Index: branches/releng-9.0/nanobsd/files/etc/pf.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.conf	(revision 10417)
+++ branches/releng-9.0/nanobsd/files/etc/pf.conf	(revision 10418)
@@ -1,47 +1,5 @@
-all_node="172.31.255.1/32"
-wl_net="172.16.0.0/12"
-allow_ext_tcp="{22}"
-allow_ext_udp="{161}"
-allow_int_tcp="{22,3128}"
-allow_int_udp="{53,161,12345}"
-allow_int_udp_any="{67}"
+# Localhost is considered safe
+pass quick on lo0 all
 
-private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
-
-# Nat the internet
-nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if) 
-
-# Nat local wl access
-nat on $int_if from $private to $wl_net -> ($int_if)
-
-# Redirection, needs source natting and allow rules
-#rdr on $ext_if inet proto tcp from any to $ext_if port 1022 -> 192.168.84.1 port 22    
-
-# Block all
-block in on $ext_if from any to $ext_if
-block in on $int_if from any to $int_if
-
-# Allow private to private
-# Enable me to access anything
-pass out on {$ext_if, $int_if} keep state
-
-# Allow internet access from the network
-pass in on $int_if inet proto tcp from $wl_net to any port $publicnat keep state
-block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat
-
-# Allow directives 
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
-
-pass in on $int_if inet proto tcp from $wl_net to $int_if port $allow_int_tcp keep state
-pass in on $int_if inet proto udp from $wl_net to $int_if port $allow_int_udp keep state
-pass in on $int_if inet proto icmp from $wl_net to $int_if keep state
-
-# Allow wl access from local network
-pass on $ext_if from $private to $wl_net keep state
-
-# Make sure to block local network access from wl
-block on $int_if from $wl_net to $private
-
-# Otherwise lvrouted breaks:
-pass in on $int_if
+# Default allow
+pass all
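Review bot: The new /etc/pf.conf has no header saying that it filters nothing, and with `pass all` as its last rule every packet is accepted on every interface, so a node that loads this file runs pf without any policy. A leading comment such as `# Open ruleset: passes all traffic, no filtering; see pf.proxy.conf for the restrictive set` would keep it from being mistaken for a hardened default. The `pass quick on lo0 all` line is redundant ahead of `pass all`; `set skip on lo0` is the usual form if loopback is to be exempted from filtering. The same five lines are added again as pf.open.conf in the next section, and two identical copies can drift apart.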
Index: branches/releng-9.0/nanobsd/files/etc/pf.open.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.open.conf	(revision 10418)
+++ branches/releng-9.0/nanobsd/files/etc/pf.open.conf	(revision 10418)
@@ -0,0 +1,5 @@
+# Localhost is considered safe
+pass quick on lo0 all
+
+# Default allow
+pass all
Index: branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10418)
+++ branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10418)
@@ -0,0 +1,50 @@
+all_node="172.31.255.1/32"
+wl_net="172.16.0.0/12"
+allow_ext_tcp="{22}"
+allow_ext_udp="{161}"
+allow_int_tcp="{22,3128}"
+allow_int_udp="{53,161,12345}"
+allow_int_udp_any="{67}"
+
+private="{ 10.0.0.0/8 , 192.168.0.0/16 }"
+
+# Nat the internet
+nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if) 
+
+# Nat local wl access
+nat on $int_if from $private to $wl_net -> ($int_if)
+
+# Redirection, needs source natting and allow rules
+#rdr on $ext_if inet proto tcp from any to $ext_if port 1022 -> 192.168.84.1 port 22    
+
+# Localhost is considered safe
+pass quick on lo0 all
+
+# Block all
+block in on $ext_if from any to $ext_if
+block in on $int_if from any to $int_if
+
+# Allow private to private
+# Enable me to access anything
+pass out on {$ext_if, $int_if} keep state
+
+# Allow internet access from the network
+pass in on $int_if inet proto tcp from $wl_net to any port $publicnat keep state
+block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat
+
+# Allow directives 
+pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
+pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+
+pass in on $int_if inet proto tcp from $wl_net to $int_if port $allow_int_tcp keep state
+pass in on $int_if inet proto udp from $wl_net to $int_if port $allow_int_udp keep state
+pass in on $int_if inet proto icmp from $wl_net to $int_if keep state
+
+# Allow wl access from local network
+pass on $ext_if from $private to $wl_net keep state
+
+# Make sure to block local network access from wl
+block on $int_if from $wl_net to $private
+
+# Otherwise lvrouted breaks:
+pass in on $int_if
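Review bot: The trailing `pass in on $int_if` has no `quick`, and pf applies the last matching rule, so it overrides every earlier non-quick `block` for inbound traffic on `$int_if`, including `block in on $int_if from any to $int_if` and `block on $int_if from $wl_net to $private`. If lvrouted needs this rule, the pass should be narrowed to that traffic, or the blocks that must hold should be made final, e.g. `block quick on $int_if from $wl_net to $private`. The file also uses `$ext_if`, `$int_if` and `$publicnat` without defining them, and the `-D` flags that supplied them are removed from rc.conf in this commit, so a header comment listing the required macros is needed. `all_node` and `allow_int_udp_any` are defined but not referenced by any rule in this file.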
Index: branches/releng-9.0/nanobsd/files/etc/rc.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10417)
+++ branches/releng-9.0/nanobsd/files/etc/rc.conf	(revision 10418)
@@ -53,4 +53,3 @@
 # Enable the firewall by default
 pf_enable="YES"
-pf_rules="/etc/pf.default.conf"
-pf_flags="-D ext_if=vr0 -D int_if=vr1 -D publicnat={80,443}"
+pf_rules="/etc/pf.open.conf"
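Review bot: The context comment `# Enable the firewall by default` no longer matches what is loaded, because `/etc/pf.open.conf` passes all traffic, so pf is running but enforces nothing. The comment should say so and show how to switch to filtering, e.g. `# pf is enabled with an open (pass all) ruleset; for filtering set pf_rules="/etc/pf.proxy.conf" and pf_flags="-D ext_if=<if> -D int_if=<if> -D publicnat=<ports>"`. Without the removed `pf_flags` line, pointing `pf_rules` at pf.proxy.conf would presumably fail to load, since that file relies on those macros.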
