Changeset 10610 in hybrid for branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

Timestamp:

Apr 29, 2012, 1:51:20 PM (13 years ago)

Author:

rick

Message:

Makes variables and templates much cleaner allowing easy edits and mutations.
Stop hiding logic at duplicate places.

Related-To: nodefactory#129

File:

• branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf (modified) (7 diffs)

branches/releng-9.0/nanobsd/files/etc/pf.hybrid.conf

@@ -16 +16 @@
 # Rick van der Zwet <rick@wirelessleiden.nl>
 #
-wl_net="172.16.0.0/12"
-ileiden_ports="80,443"
-allow_ext_tcp="{ssh, domain}"
-allow_ext_udp="{domain, snmp}"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
 
+# Standard port allow listings
+allow_ext_in_tcp="ssh, domain"
+allow_ext_in_udp="domain, snmp"
+
+allow_ext_out_tcp = "domain, http, https, 1194"
+allow_ext_out_udp = "domain, ntp, 1194"
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
@@ -32 +33 @@
 # For an traditional proxy setup set (no iLeiden clients!), uncomment:
 #publicnat=0
+
+# Global standards. NOT to be edited.
+wl_net="172.16.0.0/12"
+private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
+ileiden_ports="http,https"
 
 # Always be nice, and return the fact we are blocking the packets
@@ -46 +52 @@
 
 # Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $ileiden_ports } -> ($ext_if) 
+nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 
 
 # Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port 80
+rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
 
 # Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port 80
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port 80 -> 172.31.255.1 port 8081
+no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
+rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
 
 # Localhost is considered safe (5)
@@ -65 +71 @@
 
 # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
+pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $publicnat } keep state
 
 # External interface is permissive (4)
@@ -71 +77 @@
 
 # Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
-pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state
+pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
+pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
 
@@ -78 +84 @@
 pass in on $ext_if from $private to $wl_net keep state
 
-# Allow exposing some WL Services to the inet (7)
+# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
 pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
 
@@ -86 +92 @@
 
 # For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto udp from $ext_if to any port{domain, 1194, ntp} keep state
-pass out on $ext_if inet proto tcp from $ext_if to any port{http, https, 1194} keep state
+pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
+pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
 pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }