Changeset 11543 in hybrid for branches/releng-9.0/nanobsd/files/etc

Timestamp:

Oct 10, 2012, 9:43:35 PM (12 years ago)

Author:

rick

Message:

Make the concentrator OpenVPN work. Please do mind that it potentially breaks
the code for external interfaces which also have an internal link on it (like
the watertoren setup) and no concentrator setup.

File:

• branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf (modified) (5 diffs)

branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

@@ -27 +27 @@
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
 # the public accesspoint in iLeiden setup, no aliases on interfaces.
-#ext_ip="(vr0:0)"
-#ext_if="vr0"
-ext_ip=$ext_if:0
+ext_if="vr0"
+ext_ip="(vr0:0)"
+inet_if="vr0"
+inet_ip="(vr0:0)"
 captive_portal_interfaces="wlan0"
 publicnat="http,https"
@@ -54 +55 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> $ext_ip
+nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)
 
 
@@ -84 +85 @@
 # External interface is permissive (4)
 block on $ext_if inet from any to !$wl_net
+block on $inet_if inet from any to !$wl_net
 
 # Allow internal WL traffic on alias $ext_if interfaces (5)
@@ -98 +100 @@
 
 # Packets going out are the ones to the internet with an certain limit (1)
-pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
+pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
  (max-src-conn-rate 100/10, max-src-conn 10)
 
@@ -104 +106 @@
 pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
 pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
-pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
+pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
+
+# For proper functioning allow the local machine to initiate requests outside + vpn (4)
+pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
+pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
+pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }
+
+# Uncomment to UDP traceroute from this host to start
+#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
+#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state
 
 # Do not allow connections to the local MGNT LAN to start (3)