Changeset 13160 in hybrid for branches/releng-10/nanobsd/files

Timestamp:

Feb 11, 2015, 12:21:07 PM (10 years ago)

Author:

rick

Message:

Fix open DNS relay issue by closing down to the proper networks.

File:

• branches/releng-10/nanobsd/files/etc/pf.hybrid.conf (modified) (2 diffs)

branches/releng-10/nanobsd/files/etc/pf.hybrid.conf

@@ -17 +17 @@
 #
 
-# Standard port allow listings
-allow_ext_in_tcp="ssh, domain, openvpn"
-allow_ext_in_udp="domain, snmp, openvpn"
+# Standard port allow listings for external services
+allow_ext_in_tcp="ssh, openvpn"
+allow_ext_in_udp="snmp, openvpn"
+
+# Standard port allow listings for services at host network (in case of NAT)
+allow_private_in_tcp="domain"
+allow_private_in_udp="domain"
 
 allow_ext_out_tcp = "domain, http, https, openvpn"
@@ -91 +95 @@
 pass out quick on $ext_if from $wl_net to $wl_net
 
-# Expose some local services (4)
+# Expose some local services for internal (NATted) network (4)
+pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
+pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
+pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
+
+# Expose some local services for the external world (WWW) network (4)
 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state