Changeset 13700 in hybrid for branches/releng-11/nanobsd/files/etc/pf.hybrid.conf
- Timestamp:
- Jan 15, 2017, 9:19:19 PM (8 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/releng-11/nanobsd/files/etc/pf.hybrid.conf
r13694 r13700 6 6 # 7 7 # 1) It supports outgoing NAT to specified ports. The so called iLeiden setup. 8 # 2) It supports incoming NAT from the private MGMT network, for maintenance use.9 8 # 3) It protects the private MGMT network from WL requests to it's own services. 10 9 # 4) It portects the $ext_if by only allowing an subset of services. … … 18 17 19 18 # Standard port allow listings for external services 20 allow_ext_in_tcp="1022 , openvpn"21 allow_ext_in_udp=" snmp, openvpn"19 allow_ext_in_tcp="1022" 20 allow_ext_in_udp="" 22 21 23 # Standard port allow listings for services at host network (in case of NAT) 24 allow_private_in_tcp="domain" 25 allow_private_in_udp="domain" 26 27 allow_ext_out_tcp = "domain, http, https, openvpn" 28 allow_ext_out_udp = "domain, ntp, openvpn" 22 allow_ext_out_tcp = "domain, http, https" 23 allow_ext_out_udp = "domain, ntp" 29 24 30 25 … … 49 44 # Table used to authorized hosts (6) 50 45 table <wlportal> persist counters 51 52 # NAT MGMT to Wireless Leiden (2)53 nat on ! $ext_if from $private to $wl_net -> $masterip54 46 55 47 # Do NOT allow NAT to the Private Network (3) … … 93 85 pass out quick on $ext_if from $wl_net to $wl_net 94 86 95 # Expose some local services for internal (NATted) network (4)96 pass in on $ext_if inet proto tcp from $private to $ext_if port { $allow_private_in_tcp } keep state97 pass in on $ext_if inet proto udp from $private to $ext_if port { $allow_private_in_udp } keep state98 pass in on $ext_if inet proto icmp from $private to $ext_if icmp-type { echoreq }99 100 87 # Expose some local services for the external world (WWW) network (4) 101 88 pass in on $ext_if inet proto tcp from any to $ext_if port { $allow_ext_in_tcp } keep state 102 89 pass in on $ext_if inet proto udp from any to $ext_if port { $allow_ext_in_udp } keep state 103 90 pass in on $ext_if inet proto icmp from any to $ext_if icmp-type { echoreq } 104 105 # Packets from the management LAN are allowed in (2)106 pass in on $ext_if from $private to $wl_net keep state107 91 108 92 # Packets going out are the ones to the internet with an certain limit (1)
Note:
See TracChangeset
for help on using the changeset viewer.