Index: /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10609)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10610)
@@ -16,10 +16,11 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
-wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
-allow_ext_tcp="{ssh, domain}"
-allow_ext_udp="{domain, snmp}"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain"
+allow_ext_in_udp="domain, snmp"
+
+allow_ext_out_tcp = "domain, http, https, 1194"
+allow_ext_out_udp = "domain, ntp, 1194"
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
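Review bot: The new macro block mixes two spellings: `allow_ext_in_tcp="ssh, domain"` on L15/L16 has no spaces around `=`, while `allow_ext_out_tcp = "domain, http, https, 1194"` on L18/L19 does; pfctl accepts both, but the rest of the file uses the compact form, so `allow_ext_out_tcp="domain, http, https, 1194"` and `allow_ext_out_udp="domain, ntp, 1194"` would match it. The same pair appears in the pf.proxy.conf hunk at L110–L115. The heading on L14 could also record the convention change: the removed `allow_ext_tcp` macros carried their own braces, the new ones are bare lists that each rule wraps in `{ }`, so `# Standard port allow listings (bare lists; rules add the braces)` would keep a later editor from reintroducing them.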
@@ -32,4 +33,9 @@
 # For an traditional proxy setup set (no iLeiden clients!), uncomment:
 #publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
 
 # Always be nice, and return the fact we are blocking the packets
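Review bot: `ileiden_ports` is defined on L29 but, as far as the hunks of this file show, is no longer referenced once the nat and pass rules switch to `$publicnat` (L36, L53); if a use survives outside the shown hunks this is fine, otherwise the definition is dead and the comment should say why it is kept. The same three values are duplicated verbatim in pf.node.conf (L90–L93) and pf.proxy.conf (L129–L131) under an identical "NOT to be edited" heading, so a drift between the copies would go unnoticed; naming the sibling files in the comment, e.g. `# Global standards, identical in pf.node.conf and pf.proxy.conf. NOT to be edited.`, at least tells the next editor where the other copies live.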
@@ -46,12 +52,12 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 
 
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
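Review bot: `$publicnat` is now interpolated as a port list on L36, but the alternative documented at L24 is `publicnat=0` (and pf.proxy.conf activates exactly that at L126), which turns the rule into `nat ... port { 0 } -> ($ext_if)`; disabling public NAT then relies on a port-0 match never firing rather than on the rule being absent, and on pfctl accepting a zero port at all — worth confirming with `pfctl -nf` on both files. The same interpolation is repeated at L53 and in pf.proxy.conf at L139. Recording the sentinel where it is set, e.g. `# publicnat: ports NATed for iLeiden clients; 0 disables the rule (port 0 is expected to match nothing)`, would make the behaviour explicit for whoever edits the macro next.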
@@ -65,5 +71,5 @@
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
 
 # External interface is permissive (4)
@@ -71,6 +77,6 @@
 
 # Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
@@ -78,5 +84,5 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some WL Services to the inet (7)
+# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
@@ -86,6 +92,6 @@
 
 # For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194, ntp} keep state
-pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
 
Index: /branches/releng-9.0/nanobsd/files/etc/pf.node.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.node.conf	(revision 10609)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.node.conf	(revision 10610)
@@ -11,6 +11,10 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
+
+# Global standards. NOT to be edited.
 wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
 
 # Default configuration for ALIX2 with ue0 as public interface and wlan0 as
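Review bot: `private` is added on L92 but nothing in this hunk references it; pfctl does not complain about an unused macro, so if pf.node.conf has no rule that uses it the definition is dead weight copied from the other two files and the comment on L89 should say it is kept for parity. The added blank line on L94 lands next to the existing blank on L95, leaving two consecutive empty lines where the rest of the file uses one; the same happens in pf.proxy.conf at L132/L133. A note such as `# Global standards, identical in pf.hybrid.conf and pf.proxy.conf. NOT to be edited.` would tell the reader where the other copies that must stay in sync are.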
Index: /branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10609)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10610)
@@ -18,10 +18,11 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
-wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
-allow_ext_tcp="{ssh, domain}"
-allow_ext_udp="{domain, snmp}"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain"
+allow_ext_in_udp="domain, snmp"
+
+allow_ext_out_tcp = "domain, http, https, 1194"
+allow_ext_out_udp = "domain, ntp, 1194"
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
@@ -31,8 +32,14 @@
 ext_if_gw="127.127.127.127"
 captive_portal_interfaces="wlan0"
-publicnat="http,https"
+#publicnat="http,https"
 masterip="127.0.0.1"
 # For an traditional proxy setup set, uncomment:
-#publicnat=0
+publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
+
 
 # Always be nice, and return the fact we are blocking the packets
@@ -49,15 +56,16 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 
 
 # Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
+nat on !$ext_if inet proto tcp from $wl_net to any port { $allow_ext_out_tcp } -> ($ext_if) 
+nat on !$ext_if inet proto udp from $wl_net to any port { $allow_ext_out_udp } -> ($ext_if) 
 
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
@@ -68,6 +76,6 @@
 
 # This quirck is needed to override the routing table default route (8) 
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port {53} user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { $allow_ext_out_tcp } user != unknown keep state
+pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { $allow_ext_out_udp } user != unknown keep state
 
 # By default deny all outgoing traffic to avoid systems spamming the network (9)
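Review bot: The route-to tcp rule on L162 replaces `{22, 80, 443}` with `$allow_ext_out_tcp`, which expands to `domain, http, https, 1194`; authenticated-user traffic to port 22 is therefore no longer forwarded, while DNS over TCP and 1194 now are. If dropping ssh pass-through is deliberate the comment on L159 should say so, e.g. `# ssh (22) intentionally no longer forwarded for local users`; if it is not, a separate macro for this rule is safer than reusing the one that also governs the host's own outbound rules on L187/L188, since widening that macro later would silently widen this forwarding rule too. The udp counterpart on L163 grows from `{53}` to `domain, ntp, 1194` in the same way.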
@@ -81,6 +89,6 @@
 
 # Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
@@ -88,5 +96,5 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some WL Services to the inet (7)
+# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
@@ -96,6 +104,6 @@
 
 # For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state
-pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
 
