source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.node.conf@ 10610

Last change on this file since 10610 was 10610, checked in by rick, 13 years ago

Makes variables and templates much cleaner allowing easy edits and mutations.
Stop hiding logic at duplicate places.

Related-To: nodefactory#129

File size: 1.7 KB
Line 
1#
2# Wireless Leiden PF firewall configuration for iLeiden Node.
3#
4# N.B: The features points are shared between all firewall configurations to
5# make comparisions more easy to do
6#
7# 5) The Wireless Leiden facing interfaces are not firewalled.
8# 6) WL Captive Portal Support for interfaces who needs it.
9# 9) Protect the Wireless Network from junk traffic.
10#
11# Rick van der Zwet <rick@wirelessleiden.nl>
12#
13
14# Global standards. NOT to be edited.
15wl_net="172.16.0.0/12"
16private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
17ileiden_ports="http,https"
18
19
20# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
21# the public accesspoint in iLeiden setup.
22captive_portal_interfaces="ue0, wlan0"
23
24# Table used to authorized hosts (6)
25table <wlportal> persist counters
26
27# Always be nice, and return the fact we are blocking the packets
28set block-policy return
29
30# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
31nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
32
33# Redirect user to captive portal they have not clicked OK yet (6)
34no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
35rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
36
37# Localhost is considered safe (5)
38pass quick on lo0 all
39
40# By default all interfaces are open (5)
41pass all
42
43# By default deny all outgoing traffic to avoid systems spamming the network (9)
44block out on { $captive_portal_interfaces } from any to !$wl_net
45
46# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
47pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
Note: See TracBrowser for help on using the repository browser.