#
# Wireless Leiden PF firewall configuration for iLeiden Node.
#
# N.B.: The feature points are shared between all firewall configurations to
# make comparisons easier.
#
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet
#

# Global standards. NOT to be edited.
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
ileiden_ports="http,https"

# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
# the public accesspoint in iLeiden setup.
captive_portal_interfaces="ue0, wlan0"
# ext_if is referenced below but its definition is missing from the file as
# extracted; the value is taken from the comment above (ue0 = public interface).
ext_if="ue0"

# Table used to authorize hosts (6)
# N.B.: the table name (PF syntax: table <name> persist counters) was lost in
# extraction, here and in the "from <name>" source of the rules marked (6) below.
table persist counters

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# NAT to the internet for packets which are originating from itself for proxy functionality (8)
nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)

# Redirect users to the captive portal if they have not clicked OK yet (6)
no rdr on { $captive_portal_interfaces } proto tcp from to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic is allowed for those who have not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from to !$wl_net port { $ileiden_ports } keep state
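The following is an added Python model of the captive-portal decisions the rule set above makes; it is not part of the Wireless Leiden configuration. It assumes a set `authorized` standing in for the persist table whose name was lost in extraction, and that the portal at 172.31.255.1:8081 adds a client to that table when the client clicks OK.

```python
import ipaddress

# Constructed constants mirroring the pf.conf macros above (added example).
WL_NET = ipaddress.ip_network("172.16.0.0/12")   # wl_net
PORTAL = ("172.31.255.1", 8081)                   # rdr target; note 172.31.255.1 lies inside wl_net
ILEIDEN_PORTS = {80, 443}                         # ileiden_ports="http,https"
CAPTIVE_IFACES = {"ue0", "wlan0"}                 # captive_portal_interfaces


def forward(in_if, out_if, src, dst, port, authorized):
    """Fate of a TCP packet entering on in_if and leaving on out_if.

    `authorized` is a hypothetical set standing in for the PF persist table
    (name lost in extraction) that the captive portal fills on OK.
    Returns ("rdr", (ip, port)), ("pass", None) or ("block", None).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_if == "lo0":
        return ("pass", None)                      # (5) pass quick on lo0 all
    if dst_ip in WL_NET:
        return ("pass", None)                      # (5) WL-facing side is not firewalled
    # (6) "no rdr" exempts authorized hosts; everyone else asking for plain
    # HTTP outside wl_net is redirected to the portal. The portal address is
    # inside wl_net, so the redirected packet escapes the block-out rule (9).
    if (in_if in CAPTIVE_IFACES and src_ip in WL_NET and port == 80
            and src not in authorized):
        return ("rdr", PORTAL)
    # (9) block out ... to !$wl_net, then (6) pass out only for authorized
    # hosts on http/https: unauthenticated HTTPS is blocked, as the comment says.
    if out_if in CAPTIVE_IFACES:
        if src in authorized and port in ILEIDEN_PORTS:
            return ("pass", None)
        return ("block", None)
    return ("pass", None)                          # (5) pass all
```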