
Last change on this file since 10842 was 10842, checked in by rick, 13 years ago

172.16.0.0/12 is alleen WL net en kan nooit gebruikt worden als (coperate) DMZ
voor de external interface, omdat dit allemaal raar gedrag met zich meebrengt.

fixes nodefactory:ticket:175

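#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The feature points are shared between all firewall configurations to
# make comparisons easier to do.
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 7) Optional: Exposure of WL services to the outside
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#
# Ordering note: pf evaluates filter rules last-match-wins unless a rule is
# marked "quick", so the position of every block/pass rule below matters.
# The number in parentheses after each comment refers to the feature list above.

# Standard port allow listings
# Inbound services reachable on $ext_if from ANY source address (4). Both ssh
# and snmp are therefore offered to the whole internet on the uplink; narrow
# the source in the corresponding pass rule if maintenance only ever comes
# from $private.
allow_ext_in_tcp="ssh, domain"
allow_ext_in_udp="domain, snmp"

# Services the node itself may initiate towards the internet (4).
allow_ext_out_tcp="domain, http, https, 1194"
allow_ext_out_udp="domain, ntp, 1194"

# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup.
ext_if="vr0"
ext_if_net="vr0:network"
captive_portal_interfaces="wlan0"
# Destination ports WL clients may reach on the internet through NAT (1).
publicnat="http,https"
masterip="127.0.0.1"
# Captive portal listener that not-yet-authorized HTTP clients are redirected
# to (6). It must lie inside $wl_net, otherwise the redirected traffic would be
# caught by the "block out ... to !$wl_net" rule further down.
captive_portal_ip="172.31.255.1"
captive_portal_port="8081"
# For a traditional proxy setup (no iLeiden clients!), uncomment:
#publicnat=0

# Global standards. NOT to be edited.
# 172.16.0.0/12 is the WL-only range; it must never double as a (corporate)
# DMZ range on the external interface, since the $wl_net rules below assume
# that everything in it is Wireless Leiden.
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 192.168.0.0/16 }"
ileiden_ports="http,https"

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Table of hosts that have been authorized on the captive portal (6)
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2)
nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3)
no nat from $wl_net to $private

# NAT the internet for iLeiden functionality (1)
nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)

# Redirect users who have not clicked OK yet to the captive portal (6).
# Hosts already in <wlportal> are exempted by the "no rdr" rule first.
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> $captive_portal_ip port $captive_portal_port

# Load autogenerated entries, like the remote mappings (7)
include "/etc/pf.hybrid.conf.local"

# Make the device on WL find the proper gateway back (7)
nat on ! $ext_if inet from any to $wl_net tagged SRV -> $masterip

# Special allow rules for inbound piercing (7)
pass in quick on $ext_if inet tagged SRV keep state

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic is allowed for those who have not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state

# External interface is restrictive: block everything, then allow exceptions (4)
block on $ext_if

# Allow internal WL traffic on alias $ext_if interfaces (5)
# NOTE(review): these rules also match packets arriving on the real uplink
# with a forged $wl_net source; presumably the upstream never routes such
# packets to us — confirm, or add antispoof/source checks for the uplink.
pass in quick on $ext_if from $wl_net to $wl_net
pass out quick on $ext_if from $wl_net to $wl_net

# Expose some local services (4)
pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
pass in on $ext_if from $private to $wl_net keep state

# Packets going out are the ones to the internet with a certain limit (1)
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
	(max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGMT LAN to start (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network to allow DHCP/DNS to function (3)
# NOTE(review): only port domain is passed here; confirm DHCP needs no
# explicit rule of its own.
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state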