Changeset 10448 in hybrid for branches/releng-9.0
Timestamp: Apr 12, 2012, 2:13:27 PM
Location: branches/releng-9.0/nanobsd/files/etc
Files: 2 edited
branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
r10446 r10448 8 8 # 4) It portects the $ext_if by only allowing an subset of services. 9 9 # 5) The Wireless Leiden facing interfaces are not firewalled. 10 # 11 # Rick van der Zwet <rick@wirelessleiden.nl>10 # 6) WL Captive Portal Support for interfaces who needs it. 11 # 7) Optional: Exposure of WL services to the outside 12 12 # 13 13 wl_net="172.16.0.0/12" … … 16 16 private="{ 10.0.0.0/8 , 172.16.0.0/12, 192.168.0.0/16 }" 17 17 18 19 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as 20 # the public accesspoint in iLeiden setup. 21 ext_if="vr0" 22 captive_portal_interfaces="wlan0" 23 publicnat="http,https" 24 # For an traditional proxy setup set, uncomment: 25 #publicnat=0 26 18 27 # Always be nice, and return the fact we are blocking the packets 19 28 set block-policy return 29 30 # Table used to authorized hosts (6) 31 table <wlportal> persist counters 20 32 21 33 # NAT MGMT to Wireless Leiden (2) … … 23 35 24 36 # Nat the internet but NOT to Private Network (1) 25 nat on $ext_if inet proto tcp from $wl_net to any port { http,https} -> ($ext_if)37 nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 26 38 # Do NOT allow NAT to the Private Network (3) 27 no nat log on $ext_if from $wl_net to $private 39 no nat on $ext_if from $wl_net to $private 40 41 # Redirection needs source natting and allow rules (see below) (7) 42 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80 43 44 # Redirect user to captive portal they have not clicked OK yet (6) 45 no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80 46 rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081 28 47 29 48 # Localhost is considered safe (5) … … 43 62 # Packets from the management LAN are allowed in (2) 44 63 pass in on $ext_if from $private to $wl_net keep state 64 65 # Allow exposing some WL Services to the inet (7) 66 pass in 
on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state 45 67 46 68 # Packets going out are the ones to the internet with an certain limit (1) -
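Review bot: the captive-portal interception in the rdr hunk only catches TCP port 80 (`rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081`), so a client not yet in <wlportal> still passes HTTPS, DNS and every other protocol unless a filter rule that is not part of this change blocks non-portal traffic from hosts outside the table; either add a `block` for `from ! <wlportal>` on those interfaces or state in the header comment that (6) only intercepts plain HTTP. Two smaller points in the same region: the exposure rule hardcodes `172.16.4.46` while every other site-specific value this change introduces (`ext_if`, `captive_portal_interfaces`, `publicnat`) became a macro overridable with `-D`, so make it a macro too; and `#publicnat=0` as the "traditional proxy" switch turns the nat rule into `port { 0 }`, which is not an obvious way to disable it and deserves either a comment on what pfctl does with it or a separate macro that drops the rule.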
branches/releng-9.0/nanobsd/files/etc/rc.conf
r10446 r10448 69 69 # Used with Hybrid Configuration 70 70 #pf_rules="/etc/pf.hybrid.conf" 71 #pf_flags="-D ext_if=vr0 -D publicnat=80,443"71 #pf_flags="-D ext_if=vr0 -D captive_portal_interfaces=wlan0 -D publicnat=80,443"
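Review bot: the updated `pf_flags` example is still commented out, so on a node the new in-file defaults (`ext_if="vr0"`, `captive_portal_interfaces="wlan0"`, `publicnat="http,https"`) are what actually load; since `-D` overrides a macro defined in the ruleset the example works as an override, but the comment should say that the defaults already match an ALIX2/iLeiden setup and that uncommenting the line is only needed for other hardware or a different port list, and the exposed-service address from pf.hybrid.conf should appear here as well if it becomes a macro.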