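{# collect interfaces list (with / without captive portal enabled)                  #}
{#   cp_interface_list    : one entry per captive portal zone that is bound to a     #}
{#                          statically addressed interface -> {zone, zoneid, if}      #}
{#   no_cp_interface_list : interfaces without any zone; these are passed             #}
{#                          unconditionally by the "skipto 60000" rules further down   #}
{# An interface that has a zone but is addressed via dhcp is kept out of BOTH lists: #}
{# no portal rules can be built for it, but it must not receive the unconditional    #}
{# pass either -- that would let a zone on a dhcp interface silently fail open.      #}
{# Traffic on such an interface is not claimed by any skipto and therefore ends at   #}
{# the final deny (fail closed) until the interface gets a static address.           #}
{% set cp_interface_list = [] %}
{% set no_cp_interface_list = [] %}
{% if helpers.exists('captiveportal') %}
{% for intf_key,interface in interfaces.iteritems()%}
{%      set is_cp=[] %}
{%      for cp_key,cp_item in captiveportal.iteritems()  %}
{%          if intf_key == cp_item.interface %}
{#              portal-bound regardless of address type: never treat it as a free interface #}
{%              do is_cp.append(1) %}
{%              if interface.ipaddr != 'dhcp' %}
{%                  do cp_interface_list.append({'zone':cp_key,'zoneid':cp_item.zoneid,'if':interface.if}) %}
{%              endif %}
{%          endif %}
{%      endfor %}
{%      if not is_cp%}
{%              do no_cp_interface_list.append(interface) %}
{%      endif %}
{% endfor %}
{% else %}
{# no captive portal configured at all: every interface is passed unconditionally #}
{%      for intf_key,interface in interfaces.iteritems() %}
{%              do no_cp_interface_list.append(interface) %}
{%      endfor %}
{% endif %}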
#======================================================================================
# flush ruleset
# (drops the rules currently loaded; everything below is then installed from scratch,
#  so this file is always meant to be loaded as a whole, never rule by rule)
#======================================================================================
flush

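#======================================================================================
# define dummynet pipes
#======================================================================================
{# one "pipe N config" line per traffic shaper pipe; the matching "pipe N" rules      #}
{# that send traffic into them are emitted in the traffic shaping section below.     #}
{# bandwidth is written as <number><metric>/s (e.g. 10Mbit/s).                        #}
{# The optional queue size must be written as one token: ipfw(8) documents it as     #}
{# "queue {slots | sizeKbytes}", so the metric is attached directly to the number    #}
{# and no whitespace is emitted in between. 'slots' is ipfw's default and is omitted. #}
{% if helpers.exists('OPNsense.TrafficShaper.pipes.pipe') %}
{% for pipe in OPNsense.TrafficShaper.pipes.pipe %}
pipe {{ pipe.number }} config bw {{ pipe.bandwidth }}{{ pipe.bandwidthMetric }}/s{% if pipe.queue %} queue {{ pipe.queue }}{% if pipe.queueMetric != 'slots' %}{{ pipe.queueMetric }}{% endif %}{% endif %}

{% endfor %}
{% endif %}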

#======================================================================================
# general purpose rules 1...1000
#======================================================================================
# firewall synchronisation and failover protocols are never filtered by this ruleset
add 100 allow pfsync from any to any
add 110 allow carp from any to any
# layer 2: pass ARP
# NOTE(review): the layer2 rules below only take effect if ipfw is also hooked into
# the ethernet layer (net.link.ether.ipfw); that sysctl is not set from this file.
add 120 pass layer2 mac-type arp,rarp
# OPNsense requires for WPA
# (0x888e = EAP over LAN / 802.1X, 0x88c7 = 802.11i pre-authentication)
add 130 pass layer2 mac-type 0x888e,0x88c7
# PPP Over Ethernet Session Stage/Discovery Stage
add 140 pass layer2 mac-type 0x8863,0x8864
# layer 2: block anything else non-IP(v4/v6)
# everything after this rule is evaluated on IPv4/IPv6 packets only
add 150 deny layer2 not mac-type ip,ipv6

#======================================================================================
# Allow traffic to this hosts static ip's
#======================================================================================
{# One group of rules per interface with a static IPv4 address (only 'ipaddr' is     #}
{# looked at, IPv6 addresses are not covered). wan is skipped; as a non-portal       #}
{# interface it is expected to be passed by the "skipto 60000" rules further down.   #}
{# All rules of one interface share the number 1000+loop.index and are evaluated in  #}
{# the order written. These rules carry no "via", so they match on every interface.  #}
{% for intf_key,interface in interfaces.iteritems() %}
{% if intf_key != "wan" and interface.ipaddr != "dhcp" and interface.ipaddr != "" %}
{# DNS to the firewall itself; keep-state adds a dynamic rule for the reply           #}
{# (the reply would also be matched by the "allow ip ... out" rule below).            #}
add {{loop.index  + 1000}} allow udp from any to {{ interface.ipaddr }} dst-port 53 keep-state
{# Anything addressed to this interface's IP (or limited broadcast), and anything     #}
{# it sends. NOTE(review): these rules precede the per-zone checks, so a client that  #}
{# has NOT authenticated at the portal can already reach every service listening on  #}
{# this address, not only DNS/DHCP and the portal itself. Restrict to the required   #}
{# ports unless something in front of ipfw (pf, service bindings) limits that --      #}
{# confirm.                                                                           #}
add {{loop.index  + 1000}} allow ip from any to { 255.255.255.255 or {{interface.ipaddr}} } in
add {{loop.index  + 1000}} allow ip from { 255.255.255.255 or {{interface.ipaddr}} } to any out
{# echo reply out / echo request in: already covered by the two "allow ip" rules     #}
{# above, kept for explicitness                                                       #}
add {{loop.index  + 1000}} allow icmp from { 255.255.255.255 or {{interface.ipaddr}} } to any out icmptypes 0
add {{loop.index  + 1000}} allow icmp from any to { 255.255.255.255 or {{interface.ipaddr}} } in icmptypes 8
{% endif %}
{% endfor %}

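{% for item in cp_interface_list %}
#===================================================================================
# zone {{item.zone}} ({{item.zoneid}}) configuration
#===================================================================================
{# Each zone owns the six ipfw tables 6*(zoneid-1)+1 .. +6 and the rule numbers      #}
{# 3000 + zoneid*10 + 1..6. A packet belonging to a client listed in one of the      #}
{# "authenticated" tables is sent to the zone's accounting section at               #}
{# 10001 + zoneid*1000 and from there on to the authorized pass rules.               #}
{# Every pair consists of a rule for packets sent BY the client (src in table) and   #}
{# one for packets sent TO the client (dst in table): "via" matches both the in and  #}
{# the out direction, but a table lookup only checks one address. Without the        #}
{# dst-side rule the replies to an authenticated client never reach the zone and,   #}
{# unless they are tcp (rule 6200), are dropped by rule 6201.                        #}
{# NOTE(review): the comments reserve tables +2, +4 and +6 but no rule looked them    #}
{# up; the dst-side rules use the same table as their src-side counterpart -- verify #}
{# against what the portal backend actually writes into the even-numbered tables.   #}
{# authenticated users ( table 1 + 2 ) #}
add {{3000 + item.zoneid|int * 10 + 1 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 1 }}) to any via {{item.if}}
add {{3000 + item.zoneid|int * 10 + 2 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from any to table({{6*(item.zoneid|int-1) + 1 }}) via {{item.if}}
{# authenticated hosts ( table 3 + 4 ) #}
add {{3000 + item.zoneid|int * 10 + 3 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 3 }}) to any via {{item.if}}
add {{3000 + item.zoneid|int * 10 + 4 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from any to table({{6*(item.zoneid|int-1) + 3 }}) via {{item.if}}
{# authenticated mac addresses ( table 5 + 6 ) #}
add {{3000 + item.zoneid|int * 10 + 5 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 5 }}) to any via {{item.if}}
add {{3000 + item.zoneid|int * 10 + 6 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from any to table({{6*(item.zoneid|int-1) + 5 }}) via {{item.if}}
{% endfor %}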


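#======================================================================================
# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
#======================================================================================
{# Reached only by traffic on a portal interface that did not match the zone's       #}
{# "authenticated" tables above. Plain http (tcp/80) coming in is diverted to the    #}
{# zone's local portal listener; fwd terminates rule evaluation for the packet, so   #}
{# the second rule only sees the remaining dst-port 80 packets on the interface      #}
{# (in practice the outbound side). The second rule is restricted to tcp: with "ip"  #}
{# it also matched udp/80, which the fwd rule does not divert and which the          #}
{# "skipto 60000" rules of the non-portal interfaces would then have passed out --    #}
{# a path through the firewall for a client that never authenticated. Everything     #}
{# else from an unauthenticated client falls through to rule 6201 and is denied.     #}
{% for item in cp_interface_list %}
add {{5000 + item.zoneid|int }} fwd 127.0.0.1,{{  item.zoneid|int + 8000 }} tcp from any to any dst-port 80 in via {{item.if}}
add {{5000 + item.zoneid|int }} allow tcp from any to any dst-port 80 via {{item.if}}
{% endfor %}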


#======================================================================================
# accept traffic from all interfaces not used by captive portal
#======================================================================================
{# every interface without a portal zone jumps straight to the authorized section   #}
{# (rule 60000 onwards); nothing arriving on it is subject to the zone checks above #}
{% for item in no_cp_interface_list %}
add {{6001 + loop.index }} skipto 60000 ip from any to any via {{item.if}}
{% endfor %}
# let the responses from the captive portal web server back out
# (this is outbound tcp on every interface, portal interfaces included)
add 6200 allow tcp from any to any out
# whatever is still here was claimed by no rule above: jump to the final deny
add 6201 skipto 65534 ip from any to any


#======================================================================================
# setup zone accounting section
#======================================================================================
{# one block per zone at 10001 + zoneid*1000, entered through the zone's skipto rules #}
{# above: count the packet, then continue at the global counter (30000).             #}
{# The closing rule can only see packets that entered this block on an interface     #}
{# other than the zone's own; they are dropped (defensive, should not happen).       #}
{% for item in cp_interface_list %}
# zone {{item.zone}} ({{item.zoneid}})
add {{ (item.zoneid|int * 1000) + 10001 }} count ip from any to any via {{item.if}}
add {{ (item.zoneid|int * 1000) + 10998 }} skipto 30000 ip from any to any via {{item.if}}
add {{ (item.zoneid|int * 1000) + 10999 }} drop ip from any to any not via {{item.if}}
{% endfor %}


#======================================================================================
# setup accounting section, first rule is counting all CP traffic
#======================================================================================
# every zone accounting block ends in "skipto 30000"; the counter lives in set 0 (the
# default rule set). count never terminates evaluation, the packet moves on to 60000.
add 30000 set 0 count ip from any to any


#======================================================================================
# traffic shaping section, authorized traffic
#======================================================================================
add 60000 return via any

{# one rule per traffic shaper rule, numbered 60001, 60002, ...; the pipe it refers  #}
{# to is configured in the dummynet section at the top of this file. Only traffic    #}
{# that reached rule 60000 (non-portal interfaces, authenticated portal clients)     #}
{# gets here, so the shaper never sees unauthenticated portal traffic.              #}
{# NOTE(review): rule.interface is emitted verbatim, while every other section uses  #}
{# interface.if (the device name); verify rule.interface already holds the device   #}
{# name and not the configuration key. The rule carries no address filter: all      #}
{# traffic of that protocol on the interface enters the pipe.                       #}
{% if helpers.exists('OPNsense.TrafficShaper.rules.rule') %}
{% for rule in OPNsense.TrafficShaper.rules.rule %}
add {{loop.index  + 60000}} pipe {{ rule.pipe }} {{ rule.proto }} via {{ rule.interface }}
{% endfor %}
{% endif %}


# pass authorized
# (reached by fall-through from 60000 and the shaper rules; everything arriving here
#  either came in on a non-portal interface or belongs to an authenticated client)
add 65533 allow ip from any to any

# block all unmatched
# (only reachable through "skipto 65534" in rule 6201; 65535 is the kernel default rule)
add 65534 drop ip from any to any