Changeset 10610 in hybrid for branches/releng-9.0


Timestamp:
Apr 29, 2012, 1:51:20 PM (13 years ago)
Author:
rick
Message:

Makes variables and templates much cleaner, allowing easy edits and mutations.
Stop hiding logic in duplicate places.

Related-To: nodefactory#129

Location:
branches/releng-9.0/nanobsd/files/etc
Files:
3 edited

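--- a/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
@@ -16,10 +16,11 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
-wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
-allow_ext_tcp="{ssh, domain}"
-allow_ext_udp="{domain, snmp}"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain"
+allow_ext_in_udp="domain, snmp"
+
+allow_ext_out_tcp = "domain, http, https, 1194"
+allow_ext_out_udp = "domain, ntp, 1194"
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
@@ -32,4 +33,9 @@
 # For an traditional proxy setup set (no iLeiden clients!), uncomment:
 #publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
 
 # Always be nice, and return the fact we are blocking the packets
@@ -46,12 +52,12 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)
 
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
@@ -65,5 +71,5 @@
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
 
 # External interface is permissive (4)
@@ -71,6 +77,6 @@
 
 # Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
@@ -78,5 +84,5 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some WL Services to the inet (7)
+# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
@@ -86,6 +92,6 @@
 
 # For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194, ntp} keep state
-pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
 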
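Review bot: In the second hunk `ileiden_ports="http,https"` is kept under "Global standards. NOT to be edited.", yet every rule in this file that used `{ $ileiden_ports }` (the `nat on $ext_if` rule and the captive-portal `pass out`) now expands `$publicnat` instead, so on the visible new side the macro is defined but never referenced; if nothing outside these hunks consumes it, it is dead configuration that a reader will mistake for the authoritative port list. Either drop it or put a comment beside it naming the rule that still uses it. In the first hunk the two new macros are written `allow_ext_out_tcp = "domain, http, https, 1194"` and `allow_ext_out_udp = "domain, ntp, 1194"` with spaces around `=`, unlike every other assignment in the file (`allow_ext_in_tcp="ssh, domain"`); pf accepts both forms, but one style should be used, e.g. `allow_ext_out_tcp="domain, http, https, 1194"`. The same two points apply to the first hunk of pf.proxy.conf.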
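--- a/branches/releng-9.0/nanobsd/files/etc/pf.node.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.node.conf
@@ -11,6 +11,10 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
+
+# Global standards. NOT to be edited.
 wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
 
 # Default configuration for ALIX2 with ue0 as public interface and wlan0 as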
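Review bot: The `# Global standards. NOT to be edited.` block (`wl_net`, `private`, `ileiden_ports`) is added here verbatim and again in pf.hybrid.conf and pf.proxy.conf, so the values the comment calls global live in three hand-maintained copies; a later edit to one of them — for example widening `private`, which the `pass in on $ext_if from $private to $wl_net keep state` rule in the other two files trusts — would silently diverge from the rest. If these files are rendered from a template, a comment naming that template would tell the reader where the single source is; if not, the comment should at least say that the three files must be kept identical here, e.g. `# Global standards. NOT to be edited - keep identical in pf.hybrid.conf, pf.node.conf and pf.proxy.conf`. `private` is also introduced into this file without a visible consumer; the rest of the file is outside the hunk, so confirm a rule below actually expands it.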
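--- a/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
@@ -18,10 +18,11 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
-wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
-allow_ext_tcp="{ssh, domain}"
-allow_ext_udp="{domain, snmp}"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain"
+allow_ext_in_udp="domain, snmp"
+
+allow_ext_out_tcp = "domain, http, https, 1194"
+allow_ext_out_udp = "domain, ntp, 1194"
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
@@ -31,8 +32,14 @@
 ext_if_gw="127.127.127.127"
 captive_portal_interfaces="wlan0"
-publicnat="http,https"
+#publicnat="http,https"
 masterip="127.0.0.1"
 # For an traditional proxy setup set, uncomment:
-#publicnat=0
+publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
 
 # Always be nice, and return the fact we are blocking the packets
@@ -49,15 +56,16 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)
 
 # Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
+nat on !$ext_if inet proto tcp from $wl_net to any port { $allow_ext_out_tcp } -> ($ext_if)
+nat on !$ext_if inet proto udp from $wl_net to any port { $allow_ext_out_udp } -> ($ext_if)
 
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
@@ -68,6 +76,6 @@
 
 # This quirck is needed to override the routing table default route (8)
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port {53} user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { $allow_ext_out_tcp } user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { $allow_ext_out_udp } user != unknown keep state
 
 # By default deny all outgoing traffic to avoid systems spamming the network (9)
@@ -81,6 +89,6 @@
 
 # Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
@@ -88,5 +96,5 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some WL Services to the inet (7)
+# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
@@ -96,6 +104,6 @@
 
 # For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state
-pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
 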
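Review bot: The second hunk now sets `publicnat=0` while the third hunk rewrites the NAT rule as `nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)`, so the loaded rule reads `port { 0 }`; as I read pf's port matching that matches no real packet rather than removing the rule, and the same holds for any other rule that expands `$publicnat` (the captive-portal `pass out` in pf.hybrid.conf does). That is presumably the intended off switch, but nothing in the file says so, and a reviewer seeing `port { 0 }` in `pfctl -sn` output will wonder whether it is a typo; a comment on the assignment would make the mechanism explicit, e.g. `# publicnat=0 expands to "port { 0 }": the iLeiden NAT rule matches nothing and is effectively disabled`. The comment just above it, `# For an traditional proxy setup set, uncomment:`, is now stale on the new side because the line below it (`publicnat=0`) is already uncommented and the alternative `#publicnat="http,https"` sits three lines higher; reword it to describe the choice, e.g. `# Proxy setup: publicnat=0. For iLeiden NAT use publicnat="http,https" instead.`. The rest of the rule set is outside these hunks.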