Index: /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10447)
+++ /branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10448)
@@ -8,6 +8,6 @@
 # 4) It portects the $ext_if by only allowing an subset of services.
 # 5) The Wireless Leiden facing interfaces are not firewalled.
-#
-# Rick van der Zwet <rick@wirelessleiden.nl>
+# 6) WL Captive Portal Support for interfaces who needs it.
+# 7) Optional: Exposure of WL services to the outside
 #
 wl_net="172.16.0.0/12"
@@ -16,6 +16,18 @@
 private="{ 10.0.0.0/8 , 172.16.0.0/12, 192.168.0.0/16 }"
 
+
+# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
+# the public accesspoint in iLeiden setup. 
+ext_if="vr0"
+captive_portal_interfaces="wlan0"
+publicnat="http,https"
+# For an traditional proxy setup set, uncomment:
+#publicnat=0
+
 # Always be nice, and return the fact we are blocking the packets
 set block-policy return
+
+# Table used to authorized hosts (6)
+table <wlportal> persist counters
 
 # NAT MGMT to Wireless Leiden (2)
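Review bot: The meaning of the commented alternative `#publicnat=0` is not explained: as written it would turn the nat rule further down into `port { 0 }`, which at best matches no real traffic and I could not confirm from this page whether pf's parser accepts it at all. If the intent for a traditional proxy setup is "do not NAT client web traffic at all", say so next to the sentinel, e.g. `# Proxy setup: clients must use the proxy, so the nat rule below should match no port (0 is a sentinel, the rule is not removed)`, or point the reader at commenting out the nat rule instead. The rc.conf hunk in this commit shows the same variable overridden with `-D publicnat=80,443`, so the comment should also state that numeric ports and service names are both accepted.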
@@ -23,7 +35,14 @@
 
 # Nat the internet but NOT to Private Network (1)
-nat on $ext_if inet proto tcp from $wl_net to any port {http,https} -> ($ext_if) 
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 
 # Do NOT allow NAT to the Private Network (3)
-no nat log on $ext_if from $wl_net to $private
+no nat on $ext_if from $wl_net to $private
+
+# Redirection needs source natting and allow rules (see below) (7)
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+
+# Redirect user to captive portal they have not clicked OK yet (6)
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
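Review bot: The captive-portal redirect only catches TCP port 80 (`rdr ... port 80 -> 172.31.255.1 port 8081`), while the nat rule at the top of this hunk still translates HTTPS for every `$wl_net` source, so a client that has never been added to `<wlportal>` can still use HTTPS outward; nothing in this hunk ties the table to the nat rule or to a filter rule on the captive-portal interfaces. If only authorised hosts are meant to reach the internet, the nat rule or a filter rule on `{ $captive_portal_interfaces }` needs to consult `<wlportal>` as well; if HTTPS pass-through is accepted for this setup, a comment on the rdr rule stating that the portal gates port 80 only would keep the next reader from assuming otherwise. Separately, both translation targets are hard-coded (`172.16.4.46`, `172.31.255.1`) even though `ext_if`, `captive_portal_interfaces` and `publicnat` were just made overridable with `-D`; defining them as macros (constructed names, e.g. `expose_host="172.16.4.46"` and `portal_host="172.31.255.1"`) would let the rc.conf `pf_flags` line override them per board without editing this file.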
@@ -43,4 +62,7 @@
 # Packets from the management LAN are allowed in (2)
 pass in on $ext_if from $private to $wl_net keep state
+
+# Allow exposing some WL Services to the inet (7)
+pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
 # Packets going out are the ones to the internet with an certain limit (1)
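Review bot: The new pass rule will not match the redirected traffic it is meant to allow: pf applies rdr before filtering and the filter rules see the translated packet, so by the time this rule is evaluated the destination is 172.16.4.46 port 80, not `$ext_if port 8081`. Given item 4 in the header (ext_if only allows a subset of services), the exposed service is most likely still blocked; the rule should match the post-translation destination, `pass in on $ext_if inet proto tcp from any to 172.16.4.46 port 80 keep state` (or the same macro used by the rdr rule, if one is introduced). The comment should also say that the address must match the rdr target in the NAT section above, since the two lines have to be kept in sync by hand.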
Index: /branches/releng-9.0/nanobsd/files/etc/rc.conf
===================================================================
--- /branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10447)
+++ /branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10448)
@@ -69,3 +69,3 @@
 # Used with Hybrid Configuration
 #pf_rules="/etc/pf.hybrid.conf"
-#pf_flags="-D ext_if=vr0 -D publicnat=80,443"
+#pf_flags="-D ext_if=vr0 -D captive_portal_interfaces=wlan0 -D publicnat=80,443"
