source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf@ 10609

Last change on this file since 10609 was 10606, checked in by richardvm, 13 years ago

pf has a default block configuration, ntp wasn't explicitly allowed, allowing..

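#
# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
#
# N.B: The feature points are shared between all firewall configurations to
# make comparisons easier to do
#
# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
# 3) It protects the private MGMT network from WL requests to its own services.
# 4) It protects the $ext_if by only allowing a subset of services.
# 5) The Wireless Leiden facing interfaces are not firewalled.
# 6) WL Captive Portal Support for interfaces that need it.
# 7) Optional: Exposure of WL services to the outside
# 9) Protect the Wireless Network from junk traffic.
#
# Rick van der Zwet <rick@wirelessleiden.nl>
#
# Rule order matters: pf is last-match-wins unless a rule carries "quick", so the
# broad "pass all" below is narrowed by the interface-specific block/pass rules
# that follow it.
wl_net="172.16.0.0/12"
ileiden_ports="80,443"
allow_ext_tcp="{ssh, domain}"
allow_ext_udp="{domain, snmp}"
private="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
# the public accesspoint in iLeiden setup.
ext_if="vr0"
ext_if_net="vr0:network"
captive_portal_interfaces="wlan0"
publicnat="http,https"
masterip="127.0.0.1"
# For a traditional proxy setup (no iLeiden clients!), uncomment:
#publicnat=0

# Always be nice, and return the fact we are blocking the packets
set block-policy return

# Table of authorized hosts, i.e. clients that clicked OK on the portal (6)
table <wlportal> persist counters

# NAT MGMT to Wireless Leiden (2)
nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip

# Do NOT allow NAT to the Private Network (3)
no nat from $wl_net to $private

# NAT the internet for iLeiden functionality, only for $ileiden_ports (1)
nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)

# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80

# Redirect users to the captive portal if they have not clicked OK yet (6)
no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081

# Localhost is considered safe (5)
pass quick on lo0 all

# By default all interfaces are open (5)
pass all

# By default deny all outgoing traffic to avoid systems spamming the network (9)
block out on { $captive_portal_interfaces } from any to !$wl_net

# Note: not even HTTPS traffic allowed for those who have not clicked OK yet (6)
pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state

# External interface is default-deny; only the services below are opened (4)
block on $ext_if

# Expose some local services (4)
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }

# Packets from the management LAN are allowed in (2)
pass in on $ext_if from $private to $wl_net keep state

# Allow exposing some WL Services to the inet (7)
# NOTE(review): pf filters the packet after translation, so once the rdr above
# has applied, the destination seen here is 172.16.4.46 port 80 rather than
# $ext_if port 8081; confirm this rule actually matches (e.g. via the rule
# counters) before relying on the exposure.
pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state

# Packets going out are the ones to the internet, with a per-source limit (1)
pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
 (max-src-conn-rate 100/10, max-src-conn 10)

# For proper functioning allow the local machine to initiate requests outside (4)
pass out on $ext_if inet proto udp from $ext_if to any port {domain, 1194, ntp} keep state
pass out on $ext_if inet proto tcp from $ext_if to any port {http, https, 1194} keep state
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }

# Do not allow connections to the local MGMT LAN to start (3)
block out on $ext_if from any to $private

# Limited access to the PRIVATE network to allow DHCP/DNS to function (3)
pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state

# Uncomment to allow limited access to MGMT interfaces ON the private network (3)
#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state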