update ipfw template with current captive portal setup

66f30c7f · Ad Schellevis · 4d5ad276 · 66f30c7f
Commit 66f30c7f authored May 12, 2015 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 25 deletions

ipfw.conf src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf +66 -25

No files found.
--- a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+++ b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
+{# collect interfaces list (with / without captive portal enabled) #}
+{% set cp_interface_list = [] %}
+{% set no_cp_interface_list = [] %}
+{% if helpers.exists('captiveportal') %}
+{% for intf_key,interface in interfaces.iteritems()%}
+{%      set is_cp=[] %}
+{%      for cp_key,cp_item in captiveportal.iteritems()  %}
+{%          if intf_key == cp_item.interface and interface.ipaddr != 'dhcp' %}
+{%              do cp_interface_list.append({'zone':cp_key,'zoneid':cp_item.zoneid,'if':interface.if}) %}
+{%              do is_cp.append(1) %}
+{%          endif %}
+{%      endfor %}
+{%      if not is_cp%}
+{%              do no_cp_interface_list.append(interface) %}
+{%      endif %}
+{% endfor %}
+{% else %}
+{%      for intf_key,interface in interfaces.iteritems() %}
+{%              do no_cp_interface_list.append(interface) %}
+{%      endfor %}
+{% endif %}
 #======================================================================================
 # flush ruleset
 #======================================================================================
@@ -30,41 +51,61 @@ add {{loop.index  + 1000}} allow icmp from any to { 255.255.255.255 or {{interfa
 {% endif %}
 {% endfor %}

-{% if helpers.exists('captiveportal') %}
-{% for cp_key,cp_item in captiveportal.iteritems() %}
-{%      for intf_key,interface in interfaces.iteritems() %}
-{%          if intf_key == cp_item.interface and interface.ipaddr != 'dhcp' %}
+{% for item in cp_interface_list %}
 #===================================================================================
-# zone {{cp_key}} ({{cp_item.zoneid}}) configuration
+# zone {{item.zone}} ({{item.zoneid}}) configuration
 #===================================================================================
 {# authenticated users ( table 1 + 2 ) #}
-add {{3000 + cp_item.zoneid|int * 10 + 1 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 1 }}) to any via {{interface.if}}
-add {{3000 + cp_item.zoneid|int * 10 + 2 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 1 }}) to any via {{interface.if}}
+add {{3000 + item.zoneid|int * 10 + 1 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 1 }}) to any via {{item.if}}
+add {{3000 + item.zoneid|int * 10 + 2 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 1 }}) to any via {{item.if}}
 {# authenticated hosts ( table 3 + 4 ) #}
-add {{3000 + cp_item.zoneid|int * 10 + 3 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 3 }}) to any via {{interface.if}}
-add {{3000 + cp_item.zoneid|int * 10 + 4 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 3 }}) to any via {{interface.if}}
+add {{3000 + item.zoneid|int * 10 + 3 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 3 }}) to any via {{item.if}}
+add {{3000 + item.zoneid|int * 10 + 4 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 3 }}) to any via {{item.if}}
 {# authenticated mac addresses ( table 5 + 6 ) #}
-add {{3000 + cp_item.zoneid|int * 10 + 5 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 5 }}) to any via {{interface.if}}
-add {{3000 + cp_item.zoneid|int * 10 + 6 }}  skipto {{10001 + cp_item.zoneid|int * 1000  }} ip from table({{6*(cp_item.zoneid|int-1) + 5 }}) to any via {{interface.if}}
-{%          endif %}
-{%      endfor %}
+add {{3000 + item.zoneid|int * 10 + 5 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 5 }}) to any via {{item.if}}
+add {{3000 + item.zoneid|int * 10 + 6 }}  skipto {{10001 + item.zoneid|int * 1000  }} ip from table({{6*(item.zoneid|int-1) + 5 }}) to any via {{item.if}}
 {% endfor %}
-{% endif %}


+#======================================================================================
+# redirect non-authenticated clients to captive portal @ local port 8000 + zoneid
+#======================================================================================
+{% for item in cp_interface_list %}
+add {{5000 + item.zoneid|int }} fwd 127.0.0.1,{{  item.zoneid|int + 8000 }} tcp from any to any dst-port 80 in via {{item.if}}
+add {{5000 + item.zoneid|int }} allow ip from any to any dst-port 80 via {{item.if}}
+{% endfor %}
+
+
+#======================================================================================
+# accept traffic from all interfaces not used by captive portal
+#======================================================================================
+{% for item in no_cp_interface_list %}
+add {{6001 + loop.index }} allow all from any to any via {{item.if}} ;
+{% endfor %}
+# let the responses from the captive portal web server back out
+add 6200 pass tcp from any to any out
+# block everything else (not mentioned before)
+add 6201 skipto 65534 all from any to any
+

 #======================================================================================
 # setup zone accounting section
 #======================================================================================
-{% if helpers.exists('captiveportal') %}
-{% for cp_key,cp_item in captiveportal.iteritems() %}
-{%      for intf_key,interface in interfaces.iteritems() %}
-{%          if intf_key == cp_item.interface and interface.ipaddr != 'dhcp' %}
-# zone {{cp_key}} ({{cp_item.zoneid}})
-add {{ (cp_item.zoneid|int * 1000) + 10001 }} count ip from any to any via {{interface.if}}
-add {{ (cp_item.zoneid|int * 1000) + 10998 }} skipto 30000 all from any to any via {{interface.if}}
-add {{ (cp_item.zoneid|int * 1000) + 10999 }} deny all from any to any not via {{interface.if}}
-{%          endif %}
-{%      endfor %}
+{% for item in cp_interface_list %}
+# zone {{item.zone}} ({{item.zoneid}})
+add {{ (item.zoneid|int * 1000) + 10001 }} count ip from any to any via {{item.if}}
+add {{ (item.zoneid|int * 1000) + 10998 }} skipto 30000 all from any to any via {{item.if}}
+add {{ (item.zoneid|int * 1000) + 10999 }} deny all from any to any not via {{item.if}}
 {% endfor %}
-{% endif %}
+
+
+#======================================================================================
+# setup accounting section, first rule is counting all CP traffic
+# rule 65500 unlocks the traffic already authorized from a CP zone
+#======================================================================================
+add 30000 set 0 count ip from any to any
+add 65500 pass ip from any to any
+
+# block all unmatched
+add 65534 deny all from any to any
+