Index: /branches/releng-9/nanobsd/files/etc/pf.hybrid.conf
===================================================================
--- /branches/releng-9/nanobsd/files/etc/pf.hybrid.conf	(revision 13233)
+++ /branches/releng-9/nanobsd/files/etc/pf.hybrid.conf	(revision 13234)
@@ -17,7 +17,11 @@
 #
 
-# Standard port allow listings
-allow_ext_in_tcp="ssh, domain, openvpn"
-allow_ext_in_udp="domain, snmp, openvpn"
+# Standard port allow listings for external services
+allow_ext_in_tcp="1022, openvpn"
+allow_ext_in_udp="snmp, openvpn"
+
+# Standard port allow listings for services at host network (in case of NAT)
+allow_private_in_tcp="domain"
+allow_private_in_udp="domain"
 
 allow_ext_out_tcp = "domain, http, https, openvpn"
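Review bot: `snmp` stays in `allow_ext_in_udp`, so SNMP is still accepted from `any` on the external interface even though this change moves `domain` to the new private-only lists. Unless external polling is really required, it looks like a better fit for the private list: `allow_private_in_udp="domain, snmp"`. The bare `1022` in `allow_ext_in_tcp` also deserves a comment saying which service it is, for example `# 1022: sshd moved off port 22` if that is what it replaces. The inference about sshd comes only from `ssh` being dropped on the same line, so confirm it against the sshd configuration.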
@@ -26,5 +30,5 @@
 
 # Default configuration for ALIX2 with vr0 as external interface and wlan0 as
-# the public accesspoint in iLeiden setup, no aliases on interfaces.
+# the public accesspoint in iLeiden setup, aliases on external interface OK.
 ext_if="vr0"
 ext_ip="(vr0:0)"
@@ -54,6 +58,6 @@
 no nat from $wl_net to $private
 
-# Nat the internet for iLeiden functionality (1)
-nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_if)
+# Nat the internet for iLeiden functionality allow for alias on vr0 (1)
+nat on $inet_if inet proto tcp from $wl_net to ! $wl_net port { $publicnat } -> ($inet_ip)
 
 
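Review bot: The new NAT target `($inet_ip)` uses a macro whose definition is not in this diff, while the visible `ext_ip` macro already carries its own parentheses (`"(vr0:0)"`). If `inet_ip` is defined the same way, the rule expands to `-> ((vr0:0))`, which pf would most likely reject at parse time; in that case the target should be written `-> $inet_ip`. Either way, check the file with `pfctl -nf` before it ships in an image, because a ruleset that fails to load may leave the node without the intended filtering and NAT.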
@@ -91,5 +95,10 @@
 pass out quick on $ext_if from $wl_net to $wl_net
 
-# Expose some local services (4)
+# Expose some local services for internal (NATted) network (4)
+pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
+pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
+pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
+
+# Expose some local services for the external world (WWW) network (4)
 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
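Review bot: The three new `from $private` rules trust the source address alone on the external interface, and `$private` is defined outside this hunk. If it covers all private ranges rather than just the attached uplink subnet, the resolver answers any upstream host that presents such a source, and for UDP that source is easy to forge. Consider narrowing the match to the directly connected network, e.g. `from $ext_if:network`, or add a comment stating why the wider range is needed. The icmp rule also omits the `keep state` that its two siblings spell out, and both comment headings now carry the same `(4)` label.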
