source: hybrid/branches/releng-10/nanobsd/files/etc/pf.hybrid.conf

Last change on this file was 13233, checked in by huub, 10 years ago

NAT OK ook bij alias op external interface

#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The feature points below are shared between all firewall configurations
# to make comparisons easier; the "(n)" tags on the rules refer back to them.
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 7) Optional: Exposure of WL services to the outside
# 9) Protect the Wireless Network from junk traffic.
#
# Reading guide: pf evaluates filter rules top to bottom and the LAST matching
# rule wins unless a rule is marked "quick", so the order of the pass/block
# rules below is significant. On this pf generation (FreeBSD 10) translation
# (nat/rdr) rules are applied before the filter rules, and the filter rules
# see the translated packet.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#

# Standard port allow listings for external services. These are reachable from
# ANY source address on $ext_if, see (4) below, so keep the lists minimal.
# NOTE(review): 1022 is presumably a non-standard SSH port -- confirm.
# NOTE(review): "snmp" (UDP 161) is exposed to the whole internet here. SNMPv1/v2c
# authenticate with a cleartext community string and GetBulk replies make the
# service a known UDP amplification vector; restrict it to $private or to the
# monitoring hosts unless external polling is genuinely required.
allow_ext_in_tcp="1022, openvpn"
allow_ext_in_udp="snmp, openvpn"

# Standard port allow listings for services at host network (in case of NAT):
# what the MGMT networks ($private) may reach on this node's $ext_if addresses.
allow_private_in_tcp="domain"
allow_private_in_udp="domain"

# Ports this node itself may open towards the internet from its own
# $ext_if/$inet_if addresses (4).
allow_ext_out_tcp = "domain, http, https, openvpn"
allow_ext_out_udp = "domain, ntp, openvpn"


# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup, aliases on external interface OK.
# $ext_if (management/uplink side) and $inet_if (internet side) are the same
# physical interface here; they may differ in other deployments.
ext_if="vr0"
# "(vr0:0)": the interface's primary address, re-evaluated by pf when the
# address changes; the ":0" modifier excludes aliases. Not referenced in this
# file (presumably used by the included local configuration).
ext_ip="(vr0:0)"
inet_if="vr0"
# NOTE(review): this macro already carries the parentheses, and the NAT rule (1)
# below writes "($inet_ip)", which expands to "((vr0:0))". Check with
# "pfctl -nf /etc/pf.hybrid.conf" that this parses on the target pf; if it
# does not, drop the parentheses either here or in the rule.
inet_ip="(vr0:0)"
captive_portal_interfaces="wlan0"
# TCP ports WL clients may reach on the internet through NAT (1).
publicnat="http,https"
# NOTE(review): 127.0.0.1 looks like a placeholder. It is used as the translated
# source address for traffic entering the WL network in (2) and (7), so confirm
# it is overridden with this node's WL address before deployment.
masterip="127.0.0.1"
# For a traditional proxy setup (no iLeiden clients!), uncomment:
#publicnat=0

# Global standards. NOT to be edited.
# WL address space; every "to !$wl_net" test below means "towards the internet".
wl_net="172.16.0.0/12"
# Management (MGMT) networks; 172.16/12 is deliberately not part of this.
private="{ 10.0.0.0/8, 192.168.0.0/16 }"
# Not referenced in this file ($publicnat is used instead).
ileiden_ports="http,https"

# Always be nice, and return the fact we are blocking the packets
# (TCP RST / ICMP unreachable instead of a silent drop). This keeps WL clients
# from hanging on blocked ports, but it also means port scans against $ext_if
# get an immediate answer.
set block-policy return

# Table of hosts that have accepted the captive portal (6); presumably filled at
# runtime by the portal software. "persist" keeps the table even when no rule
# references it, "counters" keeps per-address statistics.
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2): management hosts entering the WL network
# through any interface other than $ext_if appear as $masterip.
nat on ! $ext_if from $private to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3): WL sources are never translated
# towards the MGMT networks.
no nat from $wl_net to $private

# Nat the internet for iLeiden functionality allow for alias on vr0 (1):
# only TCP to the ports in $publicnat is translated. Anything else from $wl_net
# towards the internet stays untranslated and is caught by the block rules (4).
nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_ip)


# Redirect user to captive portal they have not clicked OK yet (6): plain HTTP
# from WL clients that are not in <wlportal> is sent to the portal at
# 172.31.255.1:8081. That address lies inside $wl_net, so none of the
# "to !$wl_net" block rules below apply to the redirected packets.
# HTTPS is not redirected; it is only blocked until the client is in the table.
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081

# Load autogenerated entries, like the remote mappings (7). Presumably this file
# holds the rdr rules that tag pierced traffic "SRV" for the rules below.
# NOTE(review): any plain (non-quick) pass/block filter rule in the include is
# overridden by the "pass all" default and the later rules in this file;
# translation rules are not affected by ordering.
include "/etc/pf.hybrid.conf.local"

# Make the device on WL find the proper gateway back (7): pierced traffic is
# source-NATed to $masterip so the WL service replies to this node.
nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip

# Special allow rules for inbound piercing (7); "quick" so the $ext_if block (4)
# below cannot undo it.
pass in quick on $ext_if inet tagged SRV keep state

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5). Every block below is an exception to
# this rule: an interface not named below, and any address family a block rule
# does not cover (see the "inet" rules at (4)), is completely open.
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9):
# on the captive portal interfaces nothing leaves towards !$wl_net unless a
# later rule allows it.
# NOTE(review): "out on wlan0" matches packets this node sends towards the
# wireless side. A client's own request to the internet arrives "in" on wlan0
# and leaves on $inet_if, where it is translated by (1) and passed by the
# "from $inet_if" rules below. Unless the topology differs from what the header
# describes, a client not yet in <wlportal> could therefore still reach the
# $publicnat ports directly (HTTPS is not redirected). Check this rule pair's
# counters with "pfctl -vsr"; if they stay at zero, "in" is probably intended.
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic allowed for those who have not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state

# External interface is restrictive (4): everything to or from the internet is
# blocked unless a rule below re-allows it. With $ext_if == $inet_if the two
# rules are identical.
# NOTE(review): both rules are "inet" only, so inet6 traffic on these interfaces
# falls through to the "pass all" default above. Add an inet6 block (or keep
# IPv6 disabled on vr0) if the uplink ever carries IPv6.
block on $ext_if inet from any to !$wl_net
block on $inet_if inet from any to !$wl_net

# Allow internal WL traffic on alias $ext_if interfaces (5); "quick", so the
# rules below cannot override it. This is WL-to-WL traffic only; the block (4)
# above matches "to !$wl_net" and never overlaps with these.
pass in quick on $ext_if from $wl_net to $wl_net
pass out quick on $ext_if from $wl_net to $wl_net

# Expose some local services for internal (NATted) network (4): DNS and ping
# from the MGMT networks to any address of $ext_if (aliases included, since the
# bare interface name expands to all of its addresses).
pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }

# Expose some local services for the external world (WWW) network (4): these
# are reachable from ANY source address; see the notes at $allow_ext_in_*.
pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2): anything from MGMT towards
# the WL network (translated to $masterip by (2) above); replies ride the state.
pass in on $ext_if from $private to $wl_net keep state

# Packets going out are the ones to the internet with a certain limit (1): at
# most 10 concurrent connections and 100 new connections per 10 seconds per
# source address; connections beyond the limit are not passed (no overload
# table is used).
# NOTE(review): outbound NAT (1) is applied before filtering on this pf
# generation, so packets leaving $inet_if already carry the translated source
# and would not match "from $wl_net" here; they would then be passed by the
# "from $inet_if" rules below without any limit. Verify with "pfctl -vsr" that
# this rule's counters increase; if they do not, the limits are not enforced.
pass out on $inet_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
    (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4):
# DNS, HTTP(S), OpenVPN and NTP from this node's own $ext_if addresses, plus
# ping and traceroute (ICMP). Because "$ext_if" as an address covers every
# address on vr0, traffic NATed to the primary address by (1) likely matches
# these rules as well.
pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }

# For proper functioning allow the local machine to initiate requests outside + vpn (4):
# same as above for $inet_if (identical rules while $ext_if == $inet_if).
pass out on $inet_if inet proto udp from $inet_if to any port { $allow_ext_out_udp } keep state
pass out on $inet_if inet proto tcp from $inet_if to any port { $allow_ext_out_tcp } keep state
pass out on $inet_if inet proto icmp from $inet_if to any icmp-type { echoreq, trace }

# Uncomment to allow UDP traceroute from this host (classic traceroute probes
# the ports between 33434 and 33464; "><" is an exclusive range).
#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
#pass out on $inet_if inet proto udp from $inet_if to any port 33434 >< 33464 keep state

# Do not allow connections to the local MGMT LAN to start (3): neither WL hosts
# nor this node may open connections towards the MGMT networks. Replies to
# connections MGMT opened itself are still carried by the state from (2).
block out on $ext_if from any to $private

# Limited access PRIVATE network to allow DHCP/DNS to function (3): this node
# may query DNS servers in the MGMT networks. Only "domain" is opened here;
# no DHCP port is listed (FreeBSD's dhclient talks via bpf, which pf does not
# filter, so it presumably needs none -- confirm).
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
