# pf ruleset written in the older pf grammar (separate "nat" rules, explicit
# "keep state"). pf evaluates every rule and the LAST matching rule wins; no
# rule in this file uses "quick", so each later rule overrides an earlier one
# for any packet both match. Read the notes below with that in mind.
#
# Interfaces
ext_if="sis0"     # upstream / external interface
int_if="tap0"     # tunnel interface (presumably a VPN endpoint — confirm)
wifi_if="wlan0"   # wireless side, where the $wl_net clients attach
# Addresses and networks
all_node="172.31.255.1/32"   # single address blocked as a destination on all interfaces (see below)
wl_net="172.16.0.0/12"       # wireless client network; $vpn_net and $all_node both lie inside it
vpn_net="172.17.64.0/28"     # the part of $wl_net that $wl_net clients may reach over $int_if
# Port lists
publicnat="{80, 443, 22}"          # the only destination ports translated when leaving $ext_if
allow_ext_tcp="{22}"               # tcp ports on $ext_if reachable from any source
allow_ext_udp="{161}"              # udp ports on $ext_if reachable from any source (161 = SNMP)
allow_int_tcp="{22,53,80,3128}"    # tcp allowed wl -> vpn_net (on $int_if) and wl -> wl (on $wifi_if)
allow_int_udp="{53,131,161,12345}" # udp allowed for the same source/destination pairs
allow_int_udp_any="{67}"           # udp/67 (DHCP server port) allowed from any to any on $int_if and $wifi_if
# RFC1918 ranges that $wl_net must not reach. 172.16.0.0/12 is omitted,
# presumably because it is $wl_net itself — confirm.
private="{ 10.0.0.0/8 , 192.168.0.0/16 }"

# NOTE(review): no normalization ("scrub") rule is present; consider one if
# the pf release in use supports it.

# Nat the internet
# Only $wl_net traffic to $publicnat ports is translated on the way out of
# $ext_if. NOTE(review): $wl_net traffic to other ports that reaches $ext_if
# (possible through the default-pass gap described at "Block all") would
# leave with its private source address untranslated — confirm that is intended.
nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if)
# Nat local wl access
# $private hosts reaching $wl_net through $int_if appear as $int_if's address.
nat on $int_if from $private to $wl_net -> ($int_if)

# Block all
# NOTE(review): only $ext_if actually gets a default block. pf passes any
# packet that no rule matches, so inbound traffic on $wifi_if (and on any
# interface not named here) is allowed unless one of the specific block rules
# below catches it. Consequently the allow lists below restrict $ext_if, but
# on $wifi_if they only re-open what the "to $wifi_if" / "to $all_node"
# blocks closed; e.g. $wl_net -> internet on ports outside $publicnat, or
# traffic from a non-$wl_net source on $wifi_if, currently passes by default.
# A "block in all" at this point (with loopback exempted, e.g. "set skip on
# lo0") would make the comment's intent hold — confirm before changing the
# default policy, as it also affects every pass rule that lacks state.
block in on $ext_if
# Everything arriving on $int_if is passed, with no protocol or address
# restriction (and stateless on pf releases where "keep state" is not the
# default). Because it comes first, the narrower $int_if pass rules further
# down add nothing; only the final "block on $int_if from $wl_net to $private"
# takes anything away. Confirm $int_if is meant to be fully trusted.
pass in on $int_if
# Allow wl access from access point (not yet reversed)
# Intra-$wl_net traffic on $wifi_if passes in both directions, any protocol.
pass on $wifi_if from $wl_net to $wl_net
# Block this device from wifi
# Inbound packets addressed to $wifi_if's own address are blocked. The pass
# rules under "Allow directives" come later, so if $wifi_if's address lies
# inside $wl_net they re-open $allow_int_tcp, $allow_int_udp, icmp and udp/67
# to the device — confirm that is intended.
block in on $wifi_if inet from any to $wifi_if
# $all_node is unreachable as a destination on every interface, except where
# a later pass rule (udp/67 from any, and the $wl_net -> $wl_net rules on
# $wifi_if) re-opens it.
block inet from any to $all_node
# Enable me to access anything
# Any packet leaving these three interfaces (locally generated or forwarded)
# is allowed and creates state, so replies return regardless of the inbound
# rules.
pass out on {$ext_if, $int_if, $wifi_if} keep state
# Allow internet access from the network
# $wl_net clients may open tcp to $publicnat ports anywhere ...
pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state
# ... except to this device and to $all_node; these two blocks are needed
# because the pass above would otherwise override the earlier blocks
# (last match wins).
block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
# Allow directives
# External interface: ssh (tcp/22) and SNMP (udp/161) accept traffic from any
# source. NOTE(review): SNMP reachable from the whole upstream network is a
# broad exposure; restrict the source to the monitoring host(s) if known.
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
# Tunnel interface: $wl_net -> $vpn_net for the listed ports and icmp
# (redundant with "pass in on $int_if" above, see the note there), plus
# udp/67 from anywhere to anywhere.
pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state
pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state
pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state
# Wireless interface: the same lists for $wl_net -> $wl_net, with state. These
# also re-open the listed ports on $wifi_if's address (if it is in $wl_net)
# and on $all_node, as noted above.
pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state
pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state
pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state
pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state
# Allow wl access from local network
# Overrides "block in on $ext_if" for packets from $private to $wl_net that
# arrive on $ext_if. NOTE(review): there is no antispoof rule, so any packet
# on $ext_if carrying a $private source address matches — acceptable only if
# $ext_if faces a trusted local network.
pass on $ext_if from $private to $wl_net keep state
# Make sure to block local network access from wl
# These are the last rules, so they win: $wl_net may not reach $private via
# $wifi_if or $int_if, whatever the earlier pass rules allowed.
block on $wifi_if from $wl_net to $private
block on $int_if from $wl_net to $private