Changeset 10417 in hybrid for branches/releng-9.0/nanobsd/files/etc/pf.conf
- Timestamp: Apr 10, 2012, 2:51:13 PM
- File: 1 edited
branches/releng-9.0/nanobsd/files/etc/pf.conf
r10242 r10417 1 wifi_if="wlan0"2 1 all_node="172.31.255.1/32" 3 4 2 wl_net="172.16.0.0/12" 5 vpn_net="172.17.64.0/28"6 3 allow_ext_tcp="{22}" 7 4 allow_ext_udp="{161}" 8 allow_int_tcp="{22, 53,80,3128}"9 allow_int_udp="{53,1 31,161,12345}"5 allow_int_tcp="{22,3128}" 6 allow_int_udp="{53,161,12345}" 10 7 allow_int_udp_any="{67}" 11 8 … … 18 15 nat on $int_if from $private to $wl_net -> ($int_if) 19 16 17 # Redirection, needs source natting and allow rules 18 #rdr on $ext_if inet proto tcp from any to $ext_if port 1022 -> 192.168.84.1 port 22 19 20 20 # Block all 21 block in on $ext_if 22 pass in on$int_if21 block in on $ext_if from any to $ext_if 22 block in on $int_if from any to $int_if 23 23 24 # Allow wl access from access point (not yet reversed) 25 pass on $wifi_if from $wl_net to $wl_net 26 27 # Block this device from wifi 28 block in on $wifi_if inet from any to $wifi_if 29 block inet from any to $all_node 30 24 # Allow private to private 31 25 # Enable me to access anything 32 pass out on {$ext_if, $int_if , $wifi_if} keep state26 pass out on {$ext_if, $int_if} keep state 33 27 34 28 # Allow internet access from the network 35 pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state 36 block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat 37 block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat 29 pass in on $int_if inet proto tcp from $wl_net to any port $publicnat keep state 30 block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat 38 31 39 32 # Allow directives … … 41 34 pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state 42 35 43 pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state 44 pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state 45 pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state 46 pass in on $int_if inet proto udp from any to 
any port $allow_int_udp_any keep state 47 48 pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state 49 pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state 50 pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state 51 pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state 36 pass in on $int_if inet proto tcp from $wl_net to $int_if port $allow_int_tcp keep state 37 pass in on $int_if inet proto udp from $wl_net to $int_if port $allow_int_udp keep state 38 pass in on $int_if inet proto icmp from $wl_net to $int_if keep state 52 39 53 40 # Allow wl access from local network … … 55 42 56 43 # Make sure to block local network access from wl 57 block on $wifi_if from $wl_net to $private58 44 block on $int_if from $wl_net to $private 59 45 46 # Otherwise lvrouted breaks: 47 pass in on $int_if
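Review bot: in the first hunk `all_node` and `allow_int_udp_any` are kept as variable definitions while, in the visible lines of the later hunks, every rule that referenced them is deleted (`block inet from any to $all_node` and both `pass in ... port $allow_int_udp_any keep state` rules), so unless an elided rule still uses them they are now dead definitions; either drop them or keep the rules. Separately, `allow_int_tcp` loses 53 and 80 while `allow_int_udp` keeps 53, so DNS over TCP to $int_if (used for responses over 512 bytes and zone transfers) will no longer be accepted; confirm that is intended.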
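Review bot: the rewritten "Block all" rules in the second hunk no longer block everything: `block in on $ext_if from any to $ext_if` only drops packets addressed to the external interface itself, so a packet arriving on $ext_if for $wl_net or $private matches no visible block rule and, pf passing by default when nothing matches, would be forwarded. If a default deny is still the intent, keep `block in on $ext_if` (or a global `block all`) and open only the specific pass rules. Two smaller points in the same hunk: the new `# Allow private to private` comment has no rule under it before `# Enable me to access anything`, and the commented-out `rdr` to 192.168.84.1 will, if enabled, need a pass rule matching the translated destination (`pass in on $ext_if inet proto tcp from any to 192.168.84.1 port 22`), because the existing external pass rules only match `to $ext_if`.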
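Review bot: in the third hunk the removed `pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state` was the only visible rule admitting DHCP (UDP 67) on $int_if, and the remaining allow rules now match `to $int_if` only; after this change port 67 is admitted solely by the unconditional `pass in on $int_if` at the end of the file, which is a fragile dependency. Suggest keeping the explicit rule so DHCP keeps working if that catch-all is ever tightened.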
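Review bot: the trailing `pass in on $int_if` added under "Otherwise lvrouted breaks" is the last rule in the file and matches every inbound packet on $int_if; since pf applies the last matching rule and no visible rule uses `quick`, it overrides every earlier inbound restriction on that interface, including `block in on $int_if from any to $int_if`, `block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat` and, for the inbound direction, the `block on $int_if from $wl_net to $private` that the comment two lines above says must hold. Restrict the lvrouted exception to the protocol and port it actually needs (if that is the UDP 12345 already listed in $allow_int_udp, the blanket pass is redundant), or add `quick` to the block rules so the catch-all cannot supersede them.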