Index: branches/releng-9.0/nanobsd/files/etc/ipfw.sh
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/ipfw.sh	(revision 10704)
+++ 	(revision )
@@ -1,69 +1,0 @@
-#!/bin/sh -
-
-# Based on /etc/rc.firewall
-
-# Suck in the configuration variables.
-if [ -z "${source_rc_confs_defined}" ]; then
-	if [ -r /etc/defaults/rc.conf ]; then
-		. /etc/defaults/rc.conf
-		source_rc_confs
-	elif [ -r /etc/rc.conf ]; then
-		. /etc/rc.conf
-	fi
-fi
-
-setup_loopback () {
-	############
-	# Only in rare cases do you want to change these rules
-	#
-	${fwcmd} add 100 pass all from any to any via lo0
-	${fwcmd} add 200 deny all from any to 127.0.0.0/8
-	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-}
-
-############
-# Set quiet mode if requested
-#
-case ${firewall_quiet} in
-[Yy][Ee][Ss])
-	fwcmd="/sbin/ipfw -q"
-	;;
-*)
-	fwcmd="/sbin/ipfw"
-	;;
-esac
-
-############
-# Flush out the list before we begin.
-#
-${fwcmd} -f flush
-
-setup_loopback
-
-############
-
-# By default no firewalling
-${fwcmd} add 65000 pass all from any to any
-
-# Transproxy/WLportal/Captive portal
-${fwcmd} add 10000 allow tcp from any to localhost 80
-${fwcmd} add 10001 allow tcp from any to me 80
-
-############
-# Reserved: Whitelist rule numbers
-# 10002 - 10009
-NR=10002
-  for IP in $captive_portal_whitelist; do
-  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
-  NR=`expr $NR + 1`
-done
-
-############
-# Reserved: WLPortal rule numbers
-# 10010 - 10099
-
-# Forward rules work without a base address, so needed a loop over all inet4 adresses
-for INF in $captive_portal_interfaces; do
-  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
-  ${fwcmd} add 11000 deny ip from any to not 172.16.0.0/12 443 in via ${INF} 
-done
Index: branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf
===================================================================
--- branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf	(revision 10704)
+++ 	(revision )
@@ -1,118 +1,0 @@
-#
-# Wireless Leiden PF firewall configuration for (iLeiden) Proxy Setup.
-#
-# N.B: The features points are shared between all firewall configurations to
-# make comparisions more easy to do 
-#
-# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
-# 2) It supports incoming NAT from the private MGMT network, for maintenance use.
-# 3) It protects the private MGMT network from WL requests to it's own services.
-# 4) It portects the $ext_if by only allowing an subset of services.
-# 5) The Wireless Leiden facing interfaces are not firewalled.
-# 6) WL Captive Portal Support for interfaces who needs it.
-# 7) Optional: Exposure of WL services to the outside
-# 8) Overrides default route for local orginating traffic to specific ports, needed for
-#    for normal proxy setup, which should NOT follow the iLeiden default route.
-# 9) Protect the Wireless Network from junk traffic.
-#
-# Rick van der Zwet <rick@wirelessleiden.nl>
-#
-
-# Standard port allow listings
-allow_ext_in_tcp="ssh, domain"
-allow_ext_in_udp="domain, snmp"
-
-allow_ext_out_tcp = "domain, http, https, 1194"
-allow_ext_out_udp = "domain, ntp, 1194"
-
-# Default configuration for ALIX2 with vr0 as external interface and wlan0 as
-# the public accesspoint in iLeiden setup. 
-ext_if="vr0"
-ext_if_net="vr0:network"
-ext_if_gw="127.127.127.127"
-captive_portal_interfaces="wlan0"
-#publicnat="http,https"
-masterip="127.0.0.1"
-# For an traditional proxy setup set, uncomment:
-publicnat=0
-
-# Global standards. NOT to be edited.
-wl_net="172.16.0.0/12"
-private="{ 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16 }"
-ileiden_ports="http,https"
-
-
-# Always be nice, and return the fact we are blocking the packets
-set block-policy return
-
-# Table used to authorized hosts (6)
-table <wlportal> persist counters
-
-# NAT MGMT to Wireless Leiden (2)
-nat on ! $ext_if from $ext_if_net to $wl_net -> $masterip
-
-# Do NOT allow NAT to the Private Network (3)
-no nat from $wl_net to $private
-
-# Nat the internet for iLeiden functionality (1)
-nat on $ext_if inet proto tcp from $wl_net to any port { $publicnat } -> ($ext_if) 
-
-# Nat to the internet for packets which are orginating from itself for proxy functionality (8)
-nat on !$ext_if inet proto tcp from $wl_net to any port { $allow_ext_out_tcp } -> ($ext_if) 
-nat on !$ext_if inet proto udp from $wl_net to any port { $allow_ext_out_udp } -> ($ext_if) 
-
-# Redirect some internal facing services outside, please mind also need allow rules (bottom of file) (7)
-rdr on $ext_if inet proto tcp from any to $ext_if port 8081 -> 172.16.4.46 port http
-
-# Redirect user to captive portal they have not clicked OK yet (6)
-no rdr on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port http
-rdr on { $captive_portal_interfaces } proto tcp from $wl_net to !$wl_net port http -> 172.31.255.1 port 8081
-
-# Localhost is considered safe (5)
-pass quick on lo0 all
-
-# By default all interfaces are open (5)
-pass all
-
-# This quirck is needed to override the routing table default route (8) 
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto tcp from any to !$wl_net port { $allow_ext_out_tcp } user != unknown keep state
-pass out on !$ext_if route-to ($ext_if $ext_if_gw) proto udp from any to !$wl_net port { $allow_ext_out_udp } user != unknown keep state
-
-# By default deny all outgoing traffic to avoid systems spamming the network (9)
-block out on { $captive_portal_interfaces } from any to !$wl_net
-
-# Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6)
-pass out on { $captive_portal_interfaces } proto tcp from <wlportal> to !$wl_net port { $ileiden_ports } keep state
-
-# External interface is permissive (4)
-block on $ext_if
-
-# Expose some local services (4)
-pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
-pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
-pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
-
-# Packets from the management LAN are allowed in (2)
-pass in on $ext_if from $private to $wl_net keep state
-
-# Allow exposing some (internal) WL Services to the inet - see rdr on top as well (7)
-pass in on $ext_if inet proto tcp from any to $ext_if port { 8081 } keep state
-
-# Packets going out are the ones to the internet with an certain limit (1)
-pass out on $ext_if inet proto tcp from $wl_net to any port { $publicnat } keep state \
- (max-src-conn-rate 100/10, max-src-conn 10)
-
-# For proper functioning allow the local machine to initiate requests outside (4)
-pass out on $ext_if inet proto tcp from $ext_if to any port { $allow_ext_out_tcp } keep state
-pass out on $ext_if inet proto udp from $ext_if to any port { $allow_ext_out_udp } keep state
-pass out on $ext_if inet proto icmp from $ext_if to any icmp-type { echoreq }
-
-# Do not allow connections to the local MGNT LAN to start (3)
-block out on $ext_if from any to $private
-
-# Limited acess PRIVATE network to allow DHCP/DNS to function (3)
-pass out on $ext_if inet proto {udp, tcp} from $ext_if to $private port {domain} keep state
-
-# Uncomment to allow limited access to MGNT interfaces ON the private network (3)
-#pass out on $ext_if inet proto tcp from $ext_if to $private port {ssh, http, https} keep state
-
