| 1 | ext_if="sis0"
|
|---|
| 2 | int_if="tap0"
|
|---|
| 3 | wifi_if="wlan0"
|
|---|
| 4 | all_node="172.31.255.1/32"
|
|---|
| 5 |
|
|---|
| 6 | wl_net="172.16.0.0/12"
|
|---|
| 7 | vpn_net="172.17.64.0/28"
|
|---|
| 8 |
|
|---|
| 9 | publicnat="{80, 443, 22}"
|
|---|
| 10 | allow_ext_tcp="{22}"
|
|---|
| 11 | allow_ext_udp="{161}"
|
|---|
| 12 | allow_int_tcp="{22,53,80,3128}"
|
|---|
| 13 | allow_int_udp="{53,131,161,12345}"
|
|---|
| 14 | allow_int_udp_any="{67}"
|
|---|
| 15 |
|
|---|
| 16 | private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
|
|---|
| 17 |
|
|---|
| 18 | # Nat the internet
|
|---|
| 19 | nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if)
|
|---|
| 20 |
|
|---|
| 21 | # Nat local wl access
|
|---|
| 22 | nat on $int_if from $private to $wl_net -> ($int_if)
|
|---|
| 23 |
|
|---|
| 24 | # Block all
|
|---|
| 25 | block in on $ext_if
|
|---|
| 26 | pass in on $int_if
|
|---|
| 27 |
|
|---|
| 28 | # Allow wl access from access point (not yet reversed)
|
|---|
| 29 | pass on $wifi_if from $wl_net to $wl_net
|
|---|
| 30 |
|
|---|
| 31 | # Block this device from wifi
|
|---|
| 32 | block in on $wifi_if inet from any to $wifi_if
|
|---|
| 33 | block inet from any to $all_node
|
|---|
| 34 |
|
|---|
| 35 | # Enable me to access anything
|
|---|
| 36 | pass out on {$ext_if, $int_if, $wifi_if} keep state
|
|---|
| 37 |
|
|---|
| 38 | # Allow internet access from the network
|
|---|
| 39 | pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state
|
|---|
| 40 | block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
|
|---|
| 41 | block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
|
|---|
| 42 |
|
|---|
| 43 | # Allow directives
|
|---|
| 44 | pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
|
|---|
| 45 | pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
|
|---|
| 46 |
|
|---|
| 47 | pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state
|
|---|
| 48 | pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state
|
|---|
| 49 | pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
|
|---|
| 50 | pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state
|
|---|
| 51 |
|
|---|
| 52 | pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state
|
|---|
| 53 | pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state
|
|---|
| 54 | pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state
|
|---|
| 55 | pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state
|
|---|
| 56 |
|
|---|
| 57 | # Allow wl access from local network
|
|---|
| 58 | pass on $ext_if from $private to $wl_net keep state
|
|---|
| 59 |
|
|---|
| 60 | # Make sure to block local network access from wl
|
|---|
| 61 | block on $wifi_if from $wl_net to $private
|
|---|
| 62 | block on $int_if from $wl_net to $private
|
|---|
| 63 |
|
|---|
