Changeset 10580 in hybrid for branches/releng-9.0
- Timestamp:
- Apr 26, 2012, 11:14:59 AM (13 years ago)
- Location:
- branches/releng-9.0/nanobsd/files/etc
- Files:
-
- 2 edited
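--- a/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
@@ -1,5 +1,7 @@
 #
-# Wirless Leiden PF firewall configuration for Proxy Setup. This firewall has 5
-# main features:
+# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do
 #
 # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
@@ -13,5 +15,9 @@
 # for normal proxy setup, which should NOT follow the iLeiden default route.
 # 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
 wl_net="172.16.0.0/12"
+ileiden_ports="80,443"
 allow_ext_tcp="{ssh, domain}"
 allow_ext_udp="{domain, snmp}"
@@ -43,11 +49,10 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { 80,443} -> ($ext_if)
+nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
 
 # Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { 80,443} -> ($ext_if)
+nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
 
-
-# Redirection needs source natting and allow rules (see below) (7)
+# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
 
@@ -70,5 +75,5 @@
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { 80, 443} keep state
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
 
 # External interface is permissive (4)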
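Review bot: The new `ileiden_ports` macro at line 21 carries no comment, yet it now drives both the outbound NAT rules (1) and (8) and the post-authorization captive-portal pass rule (6) at line 77, so any port added to it is opened for authenticated clients as well as NATed to the internet. A one-line comment would make that coupling visible: `# Ports NATed to the internet (1, 8) and allowed out for authorized captive-portal clients (6); extending this list widens both.`. Separately, rule (8) at line 54 still matches `from $wl_net to any`, so if HTTP traffic between two WL hosts ever transits a non-$ext_if interface of this box it is source-rewritten to the external address; if that is not intended, `to !$wl_net` would align its scope with the pass rule in (6) — I cannot tell from this file whether such traffic is routed here, so treat this as a question rather than a defect.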
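--- a/branches/releng-9.0/nanobsd/files/etc/pf.node.conf
+++ b/branches/releng-9.0/nanobsd/files/etc/pf.node.conf
@@ -1,3 +1,22 @@
-# Table used to authorized hosts
+#
+# Wireless Leiden PF firewall configuration for iLeiden Node.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do
+#
+# 5) The Wireless Leiden facing interfaces are not firewalled.
+# 6) WL Captive Portal Support for interfaces who needs it.
+# 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+wl_net="172.16.0.0/12"
+ileiden_ports="80,443"
+
+# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
+# the public accesspoint in iLeiden setup.
+captive_portal_interfaces="ue0, wlan0"
+
+# Table used to authorized hosts (6)
 table <wlportal> persist counters
 
@@ -5,14 +24,20 @@
 set block-policy return
 
-# Localhost is considered safe and should thus not be filtered
-set skip on lo0
+# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
+nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if)
 
-wl_net="172.16.0.0/12"
-#captive_ifs="vr0,vr1,vr2,ue0"
+# Redirect user to captive portal they have not clicked OK yet (6)
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
 
-# Redirect user to captive portal they have not clicked OK yet.
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 127.0.0.1 port 8082
+# Localhost is considered safe (5)
+pass quick on lo0 all
 
-# Default allow
+# By default all interfaces are open (5)
 pass all
+
+# By default deny all outgoing traffic to avoid systems spamming the network (9)
+block out on { $captive_portal_interfaces } from any to !$wl_net
+
+# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state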
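Review bot: The new nat rule at line 27 references `$ext_if`, but nothing visible in this file defines it — `wl_net`, `ileiden_ports` and `captive_portal_interfaces` are all introduced by this commit and the only unchanged line not shown is line 23. If `ext_if` is not set there or injected by the nanobsd build, `pfctl -f` rejects the whole ruleset with an undefined-macro error and the node keeps whatever rules were loaded before; a `pfctl -nf pf.node.conf` on a built image would settle it. The captive-portal redirect at line 31 also hard-codes `172.31.255.1 port 8081`; a macro such as `captive_portal_addr="172.31.255.1"` next to `captive_portal_interfaces` would keep it in step with the other per-node settings introduced here. It is worth a comment that `172.31.255.1` lies inside `$wl_net`, since that is what lets the redirected portal traffic pass the `block out ... to !$wl_net` rule at line 40 — the old `127.0.0.1` target did not have that property and relied on the removed `set skip on lo0`.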