Ignore:
Timestamp:
Apr 26, 2012, 10:58:34 AM (13 years ago)
Author:
rick
Message:

While here, start rejecting junk traffic from the captive portal interfaces, as
we cannot deliver it anyways.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

    r10578 r10579  
    1212# 8) Overrides default route for local orginating traffic to specific ports, needed for
    1313#    for normal proxy setup, which should NOT follow the iLeiden default route.
     14# 9) Protect the Wireless Network from junk traffic.
    1415wl_net="172.16.0.0/12"
    1516allow_ext_tcp="{ssh, domain}"
     
    6566pass out on !$ext_if route-to ($ext_if $ext_if_default_route) proto udp from any to !$wl_net port {53} user != unknown keep state
    6667
     68# By default deny all outgoing traffic to avoid systems spamming the network (9)
     69block out on { $captive_portal_interfaces } from any to !$wl_net
     70
     71# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
     72pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { 80, 443 } keep state
     73
    6774# External interface is permissive (4)
    6875block on $ext_if
Note: See TracChangeset for help on using the changeset viewer.