Changeset 13772 in hybrid for branches/releng-11/nanobsd/files/etc/pf.node.conf

Timestamp:

Jan 23, 2017, 5:26:28 PM (8 years ago)

Author:

rick

Message:

Fixing HTTPS allowance without accepting the terms.

From a node PoV the traffic from the client to the internet is flowing
inbound on the captive portal interfaces.

File:

• branches/releng-11/nanobsd/files/etc/pf.node.conf (modified) (1 diff)

branches/releng-11/nanobsd/files/etc/pf.node.conf

@@ -39 +39 @@
 
 # By default deny all outgoing traffic to avoid systems spamming the network (9)
-block out on { $captive_portal_interfaces } from any to !$wl_net
+block in on { $captive_portal_interfaces } from any to !$wl_net
+
+# Quickly drop out, with nice return value, avoiding endless connections on portal setup (6)
+block return in quick on { $captive_portal_interfaces } proto tcp from !<wlportal> to !$wl_net port { $publicnat }
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
+pass in on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state