Index: /branches/releng-9.0/nanobsd/files/etc/pf.conf =================================================================== --- /branches/releng-9.0/nanobsd/files/etc/pf.conf (revision 10242) +++ /branches/releng-9.0/nanobsd/files/etc/pf.conf (revision 10242) @@ -0,0 +1,59 @@ +wifi_if="wlan0" +all_node="172.31.255.1/32" + +wl_net="172.16.0.0/12" +vpn_net="172.17.64.0/28" +allow_ext_tcp="{22}" +allow_ext_udp="{161}" +allow_int_tcp="{22,53,80,3128}" +allow_int_udp="{53,131,161,12345}" +allow_int_udp_any="{67}" + +private="{ 10.0.0.0/8 , 192.168.0.0/16 }" + +# Nat the internet +nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if) + +# Nat local wl access +nat on $int_if from $private to $wl_net -> ($int_if) + +# Block all +block in on $ext_if +pass in on $int_if + +# Allow wl access from access point (not yet reversed) +pass on $wifi_if from $wl_net to $wl_net + +# Block this device from wifi +block in on $wifi_if inet from any to $wifi_if +block inet from any to $all_node + +# Enable me to access anything +pass out on {$ext_if, $int_if, $wifi_if} keep state + +# Allow internet access from the network +pass in on $wifi_if inet proto tcp from $wl_net to any port $publicnat keep state +block in on $wifi_if inet proto tcp from $wl_net to $wifi_if port $publicnat +block in on $wifi_if inet proto tcp from $wl_net to $all_node port $publicnat + +# Allow directives +pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state +pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state + +pass in on $int_if inet proto tcp from $wl_net to $vpn_net port $allow_int_tcp keep state +pass in on $int_if inet proto udp from $wl_net to $vpn_net port $allow_int_udp keep state +pass in on $int_if inet proto icmp from $wl_net to $vpn_net keep state +pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state + +pass in on $wifi_if inet proto tcp from $wl_net to $wl_net port $allow_int_tcp keep state +pass in on $wifi_if inet proto udp from $wl_net to $wl_net port $allow_int_udp keep state +pass in on $wifi_if inet proto icmp from $wl_net to $wl_net keep state +pass in on $wifi_if inet proto udp from any to any port $allow_int_udp_any keep state + +# Allow wl access from local network +pass on $ext_if from $private to $wl_net keep state + +# Make sure to block local network access from wl +block on $wifi_if from $wl_net to $private +block on $int_if from $wl_net to $private +