Index: branches/releng-11/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- branches/releng-11/nanobsd/files/etc/pf.hybrid.conf	(revision 14132)
+++ branches/releng-11/nanobsd/files/etc/pf.hybrid.conf	(revision 14135)
@@ -6,4 +6,5 @@
 #
 # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
+# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
 # 3) It protects the private MGMT network from WL requests to it's own services.
 # 4) It portects the $ext_if by only allowing an subset of services.
@@ -18,4 +19,8 @@
 # Standard port allow listings for external services
 allow_ext_in_tcp="1022"
+
+# Standard port allow listings for services at host network (in case of NAT)
+allow_private_in_tcp="domain"
+allow_private_in_udp="domain"
 
 allow_ext_out_tcp = "domain, http, https"
@@ -43,4 +48,7 @@
 # Table used to authorized hosts (6)
 table <wlportal> persist counters
+
+# NAT MGMT to Wireless Leiden (2)
+nat on ! $ext_if from $private to $wl_net -> $masterip
 
 # Do NOT allow NAT to the Private Network (3)
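Review bot: The new nat rule rewrites every management source to the single address `$masterip`, so hosts in `$wl_net` can no longer tell which MGMT machine opened a maintenance session; the only place the original source survives is this box's state table. Because `log` on a nat rule requires `pass` (which would bypass the filter rules), the usual way to keep attribution is to log the matching filter rule instead, e.g. `pass in log on $ext_if from $private to $wl_net keep state`, so pflog records the pre-translation source. If that is not wanted, the trade-off should at least be stated in the comment: `# NAT MGMT to Wireless Leiden (2) -- MGMT hosts appear as $masterip on the WL side; attribution only via pflog/state table`. Whether `$private` and `$wl_net` are reachable on the same or different interfaces is not visible here, so the `! $ext_if` interface match is assumed to be intentional.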
@@ -86,7 +94,15 @@
 pass out quick on $ext_if from $wl_net to $wl_net
 
+# Expose some local services for internal (NATted) network (4)
+pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
+pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
+pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
+
 # Expose some local services for the external world (WWW) network (4)
 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
+
+# Packets from the management LAN are allowed in (2)
+pass in on $ext_if from $private to $wl_net keep state
 
 # Packets going out are the ones to the internet with an certain limit (1)
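Review bot: The three new `pass in on $ext_if ... from $private` rules and the unrestricted `pass in on $ext_if from $private to $wl_net keep state` match on source address only, and the surrounding comments describe `$ext_if` as facing the external world, so a packet arriving on `$ext_if` with a forged `$private` source would be admitted to the DNS service and, through the last rule, to any host in `$wl_net` on any protocol. Unless an antispoof or reverse-path check exists earlier in the ruleset (not visible in this hunk), consider guarding these with `block in quick on $ext_if from urpf-failed` placed before them, or narrowing the last rule with `inet proto { tcp udp icmp }` and `log` so maintenance access is both bounded and attributable. The UDP `domain` rule is the one most worth protecting, since a spoofed-source resolver is usable for reflection. Minor: the comment on the private-services rules cites `(4)` although the header lists incoming MGMT access as `(2)`; `# Expose some local services for internal (NATted) network (2)` would match the other cross-references.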
