1 | #
|
---|
2 | # Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
|
---|
3 | #
|
---|
4 | # N.B: The features points are shared between all firewall configurations to
|
---|
5 | # make comparisions more easy to do
|
---|
6 | #
|
---|
7 | # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
|
---|
8 | # 2) It supports incoming NAT from the private MGMT network, for maintenance use.
|
---|
9 | # 3) It protects the private MGMT network from WL requests to it's own services.
|
---|
10 | # 4) It portects the $ext_if by only allowing an subset of services.
|
---|
11 | # 5) The Wireless Leiden facing interfaces are not firewalled.
|
---|
12 | # 6) WL Captive Portal Support for interfaces who needs it.
|
---|
13 | # 7) Optional: Exposure of WL services to the outside
|
---|
14 | # 9) Protect the Wireless Network from junk traffic.
|
---|
15 | #
|
---|
16 | # Rick van der Zwet <rick@wirelessleiden.nl>
|
---|
17 | #
|
---|
18 |
|
---|
19 | # Standard port allow listings
|
---|
20 | allow_ext_in_tcp="ssh, domain, openvpn"
|
---|
21 | allow_ext_in_udp="domain, snmp, openvpn"
|
---|
22 |
|
---|
23 | allow_ext_out_tcp = "domain, http, https, openvpn"
|
---|
24 | allow_ext_out_udp = "domain, ntp, openvpn"
|
---|
25 |
|
---|
26 |
|
---|
27 | # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
|
---|
28 | # the public accesspoint in iLeiden setup, no aliases on interfaces.
|
---|
29 | ext_if="vr0"
|
---|
30 | ext_ip="(vr0:0)"
|
---|
31 | captive_portal_interfaces="wlan0"
|
---|
32 | publicnat="http,https"
|
---|
33 | masterip="127.0.0.1"
|
---|
34 | # For an traditional proxy setup set (no iLeiden clients!), uncomment:
|
---|
35 | #publicnat=0
|
---|
36 |
|
---|
37 | # Global standards. NOT to be edited.
|
---|
38 | wl_net="172.16.0.0/12"
|
---|
39 | private="{ 10.0.0.0/8, 192.168.0.0/16 }"
|
---|
40 | ileiden_ports="http,https"
|
---|
41 |
|
---|
42 | # Always be nice, and return the fact we are blocking the packets
|
---|
43 | set block-policy return
|
---|
44 |
|
---|
45 | # Table used to authorized hosts (6)
|
---|
46 | table <wlportal> persist counters
|
---|
47 |
|
---|
48 | # NAT MGMT to Wireless Leiden (2)
|
---|
49 | nat on ! $ext_if from $private to $wl_net -> $masterip
|
---|
50 |
|
---|
51 | # Do NOT allow NAT to the Private Network (3)
|
---|
52 | no nat from $wl_net to $private
|
---|
53 |
|
---|
54 | # Nat the internet for iLeiden functionality (1)
|
---|
55 | nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> $ext_ip
|
---|
56 |
|
---|
57 |
|
---|
58 | # Redirect user to captive portal they have not clicked OK yet (6)
|
---|
59 | no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
|
---|
60 | rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
|
---|
61 |
|
---|
62 | # Load autogenerated entries, like the remote mappings (7)
|
---|
63 | include "/etc/pf.hybrid.conf.local"
|
---|
64 |
|
---|
65 | # Make the device on WL find the proper gateway back (7)
|
---|
66 | nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip
|
---|
67 |
|
---|
68 | # Special allow rules for inbound piercing (7)
|
---|
69 | pass in quick on $ext_if inet tagged SRV keep state
|
---|
70 |
|
---|
71 | # Localhost is considered safe (5)
|
---|
72 | pass quick on lo0 all
|
---|
73 |
|
---|
74 | # By default all interfaces are open (5)
|
---|
75 | pass all
|
---|
76 |
|
---|
77 | # By default deny all outgoing traffic to avoid systems spamming the network (9)
|
---|
78 | block out on { $captive_portal_interfaces } from any to !$wl_net
|
---|
79 |
|
---|
80 | # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
|
---|
81 | pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
|
---|
82 |
|
---|
83 | # External interface is permissive (4)
|
---|
84 | block on $ext_if inet from any to !$wl_net
|
---|
85 |
|
---|
86 | # Allow internal WL traffic on alias $ext_if interfaces (5)
|
---|
87 | pass in quick on $ext_if from $wl_net to $wl_net
|
---|
88 | pass out quick on $ext_if from $wl_net to $wl_net
|
---|
89 |
|
---|
90 | # Expose some local services (4)
|
---|
91 | pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
|
---|
92 | pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
|
---|
93 | pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
|
---|
94 |
|
---|
95 | # Packets from the management LAN are allowed in (2)
|
---|
96 | pass in on $ext_if from $private to $wl_net keep state
|
---|
97 |
|
---|
98 | # Packets going out are the ones to the internet with an certain limit (1)
|
---|
99 | pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
|
---|
100 | (max-src-conn-rate 100/10, max-src-conn 10)
|
---|
101 |
|
---|
102 | # For proper functioning allow the local machine to initiate requests outside (4)
|
---|
103 | pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
|
---|
104 | pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
|
---|
105 | pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
|
---|
106 |
|
---|
107 | # Do not allow connections to the local MGNT LAN to start (3)
|
---|
108 | block out on $ext_if from any to $private
|
---|
109 |
|
---|
110 | # Limited acess PRIVATE network to allow DHCP/DNS to function (3)
|
---|
111 | pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
|
---|
112 |
|
---|
113 | # Uncomment to allow limited access to MGNT interfaces ON the private network (3)
|
---|
114 | #pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
|
---|
115 |
|
---|