source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf@ 10593

Last change on this file since 10593 was 10589, checked in by rick, 13 years ago

Split hybrid and special proxy setup, as the proxy setup is highly custom and
somewhat exotic, not usable in the hybrid setup (due to the gateway pain).

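#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The feature points are shared between all firewall configurations to
# make comparisons easier to do. Every rule below refers back to its feature
# number in parentheses. (Feature 8 does not occur in this configuration.)
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 7) Optional: Exposure of WL services to the outside
# 9) Protect the Wireless Network from junk traffic.
#
# Rule order matters: pf applies the last matching rule unless "quick" is
# given, so the later, more specific rules override the earlier catch-alls.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#
wl_net="172.16.0.0/12"
ileiden_ports="80,443"
allow_ext_tcp="{ssh, domain}"
allow_ext_udp="{domain, snmp}"
# RFC1918 space; note that this list also contains the $wl_net range itself.
private="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup.
ext_if="vr0"
ext_if_net="vr0:network"
captive_portal_interfaces="wlan0"
publicnat="http,https"
# Address the MGMT network is translated to when it enters the WL network (2).
# NOTE(review): 127.0.0.1 looks like a per-node placeholder; with this default
# the NAT rule (2) below maps MGMT traffic onto loopback -- verify.
masterip="127.0.0.1"
# For a traditional proxy setup (no iLeiden clients!), uncomment:
#publicnat=0

# Targets of the exposure (7) and captive portal (6) redirects. The two port
# numbers happen to be equal but belong to different services.
exposed_host="172.16.4.46"
exposed_port="8081"
captive_portal_host="172.31.255.1"
captive_portal_port="8081"

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Table of hosts that have passed the captive portal (6). "persist" keeps the
# table even when no rule references it, "counters" keeps per-address stats.
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2)
nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3)
no nat from $wl_net to $private

# NAT the internet for iLeiden functionality (1)
nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)

# Redirect some internal facing services outside; the matching pass rule is
# near the bottom of this file (7)
rdr on $ext_if inet proto tcp from any to $ext_if port $exposed_port -> $exposed_host port 80

# Redirect users who have not clicked OK yet to the captive portal (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> $captive_portal_host port $captive_portal_port

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic is allowed for those who have not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state

# External interface is default-deny: only what is explicitly passed below
# gets through (4)
block on $ext_if

# Expose some local services (4)
# NOTE(review): ssh is reachable from any source here and, unlike rule (1),
# no max-src-conn-rate state option limits it; consider narrowing the source.
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
# NOTE(review): $private overlaps $wl_net and nothing in this file verifies
# that such sources really come from the MGMT side (no antispoof) -- verify.
pass in on $ext_if from $private to $wl_net keep state

# Allow exposing some WL Services to the inet (7)
pass in on $ext_if inet proto tcp from any to $ext_if port { $exposed_port } keep state

# Packets going out are the ones to the internet with a certain limit (1)
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
 (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port {domain, 1194} keep state
pass out on $ext_if inet proto tcp from $ext_if to any port {http, https, 1194} keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGMT LAN to start (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network to allow DHCP/DNS to function (3)
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state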