#
# Wireless Leiden PF firewall configuration for Proxy Setup. This firewall has 5
# main features:
#
# 1) It supports outgoing NAT to specified ports. The so-called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#
wl_net="172.16.0.0/12"
allow_ext_tcp="{ssh, domain}"
# NOTE: snmp is reachable from any source on $ext_if with this list; restrict it
# to the MGMT network if the agent is not meant to be reachable from the internet.
allow_ext_udp="{domain, snmp}"
private="{ 10.0.0.0/8 , 172.16.0.0/12, 192.168.0.0/16 }"

# $ext_if and $publicnat are used below but were not defined in this file; the
# deployment is expected to supply them (e.g. with pfctl -D), which takes
# precedence over the placeholder values given here. Placeholders (assumption):
ext_if="em0"              # placeholder: the internet-facing interface
publicnat="http, https"   # placeholder: ports allowed out via NAT, see (1)

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# NAT MGMT to Wireless Leiden (2)
nat on lo0 from $private to $wl_net -> (lo0)

# Do NOT allow NAT to the Private Network (3). pf applies the first matching
# translation rule, so this exception must come before the general nat rule
# or it would never be reached for http/https traffic.
no nat log on $ext_if from $wl_net to $private
# NAT to the internet but NOT to the Private Network (1)
nat on $ext_if inet proto tcp from $wl_net to any port {http, https} -> ($ext_if)

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# External interface is blocked by default; the rules below open specific services (4)
block on $ext_if

# Expose some local services (4)
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
pass in on $ext_if from $private to $wl_net keep state

# Packets going out are the ones to the internet, with a certain limit (1)
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
    (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port {domain, 1194} keep state
pass out on $ext_if inet proto tcp from $ext_if to any port {http, https, 1194} keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGMT LAN to start (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network to allow DHCP/DNS to function (3)
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
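The ruleset above references macros without defining them and depends on the order of its translation rules. As an added example (not part of the Wireless Leiden configuration), this small Python lint checks a pf.conf fragment for both: a `$macro` used before any `macro=` definition, and a `no nat` exception placed after a `nat` rule, which pf's first-match evaluation of translation rules can leave unreachable. The sample ruleset is a constructed excerpt of the config above.

```python
import re

# Constructed excerpt of the ruleset above, keeping the undefined macros and the
# "no nat" after "nat" ordering so the lint has something to report.
SAMPLE = """\
wl_net="172.16.0.0/12"
private="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
nat on $ext_if inet proto tcp from $wl_net to any port {http, https} -> ($ext_if)
no nat log on $ext_if from $wl_net to $private
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \\
    (max-src-conn-rate 100/10, max-src-conn 10)
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=')   # name="value"
MACRO_USE = re.compile(r'\$([A-Za-z_]\w*)')       # $name

def logical_lines(text):
    """Fold backslash continuations, drop comments, number the logical lines."""
    folded = re.sub(r'\\\n', ' ', text)
    for lineno, raw in enumerate(folded.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if line:
            yield lineno, line

def lint_pf(text):
    """Return (logical line number, message) findings for a pf.conf fragment."""
    findings, defined, seen_nat = [], set(), False
    for lineno, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:                       # macro definition: record it, nothing to check
            defined.add(m.group(1))
            continue
        for name in sorted(set(MACRO_USE.findall(line))):
            if name not in defined:
                findings.append((lineno, f'macro ${name} used before definition'))
        if line.startswith('no nat'):
            if seen_nat:            # pf applies the first matching translation rule
                findings.append((lineno, '"no nat" after a "nat" rule may be shadowed; move it first'))
        elif line.startswith('nat '):
            seen_nat = True
    return findings

if __name__ == '__main__':
    for lineno, msg in lint_pf(SAMPLE):
        print(f'line {lineno}: {msg}')
```

Running it against SAMPLE reports the two undefined macros and the shadowed `no nat`; once the macros are defined and the exception is moved above the `nat` rule, it reports nothing.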