source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf@ 10898

Last change on this file since 10898 was 10898, checked in by rick, 13 years ago

external (vr0) kan twee IP of meer (1 x extern en meerdere intern) gedefinieerd
hebben (zoals bij de watertoren). gformat zorgt ervoor dat de externe IP altijd
op plaats 1 komt te staan.

pf moet dit gebruiken ipv met NAT naar buiten, als je dit namelijk niet doet
zal het verkeer door de verkeerde IP naar buiten geNAT worden. Dit gebeurt
round-robin, dus het gaat 50% van de tijd fout.

Thanks to Richard for finding out about the wrong NAT IP assignment.

Reported-By: huub
Fixes: nodefactory:ticket:183

#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The feature numbers are shared between all firewall configurations to
# make comparisons easier; every rule below carries the number of the feature
# it implements in parentheses. No feature 8 is defined in this file.
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 7) Optional: Exposure of WL services to the outside
# 9) Protect the Wireless Network from junk traffic.
#
# pf evaluation rules this file relies on:
#  - translation rules (nat/rdr/no nat/no rdr): first match wins;
#  - filter rules (pass/block): last match wins, except that a rule marked
#    "quick" ends evaluation immediately.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#

# Standard port allow listings (4).
# Inbound services reachable on $ext_if from ANY source. NOTE(review): with
# this default snmp is exposed to the whole internet; restrict its source to
# $private if that is not intended.
allow_ext_in_tcp="ssh, domain"
allow_ext_in_udp="domain, snmp"

# Outbound connections the node itself may open on $ext_if (1194 is
# presumably OpenVPN).
allow_ext_out_tcp = "domain, http, https, 1194"
allow_ext_out_udp = "domain, ntp, 1194"


# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup, no aliases on interfaces.
ext_if="vr0"
# "(vr0:0)": the parentheses make pf resolve the address at runtime, and ":0"
# selects the interface's primary address only (no aliases). The external
# interface may carry additional internal addresses; the config generator puts
# the external one first, so NATing to this instead of a bare $ext_if avoids
# round-robin use of the wrong address. Keep this in sync with $ext_if.
ext_ip="(vr0:0)"
# Interfaces on which the captive portal (6) is enforced.
captive_portal_interfaces="wlan0"
# TCP ports that iLeiden clients may reach on the internet through NAT (1).
publicnat="http,https"
# Source address that MGMT->WL and SRV-tagged traffic is NATed to (2, 7).
# NOTE(review): 127.0.0.1 looks like a placeholder; confirm it is overridden
# in the per-node configuration.
masterip="127.0.0.1"
# For a traditional proxy setup (no iLeiden clients!), uncomment:
#publicnat=0

# Global standards. NOT to be edited.
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 192.168.0.0/16 }"
# Not referenced in this file; presumably used by the included local file.
ileiden_ports="http,https"

# Always be nice, and return the fact we are blocking the packets
# (TCP RST / ICMP unreachable instead of a silent drop). NOTE(review): on
# $ext_if this also lets outside hosts tell filtered ports from closed ones;
# "drop" is the quieter alternative if that matters.
set block-policy return

# Table of hosts that have accepted the captive portal (6). Presumably filled
# at runtime by the portal software (not visible here); "persist" keeps the
# table even when no rule references it, "counters" keeps per-address counters.
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2): traffic from the private networks heading
# into WL leaves the internal interfaces with $masterip as source.
nat on ! $ext_if from $private to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3). Translation is first-match, so
# this exemption must stay above the iLeiden NAT rule below.
no nat from $wl_net to $private

# NAT the internet for iLeiden functionality (1): only TCP to the $publicnat
# ports is translated; other traffic from $wl_net is not NATed to the outside.
# Targets $ext_ip (primary address) rather than $ext_if on purpose.
nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> $ext_ip


# Redirect users to the captive portal if they have not clicked OK yet (6).
# Hosts already in <wlportal> are exempted; all other HTTP from $wl_net to the
# outside is sent to the portal at 172.31.255.1:8081.
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081

# Load autogenerated entries, like the remote mappings (7). Its contents are
# not reviewed here; the SRV tag matched below is expected to be set there.
include "/etc/pf.hybrid.conf.local"

# Make the device on WL find the proper gateway back (7): SRV-tagged packets
# delivered on the internal interfaces get $masterip as their source.
nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip

# Special allow rules for inbound piercing (7): SRV-tagged packets are
# accepted on $ext_if before the default-deny below ("quick").
pass in quick on $ext_if inet tagged SRV keep state

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5). Everything that follows only
# tightens the captive portal interfaces and $ext_if.
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9):
# clients on the portal interfaces cannot reach non-WL destinations unless a
# later rule allows it.
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic allowed for those who have not clicked OK yet (6).
# Authorized hosts get only the $publicnat ports towards the outside.
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state

# External interface is default-deny (4): blocks both directions on $ext_if;
# the rules below re-open specific traffic (last match wins).
block on $ext_if

# Allow internal WL traffic on alias $ext_if interfaces (5)
pass in quick on $ext_if from $wl_net to $wl_net
pass out quick on $ext_if from $wl_net to $wl_net

# Expose some local services (4): the ports listed at the top, plus ping.
pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
pass in on $ext_if from $private to $wl_net keep state

# Packets going out are the ones to the internet with a certain limit (1):
# per source address at most 100 new connections per 10 seconds and at most
# 10 simultaneous connections.
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
	(max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGMT LAN to start (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network to allow DHCP/DNS to function (3).
# Placed after the block above so it wins for DNS (last match).
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state