user != unknown keep state71 pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { 53} user != unknown keep state78 pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { $allow_ext_out_tcp } user != unknown keep state 79 pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { $allow_ext_out_udp } user != unknown keep state 72 80 73 81 # By default deny all outgoing traffic to avoid systems spamming the network (9) … … 81 89 82 90 # Expose some local services (4) 83 pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcpkeep state84 pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udpkeep state91 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state 92 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state 85 93 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq } 86 94 … … 88 96 pass in on $ext_if from $private to $wl_net keep state 89 97 90 # Allow exposing some WL Services to the inet(7)98 # Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7) 91 99 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state 92 100 … … 96 104 97 105 # For proper functioning allow the local machine to initiate requests outside (4) 98 pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state99 pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state106 pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state 107 pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state 100 108 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq } 101 109
Note:
See TracChangeset
for help on using the changeset viewer.