Index: branches/releng-11/nanobsd/files/etc/pf.hybrid.conf =================================================================== --- branches/releng-11/nanobsd/files/etc/pf.hybrid.conf (revision 13771) +++ branches/releng-11/nanobsd/files/etc/pf.hybrid.conf (revision 13772) @@ -71,8 +71,11 @@ # By default deny all outgoing traffic to avoid systems spamming the network (9) -block out on { $captive_portal_interfaces } from any to !$wl_net +block in on { $captive_portal_interfaces } from any to !$wl_net + +# Quickly drop out, with nice return value, avoiding endless connections on portal setup (6) +block return in quick on { $captive_portal_interfaces } proto tcp from ! to !$wl_net port { $publicnat } # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6) -pass out on { $captive_portal_interfaces } proto tcp from to !$wl_net port { $publicnat } keep state +pass in on { $captive_portal_interfaces } proto tcp from to !$wl_net port { $publicnat } keep state # External interface is permissive (4) Index: branches/releng-11/nanobsd/files/etc/pf.node.conf =================================================================== --- branches/releng-11/nanobsd/files/etc/pf.node.conf (revision 13771) +++ branches/releng-11/nanobsd/files/etc/pf.node.conf (revision 13772) @@ -39,6 +39,9 @@ # By default deny all outgoing traffic to avoid systems spamming the network (9) -block out on { $captive_portal_interfaces } from any to !$wl_net +block in on { $captive_portal_interfaces } from any to !$wl_net + +# Quickly drop out, with nice return value, avoiding endless connections on portal setup (6) +block return in quick on { $captive_portal_interfaces } proto tcp from ! to !$wl_net port { $publicnat } # Note: not even HTTPS traffic allowed for those who has not clicked OK yet (6) -pass out on { $captive_portal_interfaces } proto tcp from to !$wl_net port { $ileiden_ports } keep state +pass in on { $captive_portal_interfaces } proto tcp from to !$wl_net port { $ileiden_ports } keep state