Index: /branches/releng-11/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-11/nanobsd/files/etc/pf.hybrid.conf	(revision 13699)
+++ /branches/releng-11/nanobsd/files/etc/pf.hybrid.conf	(revision 13700)
@@ -6,5 +6,4 @@
 #
 # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
-# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
 # 3) It protects the private MGMT network from WL requests to it's own services.
 # 4) It portects the $ext_if by only allowing an subset of services.
@@ -18,13 +17,9 @@
 
 # Standard port allow listings for external services
-allow_ext_in_tcp="1022, openvpn"
-allow_ext_in_udp="snmp, openvpn"
+allow_ext_in_tcp="1022"
+allow_ext_in_udp=""
 
-# Standard port allow listings for services at host network (in case of NAT)
-allow_private_in_tcp="domain"
-allow_private_in_udp="domain"
-
-allow_ext_out_tcp = "domain, http, https, openvpn"
-allow_ext_out_udp = "domain, ntp, openvpn"
+allow_ext_out_tcp = "domain, http, https"
+allow_ext_out_udp = "domain, ntp"
 
 
@@ -49,7 +44,4 @@
 # Table used to authorized hosts (6)
 table <wlportal> persist counters
-
-# NAT MGMT to Wireless Leiden (2)
-nat on ! $ext_if from $private to $wl_net -> $masterip
 
 # Do NOT allow NAT to the Private Network (3)
@@ -93,16 +85,8 @@
 pass out quick on $ext_if from $wl_net to $wl_net
 
-# Expose some local services for internal (NATted) network (4)
-pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
-pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
-pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
-
 # Expose some local services for the external world (WWW) network (4)
 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
-
-# Packets from the management LAN are allowed in (2)
-pass in on $ext_if from $private to $wl_net keep state
 
 # Packets going out are the ones to the internet with an certain limit (1)
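Review bot: The rule `pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state`, kept as context in this hunk, still expands the macro that the earlier hunk now sets to `allow_ext_in_udp=""`, so it becomes `port { }`. I would expect pfctl to reject an empty port list as a syntax error, and a ruleset that fails to load at boot can leave the node without its intended filtering. Check the file with `pfctl -nf /etc/pf.hybrid.conf` before building the image. If no inbound UDP service is meant to be reachable on `$ext_if`, remove that pass rule together with the macro and leave a comment such as `# No inbound UDP services are exposed on $ext_if` so the intent stays visible.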
