source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf@ 10578

Last change on this file since 10578 was 10578, checked in by rick, 13 years ago

Brain gymnastics to get locally originating packets in a default proxy setup
to go the right way (out on the ext interface, instead of following the
default route).

Downside is that I explicitly need to know the default gateway, as lvrouted is
rewriting it for the iLeiden setup.

Related-To: nodefactory#129

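#
# Wireless Leiden PF firewall configuration for a Proxy Setup. This firewall has
# the following main features:
#
# 1) It supports outgoing NAT to specified ports. The so-called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal support for the interfaces that need it.
# 7) Optional: exposure of WL services to the outside.
# 8) Overrides the default route for locally originating traffic to specific
#    ports, needed for a normal proxy setup, which should NOT follow the
#    iLeiden default route.
#
# Notes for maintainers:
# - pf is last-match-wins unless a rule says "quick". Only the lo0 rule below
#   uses "quick", so the ORDER of the remaining filter rules is significant:
#   "pass all" opens everything, "block on $ext_if" closes the external
#   interface again, and the rules after it re-open individual services.
# - The number in parentheses after each comment refers to the feature above.
#
wl_net="172.16.0.0/12"
# Services reachable on $ext_if from ANY source address (rules (4) below).
# NOTE(review): this exposes ssh and snmp to whatever network $ext_if faces.
# If that network is not fully trusted, consider limiting their source to
# $private (or a dedicated management host) instead of "any".
allow_ext_tcp="{ssh, domain}"
allow_ext_udp="{domain, snmp}"
# RFC 1918 address space. Note that it overlaps $wl_net (172.16.0.0/12).
private="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public access point in the iLeiden setup.
ext_if="vr0"
ext_if_net="vr0:network"
# Hard-coded on purpose: lvrouted rewrites the kernel default route in the
# iLeiden setup, so rules (8) cannot rely on the routing table and need the
# real upstream gateway for route-to. Keep this in sync with the gateway
# actually present on $ext_if.
ext_if_default_route="192.168.42.1"
captive_portal_interfaces="wlan0"
publicnat="http,https"
# NOTE(review): 127.0.0.1 looks like a placeholder. Rule (2) rewrites the
# source of MGMT->WL packets to this address, so it presumably has to be one of
# this node's own WL addresses for replies to return -- confirm against the
# nanobsd configuration that generates this file.
masterip="127.0.0.1"
# For a traditional proxy setup, uncomment:
#publicnat=0

# Always be nice, and return the fact that we are blocking the packets
set block-policy return

# Table of hosts that have already passed the captive portal (6)
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2)
nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3)
no nat from $wl_net to $private

# NAT the internet for iLeiden functionality (1)
nat on $ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if)

# NAT to the internet for packets originating from this node itself, for proxy
# functionality (8). Goes together with the route-to rules below.
nat on !$ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if)


# Redirection needs source natting and allow rules (see below) (7)
rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80

# Redirect users who have not clicked OK yet to the captive portal (6).
# Hosts listed in <wlportal> are exempt from the redirect.
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# This quirk is needed to override the routing table default route (8).
# "user != unknown" limits these rules to packets that belong to a local
# socket, i.e. traffic originated on this box rather than forwarded WL traffic.
pass out on !$ext_if route-to ($ext_if $ext_if_default_route) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
pass out on !$ext_if route-to ($ext_if $ext_if_default_route) proto udp from any to !$wl_net port {53} user != unknown keep state

# External interface is restrictive: block everything, then re-open below (4)
block on $ext_if

# Expose some local services (4)
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
# NOTE(review): this accepts any protocol from any RFC 1918 source arriving on
# $ext_if, including sources inside $wl_net itself, and nothing here (no
# antispoof) checks that such a source is plausible on $ext_if. It relies on
# $ext_if facing a trusted MGMT segment; tighten to $ext_if_net if that is not
# guaranteed.
pass in on $ext_if from $private to $wl_net keep state

# Allow exposing some WL services to the internet (7)
pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state

# Packets going out are the ones to the internet, with a certain limit (1)
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
 (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port {domain, 1194} keep state
pass out on $ext_if inet proto tcp from $ext_if to any port {http, https, 1194} keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGMT LAN to be started (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network to allow DHCP/DNS to function (3)
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state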