Changeset 10448 in hybrid for branches/releng-9.0


Timestamp:
Apr 12, 2012, 2:13:27 PM
Author:
rick
Message:

Two more functionality things for hybrid nodes that need it.

Location:
branches/releng-9.0/nanobsd/files/etc
Files:
2 edited

  • branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

    r10446 r10448  
    88# 4) It portects the $ext_if by only allowing an subset of services.
    99# 5) The Wireless Leiden facing interfaces are not firewalled.
    10 #
    11 # Rick van der Zwet <rick@wirelessleiden.nl>
     10# 6) WL Captive Portal Support for interfaces who needs it.
     11# 7) Optional: Exposure of WL services to the outside
    1212#
    1313wl_net="172.16.0.0/12"
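Review bot: items 6) and 7) of the header should read "for interfaces that need it", and since 7) is labelled "Optional" the header should say how a node turns it off; unlike the publicnat feature, the rules it introduces further down this file are not guarded by a macro.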
     
    1616private="{ 10.0.0.0/8 , 172.16.0.0/12, 192.168.0.0/16 }"
    1717
     18
     19# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
     20# the public accesspoint in iLeiden setup.
     21ext_if="vr0"
     22captive_portal_interfaces="wlan0"
     23publicnat="http,https"
     24# For an traditional proxy setup set, uncomment:
     25#publicnat=0
     26
    1827# Always be nice, and return the fact we are blocking the packets
    1928set block-policy return
     29
     30# Table used to authorized hosts (6)
     31table <wlportal> persist counters
    2032
    2133# NAT MGMT to Wireless Leiden (2)
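Review bot: `table <wlportal> persist counters` is the whole authorization store for the captive portal, but nothing in the hunk says what populates it or how entries leave it; with `persist` the table survives ruleset reloads, so an address added once stays authorized until something external removes it. Suggest the comment state the mechanism, e.g. `# Populated by the captive portal (pfctl -t wlportal -T add/delete); entries do not expire on their own`. Wording: "Table used to authorized hosts" should be "Table of authorized hosts", and "For an traditional proxy setup set, uncomment" should be "For a traditional proxy setup, uncomment".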
     
    2335
    2436# Nat the internet but NOT to Private Network (1)
    25 nat on $ext_if inet proto tcp from $wl_net to any port {http,https} -> ($ext_if)
     37nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if)
    2638# Do NOT allow NAT to the Private Network (3)
    27 no nat log on $ext_if from $wl_net to $private
     39no nat on $ext_if from $wl_net to $private
     40
     41# Redirection needs source natting and allow rules (see below) (7)
     42rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
     43
     44# Redirect user to captive portal they have not clicked OK yet (6)
     45no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
     46rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
    2847
    2948# Localhost is considered safe (5)
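Review bot: the exposure rule `rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80` is unconditional, so every node that loads this file forwards its external port 8081 to 172.16.4.46 even though the header calls feature 7) optional; put the target address and port behind a macro with a disabled default, the way publicnat is handled, so a node has to set it in pf_flags to enable the forward. Separately, dropping `log` from `no nat on $ext_if from $wl_net to $private` removes the only record of WL traffic reaching the private ranges untranslated; if that was deliberate, the commit message should say why.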
     
    4362# Packets from the management LAN are allowed in (2)
    4463pass in on $ext_if from $private to $wl_net keep state
     64
     65# Allow exposing some WL Services to the inet (7)
     66pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
    4567
    4668# Packets going out are the ones to the internet with an certain limit (1)
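Review bot: `pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state` will not match the forwarded connections: pf applies rdr before filtering, so the filter engine sees the packet with its translated destination, 172.16.4.46 port 80, not $ext_if port 8081. The allow rule for feature 7) should be written against the translated address, e.g. `pass in on $ext_if inet proto tcp from any to 172.16.4.46 port 80 keep state`. The comment "Redirection needs source natting and allow rules (see below)" also promises a source-nat rule for this traffic that is not visible anywhere in this changeset.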
  • branches/releng-9.0/nanobsd/files/etc/rc.conf

    r10446 r10448  
    6969# Used with Hybrid Configuration
    7070#pf_rules="/etc/pf.hybrid.conf"
    71 #pf_flags="-D ext_if=vr0 -D publicnat=80,443"
     71#pf_flags="-D ext_if=vr0 -D captive_portal_interfaces=wlan0 -D publicnat=80,443"
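Review bot: the example pf_flags line documents only the single-interface case; since pf.hybrid.conf wraps the macro in braces (`{ $captive_portal_interfaces }`), more than one interface is given comma-separated without spaces, e.g. `-D captive_portal_interfaces=wlan0,wlan1`, which is worth stating here. Also note that -D values override the defaults set inside pf.hybrid.conf (`ext_if="vr0"`, `captive_portal_interfaces="wlan0"`, `publicnat="http,https"`), so this comment and those defaults should be kept in step.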