Index: branches/releng-10/nanobsd/files/etc/ipfw.sh
===================================================================
--- branches/releng-10/nanobsd/files/etc/ipfw.sh	(revision 13459)
+++ branches/releng-10/nanobsd/files/etc/ipfw.sh	(revision 13459)
@@ -0,0 +1,68 @@
+#!/bin/sh -
+
+# Based on /etc/rc.firewall
+
+# Suck in the configuration variables.
+if [ -z "${source_rc_confs_defined}" ]; then
+	if [ -r /etc/defaults/rc.conf ]; then
+		. /etc/defaults/rc.conf
+		source_rc_confs
+	elif [ -r /etc/rc.conf ]; then
+		. /etc/rc.conf
+	fi
+fi
+
+setup_loopback () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fwcmd} add 100 pass all from any to any via lo0
+	${fwcmd} add 200 deny all from any to 127.0.0.0/8
+	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
+
+############
+# Set quiet mode if requested
+#
+case ${firewall_quiet} in
+[Yy][Ee][Ss])
+	fwcmd="/sbin/ipfw -q"
+	;;
+*)
+	fwcmd="/sbin/ipfw"
+	;;
+esac
+
+############
+# Flush out the list before we begin.
+#
+${fwcmd} -f flush
+
+setup_loopback
+
+############
+
+# By default no firewalling
+${fwcmd} add 65000 pass all from any to any
+
+# Transproxy/WLportal/Captive portal
+${fwcmd} add 10000 allow tcp from any to localhost 80
+${fwcmd} add 10001 allow tcp from any to me 80
+
+############
+# Reserved: Whitelist rule numbers
+# 10002 - 10009
+NR=10002
+  for IP in $captive_portal_whitelist; do
+  ${fwcmd} add $NR allow tcp from $IP to not 172.16.0.0/12 dst-port 80
+  NR=`expr $NR + 1`
+done
+
+############
+# Reserved: WLPortal rule numbers
+# 10010 - 10099
+
+# Forward rules work without a base address, so needed a loop over all inet4 adresses
+for INF in $captive_portal_interfaces; do
+  ${fwcmd} add 10100 fwd 172.31.255.1,8081 tcp from any to not 172.16.0.0/12 80 in via ${INF}
+done
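Review bot: The whitelist loop at `for IP in $captive_portal_whitelist` never checks that `$NR` stays inside the reserved 10002-10009 range, so a ninth entry silently lands in the 10010-10099 WLPortal range and, past the 10100 fwd rule, later entries are evaluated after the redirect and never exempt that client. Bound the counter before the add, e.g. `[ "$NR" -le 10009 ] || { echo "ipfw.sh: captive_portal_whitelist has more than 8 entries, ignoring $IP" >&2; break; }`, and use `NR=$((NR + 1))` instead of the `expr` subshell since the script is `#!/bin/sh`. The two-space indent on that `for` line should match the tabs used elsewhere in the file. Separately, rule 200 denies anything to 127.0.0.0/8 that was not already passed by rule 100 via lo0, so rule 10000 `allow tcp from any to localhost 80` appears unreachable if `localhost` resolves to 127.0.0.1 here; a comment stating what it is meant to catch, or its removal, would help.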
Index: branches/releng-10/nanobsd/files/etc/rc.conf
===================================================================
--- branches/releng-10/nanobsd/files/etc/rc.conf	(revision 13458)
+++ branches/releng-10/nanobsd/files/etc/rc.conf	(revision 13459)
@@ -29,5 +29,4 @@
 netwait_timeout="20"
 netwait_ip="8.8.8.8 172.16.4.46 172.27.129.1 172.17.14.1"
-
 
 # Block the full range as smaller subnets are used for allowances, this avoids
@@ -78,5 +77,6 @@
 # low-memory footprint DHCP and non-authorative recursive forwarding DNS resolver
 dnsmasq_enable="NO"
-local_unbound_enable="YES"
+local_unbound_enable="NO"
+unbound_enable="YES"
 
 # Explicitly disable the memory-hungry alternatives
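Review bot: The switch from `local_unbound_enable` to `unbound_enable="YES"` is undocumented, and the base and ports rc scripts read different configuration trees (presumably /var/unbound for local_unbound and /usr/local/etc/unbound for the port; confirm on the image), while nothing in this commit carries a resolver configuration across. A one-line comment such as `# Use the ports unbound (unbound_enable), not base local_unbound; its config lives under /usr/local/etc/unbound` above the two lines would record the intent. `local_unbound_enable="NO"` matches the default, so keep it only if it is meant as documentation.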
@@ -94,17 +94,7 @@
 
 # Enable the firewall by default
-pf_enable="YES"
-pf_rules="/etc/pf.open.conf"
-pf_flags=''
-# Used with Proxy Configuration
-#pf_rules="/etc/pf.proxy.conf"
-#pf_flags="-D ext_if=vr0 -D int_if=vr1 -D publicnat={80,443}"
-# Used with Node Configuration 
-#pf_rules="/etc/pf.node.conf"
-#pf_flags="-D captive_portal_interfaces=wlan0,wlan1"
-# Used with Hybrid Configuration
-#pf_rules="/etc/pf.hybrid.conf"
-#pf_flags="-D ext_if=vr0 -D captive_portal_interfaces=wlan0 -D publicnat=80,443"
-
+# Firewall needed for port redirection (captive portal, splash screen), use ipfw not pf
+firewall_enable="YES"
+firewall_script="/etc/ipfw.sh"
 
 # Autogenerated flags are used during runtime
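Review bot: `firewall_script="/etc/ipfw.sh"` hands control to a script that reads `captive_portal_interfaces` and `captive_portal_whitelist` from rc.conf, but neither variable is set or mentioned in this hunk, and the removed pf comments were the only place the per-configuration interface lists were documented. Add after `firewall_script` a comment such as `# Consumed by /etc/ipfw.sh: captive_portal_interfaces (port 80 redirected to the portal), captive_portal_whitelist (up to 8 clients that bypass it)`, and explicit empty assignments if that is the intended default, since an image built without them loads no fwd rule at all. The context comment `# Enable the firewall by default` now describes a ruleset that passes everything except the port-80 redirect; rewording it to say so avoids implying pf-style filtering still happens.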
