Index: branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10579)
+++ branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf	(revision 10580)
@@ -1,5 +1,7 @@
 #
-# Wirless Leiden PF firewall configuration for Proxy Setup. This firewall has 5
-# main features:
+# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do 
 #
 # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
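Review bot: The new header sentence at lines 11-12 introduces two typos ("comparisions", "more easy") and a trailing space, and the same sentence is added verbatim to the pf.node.conf header in this diff, so both copies want the same fix: `# N.B: The feature points are shared between all firewall configurations to` / `# make comparisons easier.` Nothing else in this hunk changes behaviour.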
@@ -13,5 +15,9 @@
 #    for normal proxy setup, which should NOT follow the iLeiden default route.
 # 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
 wl_net="172.16.0.0/12"
+ileiden_ports="80,443"
 allow_ext_tcp="{ssh, domain}"
 allow_ext_udp="{domain, snmp}"
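Review bot: The new `ileiden_ports` macro has no comment, although this diff uses it in rules with different purposes — the two NAT rules (1 and 8) and the captive-portal pass-out rule (6) — so a later edit that widens the NAT port list silently also widens what authorised `<wlportal>` hosts may reach. A one-line comment above the definition would make that coupling explicit, e.g. `# Ports NATed for iLeiden clients; also the only external ports <wlportal> hosts may reach (rules 1, 6, 8)`. The same definition is added to pf.node.conf and deserves the same note.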
@@ -43,11 +49,10 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if) 
+nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
 
 # Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { 80,443 } -> ($ext_if) 
+nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
 
-
-# Redirection needs source natting and allow rules (see below) (7)
+# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
 rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
 
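Review bot: Both rewritten nat lines keep a trailing space after `($ext_if)` that the diff carries over from the old lines; trim it while these lines are being touched. Since this hunk moves the port list into a macro, the rdr target `172.16.4.46` on the following context line is now the only hard-coded address in this section and could follow the same pattern (for example a `proxy_host` macro defined next to `wl_net`), which would also make the "allow rules (bottom of file)" the comment refers to easier to keep in step with it.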
@@ -70,5 +75,5 @@
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { 80, 443 } keep state
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
 
 # External interface is permissive (4)
Index: branches/releng-9.0/nanobsd/files/etc/pf.node.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.node.conf	(revision 10579)
+++ branches/releng-9.0/nanobsd/files/etc/pf.node.conf	(revision 10580)
@@ -1,3 +1,22 @@
-# Table used to authorized hosts
+#
+# Wireless Leiden PF firewall configuration for iLeiden Node.
+#
+# N.B: The features points are shared between all firewall configurations to
+# make comparisions more easy to do 
+#
+# 5) The Wireless Leiden facing interfaces are not firewalled.
+# 6) WL Captive Portal Support for interfaces who needs it.
+# 9) Protect the Wireless Network from junk traffic.
+#
+# Rick van der Zwet <rick@wirelessleiden.nl>
+#
+wl_net="172.16.0.0/12"
+ileiden_ports="80,443"
+
+# Default configuration for ALIX2 with ue0 as public interface and wlan0 as
+# the public accesspoint in iLeiden setup. 
+captive_portal_interfaces="ue0, wlan0"
+
+# Table used to authorized hosts (6)
 table <wlportal> persist counters
 
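Review bot: The feature list added at lines 7-9 names only points 5, 6 and 9, yet the second hunk of this file adds a NAT rule annotated `(8)`, so the header's claim that feature points are shared across configurations is already out of sync within the file. Add an `# 8) …` line for the NAT-for-own-traffic rule, reusing the wording of point 8 from the pf.hybrid.conf header so the numbering stays aligned. The comment above `captive_portal_interfaces` calls ue0 the public interface; stating there which macro is expected to name the uplink would help, since `$ext_if` is referenced later in this file but not defined in the lines shown.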
@@ -5,14 +24,20 @@
 set block-policy return
 
-# Localhost is considered safe and should thus not be filtered
-set skip on lo0
+# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
+nat on !$ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
 
-wl_net="172.16.0.0/12"
-#captive_ifs="vr0,vr1,vr2,ue0"
+# Redirect user to captive portal they have not clicked OK yet (6)
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
 
-# Redirect user to captive portal they have not clicked OK yet.
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 127.0.0.1 port 8082
+# Localhost is considered safe (5)
+pass quick on lo0 all
 
-# Default allow
+# By default all interfaces are open (5)
 pass all
+
+# By default deny all outgoing traffic to avoid systems spamming the network (9)
+block out on { $captive_portal_interfaces } from any to !$wl_net
+
+# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
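Review bot: The new nat rule at line 81 references `$ext_if`, which is not defined in any of the new lines shown for this file (the old file only defined `wl_net`); unless it is set on the single line between the two hunks, pfctl will refuse to load the ruleset with an undefined-macro error, so please confirm the definition or add `ext_if="ue0"` (or whichever interface is the uplink) beside the other macros. The ordering of the new rules relies on pf's last-match semantics — `pass all` is overridden by the following `block out` for the portal interfaces, which is in turn narrowed by the final `pass out` — and a comment such as `# Order matters: last matching rule wins` above `pass all` would spare the next reader from re-deriving it. The redirect target changed from 127.0.0.1:8082 to 172.31.255.1:8081, which lies inside $wl_net and is therefore not caught by the new block rule; that dependency is worth stating in the rdr comment.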
