Timestamp:
Apr 13, 2018, 6:11:59 PM (7 years ago)
Author:
rick
Message:

Add inbound NAT functionality for MGMT purposes

Removed in r13700, yet re-added since proven to be useful at some locations (Rustdam, Huub)

File:
1 edited

  • branches/releng-11/nanobsd/files/etc/pf.hybrid.conf

    r14071 r14135  
    66#
    77# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
     8# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
    89# 3) It protects the private MGMT network from WL requests to it's own services.
    910# 4) It portects the $ext_if by only allowing an subset of services.
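Review bot: the header comments touched here carry spelling slips that are worth fixing while the block is being edited, since it documents the policy for the whole file: `it's own services` should read `its own services`, `portects` should read `protects`, and `an subset` should read `a subset`.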
     
    1819# Standard port allow listings for external services
    1920allow_ext_in_tcp="1022"
     21
     22# Standard port allow listings for services at host network (in case of NAT)
     23allow_private_in_tcp="domain"
     24allow_private_in_udp="domain"
    2025
    2126allow_ext_out_tcp = "domain, http, https"
     
    4348# Table used to authorized hosts (6)
    4449table <wlportal> persist counters
     50
     51# NAT MGMT to Wireless Leiden (2)
     52nat on ! $ext_if from $private to $wl_net -> $masterip
    4553
    4654# Do NOT allow NAT to the Private Network (3)
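Review bot: `nat on ! $ext_if from $private to $wl_net -> $masterip` matches every interface except $ext_if, so it will also apply on loopback and on any interface added to the box later; if only the wireless-side interfaces are meant, name them explicitly in the `on` clause. The rule also lands directly above "Do NOT allow NAT to the Private Network (3)", so the new comment should say that this is the deliberate reverse direction (management into the WL network), otherwise the two adjacent comments read as contradicting each other.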
     
    8694pass out quick on $ext_if from $wl_net to $wl_net
    8795
     96# Expose some local services for internal (NATted) network (4)
     97pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
     98pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
     99pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
     100
    88101# Expose some local services for the external world (WWW) network (4)
    89102pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
    90103pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
     104
     105# Packets from the management LAN are allowed in (2)
     106pass in on $ext_if from $private to $wl_net keep state
    91107
    92108# Packets going out are the ones to the internet with an certain limit (1)
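Review bot: `pass in on $ext_if from $private to $wl_net keep state` has no `proto` restriction and, together with the new NAT rule, gives any packet that arrives on $ext_if with a $private source address full access to $wl_net; nothing in this hunk ensures such a source cannot be forged on $ext_if, so confirm that an `antispoof` rule or equivalent check exists elsewhere in the file (or that the upstream side filters it) and state that assumption in the comment on the "Packets from the management LAN are allowed in (2)" line. The three service-exposure rules above it are correctly limited to the `allow_private_in_*` lists and echo requests.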