Changeset 10206 in hybrid
- Timestamp:
- Mar 17, 2012, 5:45:39 PM (14 years ago)
- Location:
- branches/releng-9.0/nanobsd/files/etc
- Files:
- 
      - 3 edited
 
 
      branches/releng-9.0/nanobsd/files/etc/ipfw.shr10201 r10206 66 66 for INF in $captive_portal_interfaces; do 67 67 ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF} 68 ${fwcmd} add 11000 deny ip from any to any in via ${INF}68 ${fwcmd} add 11000 deny ip from any to not 172.16.0.0/12 443 in via ${INF} 69 69 done 
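Review bot: The two line-68 variants replace the captive-portal catch-all `deny ip from any to any in via ${INF}` with a deny that covers only port 443 towards destinations outside 172.16.0.0/12, so every other protocol and port from an unauthenticated client on ${INF} would now fall through this rule block instead of being dropped; the page does not show which variant is the new side, so this assumes the narrower one is. If that is the intent it deserves a comment in the loop, e.g. `# only HTTP is redirected to the portal and HTTPS dropped; everything else from ${INF} continues to later rules`. As far as I remember ipfw only accepts a port list for tcp/udp/sctp, so `deny ip ... 443` should probably read `deny tcp from any to not 172.16.0.0/12 443 in via ${INF}` to match the tcp-only `fwd` rule above it — confirm by loading the rule on the node. The `for INF` loop is complete inside the hunk, but the rest of the script around it is not shown.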
- 
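--- a/branches/releng-9.0/nanobsd/files/etc/pf.conf.ileiden
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.conf.ileiden
@@ -2,13 +2,15 @@
 int_if="tap0"
 wifi_if="wlan0"
+all_node="172.31.255.1/32"
 
 wl_net="172.16.0.0/12"
 vpn_net="172.17.64.0/28"
 
-publicnat="{80, 443 }"
+publicnat="{80, 443, 22}"
 allow_ext_tcp="{22}"
 allow_ext_udp="{161}"
-allow_int_tcp="{22,53,80,3128,12345}"
-allow_int_udp="{53,67,68,131,161,12345}"
+allow_int_tcp="{22,53,80,3128}"
+allow_int_udp="{53,131,161,12345}"
+allow_int_udp_any="{67}"
 
 private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
@@ -18,6 +20,5 @@
 
 # Nat local wl access
-nat on $int_if from any to $wl_net -> ($int_if)
-pass on $ext_if from any to $wl_net keep state
+nat on $int_if from $private to $wl_net -> ($int_if)
 
 # Block all
@@ -25,21 +26,38 @@
 pass in on $int_if
 
+# Allow wl access from access point (not yet reversed)
+pass on $wifi_if from $wl_net to $wl_net
+
+# Block this device from wifi
+block in on $wifi_if inet from any to $wifi_if
+block inet from any to $all_node
+
+# Enable me to access anything
+pass out on {$ext_if, $int_if, $wifi_if} keep state
+
+# Allow internet access from the network
+pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state
+block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
+block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
+
+# Allow directives
+pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
+pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+
+pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state
+pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state
+pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
+pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state
+
+pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state
+pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state
+pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state
+pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state
+
+# Allow wl access from local network
+pass on $ext_if from $private to $wl_net keep state
+
 # Make sure to block local network access from wl
 block on $wifi_if from $wl_net to $private
 block on $int_if from $wl_net to $private
 
-# Allow wl access from access point (not yet reversed)
-pass on $wifi_if from $wl_net to $wl_net
-
-# Allow directives
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
-pass in on $int_if inet proto tcp from any to $vpn_net port $allow_int_tcp keep state
-pass in on $int_if inet proto udp from any to $vpn_net port $allow_int_udp keep state
-pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state
-
-# Enable statefull firewalling
-pass out on {$ext_if, $int_if} keep state
-
-
-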
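Review bot: The new "Block this device from wifi" rules (new lines 32-33) and the `$publicnat` blocks at 40-41 are not effective for the ports the commit cares about, because pf is last-match-wins without `quick` and the later `pass in on $wifi_if ... from $wl_net to $wl_net port $allow_int_tcp/$allow_int_udp` and icmp rules at 52-54 match the same packets: `$all_node` (172.31.255.1) lies inside `$wl_net` (172.16.0.0/12), and presumably so does the `$wifi_if` address, so a wifi client reaching 172.31.255.1:22 or :80 ends up passed by line 52. The fix is to make the block rules final with `quick` (rewritten lines below); `block inet from any to $all_node` is already overridden for outbound traffic by the `pass out` at line 36, so restricting it to `in` keeps its effective scope while letting `quick` apply. If `$all_node` is meant to serve DNS or DHCP to `$wl_net` clients, carve those ports out with an earlier `pass in quick` before making the block final, otherwise clients lose them; also note that adding 22 to `$publicnat` now lets wifi clients SSH anywhere on the internet, which deserves a comment if intentional.

```pf
# Block this device from wifi
# quick: without it the "pass ... from $wl_net to $wl_net" rules further down
# override these, since $wifi_if's address and $all_node are inside $wl_net.
block in quick on $wifi_if inet from any to $wifi_if
block in quick inet from any to $all_node
# … unchanged: pass out, publicnat pass …
block in quick on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat
block in quick on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat
# … unchanged: allow directives, wl_net pass rules, private blocks …
```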
- 
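--- a/branches/releng-9.0/nanobsd/files/etc/rc.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/rc.conf
@@ -58,4 +58,3 @@
 pf_enable="YES"
 pf_rules="/etc/pf.conf.ileiden"
-pf_flags=""
 pf2_enable="YES"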
