Timestamp:
Apr 29, 2012, 1:51:20 PM (13 years ago)
Author:
rick
Message:

Makes variables and templates much cleaner allowing easy edits and mutations.
Stop hiding logic in duplicate places.

Related-To: nodefactory#129

File:
1 edited

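--- a/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
@@ -18,10 +18,11 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
-wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
-allow_ext_tcp="{ssh, domain}"
-allow_ext_udp="{domain, snmp}"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain"
+allow_ext_in_udp="domain, snmp"
+
+allow_ext_out_tcp = "domain, http, https, 1194"
+allow_ext_out_udp = "domain, ntp, 1194"
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
@@ -31,8 +32,14 @@
 ext_if_gw="127.127.127.127"
 captive_portal_interfaces="wlan0"
-publicnat="http,https"
+#publicnat="http,https"
 masterip="127.0.0.1"
 # For an traditional proxy setup set, uncomment:
-#publicnat=0
+publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
 
 # Always be nice, and return the fact we are blocking the packets
@@ -49,15 +56,16 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)
 
 # Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
+nat on !$ext_if inet proto tcp from $wl_net to any port { $allow_ext_out_tcp } -> ($ext_if)
+nat on !$ext_if inet proto udp from $wl_net to any port { $allow_ext_out_udp } -> ($ext_if)
 
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
@@ -68,6 +76,6 @@
 
 # This quirck is needed to override the routing table default route (8)
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port {53} user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { $allow_ext_out_tcp } user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { $allow_ext_out_udp } user != unknown keep state
 
 # By default deny all outgoing traffic to avoid systems spamming the network (9)
@@ -81,6 +89,6 @@
 
 # Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
@@ -88,5 +96,5 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some WL Services to the inet (7)
+# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
@@ -96,6 +104,6 @@
 
 # For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state
-pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
 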
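Review bot: The macro consolidation silently changes the effective policy rather than only renaming: the `nat on !$ext_if` rules (new lines 61-62) widen the NAT'd TCP ports from http,https to `$allow_ext_out_tcp` (domain, http, https, 1194) and add a UDP NAT for domain, ntp, 1194; the `route-to` rules (new lines 78-79) drop ssh (22) while adding domain and 1194; and the `pass out on $ext_if` rules (new lines 106-107) gain TCP domain and UDP ntp, none of which the commit message mentions. If the widenings and the ssh removal are intended, state them in the message; otherwise keep a separate macro for the rules whose port sets differed, e.g. `route_out_tcp="ssh, http, https"` for the route-to rule. A second, smaller point: with `publicnat=0` (new line 37) the rule at new line 58 expands to `port { 0 }`, which appears to be relied on to match nothing, and `ileiden_ports` (new line 42) seems to have lost both of its former consumers in the visible hunks. A comment next to the sentinel would make that explicit, such as `# 0 = no public NAT: the nat rule below expands to "port { 0 }" and matches no traffic`, and `ileiden_ports` should either be referenced somewhere or dropped.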