source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf@ 10601

Last change on this file since 10601 was 10589, checked in by rick, 13 years ago

Split hybrid and special proxy setup, as the proxy setup is highly custom and
somehow exotic, not useable in the hybrid setup (due to the gateway pain).

File size: 4.8 KB
Line 
1#
2# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
3#
4# N.B: The features points are shared between all firewall configurations to
5# make comparisions more easy to do
6#
7# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
8# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
9# 3) It protects the private MGMT network from WL requests to it's own services.
10# 4) It portects the $ext_if by only allowing an subset of services.
11# 5) The Wireless Leiden facing interfaces are not firewalled.
12# 6) WL Captive Portal Support for interfaces who needs it.
13# 7) Optional: Exposure of WL services to the outside
14# 8) Overrides default route for local orginating traffic to specific ports, needed for
15# for normal proxy setup, which should NOT follow the iLeiden default route.
16# 9) Protect the Wireless Network from junk traffic.
17#
18# Rick van der Zwet <rick@wirelessleiden.nl>
19#
20wl_net="172.16.0.0/12"
21ileiden_ports="80,443"
22allow_ext_tcp="{ssh, domain}"
23allow_ext_udp="{domain, snmp}"
24private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
25
26
27# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
28# the public accesspoint in iLeiden setup.
29ext_if="vr0"
30ext_if_net="vr0:network"
31ext_if_gw="127.127.127.127"
32captive_portal_interfaces="wlan0"
33publicnat="http,https"
34masterip="127.0.0.1"
35# For an traditional proxy setup set, uncomment:
36#publicnat=0
37
38# Always be nice, and return the fact we are blocking the packets
39set block-policy return
40
41# Table used to authorized hosts (6)
42table <wlportal> persist counters
43
44# NAT MGMT to Wireless Leiden (2)
45nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip
46
47# Do NOT allow NAT to the Private Network (3)
48no nat from $wl_net to $private
49
50# Nat the internet for iLeiden functionality (1)
51nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
52
53# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
54nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
55
56# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
57rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
58
59# Redirect user to captive portal they have not clicked OK yet (6)
60no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
61rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
62
63# Localhost is considered safe (5)
64pass quick on lo0 all
65
66# By default all interfaces are open (5)
67pass all
68
69# This quirck is needed to override the routing table default route (8)
70pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port {22, 80, 443} user != unknown keep state
71pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port {53} user != unknown keep state
72
73# By default deny all outgoing traffic to avoid systems spamming the network (9)
74block out on { $captive_portal_interfaces } from any to !$wl_net
75
76# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
77pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
78
79# External interface is permissive (4)
80block on $ext_if
81
82# Expose some local services (4)
83pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
84pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
85pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
86
87# Packets from the management LAN are allowed in (2)
88pass in on $ext_if from $private to $wl_net keep state
89
90# Allow exposing some WL Services to the inet (7)
91pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
92
93# Packets going out are the ones to the internet with an certain limit (1)
94pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
95 (max-src-conn-rate 100/10, max-src-conn 10)
96
97# For proper functioning allow the local machine to initiate requests outside (4)
98pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194} keep state
99pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
100pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
101
102# Do not allow connections to the local MGNT LAN to start (3)
103block out on $ext_if from any to $private
104
105# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
106pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
107
108# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
109#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
110
Note: See TracBrowser for help on using the repository browser.