Context Navigation

pf.hybrid.conf@ 14107

Last change on this file since 14107 was 14071, checked in by rick, 7 years ago

Fix no traffic possible from aliased gateway iface

Packets originating from same interface as the gateway interface (aliased
interface) are not matched by the 'out' rule.

Technically they are both incoming and outgoing at the same time and thus will
be covered the the 'in' rule directive. By ensuring matching is done on both
incoming and outgoing this packets will be allowed.

File size: 4.9 KB

Line
1	#
2	# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
3	#
4	# N.B: The features points are shared between all firewall configurations to
5	# make comparisions more easy to do
6	#
7	# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
8	# 3) It protects the private MGMT network from WL requests to it's own services.
9	# 4) It portects the $ext_if by only allowing an subset of services.
10	# 5) The Wireless Leiden facing interfaces are not firewalled.
11	# 6) WL Captive Portal Support for interfaces who needs it.
12	# 7) Optional: Exposure of WL services to the outside
13	# 9) Protect the Wireless Network from junk traffic.
14	#
15	# Rick van der Zwet <rick@wirelessleiden.nl>
16	#
17
18	# Standard port allow listings for external services
19	allow_ext_in_tcp="1022"
20
21	allow_ext_out_tcp = "domain, http, https"
22	allow_ext_out_udp = "domain, ntp"
23
24
25	# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
26	# the public accesspoint in iLeiden setup, aliases on external interface OK.
27	ext_if="vr0"
28	ext_if="vr0"
29	captive_portal_interfaces="wlan0"
30	publicnat="http,https"
31	masterip="127.0.0.1"
32	# For an traditional proxy setup set (no iLeiden clients!), uncomment:
33	#publicnat=0
34
35	# Global standards. NOT to be edited.
36	wl_net="172.16.0.0/12"
37	private="{ 10.0.0.0/8, 192.168.0.0/16 }"
38	ileiden_ports="http,https"
39
40	# Always be nice, and return the fact we are blocking the packets
41	set block-policy return
42
43	# Table used to authorized hosts (6)
44	table <wlportal> persist counters
45
46	# Do NOT allow NAT to the Private Network (3)
47	no nat from $wl_net to $private
48
49	# Nat the internet for iLeiden functionality allow for alias on vr0 (1)
50	nat on $ext_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($ext_if:0)
51
52
53	# Redirect user to captive portal they have not clicked OK yet (6)
54	no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
55	rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
56
57	# Load autogenerated entries, like the remote mappings (7)
58	include "/etc/pf.hybrid.conf.local"
59
60	# Make the device on WL find the proper gateway back (7)
61	nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip
62
63	# Special allow rules for inbound piercing (7)
64	pass in quick on $ext_if inet tagged SRV keep state
65
66	# Localhost is considered safe (5)
67	pass quick on lo0 all
68
69	# By default all interfaces are open (5)
70	pass all
71
72	# By default deny all outgoing traffic to avoid systems spamming the network (9)
73	block in on { $captive_portal_interfaces } from any to !$wl_net
74
75	# Quickly drop out, with nice return value, avoiding endless connections on portal setup (6)
76	block return in quick on { $captive_portal_interfaces } proto tcp from !<wlportal> to !$wl_net port { $publicnat }
77
78	# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
79	pass in on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
80
81	# External interface is permissive (4)
82	block on $ext_if inet from any to !$wl_net
83
84	# Allow internal WL traffic on alias $ext_if interfaces (5)
85	pass in quick on $ext_if from $wl_net to $wl_net
86	pass out quick on $ext_if from $wl_net to $wl_net
87
88	# Expose some local services for the external world (WWW) network (4)
89	pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
90	pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
91
92	# Packets going out are the ones to the internet with an certain limit (1)
93	pass on $ext_if inet proto tcp from $wl_net to !$wl_net port { $publicnat } keep state \
94	(max-src-conn-rate 100/10, max-src-conn 10)
95
96	# For proper functioning allow the local machine to initiate requests outside (4)
97	pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
98	pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
99	pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
100
101	# For proper functioning allow the local machine to initiate requests outside + vpn (4)
102	pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
103	pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
104	pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq, trace }
105
106	# Uncomment to UDP traceroute from this host to start
107	#pass out on $ext_if inet proto udp from $ext_if to any port 33434 >< 33464 keep state
108
109	# Do not allow connections to the local MGNT LAN to start (3)
110	block out on $ext_if from any to $private
111
112	# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
113	pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
114
115	# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
116	#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
117	#pass out on $ext_if inet proto icmp from $ext_if to $private icmp-type { echoreq, trace }

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format