# # Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup. # # N.B: The features points are shared between all firewall configurations to # make comparisions more easy to do # # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup. # 2) It supports incoming NAT from the private MGMT network, for maintenance use. # 3) It protects the private MGMT network from WL requests to it's own services. # 4) It portects the $ext_if by only allowing an subset of services. # 5) The Wireless Leiden facing interfaces are not firewalled. # 6) WL Captive Portal Support for interfaces who needs it. # 7) Optional: Exposure of WL services to the outside # 9) Protect the Wireless Network from junk traffic. # # Rick van der Zwet # # Standard port allow listings allow_ext_in_tcp="ssh, domain, openvpn" allow_ext_in_udp="domain, snmp, openvpn" allow_ext_out_tcp = "domain, http, https, openvpn" allow_ext_out_udp = "domain, ntp, openvpn" # Default configuration for ALIX2 with vr0 as external interface and wlan0 as # the public accesspoint in iLeiden setup, no aliases on interfaces. ext_if="vr0" ext_ip="(vr0:0)" inet_if="vr0" inet_ip="(vr0:0)" captive_portal_interfaces="wlan0" publicnat="http,https" masterip="127.0.0.1" # For an traditional proxy setup set (no iLeiden clients!), uncomment: #publicnat=0 # Global standards. NOT to be edited. wl_net="172.16.0.0/12" private="{ 10.0.0.0/8, 192.168.0.0/16 }" ileiden_ports="http,https" # Always be nice, and return the fact we are blocking the packets set block-policy return # Table used to authorized hosts (6) table persist counters # NAT MGMT to Wireless Leiden (2) nat on ! $ext_if from $private to $wl_net -> $masterip # Do NOT allow NAT to the Private Network (3) no nat from $wl_net to $private # Nat the internet for iLeiden functionality (1) nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if) # Redirect user to captive portal they have not clicked OK yet (6) no rdr on { $captive_portal_interfaces } proto tcp from to !$wl_net port http rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081 # Load autogenerated entries, like the remote mappings (7) include "/etc/pf.hybrid.conf.local" # Make the device on WL find the proper gateway back (7) nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip # Special allow rules for inbound piercing (7) pass in quick on $ext_if inet tagged SRV keep state # Localhost is considered safe (5) pass quick on lo0 all # By default all interfaces are open (5) pass all # By default deny all outgoing traffic to avoid systems spamming the network (9) block out on { $captive_portal_interfaces } from any to !$wl_net # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6) pass out on { $captive_portal_interfaces } proto tcp from to !$wl_net port { $publicnat } keep state # External interface is permissive (4) block on $ext_if inet from any to !$wl_net block on $inet_if inet from any to !$wl_net # Allow internal WL traffic on alias $ext_if interfaces (5) pass in quick on $ext_if from $wl_net to $wl_net pass out quick on $ext_if from $wl_net to $wl_net # Expose some local services (4) pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq } # Packets from the management LAN are allowed in (2) pass in on $ext_if from $private to $wl_net keep state # Packets going out are the ones to the internet with an certain limit (1) pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \ (max-src-conn-rate 100/10, max-src-conn 10) # For proper functioning allow the local machine to initiate requests outside (4) pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace } # For proper functioning allow the local machine to initiate requests outside + vpn (4) pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace } # Uncomment to UDP traceroute from this host to start #pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state #pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state # Do not allow connections to the local MGNT LAN to start (3) block out on $ext_if from any to $private # Limited acess PRIVATE network to allow DHCP/DNS to function (3) pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state # Uncomment to allow limited access to MGNT interfaces ON the private network (3) #pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state