Index: /branches/releng-11/nanobsd/files/etc/pf.hybrid.conf =================================================================== --- /branches/releng-11/nanobsd/files/etc/pf.hybrid.conf (revision 14062) +++ /branches/releng-11/nanobsd/files/etc/pf.hybrid.conf (revision 14068) @@ -26,5 +26,5 @@ # the public accesspoint in iLeiden setup, aliases on external interface OK. ext_if="vr0" -inet_if="vr0" +ext_if="vr0" captive_portal_interfaces="wlan0" publicnat="http,https" @@ -48,5 +48,5 @@ # Nat the internet for iLeiden functionality allow for alias on vr0 (1) -nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if:0) +nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($ext_if:0) @@ -81,5 +81,4 @@ # External interface is permissive (4) block on $ext_if inet from any to !$wl_net -block on $inet_if inet from any to !$wl_net # Allow internal WL traffic on alias $ext_if interfaces (5) @@ -92,5 +91,5 @@ # Packets going out are the ones to the internet with an certain limit (1) -pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \ +pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \ (max-src-conn-rate 100/10, max-src-conn 10) @@ -101,11 +100,10 @@ # For proper functioning allow the local machine to initiate requests outside + vpn (4) -pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state -pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state -pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace } +pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state +pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state +pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace } # Uncomment to UDP traceroute from this host to start #pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state -#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state # Do not allow connections to the local MGNT LAN to start (3)