Changeset 13700 in hybrid for branches/releng-11/nanobsd


Timestamp: Jan 15, 2017, 9:19:19 PM (8 years ago)
Author: rick
Message:

Remove inbound NAT functionality for MGMT purposes; it is not used and is causing confusion.

While here: restrict outbound ports to used services.

File: 1 edited

  • branches/releng-11/nanobsd/files/etc/pf.hybrid.conf

    r13694 r13700  
    66#
    77# 1) It supports outgoing NAT to specified ports. The so called iLeiden setup.
    8 # 2) It supports incoming NAT from the private MGMT network, for maintenance use.
    98# 3) It protects the private MGMT network from WL requests to it's own services.
    109# 4) It portects the $ext_if by only allowing an subset of services.
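Review bot: deleting item 2 leaves the header list numbered 1, 3, 4, and the rule comments further down still cite those numbers ("(3)", "(4)"), so the gap now looks accidental; either renumber both the header and the references, or add a word noting that item 2 was removed. While touching these lines, the neighbouring typos in the context could be fixed too: "it's own services" should be "its own services", "portects" should be "protects", and "an subset" should be "a subset".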
     
    1817
    1918# Standard port allow listings for external services
    20 allow_ext_in_tcp="1022, openvpn"
    21 allow_ext_in_udp="snmp, openvpn"
     19allow_ext_in_tcp="1022"
     20allow_ext_in_udp=""
    2221
    23 # Standard port allow listings for services at host network (in case of NAT)
    24 allow_private_in_tcp="domain"
    25 allow_private_in_udp="domain"
    26 
    27 allow_ext_out_tcp = "domain, http, https, openvpn"
    28 allow_ext_out_udp = "domain, ntp, openvpn"
     22allow_ext_out_tcp = "domain, http, https"
     23allow_ext_out_udp = "domain, ntp"
    2924
    3025
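Review bot: `allow_ext_in_udp=""` leaves the macro empty, but the unchanged rule lower in the file (`pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state`) still expands it, which yields `port { }`; pfctl does not accept an empty port list, so the whole ruleset will fail to load. Either remove that udp rule together with the macro contents, or keep the macro non-empty. Separately, dropping `snmp` and `openvpn` from the external inbound lists is neither the NAT removal nor the outbound restriction described in the commit message, yet it changes what the node exposes on $ext_if; the message should say so.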
     
    4944# Table used to authorized hosts (6)
    5045table <wlportal> persist counters
    51 
    52 # NAT MGMT to Wireless Leiden (2)
    53 nat on ! $ext_if from $private to $wl_net -> $masterip
    5446
    5547# Do NOT allow NAT to the Private Network (3)
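Review bot: with the `nat on ! $ext_if from $private to $wl_net -> $masterip` rule gone, check whether `$masterip` is still referenced anywhere else in the file; if this was its only use, the macro definition should be removed as well rather than left as dead configuration. The surviving comment "Do NOT allow NAT to the Private Network (3)" now follows the `<wlportal>` table directly with nothing explaining which NAT it contrasts with, so a short remark that inbound MGMT NAT was dropped would help the next reader. The context line "Table used to authorized hosts" should probably read "Table of authorized hosts".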
     
    9385pass out quick on $ext_if from $wl_net to $wl_net
    9486
    95 # Expose some local services for internal (NATted) network (4)
    96 pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state
    97 pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state
    98 pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }
    99 
    10087# Expose some local services for the external world (WWW) network (4)
    10188pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state
    10289pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state
    10390pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq }
    104 
    105 # Packets from the management LAN are allowed in (2)
    106 pass in on $ext_if from $private to $wl_net keep state
    10791
    10892# Packets going out are the ones to the internet with an certain limit (1)
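Review bot: removing `pass in on $ext_if from $private to $wl_net keep state` takes away all access from $private hosts to $wl_net via $ext_if, not only the exposure of local services, which is the intent of the commit message but is worth stating explicitly in the "Expose some local services for the external world" comment block, since both that block and the deleted private-services block were labelled "(4)" and only one remains. The context line "with an certain limit" should read "with a certain limit".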